# hadolint global ignore=DL3006,DL3013,DL3018,DL3041,DL3059
# -------------------- base -------------------- #
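FROM redhat/ubi9-minimal AS base
# Common base for every stage: disables weak dependencies, enables EPEL,
# applies pending package updates and installs libsodium.
# NOTE(review): the base image is referenced without a tag or digest, so each
# build may resolve to a different image; pin a tag and digest for reproducibility.
# NOTE(review): the EPEL release RPM comes from a moving "latest" URL and is
# installed without an explicit signature or checksum check; consider importing
# the EPEL signing key and verifying the package (rpm -K) before installing it.
# curl -f makes an HTTP error fail the step instead of saving the error page
# under the .rpm name; -sS keeps the log quiet but still prints errors.
RUN echo install_weak_deps=0 >> /etc/dnf/dnf.conf && \
    curl -fsSO https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
    rpm -ivh ./*.rpm && \
    rm -f ./*.rpm && \
    microdnf upgrade -y && \
    microdnf install -y \
        libsodium && \
    microdnf clean all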
# -------------------- go -------------------- #
FROM base AS go
# Go toolchain and git, shared by the stages that build Go projects from source.
RUN microdnf install -y \
        git-core \
        go-toolset \
    && microdnf clean all
# Stages derived from this one clone and build inside /build.
WORKDIR /build
# -------------------- sfgwas -------------------- #
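FROM go AS sfgwas
# Builds sfgwas at a pinned commit and leaves an empty cache/ directory next to it.
# The clone is deliberately not shallow: with --depth 1 only the branch tip is
# fetched, so the pinned checkout fails as soon as upstream moves past f604681.
# NOTE(review): f604681 is an abbreviated hash; pin the full 40-character commit
# ID so the revision cannot become ambiguous.
RUN git clone https://github.com/hcholab/sfgwas . && \
    git checkout f604681 && \
    go build && \
    mkdir cache && \
    rm -rf .git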
# -------------------- sf-relate -------------------- #
FROM go AS sf-relate
# Builds sf-relate at a pinned commit; `go test -c -o sf-relate` additionally
# compiles the package's test binary to ./sf-relate. Git metadata is dropped last.
# NOTE(review): 9d1a076 is an abbreviated hash; prefer the full commit ID.
RUN git clone https://github.com/froelich/sf-relate . \
    && git checkout 9d1a076 \
    && go get relativeMatch \
    && go build \
    && go test -c -o sf-relate \
    && rm -rf .git
# -------------------- sfkit-proxy -------------------- #
FROM go AS sfkit-proxy
# bash with -e and pipefail: a failure on either side of the pipe below fails the stage.
SHELL ["/bin/bash", "-eo", "pipefail", "-c"]
# Builds sfkit-proxy at a pinned commit, then gates the stage on FIPS: grep exits
# non-zero unless fips-detect reports the binary as a FIPS-capable Go binary.
# NOTE(review): fips-detect is fetched without a version, so the tool that
# performs this check can change between builds; consider pinning it.
RUN git clone https://github.com/hcholab/sfkit-proxy . \
    && git checkout f8e25f2 \
    && go build \
    && go get github.com/acardace/fips-detect \
    && go run github.com/acardace/fips-detect sfkit-proxy \
        | grep -E 'FIPS-capable Go binary.*Yes'
# -------------------- dev -------------------- #
# Parent stage for the non-Go build stages (plink2, cpp, sfkit): the base image
# with /build as its working directory.
FROM base AS dev
WORKDIR /build
# -------------------- plink2 -------------------- #
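FROM dev AS plink2
# Target micro-architecture; "native" means "decide from the build host's CPU flags".
ARG MARCH=native
# ARCH becomes "avx2" when MARCH is x86-64-v3, or when MARCH is native and the
# build host advertises avx2 in /proc/cpuinfo; otherwise it is "x86_64".
# curl -f makes an HTTP error fail the step instead of saving the error body as
# plink2.zip; -sS keeps the log quiet but still prints errors.
# NOTE(review): the "_latest" archive is a moving target downloaded without a
# checksum, and the extracted binary is shipped in the final image; pin a
# specific release and verify its digest before unzipping.
RUN microdnf install -y unzip && \
    microdnf clean all && \
    ARCH=$(grep -q avx2 /proc/cpuinfo && [ "${MARCH}" = "native" ] || [ "${MARCH}" = "x86-64-v3" ] && echo "avx2" || echo "x86_64") && \
    curl -fsSo plink2.zip "https://s3.amazonaws.com/plink2-assets/plink2_linux_${ARCH}_latest.zip" && \
    unzip plink2.zip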
# -------------------- c++ & ntl -------------------- #
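FROM dev AS cpp
# C++ toolchain and development headers used to build NTL and the projects
# derived from this stage.
RUN microdnf install -y \
        clang \
        git-core \
        gmp-devel \
        libsodium-devel \
        openssl-devel \
        perl \
        tar \
    && microdnf clean all
# bash with -e and pipefail so a failed download in the curl | tar pipe fails the build.
SHELL ["/bin/bash", "-eo", "pipefail", "-c"]
WORKDIR /ntl
# Unpack NTL 10.3.0, then overwrite ZZ.h and ZZ.cpp with the modified copies
# kept in the secure-gwas repository.
# curl -f makes an HTTP error fail the step; without it the error body would be
# written into the header/source file and only surface later as a compile error.
# NOTE(review): the NTL tarball is not checked against a known digest, and the
# two replacement files track the mutable master branch rather than a commit;
# pin both so the cryptographic arithmetic code cannot change silently.
RUN curl -fsSo- https://libntl.org/ntl-10.3.0.tar.gz | tar -C /ntl -zxvf- --strip-components=1 && \
    NTL_MOD_URL="https://raw.githubusercontent.com/hcholab/secure-gwas/refs/heads/master/code/NTL_mod" && \
    curl -fsS "${NTL_MOD_URL}/ZZ.h" -o /ntl/include/NTL/ZZ.h && \
    curl -fsS "${NTL_MOD_URL}/ZZ.cpp" -o /ntl/src/ZZ.cpp
# Passed to -march; with the default "native" the compiler targets the build host's CPU.
ARG MARCH=native
WORKDIR /ntl/src
# Configure with NTL_THREAD_BOOST, build with one job per CPU and install.
RUN ./configure NTL_THREAD_BOOST=on CXXFLAGS="-g -O2 -march=${MARCH}" && \
    make "-j$(nproc)" all && \
    make install
# Derived stages clone their sources into /build.
WORKDIR /build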
# -------------------- secure-dti -------------------- #
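FROM cpp AS secure-dti
# Fetch secure-dti at a pinned commit and drop the git metadata.
# The clone is deliberately not shallow: with --depth 1 only the branch tip is
# fetched, so the pinned checkout fails as soon as upstream moves past 9c040f1.
# NOTE(review): 9c040f1 is an abbreviated hash; prefer the full commit ID.
RUN git clone https://github.com/hcholab/secure-dti . && \
    git checkout 9c040f1 && \
    rm -rf .git
WORKDIR /build/mpc/code
# Redeclared so ${MARCH} below resolves even on builders that do not carry an
# ARG over from the parent stage (an empty value would produce "-march= -maes").
ARG MARCH=native
# Patch the Makefile to use clang++, the /usr/local include and library paths,
# the requested -march (plus -maes) and C++14; add <stdint.h> at line 5 of
# param.h; then build and remove the build, include and lib directories.
RUN sed -i "s|^CPP.*$|CPP = /usr/bin/clang++|g" Makefile && \
    sed -i "s|^INCPATHS.*$|INCPATHS = -I/usr/local/include|g" Makefile && \
    sed -i "s|^LDPATH.*$|LDPATH = -L/usr/local/lib|g" Makefile && \
    sed -i "s|-march=native|-march=${MARCH} -maes|g" Makefile && \
    sed -i "s|c++11|c++14|g" Makefile && \
    sed -i '5i#include <stdint.h>' param.h && \
    make "-j$(nproc)" && \
    rm -rf build include lib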
# -------------------- secure-gwas -------------------- #
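FROM cpp AS secure-gwas
# Fetch secure-gwas at a pinned commit and drop the git metadata.
# The clone is deliberately not shallow: with --depth 1 only the branch tip is
# fetched, so the pinned checkout fails as soon as upstream moves past d4c6dbc.
# NOTE(review): d4c6dbc is an abbreviated hash; prefer the full commit ID.
RUN git clone https://github.com/hcholab/secure-gwas . && \
    git checkout d4c6dbc && \
    rm -rf .git
WORKDIR /build/code
# Redeclared so ${MARCH} below resolves even on builders that do not carry an
# ARG over from the parent stage (an empty value would produce "-march= -maes").
ARG MARCH=native
# Point the Makefile at /usr/local/lib and the requested -march (plus -maes),
# build with one job per CPU, then remove the build directory.
RUN sed -i "s|^LDPATH.*$|LDPATH = -L/usr/local/lib|g" Makefile && \
    sed -i "s|-march=native|-march=${MARCH} -maes|g" Makefile && \
    make "-j$(nproc)" && \
    rm -rf build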
# -------------------- sfkit package -------------------- #
# Builds, lints and tests the sfkit Python package, then produces its wheel.
FROM dev AS sfkit
# Disable pip's download cache for every pip call in this stage.
ENV PIP_NO_CACHE_DIR=1
# NOTE(review): poetry is installed without a version pin, so the build tool
# itself can change between builds.
RUN microdnf install -y python3-pip && \
microdnf clean all && \
pip install poetry
# Copies the entire build context into /build.
# NOTE(review): confirm a .dockerignore keeps .git, .env and other local or
# secret files out of the context.
COPY . .
RUN poetry install --only main,dev
# Blocking lint: only the selected error classes (E9, F63, F7, F82) are checked,
# and any hit fails the build.
RUN poetry run flake8 . --count --select=E9,F63,F7,F82 --show-source --statistics --exclude .venv
# Advisory lint: --exit-zero means findings are reported but never fail the build.
RUN poetry run flake8 . --count --exit-zero --max-complexity=10 --max-line-length=127 --statistics --exclude .venv
RUN poetry run pytest
RUN poetry build -f wheel
# Re-sync the environment to the main group only; presumably this strips the
# dev dependencies from the .venv before the final stage copies it - confirm.
RUN poetry install --only main --sync
# -------------------- final image -------------------- #
FROM base
WORKDIR /sfkit
# Runtime environment; the bundled tool directories are appended to PATH.
ENV OPENSSL_FORCE_FIPS_MODE=1 \
    PATH="$PATH:/sfkit:/sfkit/sfgwas:/sfkit/sf-relate" \
    PYTHONUNBUFFERED=TRUE \
    SFKIT_DIR="/sfkit/.sfkit" \
    SFKIT_PROXY_ON=TRUE
# Collect the artifacts produced by the build stages.
# NOTE(review): `nonroot` is only created by the RUN further down; confirm the
# builder in use can resolve --chown=nonroot at COPY time. If it cannot, the
# closing chown -R is what actually assigns ownership.
COPY --from=plink2 --chown=nonroot /build/plink2 ./
COPY --from=secure-dti --chown=nonroot /build ./secure-dti/
COPY --from=secure-gwas --chown=nonroot /build ./secure-gwas/
COPY --from=sfgwas --chown=nonroot /build ./sfgwas/
COPY --from=sf-relate --chown=nonroot /build ./sf-relate/
COPY --from=sfkit-proxy --chown=nonroot /build/*-proxy ./
# Python libraries from the sfkit stage's virtualenv, plus the built wheel.
COPY --from=sfkit /build/.venv/lib /usr/lib/
COPY --from=sfkit /build/.venv/lib64 /usr/lib64/
COPY --from=sfkit /build/dist/sfkit*.whl ./
# Install runtime packages and the wheel, remove pip again so it is not present
# at runtime, then create the unprivileged user and hand it /sfkit.
# NOTE(review): everything under /sfkit, executables included, ends up writable
# by the runtime user; restrict ownership to the paths that must be writable if
# the application allows it. A fixed numeric UID would also let orchestrators
# verify the non-root user.
RUN microdnf install -y \
        findutils \
        proxychains-ng \
        python3 \
        python3-pip \
    && pip install --no-cache-dir ./*.whl \
    && microdnf remove -y python3-pip \
    && microdnf clean all \
    && adduser nonroot \
    && chown -R nonroot:nonroot .
# Drop root before the entrypoint runs.
USER nonroot
ENTRYPOINT ["sfkit"]