update recipe to use oras push/pull about github-ci HOT 53 CLOSED

omg success! https://github.com/singularityhub/github-ci/pkgs/container/github-ci

I'll figure out how to pull, update the docs, and we can get this merged soon. I did a couple of examples for automated builds, all with matrices:

• discovering changed files, build with docker base
• discovering changed files, build natively
• manually specified matrix, build natively

so hopefully there should be something for everyone!

from github-ci.

Ah! So for the push part I would recommend using one of these examples to push to docker hub, quay, or github packages: https://github.com/autamus/container-builder-template. You really don't even need sregistry.

from github-ci.

@myoung3 if you have some changes that helped your deployment, please open a pull request to fix for others if you have time in the next few weeks!

from github-ci.

Nope you unfortunately can’t do that - registries can accept custom content types like sif, but most of the production registries haven’t extended types. I think Cyverse is going with harbor and they could potentially do that.

so my suggestion is to either push a Docker container and pull down to Singularity, or do a trick to store sifs as artifacts alongside releases (proof of concept) https://github.com/singularityhub/singularity-deploy and hope that someday GitHub packages moves forward with supporting arbitrary blobs. You can technically put a SIF inside a Docker container and have a tool to extract, but it’s redundant imho.

from github-ci.

actually this looks promising:
https://azure.microsoft.com/en-us/blog/azure-container-registry-now-supports-singularity-image-format-containers/
https://sylabs.io/guides/3.7/user-guide/cli/singularity_pull.html
https://sylabs.io/guides/3.7/user-guide/cli/singularity_push.html

from github-ci.

yeah singularity push definitely has an oras endpoint listed in the documentation, but it's not clear how to authenticate that push. I'm guessing authentication might need to be set up prior to singularity push using an oras command? Or else only unauthenticated oras pushes are currently supported. I've decided to just use dockerhub at least for now since having an easy to pull (public) repo is more important than having singularity runscripts/apps. Hopefully the landscape changes someday and there's more support for .sif images in public repos. Thanks so much for your help with this!

from github-ci.

haha yeah the synchronicity is getting absurd! super glad to have someone working through this with me though!

from github-ci.

Woohoo congrats on your container!

So for editing packages, the most you can do to make them private/public is click on Package settings, but as far as I know you can't edit that particular line. I think at best you can update the README.md, which is directly below that box.

from github-ci.

okay gave it a shot! https://twitter.com/vsoch/status/1422777308146847746.

from github-ci.

Awesome! So glad it's going well. I'm going to close the issue here then - please ping me on here again for any new discussion / ideas / fun (and bugs too I guess 😆 )

from github-ci.

Oh geez, yes this is because of the repository change with singularity / sylabs - let me quickly fix this.

from github-ci.

Give this a shot? https://github.com/singularityhub/github-ci/blob/master/.github/workflows/native-install.yml

from github-ci.

Yeah I've got it working here https://github.com/kaufman-lab/github-ci/blob/master/.github/workflows/native-install.yml

We chose different version numbers for go and singularity but it probably doesn't matter.

Any advice on this? https://github.com/kaufman-lab/github-ci/runs/3225807086?check_suite_focus=true
"ERROR push is not implemented for docker. Why don't you add it?"

I suppose I have no affinity to dockerhub, so the easiest solution is to just use something else.

from github-ci.

fyi see that I added:

sudo -H pip3 install setuptools
sudo -H pip3 install wheel

under deploy container. sregistry installation was failing without them. Might want to update your readme.

from github-ci.

oh and the -H flag in sudo -H pip3 install sregistry seems to be necessary now

from github-ci.

Thanks, will do

from github-ci.

@vsoch Any tricks on pushing a .sif to dockerhub? I thought this was theoretically possible, but maybe that was crazy. docker push doesn't seem to allow specifying a file, it can only add images recognized by docker: https://docs.docker.com/engine/reference/commandline/push/

from github-ci.

nevermind I don't know where I got that crazy idea, obviously if I'm pushing to dockerhub it needs to be a docker image

from github-ci.

Thanks, yeah I think just building a docker image makes sense. The reason I didn't start with that technique was your caveat in the readme:

"While the second option is faster to complete and a more simple workflow, it should be noted that docker runs with --privileged which may lead to issues with the resulting container in a non privileged situation."

Is there a reason why I can't just drop the privileged tag? The singularity image definitely needs to be able to run as a normal (non-root) user.

from github-ci.

So just to clarify - this repository entirely is just for building Singularity, and not Docker. To distinguish between the native and Docker recipes here, the difference is building a singularity container natively on the action runner vs using a Docker image with singularity inside to do the build. The privileged flag you are talking about is here

from github-ci.

And I added that note because building with that flag can lead to wonky results that we can’t always predict, so it’s sort of a “proceed with caution” sort of deal.

from github-ci.

ahhh, ok thanks that makes sense. In the github actions workflow, prior to pushing to dockerhub I could try to spin it up the docker image in singularity to make sure it'll functioning correctly when converted to sif.

I supposed the main downside of this workflow is that I can't specify any singularity startscript, runscript, or apps.

from github-ci.

