This repository handles all the images for Serve. The pipeline for an image goes as follows:
- Build image
- Scan for security issues
- If secure, run tests to make sure that the image works as expected
- If passed, push the image to GHCR
- Run scheduled security scans of the version of the image that is used in production by Serve. This Trivy worklow must be maintained with the current list of images.
So for instance, our torchserve image is build like this
- Pull torchserve:latest, update system and some python versions, build image
- Scan for security issues
- Run tests
- Push to GHCR
We use Trivy for security scans, black for python formatting and hadolint for linting of dockerfiles.
In this repo, we work Trunk based, which means that we bypass the dev branch.
serve-images
│ README.md
│ .gitignore
| .github/workflows
| ...
|
└───dev_scripts
| | run_<image-name>.sh
|
└───image1
│ │ Dockerfile
│ │ run_script.sh
│ │
│ └───tests
│ │ test_files/
│ │ test_script.py
| | Dockerfile.test
│ │ requirements.txt
│ │ ...
│
└───image2
│ │ Dockerfile
│ │ run_script.sh
│ │
│ └───tests
| | ...
Scripts has been created to ease the processes of building and testing the image. These are found in dev_scripts and can be run like this:
$ chmod +x ./dev_scripts/run_jupyterlab.sh
$ ./dev_scripts/run_jupyterlab.sh
$ chmod +x ./dev_scripts/run_mlflow.sh
$ ./dev_scripts/run_mlflow.sh
$ chmod +x ./dev_scripts/run_rstudio.sh
$ ./dev_scripts/run_rstudio.sh
$ chmod +x ./dev_scripts/run_torchserve.sh
$ ./dev_scripts/run_torchserve.sh
In case of error messages such as
Got permission denied while trying to connect to the Docker daemon socket.
or
docker.errors.DockerException: Error while fetching server API version: ('Connection aborted.', PermissionError(13, 'Permission denied'))
Run docker as a non-root user.
See https://docs.docker.com/engine/install/linux-postinstall/
Do not forget to switch to the docker group in every new terminal.
newgrp docker