provide cli containerfile #329
Signed-off-by: Janine Olear <[email protected]>
Containerfile
COPY pyproject.toml ./ | ||
COPY src ./src | ||
|
||
RUN pip install typing-extensions sigstore-protobuf-specs protobuf in-toto-attestation cryptography certifi pyOpenSSL sigstore |
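Review bot: The `RUN pip install ...` line hard-codes an unversioned package list right after `COPY pyproject.toml ./`, so the image can drift from the dependencies the project declares and two builds of the same Containerfile can resolve different versions. Suggest installing from the copied project metadata, or pinning each package to a version (ideally with hashes), so the image that runs signing and verification is reproducible.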
Is there a better way to resolve the python dependencies? I've not much exp. with python and didn't see a `poetry` file or `requirements.txt`.
The sub-dependencies are defined here: https://github.com/sigstore/model-transparency/blob/main/pyproject.toml#L29-L34
It might be better to just install https://pypi.org/project/model-signing/ instead? Or does this need to always be built from the source repo?
Running `pip install .` from the project's root directory should also install the project w/ these dependencies.
+1 to just installing the library.
Alternatively, since we use `hatch`, `hatch shell` gives you an environment with all the dependencies installed. You just need to have `hatch` installed in the image.
I was actually thinking of making `hatch` scripts that would wrap around signing and verification CLI so a user would just run the script directly and that would manage the dependencies.
Hmm, seems like just installing the library is not going to be enough: #330.
> Alternatively, since we use `hatch`, `hatch shell` gives you an environment with all the dependencies installed. You just need to have `hatch` installed in the image.
> I was actually thinking of making `hatch` scripts that would wrap around signing and verification CLI so a user would just run the script directly and that would manage the dependencies.

I think it's probably fine to require `hatch` for development, but we shouldn't expect end users to need to use `hatch` just to have a CLI.
Sounds good. I think we didn't add the CLI scripts to the library, but we'll do once we rewrite them to use the higher level API.
> Running `pip install .` from the project's root directory should also install the project w/ these dependencies.

Hi @di, I tried this. But it fails. So I changed it to `python -m pip install model_signing`. 🙈

```
Processing /
Installing build dependencies: started
Installing build dependencies: finished with status 'done'
Getting requirements to build wheel: started
Getting requirements to build wheel: finished with status 'done'
Preparing metadata (pyproject.toml): started
Preparing metadata (pyproject.toml): finished with status 'error'
error: subprocess-exited-with-error
× Preparing metadata (pyproject.toml) did not run successfully.
│ exit code: 1
╰─> [24 lines of output]
Traceback (most recent call last):
File "/usr/local/lib/python3.13/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py", line 353, in <module>
main()
~~~~^^
File "/usr/local/lib/python3.13/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py", line 335, in main
json_out['return_val'] = hook(**hook_input['kwargs'])
~~~~^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.13/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py", line 152, in prepare_metadata_for_build_wheel
whl_basename = backend.build_wheel(metadata_directory, config_settings)
File "/tmp/pip-build-env-glunuzhs/overlay/lib/python3.13/site-packages/hatchling/build.py", line 58, in build_wheel
return os.path.basename(next(builder.build(directory=wheel_directory, versions=['standard'])))
~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/tmp/pip-build-env-glunuzhs/overlay/lib/python3.13/site-packages/hatchling/builders/plugin/interface.py", line 90, in build
self.metadata.validate_fields()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^
File "/tmp/pip-build-env-glunuzhs/overlay/lib/python3.13/site-packages/hatchling/metadata/core.py", line 266, in validate_fields
self.core.validate_fields()
~~~~~~~~~~~~~~~~~~~~~~~~~^^
File "/tmp/pip-build-env-glunuzhs/overlay/lib/python3.13/site-packages/hatchling/metadata/core.py", line 1366, in validate_fields
getattr(self, attribute)
~~~~~~~^^^^^^^^^^^^^^^^^
File "/tmp/pip-build-env-glunuzhs/overlay/lib/python3.13/site-packages/hatchling/metadata/core.py", line 700, in license
raise OSError(message)
OSError: License file does not exist: LICENSE
[end of output]
note: This error originates from a subprocess, and is likely not a problem with pip.
error: metadata-generation-failed
× Encountered error while generating package metadata.
╰─> See above for output.
note: This is an issue with the package mentioned above, not pip.
hint: See above for details.
```
This is interesting. I'll try to debug this on Monday.
Signed-off-by: Janine Olear <[email protected]>
Should it be named `Dockerfile`?
Also, can you add the standard license header please? (the one with sigstore authors, see https://github.com/sigstore/model-transparency/blob/main/src/model_signing/__init__.py)
Hi @mihaimaruseac, I added the license header. 😃
Regarding the file, I named it `Containerfile` over `Dockerfile` since it's agnostic to container engines like Podman, Buildah (got recently donated to CNCF) or Docker. Podman/Buildah seem to pick Containerfile over Dockerfile by default. We could still change it if you think it makes more sense - wdyt? :)
Thank you for the context! This makes a lot of sense (and TIL!)
Signed-off-by: Janine Olear <[email protected]>
Thank you!
Summary
This PR provides a Containerfile to wrap `sign.py` and `verify.py` in a container, simplifying execution in containerized environments like Kubernetes.
Part of:
Release Note
N/A
Documentation
N/A