-
Notifications
You must be signed in to change notification settings - Fork 47
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CI: add build and push models workflow #474
base: main
Are you sure you want to change the base?
CI: add build and push models workflow #474
Conversation
This workflow will build and push into the ghcr.io the example MAP in examples/apps/simple_imaging_app. This workflow will use terraform to launch a VM with a GPU and then run the monai-deploy-sdk package subcommand inside it. NOTE: you need to setup the secrets: * AZURE_CLIENT_ID * AZURE_SUBSCRIPTION_ID * AZURE_TENANT_ID * AZURE_CLIENT_SECRET The workflow will patch holoscan, so that it works when there is no cache. The workflow will install a "patched" libseccomp package so that we can install libnvidia-container. The workflow will use nvidia docker runtime to build, load, export, ... the image. The workflow uses the smallest/cheapest Azure Image with GPU available in Western Europe, which is Standard_NC4as_T4_v3. For this to work, you need to request a quota increase to Azure Help Desk. However, the default 30GB disc is not enough for the build, so you need to setup a 64GB. :WARNING: This will incur in costs in Azure Cloud, use it with caution. Signed-off-by: Jordi Massaguer Pla <jmassaguerpla@suse.com>
This 6013c5e adds SBOM (Software Bill Of Materials) and image signing, by using trivy and cosign. This can later be used to verify the image and check for known vulnerabilities, in order to secure your supply chain. |
b4233a6
to
f15d9c6
Compare
Sign the image with cosign using the OIDC token. Add Software Bill of Materials with trivy as signed cosign attestations. This informatin is needed for securing the supply chain. You can verify the image with cosign. You can get the SBOM from the attestations and then use trivy to check for vulnerabilities. Signed-off-by: Jordi Massaguer Pla <jmassaguerpla@suse.com>
c202359
to
6013c5e
Compare
Kudos, SonarCloud Quality Gate passed! |
Thank you so much @jordimassaguerpla for this PR. Sorry for this late reply due to the RSNA 2023 prep and others. MD App SDK proper does not intend to maintain a MAP registry, and the couple container image examples are for demonstration purpose so that adopters of MD App SDK can quickly enhance and make use of the example for their use case. GitHub CR also has certain I/O limits I believe, so pushing (and overwriting) the image over and over may not be helpful. Having said that, I definitely can see the workflow be used for on-demand (or periodical) publishing task, and the adopters can benefit from this example too! |
I was thinking that could be used as an example for other projects. I agree on every commit makes no sense to update the container. I was more thinking on each new tag and/or on-demand. Will it make more sense to push this to some example folder or documentation? Thanks for your answer, no problem it took you a while, perfectly understandable. Congrats on this great project! |
Hi! This is the result of my SUSE Hackweek Project https://hackweek.opensuse.org/23/projects/package-monai-machine-learning-models-for-medical-applications . The motivation was totally personal, to learn more about the Medical Machine Learning Topic, even though has nothing to do with my daily work.
I thought it could be nice to share with you. Might be you can reuse some ideas or details .... or maybe not . Whatever makes sense for your team and your current roadmap.
This is the implementation of a workflow that will build and push into the ghcr.io the example MAP in examples/apps/simple_imaging_app.
This workflow will use terraform to launch a VM with a GPU and then run the monai-deploy-sdk package subcommand inside it.
NOTE: you need to setup the secrets:
The workflow will patch holoscan, so that it works when there is no cache.
The workflow will install a "patched" libseccomp package so that we can install libnvidia-container.
The workflow will use nvidia docker runtime to build, load, export, ... the image.
The workflow uses the smallest/cheapest Azure Image with GPU available in Western Europe, which is Standard_NC4as_T4_v3. For this to work, you might need to request a quota increase to Azure Help Desk.
The default 30GB disc is not enough for the build, so you need to setup a 64GB one.
:WARNING: This will incur in costs in Azure Cloud, use it with caution. It costed me 1.6€ each run.