Skip to content

Commit 6b145dd

Browse files
tellieretelliere
committed
applying precommit recommandations
1 parent ec3c2a2 commit 6b145dd

33 files changed

+474
-358
lines changed

.github/workflows/build-container-prep-image.yml

+3-3
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ jobs:
1313
steps:
1414
- uses: actions/checkout@v4
1515
with:
16-
lfs: 'true'
16+
lfs: "true"
1717

1818
- name: Build image
1919
run: git lfs pull ; docker build . -f ./client/container_preparation/Dockerfile -t $IMAGE_NAME --label "runnumber=${GITHUB_RUN_ID}"
@@ -33,10 +33,10 @@ jobs:
3333
3434
# This strips the "v" prefix from the tag name.
3535
[[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
36-
36+
3737
# This uses the Docker `latest` tag convention.
3838
[ "$VERSION" == "main" ] && VERSION=latest
3939
echo IMAGE_ID=$IMAGE_ID
4040
echo VERSION=$VERSION
4141
docker tag $IMAGE_NAME $IMAGE_ID:$VERSION
42-
docker push $IMAGE_ID:$VERSION
42+
docker push $IMAGE_ID:$VERSION

.github/workflows/build-data-prep-image.yml

+3-3
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ jobs:
1313
steps:
1414
- uses: actions/checkout@v4
1515
with:
16-
lfs: 'true'
16+
lfs: "true"
1717

1818
- name: Build image
1919
run: git lfs pull ; docker build . -f ./client/data_preparation/Dockerfile -t $IMAGE_NAME --label "runnumber=${GITHUB_RUN_ID}"
@@ -33,10 +33,10 @@ jobs:
3333
3434
# This strips the "v" prefix from the tag name.
3535
[[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
36-
36+
3737
# This uses the Docker `latest` tag convention.
3838
[ "$VERSION" == "main" ] && VERSION=latest
3939
echo IMAGE_ID=$IMAGE_ID
4040
echo VERSION=$VERSION
4141
docker tag $IMAGE_NAME $IMAGE_ID:$VERSION
42-
docker push $IMAGE_ID:$VERSION
42+
docker push $IMAGE_ID:$VERSION

.github/workflows/build-job-prep-image.yml

+3-3
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ jobs:
1313
steps:
1414
- uses: actions/checkout@v4
1515
with:
16-
lfs: 'true'
16+
lfs: "true"
1717

1818
- name: Build image
1919
run: git lfs pull ; docker build . -f ./client/job_preparation/Dockerfile -t $IMAGE_NAME --label "runnumber=${GITHUB_RUN_ID}"
@@ -33,10 +33,10 @@ jobs:
3333
3434
# This strips the "v" prefix from the tag name.
3535
[[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
36-
36+
3737
# This uses the Docker `latest` tag convention.
3838
[ "$VERSION" == "main" ] && VERSION=latest
3939
echo IMAGE_ID=$IMAGE_ID
4040
echo VERSION=$VERSION
4141
docker tag $IMAGE_NAME $IMAGE_ID:$VERSION
42-
docker push $IMAGE_ID:$VERSION
42+
docker push $IMAGE_ID:$VERSION

.github/workflows/build-server-image.yml

+3-3
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ jobs:
1313
steps:
1414
- uses: actions/checkout@v4
1515
with:
16-
lfs: 'true'
16+
lfs: "true"
1717

1818
- name: Build image
1919
run: git lfs pull ; docker build . -f ./server/Dockerfile -t $IMAGE_NAME --label "runnumber=${GITHUB_RUN_ID}"
@@ -33,10 +33,10 @@ jobs:
3333
3434
# This strips the "v" prefix from the tag name.
3535
[[ "${{ github.ref }}" == "refs/tags/"* ]] && VERSION=$(echo $VERSION | sed -e 's/^v//')
36-
36+
3737
# This uses the Docker `latest` tag convention.
3838
[ "$VERSION" == "main" ] && VERSION=latest
3939
echo IMAGE_ID=$IMAGE_ID
4040
echo VERSION=$VERSION
4141
docker tag $IMAGE_NAME $IMAGE_ID:$VERSION
42-
docker push $IMAGE_ID:$VERSION
42+
docker push $IMAGE_ID:$VERSION

