Merge pull request #127 from iot-salzburg/v1.6_cuda-12.0_ubuntu-22.04

V1.6 cuda 12.0 ubuntu 22.04

.build/10activate-conda-env.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+# Copyright (c) Jupyter Development Team.
+# Distributed under the terms of the Modified BSD License.
+
+# This registers the initialization code for the conda shell code
+# It also activates default environment in the end, so we don't need to activate it manually
+# Documentation: https://docs.conda.io/projects/conda/en/latest/dev-guide/deep-dives/activation.html
+eval "$(conda shell.bash hook)"

.build/Dockerfile

@@ -1,7 +1,7 @@
-# This Dockerfile is generated by 'generate-Dockerfile.sh' from elements within 'src/'
+# This Dockerfile is generated by 'generate-Dockerfile.sh' from elements within 'custom/'
 
 # **Please do not change this file directly!**
-# To adapt this Dockerfile, adapt 'generate-Dockerfile.sh' or 'src/Dockerfile.usefulpackages'.
+# To adapt this Dockerfile, adapt 'generate-Dockerfile.sh' or 'custom/usefulpackages.Dockerfile'.
 # More information can be found in the README under configuration.
 
 
@@ -39,12 +39,12 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 USER root
 
-# Install all OS dependencies for notebook server that starts but lacks all
-# features (e.g., download as all possible file formats)
+# Install all OS dependencies for the Server that starts
+# but lacks all features (e.g., download as all possible file formats)
 ENV DEBIAN_FRONTEND noninteractive
 RUN apt-get update --yes && \
-    # - apt-get upgrade is run to patch known vulnerabilities in apt-get packages as
-    #   the ubuntu base image is rebuilt too seldom sometimes (less than once a month)
+    # - `apt-get upgrade` is run to patch known vulnerabilities in apt-get packages as
+    #   the Ubuntu base image is rebuilt too seldom sometimes (less than once a month)
     apt-get upgrade --yes && \
     apt-get install --yes --no-install-recommends \
     # - bzip2 is necessary to extract the micromamba executable.
@@ -80,36 +80,37 @@ RUN chmod a+rx /usr/local/bin/fix-permissions
 # Enable prompt color in the skeleton .bashrc before creating the default NB_USER
 # hadolint ignore=SC2016
 RUN sed -i 's/^#force_color_prompt=yes/force_color_prompt=yes/' /etc/skel/.bashrc && \
-   # Add call to conda init script see https://stackoverflow.com/a/58081608/4413446
-   echo 'eval "$(command conda shell.bash hook 2> /dev/null)"' >> /etc/skel/.bashrc
+    # More information in: https://github.com/jupyter/docker-stacks/pull/2047
+    # and docs: https://docs.conda.io/projects/conda/en/latest/dev-guide/deep-dives/activation.html
+    echo 'eval "$(conda shell.bash hook)"' >> /etc/skel/.bashrc
 
 # Create NB_USER with name jovyan user with UID=1000 and in the 'users' group
 # and make sure these dirs are writable by the `users` group.
 RUN echo "auth requisite pam_deny.so" >> /etc/pam.d/su && \
     sed -i.bak -e 's/^%admin/#%admin/' /etc/sudoers && \
     sed -i.bak -e 's/^%sudo/#%sudo/' /etc/sudoers && \
-    useradd -l -m -s /bin/bash -N -u "${NB_UID}" "${NB_USER}" && \
+    useradd --no-log-init --create-home --shell /bin/bash --uid "${NB_UID}" --no-user-group "${NB_USER}" && \
     mkdir -p "${CONDA_DIR}" && \
     chown "${NB_USER}:${NB_GID}" "${CONDA_DIR}" && \
     chmod g+w /etc/passwd && \
-    fix-permissions "${HOME}" && \
-    fix-permissions "${CONDA_DIR}"
+    fix-permissions "${CONDA_DIR}" && \
+    fix-permissions "/home/${NB_USER}"
 
 USER ${NB_UID}
 
-# Pin python version here, or set it to "default"
+# Pin the Python version here, or set it to "default"
 ARG PYTHON_VERSION=3.11
 
 # Setup work directory for backward-compatibility
 RUN mkdir "/home/${NB_USER}/work" && \
     fix-permissions "/home/${NB_USER}"
 
