Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CI: add build and push models workflow #474

Draft
wants to merge 2 commits into
base: main
Choose a base branch
from

Conversation

jordimassaguerpla
Copy link

@jordimassaguerpla jordimassaguerpla commented Nov 23, 2023

Hi! This is the result of my SUSE Hackweek Project https://hackweek.opensuse.org/23/projects/package-monai-machine-learning-models-for-medical-applications . The motivation was totally personal, to learn more about the Medical Machine Learning Topic, even though has nothing to do with my daily work.

I thought it could be nice to share with you. Might be you can reuse some ideas or details .... or maybe not . Whatever makes sense for your team and your current roadmap.

This is the implementation of a workflow that will build and push into the ghcr.io the example MAP in examples/apps/simple_imaging_app.

This workflow will use terraform to launch a VM with a GPU and then run the monai-deploy-sdk package subcommand inside it.

NOTE: you need to setup the secrets:

  • AZURE_CLIENT_ID
  • AZURE_SUBSCRIPTION_ID
  • AZURE_TENANT_ID
  • AZURE_CLIENT_SECRET

The workflow will patch holoscan, so that it works when there is no cache.

The workflow will install a "patched" libseccomp package so that we can install libnvidia-container.

The workflow will use nvidia docker runtime to build, load, export, ... the image.

The workflow uses the smallest/cheapest Azure Image with GPU available in Western Europe, which is Standard_NC4as_T4_v3. For this to work, you might need to request a quota increase to Azure Help Desk.

The default 30GB disc is not enough for the build, so you need to setup a 64GB one.

:WARNING: This will incur in costs in Azure Cloud, use it with caution. It costed me 1.6€ each run.

This workflow will build and push into the ghcr.io the
example MAP in examples/apps/simple_imaging_app.

This workflow will use terraform to launch a VM with a GPU and then run
the monai-deploy-sdk package subcommand inside it.

NOTE: you need to setup the secrets:
* AZURE_CLIENT_ID
* AZURE_SUBSCRIPTION_ID
* AZURE_TENANT_ID
* AZURE_CLIENT_SECRET

The workflow will patch holoscan, so that it works when there is no
cache.

The workflow will install a "patched" libseccomp package so that we can
install libnvidia-container.

The workflow will use nvidia docker runtime to build, load, export, ...
the image.

The workflow uses the smallest/cheapest Azure Image with GPU available
in Western Europe, which is Standard_NC4as_T4_v3. For this to work,
you need to request a quota increase to Azure Help Desk.

However, the default 30GB disc is not enough for the build, so you need
to setup a 64GB.

:WARNING: This will incur in costs in Azure Cloud, use it with caution.

Signed-off-by: Jordi Massaguer Pla <[email protected]>
@jordimassaguerpla
Copy link
Author

jordimassaguerpla commented Nov 29, 2023

This 6013c5e adds SBOM (Software Bill Of Materials) and image signing, by using trivy and cosign.

This can later be used to verify the image and check for known vulnerabilities, in order to secure your supply chain.

@jordimassaguerpla jordimassaguerpla force-pushed the add_build_and_push_workflow4 branch from b4233a6 to f15d9c6 Compare November 29, 2023 12:07
Sign the image with cosign using the OIDC token.
Add Software Bill of Materials with trivy as signed cosign attestations.

This informatin is needed for securing the supply chain.

You can verify the image with cosign.
You can get the SBOM from the attestations and then use trivy to check
for vulnerabilities.

Signed-off-by: Jordi Massaguer Pla <[email protected]>
@jordimassaguerpla jordimassaguerpla force-pushed the add_build_and_push_workflow4 branch from c202359 to 6013c5e Compare November 30, 2023 21:17
Copy link

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
No Duplication information No Duplication information

@MMelQin
Copy link
Collaborator

MMelQin commented Dec 4, 2023

Thank you so much @jordimassaguerpla for this PR. Sorry for this late reply due to the RSNA 2023 prep and others.

MD App SDK proper does not intend to maintain a MAP registry, and the couple container image examples are for demonstration purpose so that adopters of MD App SDK can quickly enhance and make use of the example for their use case. GitHub CR also has certain I/O limits I believe, so pushing (and overwriting) the image over and over may not be helpful.

Having said that, I definitely can see the workflow be used for on-demand (or periodical) publishing task, and the adopters can benefit from this example too!

@jordimassaguerpla
Copy link
Author

Thank you so much @jordimassaguerpla for this PR. Sorry for this late reply due to the RSNA 2023 prep and others.

MD App SDK proper does not intend to maintain a MAP registry, and the couple container image examples are for demonstration purpose so that adopters of MD App SDK can quickly enhance and make use of the example for their use case. GitHub CR also has certain I/O limits I believe, so pushing (and overwriting) the image over and over may not be helpful.

Having said that, I definitely can see the workflow be used for on-demand (or periodical) publishing task, and the adopters can benefit from this example too!

I was thinking that could be used as an example for other projects. I agree on every commit makes no sense to update the container. I was more thinking on each new tag and/or on-demand.

Will it make more sense to push this to some example folder or documentation?

Thanks for your answer, no problem it took you a while, perfectly understandable. Congrats on this great project!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants