From 693faca33049de825bc812a6d7f019771e4905c9 Mon Sep 17 00:00:00 2001 From: Tom Tseng Date: Sat, 7 Feb 2026 01:16:26 -0800 Subject: [PATCH 1/2] Dockerfile: Document it more --- Dockerfile | 40 ++++++++++++++++++++-------------------- Makefile | 2 +- 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/Dockerfile b/Dockerfile index be96897b..3fa051df 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -ARG PYTORCH_CUDA_VERSION=2.0.1-cuda11.7-cudnn8 +ARG PYTORCH_CUDA_VERSION=2.9.0-cuda12.8-cudnn9 FROM pytorch/pytorch:${PYTORCH_CUDA_VERSION}-runtime LABEL org.opencontainers.image.source=https://github.com/criticalml-uw/TamperBench @@ -19,7 +19,7 @@ RUN apt-get update -q \ && rm -rf /var/lib/apt/lists/* # Install uv -COPY --from=ghcr.io/astral-sh/uv:0.8.17-python3.10-alpine /usr/local/bin/uv /usr/local/bin/uv +COPY --from=ghcr.io/astral-sh/uv:0.10.0-python3.10-alpine /usr/local/bin/uv /usr/local/bin/uv # Don't run as root, instead run as non-root user that can still use # passwordless sudo for admin privileges 
@@ -34,24 +34,24 @@ RUN addgroup --gid ${GROUPID} ${USERNAME} \ && chown -R ${USERNAME}:${USERNAME} "/workspace" USER ${USERNAME} -# uv will install into VIRTUAL_ENV. We add VIRTUAL_ENV to the path so that users -# of image can use `python` rather than `uv run python`. -ENV VIRTUAL_ENV=/workspace/TamperBench/.venv -ENV PATH="$VIRTUAL_ENV/bin:/home/dev/.local/bin:$PATH" - -# Copy package installation files -COPY --chown=${USERNAME}:${USERNAME} pyproject.toml uv.lock /workspace/TamperBench/ - -# Create venv and install dependencies -# Run Pyright so its Node.js package gets installed -RUN cd /workspace/TamperBench \ - && mkdir -p src/tamperbench \ - && touch src/tamperbench/__init__.py \ - && uv sync --extra dev --frozen \ - && rm -rf "${HOME}/.cache" \ - && basedpyright . \ - && cd .. \ - && rm -rf TamperBench +# Install dependencies into a venv outside the repo directory. The repo will be +# cloned at runtime (see k8s/devbox.yaml), but the venv with deps is pre-baked. +# UV_PROJECT_ENVIRONMENT tells uv where to create the venv instead of .venv. +# +# This env var affects all uv projects in the container, so installing a +# different uv project will clobber the venv. If that becomes a problem, then +# make UV_PROJECT_ENVIRONMENT local to the uv commands in the Dockerfile and +# then create a symlink from /home/dev/.venv into /workspace/TamperBench/.venv +# after cloning in the k8s/ YAMLs. +ENV UV_PROJECT_ENVIRONMENT=/home/dev/.venv +ENV PATH="/home/dev/.venv/bin:/home/dev/.local/bin:$PATH" + +# Create venv and install dependencies (but not the project itself). +RUN --mount=type=bind,source=uv.lock,target=uv.lock \ + --mount=type=bind,source=pyproject.toml,target=pyproject.toml \ + uv sync --all-groups --locked --no-install-project + +WORKDIR /workspace # Default command to run -- may be changed at runtime CMD ["/bin/bash"] diff --git a/Makefile b/Makefile index bfdaae7a..fb268cf8 100644 --- a/Makefile +++ b/Makefile 
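Review bot: The venv location is hard-coded to `/home/dev` in both `ENV UV_PROJECT_ENVIRONMENT=/home/dev/.venv` and the new `ENV PATH=...` line, while the context lines above create and switch to the user through `${USERNAME}`. If USERNAME is an overridable build argument (its declaration is outside this hunk), `uv sync` would run as a user who presumably cannot create `/home/dev/.venv`, and the PATH entry would point at a directory that does not exist. Either derive the path from the same variable, e.g. `ENV UV_PROJECT_ENVIRONMENT=/home/${USERNAME}/.venv` (assuming the home directory follows that pattern), or add a comment such as `# NOTE: paths below assume USERNAME=dev; overriding it is not supported.`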
@@ -1,4 +1,4 @@ -VERSION ?= 0.0.1 +VERSION ?= 0.0.2 FULL_IMAGE_NAME = ghcr.io/criticalml-uw/tamperbench:$(VERSION) .PHONY: docker-build devbox cpu large From 13ce1262c8df84c04316af1e53888b5e47a70f75 Mon Sep 17 00:00:00 2001 From: Tom Tseng Date: Sat, 7 Feb 2026 01:28:05 -0800 Subject: [PATCH 2/2] Dockerfile: Optimizations --- Dockerfile | 26 +++++++++++++------------- k8s/devbox.yaml | 1 + 2 files changed, 14 insertions(+), 13 deletions(-) diff --git a/Dockerfile b/Dockerfile index 3fa051df..1d7a1926 100644 --- a/Dockerfile +++ b/Dockerfile 
@@ -34,22 +34,22 @@ RUN addgroup --gid ${GROUPID} ${USERNAME} \ && chown -R ${USERNAME}:${USERNAME} "/workspace" USER ${USERNAME} -# Install dependencies into a venv outside the repo directory. The repo will be -# cloned at runtime (see k8s/devbox.yaml), but the venv with deps is pre-baked. -# UV_PROJECT_ENVIRONMENT tells uv where to create the venv instead of .venv. -# -# This env var affects all uv projects in the container, so installing a -# different uv project will clobber the venv. If that becomes a problem, then -# make UV_PROJECT_ENVIRONMENT local to the uv commands in the Dockerfile and -# then create a symlink from /home/dev/.venv into /workspace/TamperBench/.venv -# after cloning in the k8s/ YAMLs. -ENV UV_PROJECT_ENVIRONMENT=/home/dev/.venv +# Pre-bake dependencies into a venv at /home/dev/.venv. The repo itself is not +# included in the image as we usually want to clone it and checkout `main` or a +# specific commit. +# After cloning, symlink the pre-built venv into the repo so that tools +# (basedpyright, IDEs, uv) find it at the conventional .venv location: +# ln -s /home/dev/.venv /workspace/TamperBench/.venv ENV PATH="/home/dev/.venv/bin:/home/dev/.local/bin:$PATH" - # Create venv and install dependencies (but not the project itself). -RUN --mount=type=bind,source=uv.lock,target=uv.lock \ +# The cache mount keeps uv's download cache out of the image but persists it +# across builds. UV_LINK_MODE=copy is needed because hardlinks into the cache +# mount would dangle in the final image. +RUN --mount=type=cache,target=/home/dev/.cache/uv,uid=${USERID},gid=${GROUPID} \ + --mount=type=bind,source=uv.lock,target=uv.lock \ --mount=type=bind,source=pyproject.toml,target=pyproject.toml \ - uv sync --all-groups --locked --no-install-project + UV_PROJECT_ENVIRONMENT=/home/dev/.venv UV_LINK_MODE=copy \ + uv sync --locked --no-install-project WORKDIR /workspace diff --git a/k8s/devbox.yaml b/k8s/devbox.yaml index 68776b67..b3df77d2 100644 --- a/k8s/devbox.yaml 
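Review bot: The rewritten `uv sync --locked --no-install-project` drops the `--all-groups` flag from the line it replaces, and neither the new comment nor the commit title ("Optimizations") mentions this. The image therefore bakes in only uv's default dependency groups, which changes its contents and is not just a caching change. If this is intentional, for example because the plain `uv sync` in k8s/devbox.yaml would remove the extra packages anyway, record it next to the command: `# Only the default groups are installed, matching the plain "uv sync" run at pod start.` If not, restore the flag so the baked environment matches the previous image.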
+++ b/k8s/devbox.yaml @@ -37,6 +37,7 @@ spec: cd "/workspace/TamperBench" git pull git checkout {COMMIT_HASH} + ln -s /home/dev/.venv .venv git submodule update --recursive uv sync sleep {SLEEP_TIME}
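Review bot: The added `ln -s /home/dev/.venv .venv` is not idempotent. If `.venv` already exists as a symlink to a directory, GNU `ln` creates the new link inside the target (`/home/dev/.venv/.venv`) instead of replacing it. If `.venv` is a real directory left by an earlier `uv sync`, the link is created inside that directory and the pre-baked venv is silently unused. The `git pull` just above suggests the script can run against an existing checkout, though the clone step and any `set -e` are outside this hunk. Use `ln -sfn /home/dev/.venv .venv` so a re-run replaces the link in place, and consider failing loudly when `.venv` is a real directory.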