Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

provide cli containerfile #329

Merged
merged 3 commits into from
Dec 3, 2024
Merged

provide cli containerfile #329

Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
07bcc5a
provide cli containerfile
miyunari Nov 22, 2024
2af4806
update py version and change dep install
miyunari Nov 23, 2024
bbd1cbb
add license header to Containerfile
miyunari Dec 2, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 23 additions & 0 deletions Containerfile
View file
Open in desktop
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should it be named Dockerfile?

Also, can you add the standard license header please? (the one with sigstore authors, see https://github.com/sigstore/model-transparency/blob/main/src/model_signing/__init__.py)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @mihaimaruseac, I added the license header. 😃
Regarding the file, I named it Containerfile over Dockerfile since its agnostic to container engines like Podman, Buildah (got recently donated to CNCF) or Docker. Podman/Buildah seem to pick Containerfile over Dockerfile by default. We could still change it if you think it makes more sense - wdyt? :)

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for the context! This makes a lot of sense (and TIL!)

Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
FROM python:3.12-slim

COPY pyproject.toml ./
COPY src ./src

RUN pip install typing-extensions sigstore-protobuf-specs protobuf in-toto-attestation cryptography certifi pyOpenSSL sigstore
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a better way to resolve the python dependencies? I've not much exp. with python and didn't see a poetry file or requirements.txt.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The sub-dependencies are defined here: https://github.com/sigstore/model-transparency/blob/main/pyproject.toml#L29-L34

It might be better to just install https://pypi.org/project/model-signing/ instead? Or does this need to always be built from the source repo?

Running pip install . from the projects root directory should also install the project w/ these dependencies.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1 to just installing the library.

Alternatively, since we use hatch, hatch shell gives you an environment with all the dependencies installed. You just need to have hatch installed in the image.

I was actually thinking of making hatch scripts that would wrap around signing and verification CLI so a user would just run the script directly and that would manage the dependencies.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, seems like just installing the library is not going to be enough: #330.

Alternatively, since we use hatch, hatch shell gives you an environment with all the dependencies installed. You just need to have hatch installed in the image.

I was actually thinking of making hatch scripts that would wrap around signing and verification CLI so a user would just run the script directly and that would manage the dependencies.

I think it's probably fine to require hatch for development, but we shouldn't expect end users to need to use hatch just to have a CLI.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sounds good. I think we didn't add the CLI scripts to the library, but we'll do once we rewrite them to use the higher level API.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Running pip install . from the projects root directory should also install the project w/ these dependencies.

Hi @di, I tried this. But it fails. So I changed it to python -m pip install model_signing. 🙈

Processing /
  Installing build dependencies: started
  Installing build dependencies: finished with status 'done'
  Getting requirements to build wheel: started
  Getting requirements to build wheel: finished with status 'done'
  Preparing metadata (pyproject.toml): started
  Preparing metadata (pyproject.toml): finished with status 'error'
  error: subprocess-exited-with-error
  
  × Preparing metadata (pyproject.toml) did not run successfully.
  │ exit code: 1
  ╰─> [24 lines of output]
      Traceback (most recent call last):
        File "/usr/local/lib/python3.13/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py", line 353, in <module>
          main()
          ~~~~^^
        File "/usr/local/lib/python3.13/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py", line 335, in main
          json_out['return_val'] = hook(**hook_input['kwargs'])
                                   ~~~~^^^^^^^^^^^^^^^^^^^^^^^^
        File "/usr/local/lib/python3.13/site-packages/pip/_vendor/pyproject_hooks/_in_process/_in_process.py", line 152, in prepare_metadata_for_build_wheel
          whl_basename = backend.build_wheel(metadata_directory, config_settings)
        File "/tmp/pip-build-env-glunuzhs/overlay/lib/python3.13/site-packages/hatchling/build.py", line 58, in build_wheel
          return os.path.basename(next(builder.build(directory=wheel_directory, versions=['standard'])))
                                  ~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
        File "/tmp/pip-build-env-glunuzhs/overlay/lib/python3.13/site-packages/hatchling/builders/plugin/interface.py", line 90, in build
          self.metadata.validate_fields()
          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^
        File "/tmp/pip-build-env-glunuzhs/overlay/lib/python3.13/site-packages/hatchling/metadata/core.py", line 266, in validate_fields
          self.core.validate_fields()
          ~~~~~~~~~~~~~~~~~~~~~~~~~^^
        File "/tmp/pip-build-env-glunuzhs/overlay/lib/python3.13/site-packages/hatchling/metadata/core.py", line 1366, in validate_fields
          getattr(self, attribute)
          ~~~~~~~^^^^^^^^^^^^^^^^^
        File "/tmp/pip-build-env-glunuzhs/overlay/lib/python3.13/site-packages/hatchling/metadata/core.py", line 700, in license
          raise OSError(message)
      OSError: License file does not exist: LICENSE
      [end of output]
  
  note: This error originates from a subprocess, and is likely not a problem with pip.
error: metadata-generation-failed

× Encountered error while generating package metadata.
╰─> See above for output.

note: This is an issue with the package mentioned above, not pip.
hint: See above for details.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is interesting. I'll try to debug this on Monday.


RUN echo '#!/bin/bash\n\
cd "/src" && python sign.py' > /usr/local/bin/sign

RUN echo '#!/bin/bash\n\
cd "/src" && python verify.py' > /usr/local/bin/verify

RUN echo '#!/bin/bash\n\
echo "Usage:"\n\
echo " verify - Runs the verify.py Python script"\n\
echo " sign - Runs the sign.py Python script"\n\
echo " help - Displays this help message"' > /usr/local/bin/help

RUN chmod +x /usr/local/bin/sign /usr/local/bin/verify /usr/local/bin/help

CMD ["help"]