.pre-commit-config.yaml

+27-28
Original file line numberDiff line numberDiff line change
@@ -1,35 +1,34 @@
11
repos:
2-
# Base repo
3-
- repo: https://github.com/pre-commit/pre-commit-hooks
4-
rev: v3.2.0
2+
# Base repo
3+
- repo: https://github.com/pre-commit/pre-commit-hooks
4+
rev: v4.5.0
55
hooks:
6-
- id: trailing-whitespace
7-
- id: end-of-file-fixer
8-
- id: check-yaml
9-
- id: check-added-large-files
6+
- id: trailing-whitespace
7+
- id: end-of-file-fixer
8+
- id: check-yaml
9+
- id: check-added-large-files
1010

11-
# Code formatting using Black (python)
12-
- repo: https://github.com/psf/black
13-
rev: 24.2.0
11+
# Code formatting using Black (python)
12+
- repo: https://github.com/psf/black
13+
rev: 24.3.0
1414
hooks:
15-
- id: black
15+
- id: black
1616

17-
# Dockerfile lint
18-
- repo: https://github.com/pryorda/dockerfilelint-precommit-hooks
19-
rev: v0.1.0
20-
hooks:
21-
- id: dockerfilelint
22-
stages: [commit]
17+
# Dockerfile lint
18+
- repo: https://github.com/hadolint/hadolint
19+
rev: v2.12.1-beta
20+
hooks:
21+
- id: hadolint
2322

24-
# Code formatting using beautysh (bash)
25-
- repo: https://github.com/lovesegfault/beautysh
26-
rev: v6.2.1
27-
hooks:
28-
- id: beautysh
23+
# Code formatting using beautysh (bash)
24+
- repo: https://github.com/scop/pre-commit-shfmt
25+
rev: v3.8.0-1
26+
hooks:
27+
- id: shfmt
2928

30-
# Markdown lint
31-
- repo: https://github.com/igorshubovych/markdownlint-cli
32-
rev: v0.39.0
33-
hooks:
34-
- id: markdownlint
35-
29+
# Markdown lint
30+
- repo: https://github.com/pre-commit/mirrors-prettier
31+
rev: v4.0.0-alpha.8
32+
hooks:
33+
- id: prettier
34+
files: \.(js|ts|jsx|tsx|css|less|html|json|markdown|md|yaml|yml)$

LICENSE

+1-1
Original file line numberDiff line numberDiff line change
@@ -18,4 +18,4 @@ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
1818
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
1919
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
2020
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21-
SOFTWARE.
21+
SOFTWARE.

README.md

+1
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,7 @@
33
## Main goal
44

55
This partnership project involving CSC and Hewlett Packard Enterprise aims to enable HPC users to run secured jobs. It provides tools to enable anyone running secured jobs with encrypted data and specific confidential containers on a supercomputing site, leveraging (non exhaustively) :
6+
67
- [SPIFFE/SPIRE](https://github.com/spiffe/spire)
78
- [Hashicorp Vault](https://github.com/hashicorp/vault)
89
- [Singularity / Apptainer encryption](https://github.com/apptainer/apptainer)

