-
Notifications
You must be signed in to change notification settings - Fork 15
Dockerfile implementation for easy deployment #18
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| # Ignore all files | ||
| * | ||
| Original file line number | Diff line number | Diff line change | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| @@ -0,0 +1,49 @@ | ||||||||||||||||||
| FROM nvidia/cuda:11.8.0-cudnn8-devel-ubuntu22.04 | ||||||||||||||||||
| ENV DEBIAN_FRONTEND=noninteractive | ||||||||||||||||||
|
|
||||||||||||||||||
| # Install system dependencies | ||||||||||||||||||
| RUN apt-get update && apt-get install -y --no-install-recommends \ | ||||||||||||||||||
| wget \ | ||||||||||||||||||
| git \ | ||||||||||||||||||
| bzip2 \ | ||||||||||||||||||
| libglib2.0-0 \ | ||||||||||||||||||
| libxext6 \ | ||||||||||||||||||
| libsm6 \ | ||||||||||||||||||
| libxrender1 \ | ||||||||||||||||||
| libgl1 \ | ||||||||||||||||||
| python3 \ | ||||||||||||||||||
| python3-pip \ | ||||||||||||||||||
|
Comment on lines
+14
to
+15
|
||||||||||||||||||
| python3 \ | |
| python3-pip \ |
Copilot
AI
Feb 17, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The wget command downloads and executes the Miniforge installer script from a mutable latest URL without any integrity or authenticity verification. If an attacker compromises the conda-forge/miniforge release channel or the network path, they can inject arbitrary code that will be executed at build time with full privileges. Pin the download to a specific, expected release artifact and verify its checksum or signature before execution to prevent supply-chain compromise.
Copilot
AI
Feb 17, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The image is built from a fresh git clone of https://github.com/Anttwo/MAtCha.git, while the build context is effectively unused. This means docker build from this repo/branch will not include the code being reviewed (and will always build whatever is currently on the remote default branch), which breaks reproducibility and makes PR changes ineffective. Prefer copying the local checkout into the image (e.g., COPY . .) and remove the git clone step (optionally allow an ARG for building a specific ref).
| RUN chmod -R 777 /workspace/MAtCha | |
| RUN git clone https://github.com/Anttwo/MAtCha.git . | |
| COPY . . | |
| RUN chmod -R 777 /workspace/MAtCha |
Copilot
AI
Feb 17, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
chmod -R 777 grants world-writable permissions inside the image and is generally unsafe/unnecessary (especially as the container runs as root by default). Prefer creating a dedicated user and using chown/more restrictive permissions for /workspace/MAtCha.
| RUN chmod -R 777 /workspace/MAtCha | |
| RUN git clone https://github.com/Anttwo/MAtCha.git . | |
| RUN git clone https://github.com/Anttwo/MAtCha.git . | |
| RUN useradd -m -s /bin/bash matcha && chown -R matcha:matcha /workspace/MAtCha && chmod -R 755 /workspace/MAtCha |
Copilot
AI
Feb 17, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
install.py currently uses os.system(...) without checking return codes, so the script can exit 0 even if environment creation/build steps fail (which would allow docker build to succeed with a broken image). Consider updating install.py to fail fast on non-zero exit codes (e.g., subprocess.run(..., check=True)) or replace this with explicit shell commands in the Dockerfile that will fail the build on error.
| # Activate environment and install dependencies | |
| RUN python install.py --env_name matcha | |
| RUN python download_checkpoints.py | |
| # Activate environment, install dependencies, and download checkpoints (fail fast on error) | |
| RUN set -euo pipefail && \ | |
| python install.py --env_name matcha && \ | |
| python download_checkpoints.py |
Copilot
AI
Feb 17, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Downloading pretrained checkpoints during docker build makes the image much larger and forces network access at build time. Consider gating this behind a build ARG (default off) or moving checkpoint download to runtime with a volume-mounted cache, so users can choose between a lean image and a fully bundled one.
| RUN python download_checkpoints.py | |
| # Optionally download pretrained checkpoints at build time. | |
| # To skip this step and keep the image lean, build with: | |
| # docker build --build-arg DOWNLOAD_CHECKPOINTS=false ... | |
| ARG DOWNLOAD_CHECKPOINTS=true | |
| RUN if [ "$DOWNLOAD_CHECKPOINTS" = "true" ]; then python download_checkpoints.py; else echo "Skipping checkpoint download at build time."; fi |
Copilot
AI
Feb 17, 2026
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The ENTRYPOINT uses bash -c, which only works correctly when the user passes a single shell string. Common Docker usage like docker run image python train.py ... will be interpreted by bash as -c "python" (dropping the remaining args), so the command won’t run as intended. Prefer an entrypoint that executes "$@" (or set ENTRYPOINT to conda run ... -n matcha without bash -c) so arguments are preserved.
| ENTRYPOINT ["conda", "run", "--no-capture-output", "-n", "matcha", "/bin/bash", "-c"] | |
| ENTRYPOINT ["conda", "run", "--no-capture-output", "-n", "matcha"] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This
.dockerignoreignores the entire build context (*). That pattern prevents usingCOPY/ADDfor the repo (and contributes to the Dockerfile needing togit clone), and it can be surprising to users who expectdocker buildto package the current working tree. Consider switching to a selective ignore list (e.g., outputs, caches, datasets) instead of ignoring everything.