yottalabsai
diff --git a/‎.github/workflows/build.yml‎
Lines changed: 219 additions & 0 deletions b/‎.github/workflows/build.yml‎
Lines changed: 219 additions & 0 deletions
diff --git a/‎official-templates/aws-neuron/Dockerfile‎
Lines changed: 142 additions & 0 deletions b/‎official-templates/aws-neuron/Dockerfile‎
Lines changed: 142 additions & 0 deletions
@@ -0,0 +1,219 @@
+name: Build and Push
+
+# ──────────────────────────────────────────────────────────────────────────────
+# CI  — triggered on every PR: builds images and pushes to GHCR for validation.
+# CD  — triggered when a PR is merged: promotes the GHCR image to Docker Hub
+#        via skopeo copy (no rebuild).
+# ──────────────────────────────────────────────────────────────────────────────
+
+on:
+  # CI: validate every PR that touches a template
+  pull_request:
+    paths:
+      - 'official-templates/**'
+
+  # CD: promote on merge
+  pull_request_target:
+    types: [closed]
+    paths:
+      - 'official-templates/**'
+
+  # Manual override for both CI and CD
+  workflow_dispatch:
+    inputs:
+      template:
+        description: 'Template name to build (e.g. pytorch). Leave empty to build all changed.'
+        required: false
+        type: string
+      mode:
+        description: 'ci = build to GHCR only, cd = promote GHCR → Docker Hub'
+        required: false
+        default: 'ci'
+        type: choice
+        options: [ci, cd]
+      sha:
+        description: 'Full or short SHA of the GHCR image to promote (cd mode only). Defaults to HEAD.'
+        required: false
+        type: string
+
+# ──────────────────────────────────────────────────────────────────────────────
+# CI jobs
+# ──────────────────────────────────────────────────────────────────────────────
+jobs:
+  ci-detect:
+    name: CI — Detect changed templates
+    if: >
+      github.event_name == 'pull_request' ||
+      (github.event_name == 'workflow_dispatch' && inputs.mode == 'ci')
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Determine templates to build
+        id: set-matrix
+        env:
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        run: |
+          if [ -n "${{ inputs.template }}" ]; then
+            TEMPLATES='["${{ inputs.template }}"]'
+          else
+            TEMPLATES=$(git diff --name-only "${BASE_SHA}" "${HEAD_SHA}" \
+              | grep '^official-templates/' \
+              | awk -F'/' '{print $2}' \
+              | sort -u \
+              | grep -v '^\s*$' \
+              | while read -r dir; do
+                  [ -f "official-templates/$dir/docker-bake.hcl" ] && echo "$dir"
+                done \
+              | jq -R -s -c 'split("\n") | map(select(length > 0))')
+          fi
+          echo "matrix=${TEMPLATES}" >> "$GITHUB_OUTPUT"
+          echo "Templates to build: ${TEMPLATES}"
+
+  ci-build:
+    name: CI — Build ${{ matrix.template }}
+    needs: ci-detect
+    if: needs.ci-detect.outputs.matrix != '[]' && needs.ci-detect.outputs.matrix != ''
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    strategy:
+      fail-fast: false
+      matrix:
+        template: ${{ fromJson(needs.ci-detect.outputs.matrix) }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GHCR
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Log in to Docker Hub (for registry cache read)
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Build and push to GHCR
+        working-directory: official-templates/${{ matrix.template }}
+        env:
+          HF_TOKEN: ${{ secrets.HF_TOKEN }}
+          TEMPLATE: ${{ matrix.template }}
+          BUILDX_BAKE_ENTITLEMENTS_FS: "0"
+        run: |
+          SHA_SHORT="${GITHUB_SHA::7}"
+          CACHE_REF="yottalabsai/buildcache:${TEMPLATE}"
+
+          # Override each bake target's tags to GHCR.
+          # Tag scheme: ghcr.io/yottalabsai/<template>:<target>-sha-<sha>
+          # Using per-target tags handles multi-target bake files (e.g. base has 8 targets).
