Allow passwordless sudo in docker images #17473
This will allow to run commands like apt with other users besides root. Allowing us to install stuff not only when the image is being created. Signed-off-by: Boian Petkantchin <boian.petkantchin@amd.com>
438420e to d553a8a
To publish updates to this image someone with access to the iree-oss GCP project will need to follow the steps at https://github.com/iree-org/iree/tree/main/build_tools/docker#adding-or-updating-an-image
(#15332 to make that better)
Do you know who has such access?
@jpienaar may know.
Yes there are a few, sorry missed ping here.
@@ -12,4 +12,5 @@ set -euo pipefail | |||
# (https://docs.docker.com/develop/develop-images/multistage-build/) but it | |||
# turns out that Dockerfile is a thoroughly non-composable awful format and that | |||
# doesn't actually work that well. These deps are pretty small. | |||
apt-get update && apt-get install -y git unzip wget curl gnupg2 lsb-release | |||
apt-get update && apt-get install -y git unzip wget curl gnupg2 lsb-release sudo | |||
echo "ALL ALL=NOPASSWD: ALL" > "/etc/sudoers.d/iree" |
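Review bot: The sudoers rule written on the last line, `ALL ALL=NOPASSWD: ALL`, gives every account in the image passwordless root for any command, which is wider than the stated goal of letting a non-root user run apt. Consider naming the account the jobs actually run as instead of the first `ALL`, and if only package installation is needed, listing those commands instead of the last `ALL` (bearing in mind that apt run through sudo still executes package scripts as root, so the user restriction is the part that narrows access). It would also help to create `/etc/sudoers.d/iree` with mode 0440, the conventional mode for sudoers drop-ins, and to run `visudo -cf /etc/sudoers.d/iree` right after writing it so a syntax error fails the image build rather than surfacing later as a broken sudo inside a job. A short comment above the line saying why sudo is installed would make the intent clear to the next reader of this script.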
This seems fine to me, but out of curiosity, what do you want to install during job execution that needs to be under a docker image? (I'm aiming to remove more uses of Docker, so I want to limit new dependencies on it)
I want specifically libopenmpi-dev. What would we use instead of docker?
Ah, I see. Installing the Python mpi4py package still needs libopenmpi-dev: https://stackoverflow.com/questions/28440834/error-when-installing-mpi4py (https://github.com/mpi4py/setup-mpi even uses apt get too).
My overall goals are for build machines and jobs to be separate from test machines and jobs.
- The compiler is built on host platforms (Linux, Windows, macOS, arm/x86, etc.), using Docker for toolchains (CMake, Bazel, Ninja, MSVC, clang, etc.) as needed
- Tests (think "user workflows") are run on target machines using readily available packages, drivers, and other deps. For Python that means pip installing some utilities. For GPU execution that means installing drivers - either from the test runner machine itself, from a standard dockerfile (maybe https://hub.docker.com/r/nvidia/cuda ?), or from a custom dockerfile.
We should probably move these to the GH registry in iree-org at some point
This will allow to run commands like apt with other users besides root. Allowing us to install stuff not only when the image is being created. Signed-off-by: Boian Petkantchin <boian.petkantchin@amd.com> Signed-off-by: Lubo Litchev <lubol@google.com>