add dockerfile and workflow to build a jupyter

alinelena · alinelena · commit 6ae19a01ed23 · 2025-08-04T16:06:24.000+01:00
diff --git a/.github/workflows/docker-jupyter-image.yml b/.github/workflows/docker-jupyter-image.yml
@@ -0,0 +1,33 @@
+name: ghcr
+#on:
+#  push:
+#    branches: [ "main" ]
+#  pull_request:
+#    branches: [ "main" ]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - name: 'clone the repo'
+        uses: actions/checkout@v4
+      - name: 'login to ghcr'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{github.actor}}
+          password: ${{secrets.GITHUB_TOKEN}}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: ./containers
+          file: ./containters/Dockerfile.jupyter
+          push: true
+          tags: |
+            ghcr.io/stfc/janus-core/jupyter:${{ github.sha }}
+            ghcr.io/stfc/janus-core/jupyter:latest
diff --git a/containers/Dockerfile.jupyter b/containers/Dockerfile.jupyter
@@ -0,0 +1,187 @@
+# Copyright (c) Jupyter Development Team.
+# Distributed under the terms of the Modified BSD License.
+# this is adapted from above.
+
+ARG ROOT_CONTAINER=ubuntu:25.04
+
+FROM $ROOT_CONTAINER
+
+LABEL maintainer="Alin Elena <alin@elena.re>"
+ARG NB_USER="jovyan"
+ARG NB_UID="1001"
+ARG NB_GID="100"
+
+USER root
+
+# Install all OS dependencies for notebook server that starts but lacks all
+# features (e.g., download as all possible file formats)
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt update --yes && \
+    # - apt-get upgrade is run to patch known vulnerabilities in apt-get packages as
+    #   the ubuntu base image is rebuilt too seldom sometimes (less than once a month)
+    apt upgrade --yes && \
+    apt install --yes --no-install-recommends \
+    ca-certificates \
+    fonts-liberation \
+    locales \
+    # - pandoc is used to convert notebooks to html files
+    #   it's not present in arm64 ubuntu image, so we install it here
+    pandoc \
+    # - run-one - a wrapper script that runs no more
+    #   than one unique  instance  of  some  command with a unique set of arguments,
+    #   we use `run-one-constantly` to support `RESTARTABLE` option
+    run-one \
+    sudo \
+    # - tini is installed as a helpful container entrypoint that reaps zombie
+    #   processes and such of the actual executable we want to start, see
+    #   https://github.com/krallin/tini#why-tini for details.
+    tini \
+    wget bzip2 && \
+    apt clean && rm -rf /var/lib/apt/lists/* && \
+    echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && \
+    locale-gen
+
+# Configure environment
+ENV CONDA_DIR=/opt/conda \
+    SHELL=/bin/bash \
+    NB_USER="${NB_USER}" \
+    NB_UID=${NB_UID} \
+    NB_GID=${NB_GID} \
+    LC_ALL=en_US.UTF-8 \
+    LANG=en_US.UTF-8 \
+    LANGUAGE=en_US.UTF-8
+ENV PATH="${CONDA_DIR}/bin:${PATH}" \
+    HOME="/home/${NB_USER}"
+
+# Copy a script that we will use to correct permissions after running certain commands
+COPY fix-permissions /usr/local/bin/fix-permissions
+RUN chmod a+rx /usr/local/bin/fix-permissions
+
+# Enable prompt color in the skeleton .bashrc before creating the default NB_USER
+# hadolint ignore=SC2016
+RUN sed -i 's/^#force_color_prompt=yes/force_color_prompt=yes/' /etc/skel/.bashrc && \
+   # Add call to conda init script see https://stackoverflow.com/a/58081608/4413446
+   echo 'eval "$(command conda shell.bash hook 2> /dev/null)"' >> /etc/skel/.bashrc
+
+# Create NB_USER with name jovyan user with UID=1000 and in the 'users' group
+# and make sure these dirs are writable by the `users` group.
