Add containers (stfc#580)

Co-authored-by: Elliott Kasoar <[email protected]>

Author: alinelena

.github/workflows/docker-jupyter-image.yml

@@ -0,0 +1,60 @@
+name: ghcr-jupyter
+on:
+  push:
+    branches: [ "main" ]
+
+jobs:
+  build-amd64:
+    runs-on: ubuntu-latest
+    if: github.repository == 'stfc/janus-core'
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - name: 'clone the repo'
+        uses: actions/checkout@v4
+      - name: 'login to ghcr'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{github.actor}}
+          password: ${{secrets.GITHUB_TOKEN}}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: ./containers
+          file: ./containers/Dockerfile.jupyter
+          push: true
+          tags: |
+            ghcr.io/stfc/janus-core/jupyter:amd64-${{ github.sha }}
+            ghcr.io/stfc/janus-core/jupyter:amd64-latest
+  build-arm64:
+    runs-on: ubuntu-24.04-arm
+    if: github.repository == 'stfc/janus-core'
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - name: 'clone the repo'
+        uses: actions/checkout@v4
+      - name: 'login to ghcr'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{github.actor}}
+          password: ${{secrets.GITHUB_TOKEN}}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: ./containers
+          file: ./containers/Dockerfile.jupyter
+          push: true
+          tags: |
+            ghcr.io/stfc/janus-core/jupyter:arm64-${{ github.sha }}
+            ghcr.io/stfc/janus-core/jupyter:arm64-latest

.github/workflows/docker-marimo-image.yml

@@ -0,0 +1,60 @@
+name: ghcr-marimo
+on:
+  push:
+    branches: [ "main" ]
+
+jobs:
+  build-amd64:
+    runs-on: ubuntu-latest
+    if: github.repository == 'stfc/janus-core'
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - name: 'clone the repo'
+        uses: actions/checkout@v4
+      - name: 'login to ghcr'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{github.actor}}
+          password: ${{secrets.GITHUB_TOKEN}}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: ./containers
+          file: ./containers/Dockerfile.marimo
+          push: true
+          tags: |
+            ghcr.io/stfc/janus-core/marimo:amd64-${{ github.sha }}
+            ghcr.io/stfc/janus-core/marimo:amd64-latest
+  build-arm64:
+    runs-on: ubuntu-24.04-arm
+    if: github.repository == 'stfc/janus-core'
+    permissions:
+      packages: write
+      contents: read
+    steps:
+      - name: 'clone the repo'
+        uses: actions/checkout@v4
+      - name: 'login to ghcr'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{github.actor}}
+          password: ${{secrets.GITHUB_TOKEN}}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: ./containers
+          file: ./containers/Dockerfile.marimo
+          push: true
+          tags: |
+            ghcr.io/stfc/janus-core/marimo:arm64-${{ github.sha }}
+            ghcr.io/stfc/janus-core/marimo:arm64-latest

README.md

@@ -17,6 +17,7 @@ Tools for machine learnt interatomic potentials
 - [Features](#features)
 - [Python interface](#python-interface)
 - [Command line interface](#command-line-interface)
+- [Docker/Podman images](#dockerpodman-images)
 - [Development](#development)
 - [License](#license)
 - [Funding](#funding)
@@ -294,6 +295,41 @@ This will run a singlepoint energy calculation on `KCl.cif` using the [MACE-MP](
 Minimal and full example configuration files for all calculations can be found
 [here](https://stfc.github.io/janus-core/examples/index.html).
 
+## Docker/Podman images
+
+You can use `janus_core` in a JupyterHub or marimo environment using [docker](https://www.docker.com) or [podman](https://podman.io/). We provide regularly updated docker/podman images, which can be dowloaded by running:
+
+```shell
+docker pull ghcr.io/stfc/janus-core/jupyter:amd64-latest
+
+docker pull ghcr.io/stfc/janus-core/marimo:amd64-latest
+```
+or using podman
+
+```shell
+podman pull ghcr.io/stfc/janus-core/jupyter-amd64:latest
+
+podman pull ghcr.io/stfc/janus-core/marimo-amd64:latest
+```
+
+for amd64 architecture, if you require arm64 replace amd64 with arm64 above, and next instructions.
+
+To start, for marimo run:
+
+```shell
+
+podman run --rm --security-opt seccomp=unconfined -p 8842:8842 ghcr.io/stfc/janus-core/marimo:amd64-latest
+
+```
+or for JupyterHub, run:
+
+```
+podman run --rm --security-opt seccomp=unconfined -p 8888:8888 ghcr.io/stfc/janus-core/jupyter:amd64-latest
+```
+
+For more details on how to share your filesystem and so on you can refer to this documentation: https://summer.ccp5.ac.uk/introduction.html#run-locally.
+
+
 
