Dockerfile_k8s

# Ubuntu 22.04 to match the GPU image's base (nvidia/cuda:*-ubuntu22.04 is
# layered on top of ubuntu:22.04).
FROM ubuntu:22.04

# Detect architecture using ARG with default value
ARG TARGETARCH
ARG DEBIAN_FRONTEND=noninteractive

# Install ssh and other local dependencies.
# FUSE setup mirrors sky/templates/kubernetes-ray.yml.j2:825-832 — install
# fuse (FUSE 2) in the main batch, then fuse3 in a separate apt-get call.
# fuse and fuse3 cannot be installed together (fuse3 Breaks: fuse — both ship
# /usr/bin/fusermount), but in two steps apt resolves the conflict by removing
# the `fuse` package while leaving `libfuse2`. Final state: libfuse.so.2 +
# libfuse3.so.3 both in ldconfig (covers hf-mount + legacy FUSE 2 clients).
RUN apt-get update -y && \
    apt-get upgrade -y && \
    apt-get install -y --no-install-recommends \
        ca-certificates \
        git build-essential rsync sudo patch openssh-server \
        pciutils nano fuse unzip socat netcat-openbsd curl wget autossh jq && \
    apt-get install -y --no-install-recommends fuse3 && \
    rm -rf /var/lib/apt/lists/*

# Setup SSH and generate hostkeys
RUN mkdir -p /var/run/sshd && \
    sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config && \
    sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd && \
    cd /etc/ssh/ && \
    ssh-keygen -A

# Setup new user named sky and add to sudoers. secure_path is hardcoded
# (sudoers cannot expand $HOME) with /home/sky/miniconda3/bin so that
# `sudo conda ...` resolves — conda lives in $HOME/miniconda3 in this image.
RUN useradd -m -s /bin/bash sky && \
    echo "sky ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers && \
    echo 'Defaults        secure_path="/home/sky/miniconda3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"' > /etc/sudoers.d/sky

# Switch to sky user
USER sky

# Set HOME environment variable for sky user
ENV HOME=/home/sky

# Set current working directory
WORKDIR /home/sky

SHELL ["/bin/bash", "-c"]

# Install conda and other dependencies based on architecture
# Keep the conda and Ray versions below in sync with the ones in skylet.constants
# Keep this section in sync with the custom image optimization recommendations in our docs (kubernetes-getting-started.rst)
RUN ARCH=${TARGETARCH:-$(case "$(uname -m)" in \
        "x86_64") echo "amd64" ;; \
        "aarch64") echo "arm64" ;; \
        *) echo "$(uname -m)" ;; \
    esac)} && \
    if [ "$ARCH" = "arm64" ]; then \
        curl -fsSL https://repo.anaconda.com/miniconda/Miniconda3-py310_23.11.0-2-Linux-aarch64.sh -o miniconda.sh; \
    else \
        curl -fsSL https://repo.anaconda.com/miniconda/Miniconda3-py310_23.11.0-2-Linux-x86_64.sh -o miniconda.sh; \
    fi && \
    bash miniconda.sh -b -p $HOME/miniconda3 && \
    rm miniconda.sh && \
    eval "$($HOME/miniconda3/bin/conda shell.bash hook)" && \
    conda init && \
    conda config --set auto_activate_base true && \
    export PIP_DISABLE_PIP_VERSION_CHECK=1 && \
    curl -LsSf https://astral.sh/uv/install.sh | sh && \
    $HOME/.local/bin/uv venv ~/skypilot-runtime --seed --python=3.10 && \
    source ~/skypilot-runtime/bin/activate && \
    $HOME/.local/bin/uv pip install 'skypilot-nightly[remote,kubernetes]' \
        'ray[default]==2.9.3' 'pycryptodome==3.12.0' && \
    $HOME/.local/bin/uv pip uninstall skypilot-nightly && \
    curl -LO "https://dl.k8s.io/release/v1.33.12/bin/linux/$ARCH/kubectl" && \
    # Install kubectl to user's local bin instead of system path to avoid
    # sudo-related issues during cross-architecture builds, especially on ARM
    chmod +x kubectl && \
    mkdir -p $HOME/.local/bin && \
    mv kubectl $HOME/.local/bin/ && \
    echo 'export PATH="$PATH:$HOME/.local/bin"' >> ~/.bashrc

# Set PYTHONUNBUFFERED=1 to have Python print to stdout/stderr immediately
ENV PYTHONUNBUFFERED=1