Build Alma9 base images for WMCore services, specifically MSUnmerged#1604
Build Alma9 base images for WMCore services, specifically MSUnmerged#1604d-ylee wants to merge 6 commits into
Conversation
mapellidario
left a comment
There was a problem hiding this comment.
I suggest a couple of name changes to improve a bit the clarity of our setup:
- move
docker/pypi/dmwm-base/Dockerfile.alma9todocker/pypi/dmwm-alma9-base/Dockerfile- i really do not like to have completely different images (debian-based and alma9-based) to be differentiated only by a tag. the image name should be different, so i suggest that we create a new directory/docker image, not simply a new dockerfile for new tags of an already existing image.
- move
docker/pypi/msunmerged/Dockerfile.alma9todocker/pypi/msunmerged/Dockerfile- be bold! the current
docker/pypi/msunmerged/Dockerfileshould go away. we can keep it around with a.cc7suffix for the time being, but we should make an effort to make sure that the new file used gets the shinyDockerfilefilename.
- be bold! the current
then, as a bonus, we could also
- deprecate
docker/pypi/alma-base
what do you think? :)
|
@d-ylee That sounds good. The error I got regarding importing It was due to the older |
|
Here are the tags on harbor I'm using for the images. I specified the os version and python version in the tag names: registry.cern.ch/cmsweb/cmsweb-alma9-base:20250506 |
Renamed Dockerfiles Separated dmwm-alma9-base Removed alma-base Renamed current msunmerged Dockerfile to Dockerfile.cc7 Set alma9 based msunmerged to Dockerfile
mapellidario
left a comment
There was a problem hiding this comment.
thanks for the changes! they are good to me :)
|
Thanks to @amaltaro for creating a new RC with changes by @mapellidario , I created a new msunmerged image: |
Added grid certificates from egi repo Update dmwm-alma9-base to use updated cmsweb-alma9-base Added boost and gfal build image for alma9 and python 3.12 Copy built boost and gfal for msunmerged image Refactored msunmerged Dockerfile steps to better use build cache on rebuilds Removed rotatelogs references
|
@amaltaro @mapellidario I added a new Dockerfile.alma9 under Additionally, since the new Alma9 images do not have These are the current image tags I have made to make these work:
I currently am using the tl;dr
|
amaltaro
left a comment
There was a problem hiding this comment.
Thank you for providing all these changes, @d-ylee . I left a few comments/questions along the code, some only for my own education.
Instead of building gfal2 ourselves, I am considering to reach out to the gfal2 developers to see if they have any suggestion on the gfal2-python package.
Let me tag @belforte as well, as he might have some insights on the GFAL2 package.
| @@ -0,0 +1,23 @@ | |||
| FROM cern/alma9-base:latest | |||
There was a problem hiding this comment.
This looks a clean base image. I would suggest discussing this with Aroosha to see if there is anything that we can reuse from different images, or if CMSWEB could actually adopt this image as base for other services.
There was a problem hiding this comment.
Alan,
I would recommend against adopting pypi/alma-base as the base image for other services for several reasons:
-
Lack of Generality: A base image should be minimal and serve as a common foundation for all services, regardless of the programming language or specific team requirements. alma-base is tailored to the needs of the WM group and includes packages such as
curl-minimal, libcurl-minimal, vim, python3-pycurl, pip, sudo, and less. These are not broadly applicable—for example,Pythonis irrelevant for Go-based applications, and tools likevimare unnecessary unless one intends to log into containers for interactive editing, which we generally discourage. -
On-Demand Tooling: Tools like
vimorcurlshould be installed on demand within a pod when needed for debugging or maintenance. This can be done easily using standard package managers (yum, dnf, apt-get, etc.). This approach keeps the base image lean and reduces the surface area for potential vulnerabilities, while still allowing flexibility for developers. Once debugging or inspection is complete, the pod should be terminated and allowed to restart in a clean state, in line with the stateless nature of Kubernetes workloads. -
Security implications: Each package added to a base image introduces additional dependencies and potential vulnerabilities. If a service does not require these tools, including them unnecessarily increases risk and image size without clear benefit.