-# Download and install Micromamba, and initialize Conda prefix.
+# Download and install Micromamba, and initialize the Conda prefix.
 #   <https://github.com/mamba-org/mamba#micromamba>
 #   Similar projects using Micromamba:
 #     - Micromamba-Docker: <https://github.com/mamba-org/micromamba-docker>
 #     - repo2docker: <https://github.com/jupyterhub/repo2docker>
-# Install Python, Mamba and jupyter_core
+# Install Python, Mamba, and jupyter_core
 # Cleanup temporary files and remove Micromamba
 # Correct permissions
 # Do all this in a single RUN command to avoid duplicating all of the
@@ -148,7 +149,15 @@ ENTRYPOINT ["tini", "-g", "--"]
 CMD ["start.sh"]
 
 # Copy local files as late as possible to avoid cache busting
-COPY start.sh /usr/local/bin/
+COPY run-hooks.sh start.sh /usr/local/bin/
+
+USER root
+
+# Create dirs for startup hooks
+RUN mkdir /usr/local/bin/start-notebook.d && \
+    mkdir /usr/local/bin/before-notebook.d
+
+COPY 10activate-conda-env.sh /usr/local/bin/before-notebook.d/
 
 # Switch back to jovyan to avoid accidental container runs as root
 USER ${NB_UID}
@@ -161,6 +170,7 @@ WORKDIR "${HOME}"
 
 # Copyright (c) Jupyter Development Team.
 # Distributed under the terms of the Modified BSD License.
+ARG REGISTRY=quay.io
 ARG OWNER=jupyter
 
 LABEL maintainer="Jupyter Project <jupyter@googlegroups.com>"
@@ -171,35 +181,35 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 USER root
 
-# Install all OS dependencies for notebook server that starts but lacks all
+# Install all OS dependencies for the Server that starts but lacks all
 # features (e.g., download as all possible file formats)
 RUN apt-get update --yes && \
     apt-get install --yes --no-install-recommends \
     fonts-liberation \
     # - pandoc is used to convert notebooks to html files
-    #   it's not present in aarch64 ubuntu image, so we install it here
+    #   it's not present in the aarch64 Ubuntu image, so we install it here
     pandoc \
     # - run-one - a wrapper script that runs no more
     #   than one unique  instance  of  some  command with a unique set of arguments,
-    #   we use `run-one-constantly` to support `RESTARTABLE` option
+    #   we use `run-one-constantly` to support the `RESTARTABLE` option
     run-one && \
     apt-get clean && rm -rf /var/lib/apt/lists/*
 
 USER ${NB_UID}
 
-# Install Jupyter Notebook, Lab, and Hub
-# Generate a notebook server config
+# Install JupyterLab, Jupyter Notebook, JupyterHub and NBClassic
+# Generate a Jupyter Server config
 # Cleanup temporary files
 # Correct permissions
 # Do all this in a single RUN command to avoid duplicating all of the
 # files across image layers when the permissions change
 WORKDIR /tmp
 RUN mamba install --yes \
+    'jupyterlab' \
     'notebook' \
     'jupyterhub' \
-    'jupyterlab' \
     'nbclassic' && \
-    jupyter notebook --generate-config && \
+    jupyter server --generate-config && \
     mamba clean --all -f -y && \
     npm cache clean --force && \
     jupyter lab clean && \
@@ -211,23 +221,18 @@ ENV JUPYTER_PORT=8888
 EXPOSE $JUPYTER_PORT
 
 # Configure container startup
-CMD ["start-notebook.sh"]
+CMD ["start-notebook.py"]
 
 # Copy local files as late as possible to avoid cache busting
-COPY start-notebook.sh start-singleuser.sh /usr/local/bin/
-# Currently need to have both jupyter_notebook_config and jupyter_server_config to support classic and lab
+COPY start-notebook.py start-notebook.sh start-singleuser.py start-singleuser.sh /usr/local/bin/
 COPY jupyter_server_config.py docker_healthcheck.py /etc/jupyter/
 
 # Fix permissions on /etc/jupyter as root
 USER root
-
-# Legacy for Jupyter Notebook Server, see: [#1205](https://github.com/jupyter/docker-stacks/issues/1205)
-RUN sed -re "s/c.ServerApp/c.NotebookApp/g" \
-    /etc/jupyter/jupyter_server_config.py > /etc/jupyter/jupyter_notebook_config.py && \
-    fix-permissions /etc/jupyter/
+RUN fix-permissions /etc/jupyter/
 
