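YAML-driven Docker playbook
Detailed description of the docker-playbook Python project
Docker Playbook
YAML-driven (NVIDIA) Docker playbook
Requirements
- Python 3.x
- nvidia-docker2 (make sure you can run nvidia-smi and docker images)
- pyyaml>=3.12 (on the host and in the docker image)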
Template Dockerfile is provided at the bottom, which is optional
though recommended because of its security enhancements and useful features.
Example usage
./playbook.py sample.yml
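Features
- Runs with nvidia-docker2, mainly in non-interactive mode (so if your script unexpectedly waits for input, it will receive a signal and die)
- Runs (whitelisted) steps in order
- Context deduction: each step can run in a different docker image or on the host
- Full access to host network services in non-interactive mode
- Simple step function signature step_blah(ctx)
- Easy to extend
- Minimal command-line arguments: ./playbook.py some.yml is all you need to do
- Single source file & low dependency (only PyYAML is not in the standard library; it is replaceable, but strongly recommended)
- Colored logging for readability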
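How to add steps?
- Copy the library.steps module from this repository and start developing your own library.steps module, so that this script can import it.
- Add a function def step_something(ctx). The current execution context is in ctx, where dict keys are proxied to attributes to save a lot of brackets and quotes. You can use logger to print information.

    def step_something(ctx):
        # Variables from the YAML step entry are available as attributes of ctx
        logger.info(ctx.other_vars)

- Whitelist your step, without the step_ prefix, in library.steps.whitlist.
- Add an entry under steps in your YAML file, where action is the step function name without the prefix:

    steps:
      - name: Some message here
        action: something
        other_vars: goes_to_ctx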
Context deduction rules
docker overrides > step config > global config > parser defaults > context initialization
How to specify the docker environment?
You can add a default docker environment.
Use docker_overrides to change context variables when docker is in use.

    docker:
      image: aleozlx/tkstack2:latest
      runtime: nvidia
      gui: False
      ports:
        - 6006:6006
      volumes:
        - /tmp:/workspace/build
        - /mnt/datasets:/workspace/datasets
      docker_overrides:
        storage: /workspace/datasets
    steps:
      - name: Some message here
        action: something
        storage: /mnt/datasets

Or override the docker environment completely per step:

    docker:
      # ...
    steps:
      - name: Some message here
        action: something
        storage: /mnt/datasets
        docker:
          image: aleozlx/tkstack2:latest
          runtime: nvidia
          volumes:
            - /tmp:/workspace/build
          docker_overrides:
            storage: /workspace/datasets

Or use the host:

    docker:
      # ...
    steps:
      - name: Some message here
        action: something
        storage: /mnt/datasets
        docker: null

Note: When a docker environment is present, the playbook starts docker accordingly and resumes itself inside docker to reuse many of the playbook's features, so that context deduction and logging behave consistently. (To do that, your code containing the playbook has to be mounted read-only. This is automatic.) That's why PyYAML is also required inside your docker image. Consider it as keeping the full operationalizing mechanism at the cost of a slight dependency constraint.
Security assumptions (or problems)
Host file system: volumes specified in your playbook will be mounted RW, although your code will be mounted RO automatically. Playbook assumes that you use a docker image that runs as a non-root user (as recommended) whose uid:gid hopefully maps to you on the host system.
Network: network services inside docker are not isolated from the host in non-interactive mode, to provide convenient access to host databases etc. Playbook assumes whatever you are operationalizing is trusted, that your host has a proper set of INPUT rules, and that services inside docker are protected by an independent firewall if necessary.
X11: the recommended docker image does intend to provide isolated X11 access by creating a non-root user that presumably maps to you on the host, so your X authentication files are naturally mounted with proper permissions already in place. But the uid in that image is just a guess, so on a host shared by many users this is probably no good, if it even works. (The docker image needs to be built in a better way.)
Playbook itself: the playbook itself is obviously a very capable shell program. It has execute permission by default for convenience (not necessarily a good idea). It is based on a simple whitelist to allow any actions to be executed. The docker shell provided shouldn't be able to be spawned on the host. But all these are best-effort, no promises.
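At the end of the day, this is a script of under 2^7 lines that is only supposed to drive other things and make them work. The composition-over-inheritance principle keeps things simpler and useful.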
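A pre-run review helper for the host file system assumption above, as an added example that is not part of docker-playbook: it resolves where each step runs (default docker environment, per-step override, or host) and lists the host paths that step would get read-write. The function names, the extra action names and the sample playbook are constructed; the playbook is passed as an already-parsed dict, and a playbook with no docker section is assumed to run on the host.

```python
# Added example (not project code): list what each playbook step can touch on the host.
_UNSET = object()  # distinguishes "step has no docker key" from "docker: null"


def effective_docker(playbook, step):
    """A step-level `docker` replaces the global one entirely; null means host."""
    env = step.get("docker", _UNSET)
    return playbook.get("docker") if env is _UNSET else env


def audit_playbook(playbook):
    """Return one finding per step: where it runs and which host paths are RW."""
    findings = []
    for step in playbook.get("steps", []):
        env = effective_docker(playbook, step)
        if env is None:
            # docker: null, or (assumption) no docker section at all: host step.
            findings.append({"step": step["action"], "runs_on": "host",
                             "rw_host_paths": []})
            continue
        # Volume entries are HOST:CONTAINER; playbook volumes are mounted RW.
        host_paths = [str(v).split(":", 1)[0] for v in env.get("volumes") or []]
        findings.append({"step": step["action"], "runs_on": env.get("image"),
                         "rw_host_paths": host_paths})
    return findings


# Constructed sample, shaped like the playbooks shown above (parsed form).
SAMPLE = {
    "docker": {"image": "aleozlx/tkstack2:latest", "runtime": "nvidia",
               "volumes": ["/tmp:/workspace/build",
                           "/mnt/datasets:/workspace/datasets"]},
    "steps": [
        {"name": "Uses the default environment", "action": "something"},
        {"name": "Own environment", "action": "train",
         "docker": {"image": "aleozlx/tkstack2:latest",
                    "volumes": ["/tmp:/workspace/build"]}},
        {"name": "Directly on the host", "action": "publish", "docker": None},
    ],
}

if __name__ == "__main__":
    for f in audit_playbook(SAMPLE):
        print(f["step"], "->", f["runs_on"], f["rw_host_paths"])
```

Steps reported as running on the host have no container boundary at all, so they deserve the closest look before a playbook from someone else is run.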
Template Dockerfile
https://gitlab-p01.cgi.missouri.edu/ExternalUsers/AlexYang_Fun/tkstack2/blob/master/src/Dockerfile
Features
- Non-root user with passwordless sudo
- Low maintenance: the base image is tensorflow/tensorflow:1.8.0-devel-gpu-py3
- numpy + scipy linked against libblas + liblapack
- Isolated X11 GUI support
- See https://gitlab-p01.cgi.missouri.edu/ExternalUsers/AlexYang_Fun/tkstack2 for details
License
Licensed under either of
- Apache License, Version 2.0 (LICENSE-APACHE or http://www.apache.org/licenses/LICENSE-2.0)
- MIT license (LICENSE-MIT or http://opensource.org/licenses/MIT)
at your option.