+          OVERRIDES=$(docker buildx bake --print 2>/dev/null \
+            | jq -r --arg tmpl "${TEMPLATE}" --arg sha "${SHA_SHORT}" \
+                '.target | keys[] | "--set \(.).tags=ghcr.io/yottalabsai/\($tmpl):\(.)-sha-\($sha)"' \
+            | tr '\n' ' ')
+
+          eval "docker buildx bake ${OVERRIDES} \
+            --set '*.cache-from=type=registry,ref=${CACHE_REF}' \
+            --set '*.cache-to=type=registry,ref=${CACHE_REF},mode=max' \
+            --set '*.args.HF_TOKEN=${HF_TOKEN:-}' \
+            --push"
+
+# ──────────────────────────────────────────────────────────────────────────────
+# CD jobs
+# ──────────────────────────────────────────────────────────────────────────────
+  cd-detect:
+    name: CD — Detect merged templates
+    if: >
+      (github.event_name == 'pull_request_target' && github.event.pull_request.merged == true) ||
+      (github.event_name == 'workflow_dispatch' && inputs.mode == 'cd')
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.set-matrix.outputs.matrix }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Determine templates to promote
+        id: set-matrix
+        env:
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        run: |
+          if [ -n "${{ inputs.template }}" ]; then
+            TEMPLATES='["${{ inputs.template }}"]'
+          else
+            TEMPLATES=$(git diff --name-only "${BASE_SHA}" "${HEAD_SHA}" \
+              | grep '^official-templates/' \
+              | awk -F'/' '{print $2}' \
+              | sort -u \
+              | grep -v '^\s*$' \
+              | while read -r dir; do
+                  [ -f "official-templates/$dir/docker-bake.hcl" ] && echo "$dir"
+                done \
+              | jq -R -s -c 'split("\n") | map(select(length > 0))')
+          fi
+          echo "matrix=${TEMPLATES}" >> "$GITHUB_OUTPUT"
+          echo "Templates to promote: ${TEMPLATES}"
+
+  cd-promote:
+    name: CD — Promote ${{ matrix.template }} → Docker Hub
+    needs: cd-detect
+    if: needs.cd-detect.outputs.matrix != '[]' && needs.cd-detect.outputs.matrix != ''
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: read
+    strategy:
+      fail-fast: false
+      matrix:
+        template: ${{ fromJson(needs.cd-detect.outputs.matrix) }}
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Promote GHCR → Docker Hub
+        env:
+          TEMPLATE: ${{ matrix.template }}
+          PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          # Priority: manual sha input → PR head → current HEAD
+          RESOLVE_SHA="${{ inputs.sha }}"
+          RESOLVE_SHA="${RESOLVE_SHA:-${PR_HEAD_SHA:-${GITHUB_SHA}}}"
+          SHA_SHORT="${RESOLVE_SHA::7}"
+
+          # Use the bake file at the exact commit so target names and
+          # Docker Hub tags match what CI built.
+          git checkout "${RESOLVE_SHA}" -- "official-templates/${TEMPLATE}/docker-bake.hcl"
+
+          # For each bake target, copy its GHCR image to the Docker Hub tag
+          # defined in the bake file. skopeo is pre-installed on ubuntu-latest.
+          cd "official-templates/${TEMPLATE}"
+          docker buildx bake --print 2>/dev/null \
+            | jq -r '.target | to_entries[] | "\(.key) \(.value.tags[])"' \
+            | while IFS=' ' read -r target dh_tag; do
+                src="docker://ghcr.io/yottalabsai/${TEMPLATE}:${target}-sha-${SHA_SHORT}"
+                dst="docker://${dh_tag}"
+                echo "Promoting ${src} → ${dst}"
+                skopeo copy \
+                  --src-creds "x-access-token:${GITHUB_TOKEN}" \
+                  --dest-creds "${DOCKERHUB_USERNAME}:${DOCKERHUB_TOKEN}" \
+                  "${src}" "${dst}"
+              done
@@ -0,0 +1,142 @@
+ARG BASE_IMAGE="ubuntu:22.04"
+FROM ${BASE_IMAGE}
+
+# ===============================
+# Build args
+# ===============================
+ARG TORCH_NEURONX_VERSION="2.*"
+ARG NEURONX_CC_VERSION="2.*"
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# ===============================
+# Env
+# ===============================
+ENV DEBIAN_FRONTEND=noninteractive \
+    SHELL=/bin/bash \
+    PATH=/opt/aws/neuron/bin:/usr/local/bin:/usr/bin:/bin:$PATH \
+    NEURON_RT_NUM_CORES=1 \
+    HF_HOME=/workspace/hf \
+    JUPYTER_PASSWORD=ubuntu
+
+# ===============================
+# Workspace
