Add new GH Workflow and restructure nf base image Dockerfiles (#181)

.github/workflows/build_and_push_nf_base_images.yml

@@ -0,0 +1,69 @@
+name: Push new nextflow images to ECR
+on:
+  workflow_dispatch:
+  push:
+    branches: master
+    paths:
+      - 'nextflow-base-images/**' #Runs every time this folder gets updated
+      - '.github/workflows/build_and_push_nf_base_images.yml'
+  schedule:
+    - cron: '0 0 * * 6'  # Run at midnight UTC every Saturday
+
+jobs:
+  build_and_push_nf_images:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          path: containers
+
+
+      - name: Checkout other private repository
+        uses: actions/checkout@v3
+        with:
+          repository: uc-cdis/base-images
+          token: ${{ secrets.PLANXCYBORG_TOKEN }}
+          path: base-images
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to Amazon ECR
+        env:
+          AWS_REGION: us-east-1  # Replace with your AWS region
+          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID_ACCT_654654631253_ECR }}
+          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY_ACCT_654654631253_ECR }}
+        run: |
+          aws ecr-public get-login-password --region $AWS_REGION | docker login --username AWS --password-stdin public.ecr.aws/u5x5h6w3
+
+      - name: Build and push Docker images
+        run: |
+              dir=base-images/amazonlinux-base/
+              echo "Building an image present in $dir"
+              image_name=nextflow-approved/public
+              tag_name=$(basename "$dir")
+              docker build -t public.ecr.aws/u5x5h6w3/$image_name:$tag_name $dir
+              docker push public.ecr.aws/u5x5h6w3/$image_name:$tag_name
+              echo "Built an image with name --> $image_name:$tag_name"
+
+              for dir in containers/nextflow-base-images/*/;do
+                  echo "Building an image present in $dir"
+                  image_name=nextflow-approved/public
+                  tag_name=$(basename "$dir")
+                  docker build -t public.ecr.aws/u5x5h6w3/$image_name:$tag_name $dir
+                  docker push public.ecr.aws/u5x5h6w3/$image_name:$tag_name
+                  echo "Built an image with name --> $image_name:$tag_name"
+              done
+
+      - name: Trigger `get_layer_info_for_nf_imgs.yml` workflow
+        env:
+          GH_TOKEN: ${{ secrets.PLANXCYBORG_TOKEN }}
+        run: |
+              gh api \
+              --method POST \
+              -H "Accept: application/vnd.github+json" \
+              -H "X-GitHub-Api-Version: 2022-11-28" \
+              /repos/uc-cdis/containers/actions/workflows/get_layer_info_for_nf_imgs.yml/dispatches \
+              -f "ref=master"

.github/workflows/get_layer_info_for_nf_imgs.yml

@@ -1,14 +1,12 @@
 name: Update Nextflow-approved image's layers
 on:
+  # Primarily this workflow is only expected to be triggered by `build_and_push_nf_base_images.yml`, these extra triggers are just added for convenience.
   workflow_dispatch:
   push:
     branches: master
     paths:
-      - 'nextflow-base-images/**' #Runs every time this folder gets updated
+      - 'nextflow-base-images/**'
       - '.github/workflows/get_layer_info_for_nf_imgs.yml'
-  schedule:
-    - cron: '0 0 * * 0'  # Run at midnight UTC every Sunday
-
 jobs:
   get_image_layers:
     runs-on: ubuntu-latest

nextflow-base-images/gen3-cuda-12.3-torch2.2-ubuntu22.04-openssl/Dockerfile

@@ -0,0 +1,25 @@
+FROM public.ecr.aws/u5x5h6w3/nextflow-approved/public:gen3-cuda-12.3-ubuntu22.04-openssl
+
+# Set environment variables
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Install system dependencies
+RUN apt-get update && \
+    apt-get install -y \
+        git \
+        python3-pip \
+        python3-dev \
+        python3-opencv \
+        libglib2.0-0
+
+# Upgrade pip
+RUN python3 -m pip install --upgrade pip
+
+# Install PyTorch and torchvision
+RUN pip3 install torch -f https://download.pytorch.org/whl/cu123/torch_stable.html
+
+# Set the working directory
+WORKDIR /app
+
+# Set the entrypoint
+ENTRYPOINT [ "python3" ]

nextflow-base-images/gen3-cuda-12.3-ubuntu22.04-openssl/Dockerfile

@@ -0,0 +1,36 @@
+# Use the specified base image
+FROM nvcr.io/nvidia/cuda:12.3.1-base-ubuntu22.04
+
+RUN apt-get purge -y --auto-remove openssl && apt-get autoremove && apt-get autoclean
+
+RUN apt-get update && apt-get -y upgrade && apt install -y wget
+
+RUN apt install -y build-essential && \
+    apt-get install -y python3 && \
+    apt-get install -y python3-pip
+
+# install openssl 3.0.8 as it is required for FIPS compliance.
+WORKDIR /tmp
+RUN wget https://www.openssl.org/source/openssl-3.0.8.tar.gz && \
+    tar -xzvf openssl-3.0.8.tar.gz && \
+    rm openssl-3.0.8.tar.gz
+
+WORKDIR /tmp/openssl-3.0.8
+RUN ./Configure enable-fips && \
+    make && \
+    make install
+
+# Changing adding `/usr/local/lib` as a prefix to LD_LIBRARY_PATH will
+# give precedence to OpenSSL 3.0.8 library files over the 3.0.2
+ENV LD_LIBRARY_PATH=/usr/local/lib:/usr/local/lib64:$LD_LIBRARY_PATH
+
+# Make config changes ti ensure FIPS compliance
+RUN sed -i 's$# .include fipsmodule.cnf$.include /usr/local/ssl/fipsmodule.cnf$g' /usr/local/ssl/openssl.cnf
+RUN sed -i 's$providers = provider_sect$providers = provider_sect\nalg_section = algorithm_sect$g' /usr/local/ssl/openssl.cnf
+RUN sed -i 's$# fips = fips_sect$fips = fips_sect$g' /usr/local/ssl/openssl.cnf
+RUN sed -i -e 's$# activate = 1$activate = 1 \n\n[algorithm_sect]\ndefault_properties = fips=yes$g' /usr/local/ssl/openssl.cnf
+
+
+# Clean up the temporary directory
+WORKDIR /
+RUN rm -rf /tmp/openssl-3.0.8