 # HEALTHCHECK documentation: https://docs.docker.com/engine/reference/builder/#healthcheck
-# This healtcheck works well for `lab`, `notebook`, `nbclassic`, `server` and `retro` jupyter commands
+# This healtcheck works well for `lab`, `notebook`, `nbclassic`, `server`, and `retro` jupyter commands
 # https://github.com/jupyter/docker-stacks/issues/915#issuecomment-1068528799
 HEALTHCHECK --interval=5s --timeout=3s --start-period=5s --retries=3 \
     CMD /etc/jupyter/docker_healthcheck.py || exit 1
@@ -243,6 +248,7 @@ WORKDIR "${HOME}"
 
 # Copyright (c) Jupyter Development Team.
 # Distributed under the terms of the Modified BSD License.
+ARG REGISTRY=quay.io
 ARG OWNER=jupyter
 
 LABEL maintainer="Jupyter Project <jupyter@googlegroups.com>"
@@ -253,10 +259,11 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
 USER root
 
-# Install all OS dependencies for fully functional notebook server
+# Install all OS dependencies for a fully functional Server
 RUN apt-get update --yes && \
     apt-get install --yes --no-install-recommends \
     # Common useful utilities
+    curl \
     git \
     nano-tiny \
     tzdata \
@@ -282,7 +289,7 @@ RUN update-alternatives --install /usr/bin/nano nano /bin/nano-tiny 10
 # Switch back to jovyan to avoid accidental container runs as root
 USER ${NB_UID}
 
-# Add R mimetype option to specify how the plot returns from R to the browser
+# Add an R mimetype option to specify how the plot returns from R to the browser
 COPY --chown=${NB_UID}:${NB_GID} Rprofile.site /opt/conda/lib/R/etc/
 
 # Add setup scripts that may be used by downstream images or inherited images
@@ -294,6 +301,7 @@ COPY setup-scripts/ /opt/setup-scripts/
 
 # Copyright (c) Jupyter Development Team.
 # Distributed under the terms of the Modified BSD License.
+ARG REGISTRY=quay.io
 ARG OWNER=jupyter
 
 LABEL maintainer="Jupyter Project <jupyter@googlegroups.com>"
@@ -353,17 +361,15 @@ RUN mamba install --yes \
     fix-permissions "${CONDA_DIR}" && \
     fix-permissions "/home/${NB_USER}"
 
-# Install facets which does not have a pip or conda package at the moment
+# Install facets package which does not have a `pip` or `conda-forge` package at the moment
 WORKDIR /tmp
-RUN git clone https://github.com/PAIR-code/facets.git && \
+RUN git clone https://github.com/PAIR-code/facets && \
     jupyter nbclassic-extension install facets/facets-dist/ --sys-prefix && \
     rm -rf /tmp/facets && \
     fix-permissions "${CONDA_DIR}" && \
     fix-permissions "/home/${NB_USER}"
 
-# Import matplotlib the first time to build the font cache.
-ENV XDG_CACHE_HOME="/home/${NB_USER}/.cache/"
-
+# Import matplotlib the first time to build the font cache
 RUN MPLBACKEND=Agg python -c "import matplotlib.pyplot" && \
     fix-permissions "/home/${NB_USER}"
 
@@ -381,12 +387,6 @@ LABEL maintainer="Christoph Schranz <christoph.schranz@salzburgresearch.at>, Mat
 # https://www.tensorflow.org/install/source#gpu
 # installation via conda leads to errors in version 4.8.2
 # Install CUDA-specific nvidia libraries and update libcudnn8 before that
-USER root
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends  --allow-change-held-packages libcudnn8 && \
-    apt-get install -y --no-install-recommends libnvinfer-dev libnvinfer-plugin-dev  && \
-    apt-get clean && rm -rf /var/lib/apt/lists/*
-RUN cd /usr/lib/x86_64-linux-gnu && ln -s libnvinfer_plugin.so.8 libnvinfer_plugin.so.7 && ln -s libnvinfer.so.8 libnvinfer.so.7
 USER ${NB_UID}
 RUN pip install --upgrade pip && \
     pip install --no-cache-dir tensorflow==2.15.0 keras==2.15.0 && \

.build/docker_healthcheck.py

@@ -7,7 +7,7 @@
 
 import requests
 
-# A number of operations below deliberately don't check for possible errors
+# Several operations below deliberately don't check for possible errors
 # As this is a healthcheck, it should succeed or raise an exception on error
 
 runtime_dir = Path("/home/") / os.environ["NB_USER"] / ".local/share/jupyter/runtime/"
@@ -16,6 +16,11 @@
 url = json.loads(json_file.read_bytes())["url"]
 url = url + "api"
 
-r = requests.get(url, verify=False)  # request without SSL verification
+proxies = {
+    "http": "",
+    "https": "",
+}
+
+r = requests.get(url, proxies=proxies, verify=False)  # request without SSL verification
 r.raise_for_status()
 print(r.content)