 ## Development
 

containers/Dockerfile.jupyter

@@ -0,0 +1,222 @@
+# Copyright (c) Jupyter Development Team.
+# Distributed under the terms of the Modified BSD License.
+# this is adapted from above.
+
+ARG ROOT_CONTAINER=ubuntu:25.04
+
+FROM $ROOT_CONTAINER
+
+LABEL maintainer="Alin Elena <[email protected]>"
+ARG NB_USER="jovyan"
+ARG NB_UID="1001"
+ARG NB_GID="100"
+
+USER root
+
+# Install all OS dependencies for notebook server that starts but lacks all
+# features (e.g., download as all possible file formats)
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt update --yes && \
+    # - apt-get upgrade is run to patch known vulnerabilities in apt-get packages as
+    #   the ubuntu base image is rebuilt too seldom sometimes (less than once a month)
+    apt upgrade --yes && \
+    apt install --yes --no-install-recommends \
+    ca-certificates \
+    fonts-liberation \
+    locales \
+    # - pandoc is used to convert notebooks to html files
+    #   it's not present in arm64 ubuntu image, so we install it here
+    pandoc \
+    # - run-one - a wrapper script that runs no more
+    #   than one unique  instance  of  some  command with a unique set of arguments,
+    #   we use `run-one-constantly` to support `RESTARTABLE` option
+    run-one \
+    sudo \
+    # - tini is installed as a helpful container entrypoint that reaps zombie
+    #   processes and such of the actual executable we want to start, see
+    #   https://github.com/krallin/tini#why-tini for details.
+    tini \
+    wget bzip2 && \
+    apt clean && rm -rf /var/lib/apt/lists/* && \
+    echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && \
+    locale-gen
+
+# Configure environment
+ENV CONDA_DIR=/opt/conda \
+    SHELL=/bin/bash \
+    NB_USER="${NB_USER}" \
+    NB_UID=${NB_UID} \
+    NB_GID=${NB_GID} \
+    LC_ALL=en_US.UTF-8 \
+    LANG=en_US.UTF-8 \
+    LANGUAGE=en_US.UTF-8
+ENV PATH="${CONDA_DIR}/bin:${PATH}" \
+    HOME="/home/${NB_USER}"
+
+# Copy a script that we will use to correct permissions after running certain commands
+COPY fix-permissions /usr/local/bin/fix-permissions
+RUN chmod a+rx /usr/local/bin/fix-permissions
+
+# Enable prompt color in the skeleton .bashrc before creating the default NB_USER
+# hadolint ignore=SC2016
+RUN sed -i 's/^#force_color_prompt=yes/force_color_prompt=yes/' /etc/skel/.bashrc && \
+   # Add call to conda init script see https://stackoverflow.com/a/58081608/4413446
+   echo 'eval "$(command conda shell.bash hook 2> /dev/null)"' >> /etc/skel/.bashrc
+
+# Create NB_USER with name jovyan user with UID=1000 and in the 'users' group
+# and make sure these dirs are writable by the `users` group.
+RUN echo "auth requisite pam_deny.so" >> /etc/pam.d/su && \
+    sed -i.bak -e 's/^%admin/#%admin/' /etc/sudoers && \
+    sed -i.bak -e 's/^%sudo/#%sudo/' /etc/sudoers && \
+    useradd -l -m -s /bin/bash -N -u "${NB_UID}" "${NB_USER}" && \
+    mkdir -p "${CONDA_DIR}" && \
+    chown "${NB_USER}:${NB_GID}" "${CONDA_DIR}" && \
+    chmod g+w /etc/passwd && \
+    fix-permissions "${HOME}" && \
+    fix-permissions "${CONDA_DIR}"
+
+USER ${NB_UID}
+ARG PYTHON_VERSION=3.12
+
+# Setup work directory for backward-compatibility
+RUN mkdir "/home/${NB_USER}/work" && \
+    fix-permissions "/home/${NB_USER}"
+
+# Install conda as jovyan and check the sha256 sum provided on the download site
+WORKDIR /tmp
+
+RUN set -x && \
+    arch=$(uname -m) && \
+    if [ "${arch}" = "x86_64" ]; then  arch="64"; fi && \
+    wget --progress=dot:giga -O - "https://micro.mamba.pm/api/micromamba/linux-${arch}/latest" | tar -xvj bin/micromamba && \
+    PYTHON_SPECIFIER="python=${PYTHON_VERSION}" && \