While the alma-base image may be appropriate for the WM group's specific needs, I would suggest that we not promote it as the standard base for all services.
As a side note, the only consistently shared requirement across our services appears to be access to CA certificates. However, the CMSWEB team has recently transitioned to retrieving these from Kubernetes nodes, now that CERN IT provides them via cluster configuration. This might even allow us to remove them from the CMSWEB base image in the future, though that's a separate discussion.
There was a problem hiding this comment.
Yes, I agree with basically everything that you said.
I think the base image needs to provide requirements that we have for CERN-related systems only (mostly CAs as you pointed out). Nonetheless, if this one is still more inflated than it needs, it is already progress compared to the CC7 base image that many of the services still rely on.
| CERN-CA-certs ca-certificates dummy-ca-certs ca-policy-lcg ca-policy-egi-core \ | ||
| ca_EG-GRID ca_CERN-GridCA ca_CERN-LCG-IOTA-CA ca_CERN-Root-2 \ | ||
| && yum install -y --nogpgcheck wlcg-voms-cms && yum clean all && rm -rf /var/cache/yum && ln -s /bin/bash /usr/bin/bashs && echo "32 */6 * * * root ! /usr/sbin/fetch-crl -q -r 360" > /etc/cron.d/fetch-crl-docker | ||
| ca_EG-GRID ca_CERN-GridCA ca_CERN-LCG-IOTA-CA ca_CERN-Root-2 && \ |
There was a problem hiding this comment.
How about installing these in the cmsweb-alma9-base image and stop using this base image in our Dockerfiles (or, at least in our MSUnmerged dockerfile)?
There was a problem hiding this comment.
beware that CA certificates may change. Unless you plan to rebuild often, picking the latest yum, there's a danger. CMSWEB folks have a way to keep them update on the pod hosts, you should pick the certs from there.
There was a problem hiding this comment.
i agree, with the new py312 images we confirmed that we can reliably load the certificates / CAs / CRLs / vomses from the k8s hosts, there is no need to install these packages inside the docker images
| RUN git clone --branch v1.13.0 https://github.com/cern-fts/gfal2-python.git | ||
|
|
||
| WORKDIR /tmp/gfal2-python | ||
| RUN ./ci/fedora-packages.sh |
There was a problem hiding this comment.
Perhaps add a brief comment here to say what this script is supposed to do.
| RUN python -m venv .venv | ||
| ENV PATH="$WDIR/.venv/bin:$PATH" | ||
|
|
||
| RUN .venv/bin/pip install -v gfal2-python |
There was a problem hiding this comment.
Is this command actually pulling the gfal2-python package that was built in the lines above? Or is it pulling this package from the PyPi registry?
| RUN cat requirements.txt | grep -v gfal2 > req.txt | ||
| RUN pip install -r req.txt | ||
| RUN pip install --no-deps msunmerged==$TAG | ||
| RUN cat requirements.txt | grep dbs3-client > req.txt |
There was a problem hiding this comment.
I don't think we need dbs3-client in this image, so I would suggest to completely remove this line grepping for it.
About L17 above, didn't you fix that FIXME message in the line below?
| ENV PATH="$WDIR/.venv/bin:$PATH" | ||
|
|
||
| # patch dmwm/WMCore https://github.com/dmwm/WMCore/pull/11955 | ||
| ADD 11955.patch $WDIR/11955.patch |
There was a problem hiding this comment.
We cannot forget to remove this patch before merging this in.
| @@ -0,0 +1,23 @@ | |||
| FROM registry.cern.ch/cmsweb/dmwm-base:alma9-py3.12-20250515 | |||
|
|
|||
| WORKDIR /tmp | |||
There was a problem hiding this comment.