+# ===============================
+WORKDIR /
+RUN mkdir -p /workspace && chmod 777 /workspace
+
+# ===============================
+# Base system packages
+# ===============================
+RUN apt-get update -y && \
+    apt-get install -y --no-install-recommends \
+      git wget curl ca-certificates bash \
+      gnupg2 software-properties-common \
+      locales tzdata \
+      openssh-server nginx sudo \
+      tmux vim zip unzip less procps net-tools htop \
+      jq tree rsync netcat-openbsd \
+      build-essential pkg-config \
+    && echo "en_US.UTF-8 UTF-8" > /etc/locale.gen \
+    && locale-gen \
+    && mkdir -p /var/run/sshd \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# ===============================
+# Python 3.11 via deadsnakes PPA
+# (start.sh requires python3.11)
+# ===============================
+RUN add-apt-repository -y ppa:deadsnakes/ppa && \
+    apt-get update -y && \
+    apt-get install -y --no-install-recommends \
+      python3.11 python3.11-venv python3.11-dev \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+RUN curl -sS https://bootstrap.pypa.io/get-pip.py | python3.11 && \
+    python3.11 -m pip install --no-cache-dir --upgrade pip setuptools wheel
+
+RUN ln -sf /usr/bin/python3.11 /usr/local/bin/python3 && \
+    ln -sf /usr/bin/python3.11 /usr/local/bin/python
+
+# ===============================
+# AWS Neuron APT repo + runtime
+# (runtime-lib + collectives cover inf2 and trn1/trn2; dkms is host-side only)
+# ===============================
+RUN wget -qO- https://apt.repos.neuron.amazonaws.com/GPG-PUB-KEY-AMAZON-AWS-NEURON.PUB \
+      | gpg --dearmor -o /etc/apt/trusted.gpg.d/neuron.gpg && \
+    echo "deb https://apt.repos.neuron.amazonaws.com jammy main" \
+      > /etc/apt/sources.list.d/neuron.list && \
+    apt-get update -y && \
+    apt-get install -y --no-install-recommends \
+      aws-neuronx-tools \
+      aws-neuronx-runtime-lib \
+      aws-neuronx-collectives \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
+# ===============================
+# torch-neuronx (inf2 + trn1/trn2)
+# ===============================
+RUN python3.11 -m pip install --no-cache-dir \
+      "torch-neuronx==${TORCH_NEURONX_VERSION}" torchvision torchaudio \
+      --extra-index-url https://pip.repos.neuron.amazonaws.com
+
+# ===============================
+# Neuron compiler + distributed training + inference optimisation
+# ===============================
+RUN python3.11 -m pip install --no-cache-dir \
+      "neuronx-cc==${NEURONX_CC_VERSION}" \
+      transformers-neuronx \
+      neuronx-distributed \
+      --extra-index-url https://pip.repos.neuron.amazonaws.com
+
+# ===============================
+# Hugging Face stack + JupyterLab
+# ===============================
+RUN python3.11 -m pip install --no-cache-dir \
+      transformers datasets huggingface_hub accelerate \
+      jupyterlab ipywidgets jupyter-archive "notebook==7.3.3"
+
+# Build-time assertion: prevents pushing a broken image
+RUN python3.11 -c "import jupyter; import jupyterlab; print('python3.11 jupyter ok')"
+
+# ===============================
+# User
+# ===============================
+RUN useradd -ms /bin/bash ubuntu && \
+    usermod -aG sudo ubuntu && \
+    echo "ubuntu ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/ubuntu && \
+    echo "ubuntu:ubuntu" | chpasswd
+
+# ===============================
+# SSH config (start.sh handles sshd startup)
+# ===============================
+RUN sed -i 's/#PasswordAuthentication yes/PasswordAuthentication yes/' /etc/ssh/sshd_config && \
+    sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config && \
+    rm -f /etc/ssh/ssh_host_*
+
+# ===============================
+# start.sh (from buildx bake context "scripts")
+# ===============================
+COPY --from=scripts start.sh /start.sh
+RUN chmod 755 /start.sh
+
+# ===============================
+# nginx / branding
+# ===============================
+COPY --from=proxy nginx.conf /etc/nginx/nginx.conf
+COPY --from=proxy readme.html /usr/share/nginx/html/readme.html
+
+COPY --from=logo yotta.txt /etc/yotta.txt
+RUN echo 'cat /etc/yotta.txt' >> /root/.bashrc
+
+# ===============================
+# Ports
+# ===============================
+EXPOSE 22 80 8888
+
+USER root
+WORKDIR /root
+CMD ["/bin/bash", "-lc", "exec /start.sh"]