+RUN echo "auth requisite pam_deny.so" >> /etc/pam.d/su && \
+    sed -i.bak -e 's/^%admin/#%admin/' /etc/sudoers && \
+    sed -i.bak -e 's/^%sudo/#%sudo/' /etc/sudoers && \
+    useradd -l -m -s /bin/bash -N -u "${NB_UID}" "${NB_USER}" && \
+    mkdir -p "${CONDA_DIR}" && \
+    chown "${NB_USER}:${NB_GID}" "${CONDA_DIR}" && \
+    chmod g+w /etc/passwd && \
+    fix-permissions "${HOME}" && \
+    fix-permissions "${CONDA_DIR}"
+
+USER ${NB_UID}
+ARG PYTHON_VERSION=3.12
+
+# Setup work directory for backward-compatibility
+RUN mkdir "/home/${NB_USER}/work" && \
+    fix-permissions "/home/${NB_USER}"
+
+# Install conda as jovyan and check the sha256 sum provided on the download site
+WORKDIR /tmp
+
+RUN set -x && \
+    arch=$(uname -m) && \
+    if [ "${arch}" = "x86_64" ]; then  arch="64"; fi && \
+    wget --progress=dot:giga -O - "https://micro.mamba.pm/api/micromamba/linux-${arch}/latest" | tar -xvj bin/micromamba && \
+    PYTHON_SPECIFIER="python=${PYTHON_VERSION}" && \
+    if [ "${PYTHON_VERSION}" = "default" ]; then PYTHON_SPECIFIER="python"; fi && \
+    ./bin/micromamba install \
+        --root-prefix="${CONDA_DIR}" \
+        --prefix="${CONDA_DIR}" \
+        --yes \
+        'jupyter_core' \
+        'conda' \
+        'mamba' \
+        "${PYTHON_SPECIFIER}" && \
+    rm -rf /tmp/bin/ && \
+    mamba list --full-name 'python' | awk 'END{sub("[^.]*$", "*", $2); print $1 " " $2}' >> "${CONDA_DIR}/conda-meta/pinned" && \
+    mamba clean --all -f -y && \
+    fix-permissions "${CONDA_DIR}" && \
+    fix-permissions "/home/${NB_USER}"
+
+RUN rm -rf "/home/${NB_USER}/.cache/"
+
+# Switch back to jovyan to avoid accidental container runs as root
+USER ${NB_UID}
+
+#============
+#minimal image  now
+
+USER root
+
+RUN apt update --yes && \
+    apt install --yes --no-install-recommends \
+    cm-super \
+    dvipng && \
+    apt clean && rm -rf /var/lib/apt/lists/*
+
+USER ${NB_UID}
+
+# Install Python 3 packages
+RUN mamba install  --yes \
+    'altair' \
+    'beautifulsoup4' \
+    'bokeh' \
+    'bottleneck' \
+    'cloudpickle' \
+    'conda-forge::blas=*=openblas' \
+    'conda-forge::gfortran' \
+    'conda-forge::hdf5' \
+    'cython' \
+    'dask' \
+    'dill' \
+    'h5py' \
+    'ipympl'\
+    'ipywidgets' \
+    'matplotlib-base' \
+    'numba' \
+    'numexpr' \
+    'pandas' \
+    'openpyxl' \
+    'patsy' \
+    'protobuf' \
+    'pytables' \
+    'scikit-image' \
+    'scikit-learn' \
+    'scipy' \
+    'seaborn' \
+    'sqlalchemy' \
+    'statsmodels' \
+    'sympy' \
+    'widgetsnbextension'\
+    'xlrd' \
+    'meson' \
+    'spglib' && \
+    mamba clean --all -f -y && \
+    fix-permissions "${CONDA_DIR}" && \
+    fix-permissions "/home/${NB_USER}"
+
+# Import matplotlib the first time to build the font cache.
+ENV XDG_CACHE_HOME="/home/${NB_USER}/.cache/"
+
+RUN MPLBACKEND=Agg python -c "import matplotlib.pyplot" && \
+    fix-permissions "/home/${NB_USER}"
+
+USER root
+
+RUN apt -y update && apt -y upgrade\
+ && apt install -y git pkg-config cmake && \
+   apt clean && rm -rf /var/lib/apt/lists/*
+
+RUN chown -R $NB_UID:$NB_GID $HOME
+
+COPY --chown=$NB_UID:$NB_GID environment.yml /tmp
+USER $NB_USER
+RUN . /opt/conda/bin/activate && \
+    mamba env update --quiet --file /tmp/environment.yml && \
+    mamba clean --all -f -y && \
+    rm -rf "/home/${NB_USER}/.cache"
+
+
+WORKDIR "${HOME}"
diff --git a/containers/environment.yml b/containers/environment.yml
@@ -0,0 +1,24 @@
+channels:
+  - conda-forge
+  - nodefaults
+dependencies:
+  - pip
+  - pip:
+      - git+https://github.com/imagdau/aseMolec@main
+      - skmatter
+      - pymatgen
+      - tqdm
+      - pack-mm
+      - 'janus-core[all]@git+https://github.com/stfc/janus-core.git@main'
+      - git+https://github.com/ChengUCB/les.git
+#      - git+https://github.com/ACEsuit/mace.git@develop
+      - torch-dftd
+#      - git+https://github.com/CheukHinHoJerry/torch-dftd.git
+      - cuequivariance==0.5.1
+      - cuequivariance-torch==0.5.1
+      - cuequivariance-ops-torch-cu12==0.5.1
+      - torchvision
+      - weas-widget
+      - seaborn
+      - data-tutorials
+      - opentsne
diff --git a/containers/fix-permissions b/containers/fix-permissions
@@ -0,0 +1,35 @@
+#!/bin/bash
+# set permissions on a directory
+# after any installation, if a directory needs to be (human) user-writable,
+# run this script on it.
+# It will make everything in the directory owned by the group ${NB_GID}
+# and writable by that group.
+# Deployments that want to set a specific user id can preserve permissions
+# by adding the `--group-add users` line to `docker run`.
+
+# uses find to avoid touching files that already have the right permissions,
+# which would cause massive image explosion
+
+# right permissions are:
+# group=${NB_GID}
+# AND permissions include group rwX (directory-execute)
+# AND directories have setuid,setgid bits set
+
+set -e
+
+for d in "$@"; do
+    find "${d}" \
+        ! \( \
+            -group "${NB_GID}" \
+            -a -perm -g+rwX \
+        \) \
+        -exec chgrp "${NB_GID}" {} \; \
+        -exec chmod g+rwX {} \;
+    # setuid, setgid *on directories only*
+    find "${d}" \
+        \( \
+            -type d \
+            -a ! -perm -6000 \
+        \) \
+        -exec chmod +6000 {} \;
+done
