MengnanLi91
diff --git a/‎.env.example‎
Lines changed: 43 additions & 0 deletions b/‎.env.example‎
Lines changed: 43 additions & 0 deletions
diff --git a/‎docker/dev.def‎
Lines changed: 76 additions & 0 deletions b/‎docker/dev.def‎
Lines changed: 76 additions & 0 deletions
diff --git a/‎docker/ngc.def‎
Lines changed: 48 additions & 0 deletions b/‎docker/ngc.def‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎docker/physicsnemo-cpu.def‎
Lines changed: 68 additions & 0 deletions b/‎docker/physicsnemo-cpu.def‎
Lines changed: 68 additions & 0 deletions
diff --git a/‎docs/user/getting_started.md‎
Lines changed: 99 additions & 10 deletions b/‎docs/user/getting_started.md‎
Lines changed: 99 additions & 10 deletions
@@ -0,0 +1,43 @@
+# Copy this file to .env and fill in values for your environment.
+# cp .env.example .env
+
+# ---------------------------------------------------------------------------
+# Apptainer (HPC)
+# ---------------------------------------------------------------------------
+
+# Bind your project data directory into the container.
+# Format: host_path:container_path (use the same path on both sides).
+APPTAINER_BIND=/path/to/project:/path/to/project
+
+# ---------------------------------------------------------------------------
+# Docker Compose
+# ---------------------------------------------------------------------------
+
+# Target platform. Use linux/amd64 on Intel/AMD hosts or to force amd64 on
+# Apple Silicon.
+# DOCKER_PLATFORM=linux/amd64
+
+# Directory containing custom CA certificates (.pem/.crt/.cer).
+# Defaults to ./docker/certs if not set.
+# CA_CERT_DIR=/path/to/certs
+
+# Custom CA certificate encoded as base64 (alternative to CA_CERT_DIR).
+# EXTRA_CA_CERT_B64=
+
+# Skip the full PhysicsNeMo install in the `etl` image (set to 0 to speed up
+# builds when PhysicsNeMo is not needed).
+# INSTALL_PHYSICSNEMO=1
+
+# TLS bypass flags — use only as a last resort when CA cert injection fails.
+# For `etl` (uv-based):
+# UV_ALLOW_INSECURE_HOST_FLAGS=--allow-insecure-host pypi.org --allow-insecure-host files.pythonhosted.org
+# For `etl-dev` and `etl-ngc` (pip-based):
+# PIP_TRUSTED_HOST_FLAGS=--trusted-host pypi.org --trusted-host pypi.python.org --trusted-host files.pythonhosted.org
+
+# ---------------------------------------------------------------------------
+# Proxy (Docker Compose and Apptainer)
+# ---------------------------------------------------------------------------
+
+# HTTP_PROXY=http://proxy.example.com:8080
+# HTTPS_PROXY=http://proxy.example.com:8080
+# NO_PROXY=localhost,127.0.0.1
@@ -0,0 +1,76 @@
+Bootstrap: docker
+From: python:3.11-slim
+
+%files
+    physicsnemo-curator /workspace/physicsnemo-curator
+    docker/certs/ /tmp/certs/
+
+%environment
+    export DEBIAN_FRONTEND=noninteractive
+    export PYTHONDONTWRITEBYTECODE=1
+    export PYTHONUNBUFFERED=1
+    export SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.pem
+    export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.pem
+    export PIP_CERT=/etc/ssl/certs/ca-bundle.pem
+
+%post
+    apt-get update && apt-get install -y --no-install-recommends \
+        ca-certificates \
+        openssl \
+        build-essential \
+        && rm -rf /var/lib/apt/lists/*
+
+    # Handle custom CA certs with validation
+    mkdir -p /usr/local/share/ca-certificates/custom
+    found=0
+    idx=0
+    for cert_file in /tmp/certs/*; do
+        [ -e "${cert_file}" ] || continue
+        case "${cert_file}" in
+            *.pem|*.crt|*.cer)
+                if ! openssl x509 -in "${cert_file}" -noout >/dev/null 2>&1; then
+                    echo "WARN: ${cert_file} is not a valid X.509 certificate; skipping." >&2
+                    continue
+                fi
+                if ! openssl x509 -in "${cert_file}" -noout -text | grep -q "CA:TRUE"; then
+                    echo "WARN: ${cert_file} is not a CA certificate (CA:TRUE missing); skipping." >&2
+                    continue
+                fi
+                idx=$((idx+1))
+                cp "${cert_file}" "/usr/local/share/ca-certificates/custom/custom-${idx}.crt"
+                found=1 ;;
+        esac
+    done
+    if [ "${found}" -eq 0 ]; then
+        echo "No custom CA files found under /tmp/certs (supported: .pem/.crt/.cer)."
+    fi
+    update-ca-certificates
+    cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-bundle.pem
+    rm -rf /tmp/certs /usr/local/share/ca-certificates/custom
+
+    # Set env vars for install step
+    export SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.pem
+    export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.pem