I am inclined to say that we could rename this dockerfile as:
- the current debian/conda based to be named as Dockerfile.debian
- and this file to Dockerfile
What do you think?
|
thanks for tagging me Alan. But I am afraid that have no knowledge about gfal2-python nor did ever use it. Asking Mihai is surely always good. |
|
@d-ylee , I recommend running a vulnerability scanner such as Trivy, which is also used by the CERN container registry, to compare the number of vulnerabilities in the updated images (reflecting your proposed changes) against the current ones. As we make changes to our Docker images, we should aim to minimize vulnerabilities as much as possible. |
mapellidario
left a comment
There was a problem hiding this comment.
Thanks Dennis! I agree with the recipe to install gfal in docker/pypi/gfal/Dockerfile.alma9 (that we can also rename, this will be the production image, no need for any suffix), it's the same one i explored when trying to install it in the debian image.
I left a few comments along the code. I think we do not need to add the CAs / CRLs / vomses inside our images, everything should come from the k8s hosts, and i already changed the manifests for msunmerged as well in my PR [1]
| CERN-CA-certs ca-certificates dummy-ca-certs ca-policy-lcg ca-policy-egi-core \ | ||
| ca_EG-GRID ca_CERN-GridCA ca_CERN-LCG-IOTA-CA ca_CERN-Root-2 \ | ||
| && yum install -y --nogpgcheck wlcg-voms-cms && yum clean all && rm -rf /var/cache/yum && ln -s /bin/bash /usr/bin/bashs && echo "32 */6 * * * root ! /usr/sbin/fetch-crl -q -r 360" > /etc/cron.d/fetch-crl-docker | ||
| ca_EG-GRID ca_CERN-GridCA ca_CERN-LCG-IOTA-CA ca_CERN-Root-2 && \ |
There was a problem hiding this comment.
i agree, with the new py312 images we confirmed that we can reliably load the certificates / CAs / CRLs / vomses from the k8s hosts, there is no need to install these packages inside the docker images
| # Install EPEL repository (required for voms, fetch-crl and CA-related packages) | ||
| RUN dnf -y install epel-release && dnf -y upgrade && \ | ||
| dnf install -y http://linuxsoft.cern.ch/wlcg/el9/x86_64/wlcg-repo-1.0.0-1.el9.noarch.rpm && \ | ||
| dnf clean all | ||
|
|
||
| ADD http://repository.egi.eu/sw/production/cas/1/current/repo-files/egi-trustanchors.repo /etc/yum.repos.d/egi.repo | ||
|
|
||
| # Upgrade packages from the base image and install CMSWEB required packages | ||
| RUN dnf -y install fetch-crl cronie cern-get-certificate CERN-CA-certs ca-certificates \ | ||
| dummy-ca-certs ca-policy-lcg ca-policy-egi-core \ | ||
| ca_CERN-GridCA ca_CERN-Root-2 \ | ||
| wlcg-voms-cms && \ | ||
| dnf clean all && \ | ||
| echo "32 */6 * * * root ! /usr/sbin/fetch-crl -q -r 360" > /etc/cron.d/fetch-crl-docker |
There was a problem hiding this comment.
I am not sure we really need these anymore, all of these things should come from the k8s hosts
| RUN dnf -y upgrade && \ | ||
| dnf -y install --skip-broken curl libcurl && \ | ||
| dnf -y install sudo vim less procps && \ | ||
| dnf -y install python3.12 python3.12-pip python3-pycurl pip && \ |
There was a problem hiding this comment.
i would remove python3-pycurl from this list. it's not for python3.12, and we already install pycurl from requirements.txt
https://github.com/dmwm/WMCore/blob/ecf8b2e0a934145f60df7c52647f0cb4d4f1671f/requirements.txt#L34
| COPY --from=cmsweb-base /etc/grid-security/certificates /etc/grid-security/certificates | ||
| COPY --from=cmsweb-base /etc/grid-security/vomsdir /etc/grid-security/vomsdir |
There was a problem hiding this comment.
again, i would remove these two lines :)
|
@d-ylee I suspect this PR is no longer relevant. If you can confirm this, shall we close this out? |
|
Yes, I think we can close this with the merging of #1627 |
|
Thank you Dennis. Closing this out. |
fixes #11922
extends #1452
Images Added