.build/fix-permissions

@@ -1,16 +1,14 @@
 #!/bin/bash
-# set permissions on a directory
-# after any installation, if a directory needs to be (human) user-writable,
-# run this script on it.
-# It will make everything in the directory owned by the group ${NB_GID}
-# and writable by that group.
+# Set permissions on a directory
+# After any installation, if a directory needs to be (human) user-writable, run this script on it.
+# It will make everything in the directory owned by the group ${NB_GID} and writable by that group.
 # Deployments that want to set a specific user id can preserve permissions
 # by adding the `--group-add users` line to `docker run`.
 
-# uses find to avoid touching files that already have the right permissions,
-# which would cause massive image explosion
+# Uses find to avoid touching files that already have the right permissions,
+# which would cause a massive image explosion
 
-# right permissions are:
+# Right permissions are:
 # group=${NB_GID}
 # AND permissions include group rwX (directory-execute)
 # AND directories have setuid,setgid bits set

.build/jupyter_server_config.py

@@ -4,6 +4,7 @@
 import os
 import stat
 import subprocess
+from pathlib import Path
 
 from jupyter_core.paths import jupyter_data_dir
 
@@ -24,17 +25,16 @@
 [req_distinguished_name]
 """
 if "GEN_CERT" in os.environ:
-    dir_name = jupyter_data_dir()
-    pem_file = os.path.join(dir_name, "notebook.pem")
-    os.makedirs(dir_name, exist_ok=True)
+    dir_name = Path(jupyter_data_dir())
+    dir_name.mkdir(parents=True, exist_ok=True)
+    pem_file = dir_name / "notebook.pem"
 
     # Generate an openssl.cnf file to set the distinguished name
-    cnf_file = os.path.join(os.getenv("CONDA_DIR", "/usr/lib"), "ssl", "openssl.cnf")
-    if not os.path.isfile(cnf_file):
-        with open(cnf_file, "w") as fh:
-            fh.write(OPENSSL_CONFIG)
+    cnf_file = Path(os.getenv("CONDA_DIR", "/usr/lib")) / "ssl/openssl.cnf"
+    if not cnf_file.exists():
+        cnf_file.write_text(OPENSSL_CONFIG)
 
-    # Generate a certificate if one doesn't exist on disk
+    # Generate a certificate if one doesn't exist on a disk
     subprocess.check_call(
         [
             "openssl",
@@ -50,10 +50,9 @@
         ]
     )
     # Restrict access to the file
-    os.chmod(pem_file, stat.S_IRUSR | stat.S_IWUSR)
-    c.ServerApp.certfile = pem_file
+    pem_file.chmod(stat.S_IRUSR | stat.S_IWUSR)
+    c.ServerApp.certfile = str(pem_file)
 
-# Change default umask for all subprocesses of the notebook server if set in
-# the environment
+# Change default umask for all subprocesses of the Server if set in the environment
 if "NB_UMASK" in os.environ:
     os.umask(int(os.environ["NB_UMASK"], 8))

.build/run-hooks.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+# Copyright (c) Jupyter Development Team.
+# Distributed under the terms of the Modified BSD License.
+
+# The run-hooks.sh script looks for *.sh scripts to source
+# and executable files to run within a passed directory
+
+if [ "$#" -ne 1 ]; then
+    echo "Should pass exactly one directory"
+    return 1
+fi
+
+if [[ ! -d "${1}" ]]; then
+    echo "Directory ${1} doesn't exist or is not a directory"
+    return 1
+fi
+
+echo "Running hooks in: ${1} as uid: $(id -u) gid: $(id -g)"
+for f in "${1}/"*; do
+    # Handling a case when the directory is empty
+    [ -e "${f}" ] || continue
+    case "${f}" in
+        *.sh)
+            echo "Sourcing shell script: ${f}"
+            # shellcheck disable=SC1090
+            source "${f}"
+            # shellcheck disable=SC2181
+            if [ $? -ne 0 ]; then
+                echo "${f} has failed, continuing execution"
+            fi
+            ;;
+        *)
+            if [ -x "${f}" ]; then
+                echo "Running executable: ${f}"
+                "${f}"
+                # shellcheck disable=SC2181
+                if [ $? -ne 0 ]; then
+                    echo "${f} has failed, continuing execution"
+                fi
+            else
+                echo "Ignoring non-executable: ${f}"
+            fi
+            ;;
+    esac
+done
+echo "Done running hooks in: ${1}"