+    export PIP_CERT=/etc/ssl/certs/ca-bundle.pem
+
+    # ETL dependencies only — no PhysicsNeMo, no PyTorch, no vtk/pyvista
+    pip install --no-cache-dir \
+        --cert /etc/ssl/certs/ca-bundle.pem \
+        "numpy>=1.26.4" \
+        "scipy" \
+        "netCDF4" \
+        "zarr>=3.1.2" \
+        "numcodecs>=0.13.1" \
+        "hydra-core>=1.3" \
+        "omegaconf>=2.3" \
+        "tqdm>=4.67.1" \
+        "pytest>=9.0"
+
+    # physicsnemo-curator with --no-deps to skip heavy optional deps
+    pip install --no-cache-dir \
+        --cert /etc/ssl/certs/ca-bundle.pem \
+        --no-deps \
+        -e /workspace/physicsnemo-curator
+
+%runscript
+    exec bash "$@"
@@ -0,0 +1,48 @@
+Bootstrap: docker
+From: nvcr.io/nvidia/physicsnemo/physicsnemo:25.11
+
+%files
+    physicsnemo-curator /workspace/physicsnemo-curator
+    docker/certs/ /tmp/certs/
+
+%environment
+    export PYTHONDONTWRITEBYTECODE=1
+    export PYTHONUNBUFFERED=1
+    export SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.pem
+    export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.pem
+    export NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-bundle.pem
+
+%post
+    # Handle custom CA certs
+    cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-bundle.pem 2>/dev/null || true
+    found=0
+    for cert_file in /tmp/certs/*; do
+        [ -e "${cert_file}" ] || continue
+        case "${cert_file}" in
+            *.pem|*.crt|*.cer)
+                cat "${cert_file}" >> /etc/ssl/certs/ca-bundle.pem
+                found=1 ;;
+        esac
+    done
+    if [ "${found}" -eq 0 ]; then
+        echo "No custom CA files found under /tmp/certs (supported: .pem/.crt/.cer)"
+    fi
+    rm -rf /tmp/certs
+
+    # Set env vars for install step
+    export SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.pem
+    export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.pem
+
+    # PhysicsNeMo, PyTorch, hydra-core, omegaconf, zarr, scipy are pre-installed
+    pip install --no-cache-dir \
+        --cert /etc/ssl/certs/ca-bundle.pem \
+        netCDF4 \
+        "optuna>=4.0" \
+        "pytest>=9.0"
+
+    pip install --no-cache-dir \
+        --cert /etc/ssl/certs/ca-bundle.pem \
+        -e /workspace/physicsnemo-curator
+
+%runscript
+    exec bash "$@"
@@ -0,0 +1,68 @@
+Bootstrap: docker
+From: python:3.11-slim
+
+%files
+    physicsnemo-curator /workspace/physicsnemo-curator
+    docker/certs/ /tmp/certs/
+
+%environment
+    export DEBIAN_FRONTEND=noninteractive
+    export UV_SYSTEM_PYTHON=1
+    export UV_BREAK_SYSTEM_PACKAGES=1
+    export PYTHONDONTWRITEBYTECODE=1
+    export PYTHONUNBUFFERED=1
+    export SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.pem
+    export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.pem
+    export NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-bundle.pem
+
+%post
+    apt-get update && apt-get install -y --no-install-recommends \
+        ca-certificates \
+        curl \
+        git \
+        build-essential \
+        libgl1 \
+        libglib2.0-0 \
+        && rm -rf /var/lib/apt/lists/*
+
+    # Install uv
+    curl -fsSL https://astral.sh/uv/0.10.3/install.sh | sh
+    cp /root/.local/bin/uv /usr/local/bin/uv
+    cp /root/.local/bin/uvx /usr/local/bin/uvx
+
+    # Handle custom CA certs
+    cp /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-bundle.pem 2>/dev/null || true
+    found=0
+    for cert_file in /tmp/certs/*; do
+        [ -e "${cert_file}" ] || continue
+        case "${cert_file}" in
+            *.pem|*.crt|*.cer)
+                cat "${cert_file}" >> /etc/ssl/certs/ca-bundle.pem
+                found=1 ;;
+        esac
+    done
+    if [ "${found}" -eq 0 ]; then
+        echo "No custom CA files found under /tmp/certs (supported: .pem/.crt/.cer)"
+    fi
+    rm -rf /tmp/certs
+
+    # Set env vars for the install step
+    export SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.pem
+    export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-bundle.pem
+    export UV_SYSTEM_PYTHON=1
+    export UV_BREAK_SYSTEM_PACKAGES=1
+
+    # Install PhysicsNeMo and dependencies
+    uv --native-tls pip install --system "nvidia-physicsnemo"
+    uv --native-tls pip install --system \
+        "hydra-core>=1.3" \
+        "omegaconf>=2.3" \
+        "optuna>=4.0" \
+        "netCDF4" \
+        "scipy" \
+        "zarr" \
+        "pytest>=9.0"
+    uv --native-tls pip install --system -e /workspace/physicsnemo-curator
+
+%runscript
+    exec bash "$@"
@@ -1,6 +1,7 @@
 # Getting Started
 