client/container_preparation/Dockerfile

+24-24
Original file line numberDiff line numberDiff line change
@@ -1,39 +1,39 @@
11
# Using Python original Docker image
2-
FROM --platform=linux/amd64 python:3.9-alpine
3-
4-
# Install necessary packages
5-
RUN apk add \
6-
git \
7-
curl \
8-
jq \
9-
build-base \
10-
libffi-dev
11-
12-
RUN curl https://sh.rustup.rs -sSf -o rustup.sh ; chmod +x rustup.sh ; ./rustup.sh -y
2+
ARG BUILDPLATFORM=linux/amd64
3+
FROM --platform=$BUILDPLATFORM python:3.9-alpine
4+
5+
# Install necessary packages, spire-agent and rust
6+
RUN apk add --no-cache \
7+
git=2.43.0-r0 \
8+
curl=8.5.0-r0 \
9+
jq=1.7.1-r0 \
10+
build-base=0.5-r3 \
11+
libffi-dev=3.4.4-r3 && \
12+
curl -o spire-1.9.0-linux-amd64-musl.tar.gz https://github.com/spiffe/spire/releases/download/v1.9.0/spire-1.9.0-linux-amd64-musl.tar.gz && \
13+
tar xvf spire-1.9.0-linux-amd64-musl.tar.gz ; mv spire-1.9.0 /opt ; mv /opt/spire-1.9.0 /opt/spire && \
14+
ln -s /opt/spire/bin/spire-agent /usr/bin/spire-agent && \
15+
ln -s /opt/spire/bin/spire-server /usr/bin/spire-server && \
16+
rm -rf spire-1.9.0-linux-amd64-musl.tar.gz && \
17+
curl https://sh.rustup.rs -sSf -o rustup.sh ; chmod +x rustup.sh ; ./rustup.sh -y
18+
19+
# Add rust binaries to PATH
1320
ENV PATH="$PATH:/root/.cargo/bin"
1421

15-
# Install spire-agent
16-
RUN wget -q https://github.com/spiffe/spire/releases/download/v1.9.1/spire-1.9.1-linux-amd64-musl.tar.gz
17-
RUN tar xvf spire-1.9.1-linux-amd64-musl.tar.gz ; mv spire-1.9.1 /opt ; mv /opt/spire-1.9.1 /opt/spire
18-
RUN ln -s /opt/spire/bin/spire-agent /usr/bin/spire-agent
19-
20-
# Install pyspiffe package
21-
RUN pip install git+https://github.com/HewlettPackard/py-spiffe.git@3640af9d6629c05e027f99010abc934cb74122a8
22-
2322
# Create code directory, output directory
24-
RUN mkdir /container_preparation /output ; chmod -R 777 /output
23+
RUN mkdir /container_preparation /output
2524

2625
# Copy useful data from the project
2726
COPY ./client/container_preparation /container_preparation
2827

28+
# Set workdir
29+
WORKDIR /container_preparation
30+
2931
# Install dependencies
30-
RUN cd /container_preparation && pip install -r ./requirements.txt
32+
RUN pip install --no-cache-dir -r ./requirements.txt && \
33+
pip install --no-cache-dir git+https://github.com/HewlettPackard/py-spiffe.git@3640af9d6629c05e027f99010abc934cb74122a8
3134

3235
# Copy utils for SPIFFEID creation ...
3336
COPY ./utils /container_preparation/utils
3437

35-
# Set workdir
36-
WORKDIR /container_preparation
37-
3838
# Set entrypoint
3939
ENTRYPOINT [ "./entrypoint.sh" ]

client/container_preparation/README.md

+5-3
Original file line numberDiff line numberDiff line change
@@ -1,18 +1,20 @@
11
# Introduction
2+
23
This directory contains code which prepares existing OCI images to be used on LUMI in a secure way.
34
The code adds layers to handle encryption and encrypts the resulting apptainer (singularity) image itself.
45

56
## Current state
67

78
Currently, the container_preparation.py script is able to run most of the needed tasks
9+
810
- Create a new receipe (Dockerfile) prepared for secure workloads
911
- Build the new image
1012
- Build an apptainer image based on the just built one
11-
- Unencrypted
12-
- But unfortunately not encrypted for the moment
13-
13+
- Unencrypted
14+
- But unfortunately not encrypted for the moment
1415

1516
What is missing :
17+
1618
- Encryption of the container
1719
- Crypt binary inside of the resulting container and the logic needed to encrypt ouput data before leaving the container
1820
- Documentation (global) - Explanation of how it works, what is needed ...

0 commit comments

Comments
 (0)