ci-conda.Dockerfile
# SPDX-FileCopyrightText: Copyright (c) 2023-2026, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
# SPDX-License-Identifier: Apache-2.0
################################ build and update miniforge-upstream ###############################
# Global build arguments. Declared before the first FROM, they are visible only to
# FROM lines until a stage re-declares them. 'notset' is a placeholder default: a
# build that omits a value resolves an image tag containing the literal 'notset'
# (presumably non-existent, so the build stops at FROM -- confirm against the registry).
ARG CUDA_VER=notset
ARG LINUX_VER=notset
ARG MINIFORGE_VER=notset

# Intermediate stage: take the upstream miniforge image and bring its base
# environment up to date. /opt/conda is copied out of this stage later.
#
# NOTE(review): the base image is selected by tag only. A tag can be re-pointed
# upstream; pinning a digest alongside MINIFORGE_VER is what fixes the starting point.
FROM condaforge/miniforge3:${MINIFORGE_VER} AS miniforge-upstream

# RUN instructions in this stage use bash with errexit (-e), nounset (-u) and pipefail.
SHELL ["/bin/bash", "-euo", "pipefail", "-c"]

# The helper scripts are bind-mounted for this instruction only; they are not
# written into the resulting layer.
RUN \
    --mount=type=bind,source=scripts,target=/tmp/build-scripts \
    <<EOF
    # Ensure new files/dirs have group write permissions
    umask 002

    # install gha-tools for rapids-mamba-retry
    /tmp/build-scripts/install-tools --gha-tools

    # Example of pinned package in case you require an override
    # echo '<PACKAGE_NAME>==<VERSION>' >> /opt/conda/conda-meta/pinned

    # update everything before other environment changes, to ensure mixing
    # an older conda with newer packages still works well
    #
    # NOTE: 'PATH' is set locally here (instead of 'ENV') because this target is just an intermediate
    # build that files are copied out of.
    #
    # NOTE(review): 'update --all' moves every package in 'base' to whatever the configured
    # channels serve at build time, so two builds from the same inputs can differ. The
    # 'pinned' file shown above is the place to hold a package back.
    PATH="/opt/conda/bin:${PATH}" rapids-mamba-retry update --all -y -n base
EOF
# Final image stage, built on the CUDA base image for the requested CUDA version and distro.
# NOTE(review): selected by tag (CUDA_VER / LINUX_VER), not by digest.
FROM nvidia/cuda:${CUDA_VER}-base-${LINUX_VER} AS ci-conda

# Build arguments have to be re-declared inside the stage to be usable here.
ARG CONDA_ARCH=notset
ARG CUDA_VER=notset
# Declared as ARG, so it is present for RUN steps during the build but is not part of
# the image's runtime environment.
ARG DEBIAN_FRONTEND=noninteractive
ARG PYTHON_VER=notset
# NOTE(review): PYTHON_VER_UPPER_BOUND is declared but not referenced anywhere else in this file.
ARG PYTHON_VER_UPPER_BOUND=notset

# conda's bin directory goes first on PATH for every later RUN and for the running container.
ENV PATH=/opt/conda/bin:${PATH}
ENV PYTHON_VERSION=${PYTHON_VER}

# RUN instructions in this stage use bash with errexit (-e), nounset (-u) and pipefail.
SHELL ["/bin/bash", "-euo", "pipefail", "-c"]

# Install all the tools that are just "download a binary and stick it on PATH".
#
# These can be together, and earlier, because they're very cache-friendly... the versions are
# pinned so the layer content shouldn't change.
#
# And safe here because they're unaffected by conda or conda packages.
#
# NOTE(review): a pinned version fixes which release is requested. Whether each download is
# also checked against a checksum or signature is decided inside 'install-tools', which is
# not visible in this file.
ARG AWS_CLI_VER=notset
ARG CPU_ARCH=notset
ARG LINUX_VER=notset
ARG GH_CLI_VER=notset
ARG REAL_ARCH=notset
ARG SCCACHE_VER=notset
ARG YQ_VER=notset

# GH_TOKEN is passed as a BuildKit secret and exposed as an environment variable for this
# RUN only, so it does not land in an ARG/ENV or in the image history. Both scripts below
# inherit it: neither should echo its environment, enable command tracing, or write the
# token to disk (anything written to the filesystem here does become part of the layer).
# The 'env=' option needs a Dockerfile frontend recent enough to support it.
RUN \
    --mount=type=secret,id=GH_TOKEN,env=GH_TOKEN \
    --mount=type=bind,source=scripts,target=/tmp/build-scripts \
    <<EOF
    # configure apt (do this first because it affects installs in later scripts)
    LINUX_VER="${LINUX_VER}" /tmp/build-scripts/configure-apt

    # install AWS CLI, gh CLI, gha-tools, sccache, and yq
    AWS_CLI_VER="${AWS_CLI_VER}" \
    CPU_ARCH="${CPU_ARCH}" \
    GH_CLI_VER="${GH_CLI_VER}" \
    REAL_ARCH="${REAL_ARCH}" \
    SCCACHE_VER="${SCCACHE_VER}" \
    YQ_VER="${YQ_VER}" \
        /tmp/build-scripts/install-tools \
            --aws-cli \
            --gh-cli \
            --gha-tools \
            --sccache \
            --yq

    # Create a conda group and assign it as root's primary group
    # (a later step in this file switches root's primary group back to 'root')
    groupadd conda
    usermod -g conda root
EOF
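# Ownership & permissions based on https://docs.anaconda.com/anaconda/install/multi-user/#multi-user-anaconda-installation-on-linux
#
# --chown / --chmod apply to every copied file and directory: owner root, group conda,
# mode 770. Accounts outside the 'conda' group get no access to /opt/conda, while group
# members can write anywhere in the tree -- including the executables that
# /opt/conda/bin puts first on PATH. Membership in 'conda' is therefore a privileged grant.
COPY --from=miniforge-upstream --chown=root:conda --chmod=770 /opt/conda /opt/conda

RUN <<EOF
    # Ensure new files are created with group write access & setgid. See https://unix.stackexchange.com/a/12845
    chmod g+ws /opt/conda

    # Ensure new files/dirs have group write permissions
    umask 002

    # PYTHON_VERSION has to be exactly '<major>.<minor>': it is split on the first '.',
    # the minor part is fed to shell arithmetic, and the pieces are interpolated into a
    # conda match spec. Reject anything else here with a clear message, instead of failing
    # later on an arithmetic error or handing conda a spec nobody intended.
    if [[ ! "${PYTHON_VERSION}" =~ ^[0-9]+\.[0-9]+$ ]]; then
        echo "PYTHON_VER must have the form '<major>.<minor>' (got '${PYTHON_VERSION}')" >&2
        exit 1
    fi

    # install expected Python version
    PYTHON_MAJOR_VERSION=${PYTHON_VERSION%%.*}
    PYTHON_MINOR_VERSION=${PYTHON_VERSION#*.}
    # exclusive upper bound: the first pre-release of the next minor version
    PYTHON_UPPER_BOUND="${PYTHON_MAJOR_VERSION}.$((PYTHON_MINOR_VERSION+1)).0a0"
    # zero-pad the minor version so the string comparison below orders '3.9' before '3.12'
    PYTHON_MINOR_PADDED=$(printf "%02d" "$PYTHON_MINOR_VERSION")
    PYTHON_VERSION_PADDED="${PYTHON_MAJOR_VERSION}.${PYTHON_MINOR_PADDED}"
    # versions after 3.12 select builds by a 'cp<major><minor>' suffix, older ones by 'cpython'
    if [[ "$PYTHON_VERSION_PADDED" > "3.12" ]]; then
        PYTHON_ABI_TAG="cp${PYTHON_MAJOR_VERSION}${PYTHON_MINOR_VERSION}"
    else
        PYTHON_ABI_TAG="cpython"
    fi
    rapids-mamba-retry install -y -n base "python>=${PYTHON_VERSION},<${PYTHON_UPPER_BOUND}=*_${PYTHON_ABI_TAG}"
    rapids-mamba-retry update --all -y -n base

    # rockylinux images get findutils installed for the 'find' calls below
    # (presumably it is missing from that base image -- confirm)
    if [[ "$LINUX_VER" == "rockylinux"* ]]; then
        dnf install -y findutils
        dnf clean all
    fi

    # Drop static libraries and compiled bytecode to shrink the layer.
    # '-follow' dereferences symlinks, so a link inside /opt/conda that points elsewhere
    # would extend these deletions outside the tree; this runs as root.
    find /opt/conda -follow -type f -name '*.a' -delete
    find /opt/conda -follow -type f -name '*.pyc' -delete

    # purge conda's caches (index cache, package cache, tarballs) so they are not kept in the layer
    conda clean -aiptfy

    # Reassign root's primary group to root
    usermod -g root root

    # ensure conda environment is always activated
    # (login shells via /etc/profile.d, accounts created later via /etc/skel, and the
    # build user's own ~/.bashrc)
    ln -s /opt/conda/etc/profile.d/conda.sh /etc/profile.d/conda.sh
    echo ". /opt/conda/etc/profile.d/conda.sh; conda activate base" >> /etc/skel/.bashrc
    echo ". /opt/conda/etc/profile.d/conda.sh; conda activate base" >> ~/.bashrc
EOF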
# Set RAPIDS versions env variables
# (these persist into containers started from the image)
ENV RAPIDS_CONDA_ARCH="${CONDA_ARCH}" \
    RAPIDS_CUDA_VERSION="${CUDA_VER}" \
    RAPIDS_DEPENDENCIES="latest" \
    RAPIDS_PY_VERSION="${PYTHON_VER}"

# Install system packages depending on the LINUX_VER
#
# NOTE(review): both branches upgrade every installed OS package ('apt-get upgrade' /
# 'dnf update'). That picks up distro security fixes at build time, but it also means the
# result depends on when the image was built rather than only on the base image tag.
RUN <<EOF
    case "${LINUX_VER}" in
        "ubuntu"*)
            rapids-retry apt-get update -y
            apt-get upgrade -y

            PACKAGES_TO_INSTALL=(
                ca-certificates
                curl
                file
                tzdata
                unzip
                wget
            )

            # tzdata is needed by the ORC library used by pyarrow, because it provides /etc/localtime
            # On Ubuntu 24.04 and newer, we also need tzdata-legacy.
            os_version=$(grep 'VERSION_ID' /etc/os-release | cut -d '"' -f 2)

            # 'shellcheck' is unhappy with the use of '>' to compare decimals here, but it works as expected for the 'bash' version in these
            # images, and installing 'bc' or using a Python interpreter seem heavy for this purpose.
            #
            # shellcheck disable=SC2072
            if [[ "${os_version}" > "24.04" || "${os_version}" == "24.04" ]]; then
                PACKAGES_TO_INSTALL+=(tzdata-legacy)
            fi

            apt-get install -y --no-install-recommends "${PACKAGES_TO_INSTALL[@]}"

            # rebuild the system trust store from the installed CA certificates
            update-ca-certificates

            # remove apt caches in the same layer that created them
            rm -rf /var/cache/apt/archives /var/lib/apt/lists/*
            ;;
        "rockylinux"*)
            dnf -y update

            PACKAGES_TO_INSTALL=(
                ca-certificates
                file
                unzip
                wget
                which
                yum-utils
            )

            dnf -y install --setopt=install_weak_deps=False "${PACKAGES_TO_INSTALL[@]}"

            # rebuild the system trust store from the installed CA certificates
            update-ca-trust extract

            dnf clean all
            ;;
        *)
            # fail the build for any distro family other than the two handled above
            echo "Unsupported LINUX_VER: ${LINUX_VER}"
            exit 1
            ;;
    esac
EOF
# Create condarc file from env vars
ENV RAPIDS_CONDA_BLD_ROOT_DIR=/tmp/conda-bld-workspace \
    RAPIDS_CONDA_BLD_OUTPUT_DIR=/tmp/conda-bld-output

# The template is deleted in the RUN below, but it still exists in the layer created by
# this COPY; treat its contents as shipped with the image.
COPY condarc.tmpl /tmp/condarc.tmpl

# Install CI tools using mamba
RUN <<EOF
    # Install prereq for envsubst
    rapids-mamba-retry install -y gettext

    # create condarc file from env vars
    #
    # envsubst is called without a variable list, so every variable reference in the
    # template is filled from the build environment, and 'tee' also prints the rendered
    # file to the build log. Keep the template limited to non-sensitive variables.
    envsubst < /tmp/condarc.tmpl | tee /opt/conda/.condarc
    rm -f /tmp/condarc.tmpl

    # Same Python version window as the earlier Python install step in this file; the two
    # copies of this derivation have to be kept in sync by hand.
    PYTHON_MAJOR_VERSION=${PYTHON_VERSION%%.*}
    PYTHON_MINOR_VERSION=${PYTHON_VERSION#*.}
    PYTHON_UPPER_BOUND="${PYTHON_MAJOR_VERSION}.$((PYTHON_MINOR_VERSION+1)).0a0"
    # zero-pad the minor version so the string comparison below orders '3.9' before '3.12'
    PYTHON_MINOR_PADDED=$(printf "%02d" "$PYTHON_MINOR_VERSION")
    PYTHON_VERSION_PADDED="${PYTHON_MAJOR_VERSION}.${PYTHON_MINOR_PADDED}"
    if [[ "$PYTHON_VERSION_PADDED" > "3.12" ]]; then
        PYTHON_ABI_TAG="cp${PYTHON_MAJOR_VERSION}${PYTHON_MINOR_VERSION}"
    else
        PYTHON_ABI_TAG="cpython"
    fi

    # Most entries carry only a lower bound, so the versions actually installed are
    # whatever the channels serve at build time; the lower bounds on 'ca-certificates'
    # and 'certifi' keep the trust bundle from falling behind that floor.
    #
    # TODO: remove the ceiling on 'rattler-build' (https://github.com/rapidsai/build-planning/issues/259)
    PACKAGES_TO_INSTALL=(
        'anaconda-client>=1.13.1'
        'ca-certificates>=2026.1.4'
        'certifi>=2026.1.4'
        'conda-build>=25.11.1'
        'conda-package-handling>=2.4.0'
        'dunamai>=1.25.0'
        'git>=2.52.0'
        'jq>=1.8.1'
        'packaging>=25.0'
        "python>=${PYTHON_VERSION},<${PYTHON_UPPER_BOUND}=*_${PYTHON_ABI_TAG}"
        'rapids-dependency-file-generator==1.*'
        'rattler-build>=0.55.0,<0.58'
    )

    rapids-mamba-retry install -y "${PACKAGES_TO_INSTALL[@]}"

    # purge conda's caches so they are not kept in the layer
    conda clean -aiptfy
EOF
# Install codecov-cli
ARG CODECOV_VER=notset
RUN <<EOF
    # codecov-cli
    #
    # codecov-cli is a noarch Python package, but some of its dependencies require compilation.
    # compilers are installed defensively here to prevent issues like "a dependency of codecov-cli
    # doesn't support CPU_ARCH / LINUX_VER / PYTHON_VER" from slowing down updates to RAPIDS CI.
    #
    # (no default branch is needed in the 'case' statements below: an unsupported LINUX_VER
    # already fails the build in the system-packages step earlier in this file)
    case "${LINUX_VER}" in
        "ubuntu"*)
            COMPILER_PACKAGES=(gcc g++)
            rapids-retry apt-get update -y
            apt-get install -y --no-install-recommends "${COMPILER_PACKAGES[@]}"
            ;;
        "rockylinux"*)
            COMPILER_PACKAGES=(gcc gcc-c++)
            dnf install -y "${COMPILER_PACKAGES[@]}"
            ;;
    esac

    # Only codecov-cli itself is pinned to an exact version; its dependencies are resolved
    # at build time and nothing here verifies package hashes. '--prefer-binary' favours
    # wheels, which limits how often a source distribution's build code runs (as root)
    # during the image build.
    rapids-pip-retry install --prefer-binary "codecov-cli==${CODECOV_VER}"

    # remove compiler packages... conda-based CI should use conda-forge's compilers
    case "${LINUX_VER}" in
        "ubuntu"*)
            apt-get purge -y "${COMPILER_PACKAGES[@]}"
            apt-get autoremove -y
            rm -rf /var/cache/apt/archives /var/lib/apt/lists/*
            ;;
        "rockylinux"*)
            dnf remove -y "${COMPILER_PACKAGES[@]}"
            dnf clean all
            ;;
    esac

    # clear the pip cache, to shrink image size and prevent unintentionally
    # pinning CI to older versions of things
    pip cache purge

    # Allow git to clone anywhere (these are images for isolated, short-lived CI containers,
    # don't need to worry about this setting intended for long-lived / shared servers)
    #
    # NOTE(review): this turns off git's repository-ownership check for every path,
    # system-wide. The justification above holds only while the containers stay isolated
    # and short-lived; do not carry the setting over to shared or long-lived hosts, or to
    # containers that mount working trees writable by another, less-trusted user.
    /opt/conda/bin/git config --system --add safe.directory '*'
EOF
# Add pip.conf
#
# /etc/xdg/pip/pip.conf is a system-wide pip configuration location, so this file applies to
# every pip invocation in containers started from the image. It is copied after the
# codecov-cli install above, so that install ran without it.
# NOTE(review): the file's contents are not visible here -- confirm that any package index
# it configures is trusted and served over HTTPS.
COPY pip.conf /etc/xdg/pip/pip.conf
# Default command: an interactive bash shell (exec form). No USER instruction appears in
# this stage, so containers run as the base image's default user -- root, judging by the
# usermod/apt/dnf calls above -- unless the runtime overrides it.
CMD ["/bin/bash"]