That’s a good point - but actually if you just use the scientific filesystem executable you can :)

https://sci-f.github.io///tutorial-quick-start#docker

SCIF is actually a standard that is implemented in Singularity to give that functionality, but doesn’t have to depend on it. And if you want to make the SIF conversion part of your workflow, how about just adding another step after push to just pull down to singularity?

from github-ci.

Oh neat! If you get a good recipe for azure please contribute it here so other users can benefit!

from github-ci.

But yes that’s what I was talking about with respect to registries accepting custom content types. I’d expect Azure is accepting helm charts and other metadata content types too, which is cool 😎

from github-ci.

yep: https://docs.microsoft.com/en-us/azure/container-registry/container-registry-image-formats

from github-ci.

The rumors are true, love it! <3

from github-ci.

Unfortunately it seems like the azure container repos have a few limitations;

• there's no free tier (although they do offer a 12 month free trial at the standard level).
• authentication seems to be required to pull (no public registries)
• singularity doc for authenticating with oras is entirely lacking. azure docs for pushing and pulling with singularity are similarly absent
  • based on the interface on azure, it seems like generating tokens for the container repo might require a premium feature for the azure container repository? Not 100% sure on that.
  • It seems admins can generate a token for themself, but it's not clear how to use these with singularity pull/push
  • As far as I can tell, you might need to install oras to do authentication? capability to authenticate doesn't seem to be built into singularity. as far as i can tell singularity remote is exclusively for the sylabs cloud library and can't be used to authenticate to an oras repo.

from github-ci.

Ack, that's frustrating! For the last point, however, I do think singularity push has an oras:// endpoint: https://sylabs.io/guides/3.5/user-guide/cli/singularity_push.html#synopsis. I've never used it, but I think that could be something to try?

from github-ci.

But actually I think you already may be trying that. It would be worth joining the SingularityCE slack and asking about how to do this.

from github-ci.

fyi: github container registry apparently supports oci?
https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry.

also I submitted a documentation issue to sylabs: sylabs/singularity#208

from github-ci.

Yes you can push docker images to the registry, check out one of my co-projects Autamus! https://autamus.io

from github-ci.

It seems that uploading and downloading .sifs to oras://ghcr.io works.

try this:

singularity remote login --username <username> oras://ghcr.io

You'll be prompted for a PAT. Then you can use singularity push and singularity pull to oras://ghcr.io/<registry>:<tag>

from github-ci.

No way! We should try a build recipe that deploys there (and then gives instructions to pull)

from github-ci.

Want me to submit a PR with a new github workflow?

from github-ci.

I don't really understand how github actions matrices work, so I'll submit something simple and you can modify it as you like

from github-ci.

actually it's probably easiest if I just modify an existing workflow and deploy twice, once to dockerhub and once to github packages.

from github-ci.

Whatever works for you! I'm having dinner now but am going to play around with this after. Super exciting if it can be an option!

from github-ci.

hey I'm working on this so don't rush to try and do it! I will need to test deploying to the package registry from CI, so I'm going to tweak the recipes and update docs for doing that.

from github-ci.

I'm testing it here:
https://github.com/kaufman-lab/build_containers

Weirdly I can't get singularity remote login commands that work locally to work in the build environment.

from github-ci.

That's funny! I just hit that error too. https://github.com/singularityhub/github-ci/pull/3/checks?check_run_id=3237348014 But I haven't tried debugging yet.

from github-ci.

hmm i was trying to pipe into password-stdin as well, but I was quoting the secret which apparently caused something weird to happen (possibly getting substituted to empty?). quoting locally didn't cause any problems. anyway my login is working now too. I also might try using this random person's actions to add singularity binaries https://github.com/marketplace/actions/setup-singularity to speed up build time.

from github-ci.

hah and now I see you made an issue in that repo like an hour ago.

from github-ci.

I tried that action with 3.8.0, but there was an error with mconfig (check out the issues on that repo) so I'm going to leave as is for now.

from github-ci.

lol and you already noticed my issue! We are like, running around the same bush like cartoon characters and telling one another what's on the other side!

from github-ci.

Are you thinking that it would be nice if we could edit or at least hide the docker pull instructions? https://github.com/kaufman-lab/build_containers/pkgs/container/geospatial_plus

Not even sure where we might submit an issue for that...

from github-ci.

It is quite funny though!

$ docker pull ghcr.io/singularityhub/github-ci:latest
latest: Pulling from singularityhub/github-ci
bb3948bc2682: Pulling fs layer 
unexpected end of JSON input

Yeah we should tweet someone at GitHub about this.

from github-ci.

fyi it seems like anyone who wants to singularity pull an image needs to first load a github PAT into singularity, even for public repositories.

from github-ci.

Do you want to PR to update docs?

from github-ci.

nevermind! You can totally do anonymous pulls using singularity. I think the issue is that if you try to pull with an disabled/expired github PAT, singularity will error out rather than try again without a key.

from github-ci.

issue filed here: sylabs/singularity#212

from github-ci.

@myoung3 good to close here? Anything to follow up on?

from github-ci.

All good! Using ghcr-hosted images in my current project using this approach flawlessly. Thanks for the help!

from github-ci.