Merge remote-tracking branch 'upstream/main'

Author: dchourasia

.github/workflows/snyk-dockerfile-scan.yml

@@ -0,0 +1,34 @@
+# Snyk scan for training‑runtime Dockerfiles
+# push to main, nightly 03:00 UTC, fork PRs after label `run‑snyk`
+# Fails on High/Critical CVEs
+name: Snyk Dockerfile Scan
+on:
+  push:
+    branches: [ main ]
+  pull_request_target:
+    types: [ labeled ]        
+  schedule:
+    - cron: '0 3 * * *'
+jobs:
+  snyk-scan:
+    if: |
+      github.event_name == 'schedule' ||
+      github.event_name == 'push' ||
+      (github.event_name == 'pull_request_target' &&
+       contains(github.event.pull_request.labels.*.name, 'run-snyk'))
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+      with:
+        # for pull_request_target scan the PR head commit
+        ref: ${{ github.event.pull_request.head.sha || github.sha }}
+    - uses: snyk/actions/setup@master
+      with:
+        token: ${{ secrets.SNYK_TOKEN }}
+    - name: Scan Dockerfiles
+      shell: bash
+      run: |
+        set -euo pipefail
+        find images/runtime/training -name Dockerfile | while read f; do
+          snyk iac test "$f" --severity-threshold=high
+        done

tests/kfto/kfto_mnist_training_test.go

@@ -169,6 +169,10 @@ func createKFTOPyTorchMnistJob(test Test, namespace string, config corev1.Config
 											Name:      "tmp-volume",
 											MountPath: "/tmp",
 										},
+										{
+											Name:      "shm-volume",
+											MountPath: "/dev/shm",
+										},
 									},
 									Resources: corev1.ResourceRequirements{
 										Requests: corev1.ResourceList{
@@ -199,6 +203,14 @@ func createKFTOPyTorchMnistJob(test Test, namespace string, config corev1.Config
 										EmptyDir: &corev1.EmptyDirVolumeSource{},
 									},
 								},
+								{
+									Name: "shm-volume",
+									VolumeSource: corev1.VolumeSource{
+										EmptyDir: &corev1.EmptyDirVolumeSource{
+											Medium: corev1.StorageMediumMemory,
+										},
+									},
+								},
 							},
 							RestartPolicy: corev1.RestartPolicyOnFailure,
 						},
@@ -253,6 +265,10 @@ func createKFTOPyTorchMnistJob(test Test, namespace string, config corev1.Config
 											Name:      "tmp-volume",
 											MountPath: "/tmp",
 										},
+										{
+											Name:      "shm-volume",
+											MountPath: "/dev/shm",
+										},
 									},
 									Resources: corev1.ResourceRequirements{
 										Requests: corev1.ResourceList{
@@ -283,6 +299,14 @@ func createKFTOPyTorchMnistJob(test Test, namespace string, config corev1.Config
 										EmptyDir: &corev1.EmptyDirVolumeSource{},
 									},
 								},
+								{
+									Name: "shm-volume",
+									VolumeSource: corev1.VolumeSource{
+										EmptyDir: &corev1.EmptyDirVolumeSource{
+											Medium: corev1.StorageMediumMemory,
+										},
+									},
+								},
 							},
 							RestartPolicy: corev1.RestartPolicyOnFailure,
 						},

tests/kfto/kfto_training_test.go

@@ -237,6 +237,10 @@ func createKFTOPyTorchJob(test Test, namespace string, config corev1.ConfigMap,
 											Name:      "output-volume",
 											MountPath: "/mnt/output",
 										},
+										{
+											Name:      "shm-volume",
+											MountPath: "/dev/shm",
+										},
 									},
 									Resources: corev1.ResourceRequirements{
 										Requests: corev1.ResourceList{
@@ -281,6 +285,14 @@ func createKFTOPyTorchJob(test Test, namespace string, config corev1.ConfigMap,
 										},
 									},
 								},
+								{
+									Name: "shm-volume",
+									VolumeSource: corev1.VolumeSource{
+										EmptyDir: &corev1.EmptyDirVolumeSource{
+											Medium: corev1.StorageMediumMemory,
+										},
+									},
+								},
 							},
 						},
 					},
@@ -390,6 +402,10 @@ func createKFTOPyTorchJob(test Test, namespace string, config corev1.ConfigMap,
 									Name:      "tmp-volume",
 									MountPath: "/tmp",
 								},
+								{
+									Name:      "shm-volume",
+									MountPath: "/dev/shm",
+								},
 							},
 							Resources: corev1.ResourceRequirements{
 								Requests: corev1.ResourceList{
@@ -426,6 +442,14 @@ func createKFTOPyTorchJob(test Test, namespace string, config corev1.ConfigMap,
 								EmptyDir: &corev1.EmptyDirVolumeSource{},
 							},
 						},
+						{
+							Name: "shm-volume",
+							VolumeSource: corev1.VolumeSource{
+								EmptyDir: &corev1.EmptyDirVolumeSource{
+									Medium: corev1.StorageMediumMemory,
+								},
+							},
+						},
 					},
 				},
 			},