-This guide covers day-to-day usage with Docker Compose:
+This guide covers day-to-day usage with Docker Compose or Apptainer (for HPC
+systems where Docker is unavailable):
 
 - setting up and running the ETL
 - choosing the right container image
@@ -9,24 +10,48 @@ This guide covers day-to-day usage with Docker Compose:
 
 ## Prerequisites
 
-- Docker Desktop (or Docker Engine + Compose v2)
+- Docker Desktop (or Docker Engine + Compose v2) **or** Apptainer (HPC)
 - Git submodules initialized:
 
 ```bash
 git submodule update --init --recursive
 ```
 
-## Choose a Docker service
+## Environment variables
 
-| Service | Dockerfile | Base | Approx. size | Best for |
-|---|---|---|---|---|
-| `etl-dev` | `docker/Dockerfile.dev` | `python:3.11-slim` | ~300 MB | Fast ETL iteration (no PhysicsNeMo/PyTorch) |
-| `etl` | `docker/Dockerfile.physicsnemo-cpu` | `python:3.11-slim` | ~1 GB | Full CPU stack from PyPI |
-| `etl-ngc` | `docker/Dockerfile.ngc` | `nvcr.io/nvidia/physicsnemo/physicsnemo:25.11` | ~13 GB | NVIDIA pre-tested stack |
+Copy `.env.example` to `.env` and fill in values for your environment:
 