+    if [ "${PYTHON_VERSION}" = "default" ]; then PYTHON_SPECIFIER="python"; fi && \
+    ./bin/micromamba install \
+        --root-prefix="${CONDA_DIR}" \
+        --prefix="${CONDA_DIR}" \
+        --yes \
+        'jupyter_core' \
+        'conda' \
+        'mamba' \
+        "${PYTHON_SPECIFIER}" && \
+    rm -rf /tmp/bin/ && \
+    mamba list --full-name 'python' | awk 'END{sub("[^.]*$", "*", $2); print $1 " " $2}' >> "${CONDA_DIR}/conda-meta/pinned" && \
+    mamba clean --all -f -y && \
+    fix-permissions "${CONDA_DIR}" && \
+    fix-permissions "/home/${NB_USER}"
+
+# setup the notebook... pretty basic stuff
+USER ${NB_UID}
+
+WORKDIR /tmp
+RUN mamba install --yes \
+    'jupyterhub-singleuser' \
+    'jupyterlab' \
+    'nbclassic' \
+    # Sometimes, when the new version of `jupyterlab` is released, latest `notebook` might not support it for some time
+    # Old versions of `notebook` (<v7) didn't have a restriction on the `jupyterlab` version, and old `notebook` is getting installed
+    # That's why we have to pin the minimum notebook version
+    # More info: https://github.com/jupyter/docker-stacks/pull/2167
+    'notebook>=7.2.2' && \
+    jupyter server --generate-config && \
+    mamba clean --all -f -y && \
+    jupyter lab clean && \
+    rm -rf "/home/${NB_USER}/.cache/yarn" && \
+    fix-permissions "${CONDA_DIR}" && \
+    fix-permissions "/home/${NB_USER}"
+
+ENV JUPYTER_PORT=8888
+EXPOSE $JUPYTER_PORT
+
+# Configure container startup
+CMD ["start-notebook.py"]
+
+# Copy local files as late as possible to avoid cache busting
+COPY start-notebook.py start-notebook.sh start-singleuser.py start-singleuser.sh /usr/local/bin/
+COPY jupyter_server_config.py /etc/jupyter/
+
+# Fix permissions on /etc/jupyter as root
+USER root
+RUN fix-permissions /etc/jupyter/
+
+RUN rm -rf "/home/${NB_USER}/.cache/"
+
+# Switch back to jovyan to avoid accidental container runs as root
+USER ${NB_UID}
+
+#============
+#minimal image  now
+
+USER root
+
+RUN apt update --yes && \
+    apt install --yes --no-install-recommends \
+    cm-super \
+    dvipng && \
+    apt clean && rm -rf /var/lib/apt/lists/*
+
+USER ${NB_UID}
+
+# Install Python 3 packages
+RUN mamba install  --yes \
+    'altair' \
+    'beautifulsoup4' \
+    'bokeh' \
+    'bottleneck' \
+    'cloudpickle' \
+    'conda-forge::blas=*=openblas' \
+    'conda-forge::gfortran' \
+    'conda-forge::hdf5' \
+    'cython' \
+    'dask' \
+    'dill' \
+    'h5py' \
+    'ipympl'\
+    'ipywidgets' \
+    'matplotlib-base' \
+    'numba' \
+    'numexpr' \
+    'pandas' \
+    'openpyxl' \
+    'patsy' \
+    'protobuf' \
+    'pytables' \
+    'scikit-image' \
+    'scikit-learn' \
+    'scipy' \
+    'seaborn' \
+    'sqlalchemy' \
+    'statsmodels' \
+    'sympy' \
+    'widgetsnbextension'\
+    'xlrd' \
+    'gxx' \
+    'spglib' 'jupyter-server-proxy' 'jupyter-collaboration' && \
+    mamba clean --all -f -y && \
+    fix-permissions "${CONDA_DIR}" && \
+    fix-permissions "/home/${NB_USER}"
+
+# Import matplotlib the first time to build the font cache.
+ENV XDG_CACHE_HOME="/home/${NB_USER}/.cache/"
+
+RUN MPLBACKEND=Agg python -c "import matplotlib.pyplot" && \
+    fix-permissions "/home/${NB_USER}"
+
+USER root
+
+RUN apt -y update && apt -y upgrade\
+ && apt install -y git pkg-config cmake && \
+   apt clean && rm -rf /var/lib/apt/lists/*
+
+RUN chown -R $NB_UID:$NB_GID $HOME
+
+COPY --chown=$NB_UID:$NB_GID environment.yml /tmp
+USER $NB_USER
+RUN . /opt/conda/bin/activate && \
+    mamba env update --quiet --file /tmp/environment.yml && \
+    mamba clean --all -f -y && \
+    rm -rf "/home/${NB_USER}/.cache"
+
+EXPOSE 8888
+
+WORKDIR "${HOME}"