Allow passwordless sudo in docker images #17473
Conversation
This will allow to run commands like apt with other users besides root. Allowing us to install stuff not only when the image is being created. Signed-off-by: Boian Petkantchin <boian.petkantchin@amd.com>
sogartar
force-pushed
the
allow-passwordless-sudo-in-docker-images
branch
from
438420e
to
d553a8a
Compare
There was a problem hiding this comment.
To publish updates to this image someone with access to the iree-oss GCP project will need to follow the steps at https://github.com/iree-org/iree/tree/main/build_tools/docker#adding-or-updating-an-image
(#15332 to make that better)
There was a problem hiding this comment.
Do you know who has such access?
There was a problem hiding this comment.
Yes there are a few, sorry missed ping here.
| @@ -12,4 +12,5 @@ set -euo pipefail | |||
| # (https://docs.docker.com/develop/develop-images/multistage-build/) but it | |||
| # turns out that Dockerfile is a thoroughly non-composable awful format and that | |||
| # doesn't actually work that well. These deps are pretty small. | |||
| apt-get update && apt-get install -y git unzip wget curl gnupg2 lsb-release | |||
| apt-get update && apt-get install -y git unzip wget curl gnupg2 lsb-release sudo | |||
| echo "ALL ALL=NOPASSWD: ALL" > "/etc/sudoers.d/iree" | |||
There was a problem hiding this comment.
This seems fine to me, but out of curiosity, what do you want to install during job execution that needs to be under a docker image? (I'm aiming to remove more uses of Docker, so I want to limit new dependencies on it)
There was a problem hiding this comment.
I want specifically libopenmpi-dev. What would we use instead of docker?
There was a problem hiding this comment.
Ah, I see. Installing the Python mpi4py package still needs libopenmpi-dev: https://stackoverflow.com/questions/28440834/error-when-installing-mpi4py (https://github.com/mpi4py/setup-mpi even uses apt get too).
My overall goals are for build machines and jobs to be separate from test machines and jobs.
- The compiler is built on host platforms (Linux, Windows, macOS, arm/x86, etc.), using Docker for toolchains (CMake, Bazel, Ninja, MSVC, clang, etc.) as needed
- Tests (think "user workflows") are run on target machines using readily available packages, drivers, and other deps. For Python that means pip installing some utilities. For GPU execution that means installing drivers - either from the test runner machine itself, from a standard dockerfile (maybe https://hub.docker.com/r/nvidia/cuda ?), or from a custom dockerfile.
This will allow to run commands like apt with other users besides root. Allowing us to install stuff not only when the image is being created. Signed-off-by: Boian Petkantchin <boian.petkantchin@amd.com>
This will allow to run commands like apt with other users besides root. Allowing us to install stuff not only when the image is being created. Signed-off-by: Boian Petkantchin <boian.petkantchin@amd.com>
|
We should probably move these to the GH registry in iree-org at some point |
This will allow to run commands like apt with other users besides root. Allowing us to install stuff not only when the image is being created. Signed-off-by: Boian Petkantchin <boian.petkantchin@amd.com>
This will allow to run commands like apt with other users besides root. Allowing us to install stuff not only when the image is being created. Signed-off-by: Boian Petkantchin <boian.petkantchin@amd.com> Signed-off-by: Lubo Litchev <lubol@google.com>
This will allow to run commands like apt with other users besides root. Allowing us to install stuff not only when the image is being created.