-All services run on Apple Silicon (`arm64`) and Intel (`amd64`) without a GPU.
+```bash
+cp .env.example .env
+```
+
+Key variables:
+
+| Variable | Used by | Description |
+|---|---|---|
+| `APPTAINER_BIND` | Apptainer | Default bind mounts (e.g. `/path/to/project:/path/to/project`) |
+| `DOCKER_PLATFORM` | Docker Compose | Force `linux/amd64` on Apple Silicon |
+| `CA_CERT_DIR` | Docker Compose | Path to directory with custom CA certs |
+| `EXTRA_CA_CERT_B64` | Docker Compose | Base64-encoded CA cert (alternative to `CA_CERT_DIR`) |
+| `INSTALL_PHYSICSNEMO` | Docker Compose (`etl`) | Set to `0` to skip PhysicsNeMo install |
+| `UV_ALLOW_INSECURE_HOST_FLAGS` | Docker Compose (`etl`) | TLS bypass for uv |
+| `PIP_TRUSTED_HOST_FLAGS` | Docker Compose (`etl-dev`, `etl-ngc`) | TLS bypass for pip |
+| `HTTP_PROXY` / `HTTPS_PROXY` / `NO_PROXY` | Both | Corporate proxy settings |
+
+Docker Compose reads `.env` automatically. For Apptainer, see the source step
+in the [Apptainer section](#build-and-run-with-apptainer-hpc) below.
 
-## Build and run
+## Choose a container image
+
+| Service | Dockerfile | Apptainer def | Base | Approx. size | Best for |
+|---|---|---|---|---|---|
+| `etl-dev` | `docker/Dockerfile.dev` | `docker/dev.def` | `python:3.11-slim` | ~300 MB | Fast ETL iteration (no PhysicsNeMo/PyTorch) |
+| `etl` | `docker/Dockerfile.physicsnemo-cpu` | `docker/physicsnemo-cpu.def` | `python:3.11-slim` | ~1 GB | Full CPU stack from PyPI |
+| `etl-ngc` | `docker/Dockerfile.ngc` | `docker/ngc.def` | `nvcr.io/nvidia/physicsnemo/physicsnemo:25.11` | ~13 GB | NVIDIA pre-tested stack |
+
+All images run on Apple Silicon (`arm64`) and Intel (`amd64`) without a GPU.
+
+## Build and run with Docker Compose
 
 ### Option A: direct run from host terminal
 
@@ -37,6 +62,70 @@ docker compose run --rm etl-dev bash -lc 'cd src && python run_etl.py --config-n
 
 Replace `etl-dev` with `etl` or `etl-ngc` if needed.
 
+## Build and run with Apptainer (HPC)
+
+Use Apptainer on HPC systems where Docker is not available (e.g., INL ROD).
+
+### Step 1: Source environment variables
+
+Apptainer does not read `.env` automatically. Source it before every session:
+
+```bash
+set -a && source .env && set +a
+```
+
+This loads `APPTAINER_BIND` and any proxy settings into your shell so subsequent
+`apptainer` commands pick them up without needing `--bind` flags.
+
+### Step 2: Build a SIF image
+
+```bash
+# Minimal dev image (ETL only, ~300 MB)
+apptainer build th-holo-dev.sif docker/dev.def
+
+# Full CPU image with PhysicsNeMo (~1 GB)
+apptainer build th-holo-cpu.sif docker/physicsnemo-cpu.def
+
+# NGC image with GPU support (~13 GB)
+apptainer build th-holo-ngc.sif docker/ngc.def
+```
+
+### Step 3: Run with project folder bound
+
+Bind your project directory so the container can read inputs and write outputs:
+
+```bash
+apptainer run \
+  --bind /path/to/project:/path/to/project \
+  th-holo-cpu.sif
+```
+
+Your `$HOME` directory is auto-bound by Apptainer, so files under `$HOME` are
+always accessible without an explicit `--bind`.
+
+### Run a script directly
+
+```bash
+apptainer exec \
+  --bind /path/to/project:/path/to/project \
+  th-holo-cpu.sif \
+  bash -c 'cd /path/to/src && python run_etl.py --config-name lid_driven'
+```
+
+### Set a default bind (optional)
+
+To avoid typing `--bind` every time, export it in your shell profile:
+
+```bash
+export APPTAINER_BIND="/path/to/project:/path/to/project"
+```
+
+Then run without `--bind`:
+
+```bash
+apptainer run th-holo-cpu.sif
+```
+
 The `lid_driven` config is defined in `src/moose_etl/config/lid_driven.yaml`:
 
 ```yaml