FROM ubuntu:22.04
LABEL github="https://github.com/mlcommons/GaNDLF"
LABEL docs="https://mlcommons.github.io/GaNDLF/"
LABEL version=1.0
# ARG SETUPTOOLS_USE_DISTUTILS=local
ARG DEBIAN_FRONTEND=noninteractive

# Install fresh Python and dependencies for build-from-source
RUN apt-get update && apt-get install -y software-properties-common
RUN add-apt-repository ppa:deadsnakes/ppa
RUN apt install -y python3.11 
RUN apt install -y libpython3.11-dev 
RUN apt install -y libpython3.11 
# RUN apt install -y python-distutils-extra
RUN apt install -y python3.11-venv 
# RUN apt install -y python-setuptools
RUN apt install -y python3-pip
RUN apt-get install -y libjpeg8-dev zlib1g-dev libffi-dev libgl1
# fix pip version because of weird PyYAML issue
RUN python3.11 -m pip install --upgrade pip
# EXPLICITLY install cpu versions of torch/torchvision (not all versions have +cpu modes on PyPI...)
RUN python3.11 -m pip install torch==2.5.0 torchvision==0.20.0 torchaudio==2.5.0 --index-url https://download.pytorch.org/whl/cpu
RUN python3.11 -m pip install openvino-dev opencv-python-headless

# Do some dependency installation separately here to make layer caching more efficient
COPY ./setup.py ./setup.py
RUN python3.11 -c "from setup import requirements; file = open('requirements.txt', 'w'); file.writelines([req + '\n' for req in requirements]); file.close()" \
  && python3.11 -m pip install -r ./requirements.txt

COPY . /GaNDLF
WORKDIR /GaNDLF
RUN python3.11 -m pip install -e .
# Entrypoint forces all commands given via "docker run" to go through python, CMD forces the default entrypoint script argument to be gandlf run
# If a user calls "docker run gandlf:[tag] anonymize", it will resolve to running "gandlf anonymize" instead.
# CMD is inherently overridden by args to "docker run", entrypoint is constant.
ENTRYPOINT gandlf
CMD run

# The below force the container commands to run as a nonroot user with UID > 10000.
# This greatly reduces UID collision probability between container and host, helping prevent privilege escalation attacks.
# As a side benefit this also decreases the likelihood that users on a cluster won't be able to access their files.
# See https://github.com/hexops/dockerfile as a best practices guide.
#RUN addgroup --gid 10001 --system nonroot \
# && adduser --uid 10000 --system --ingroup nonroot --home /home/nonroot nonroot
#
#USER nonroot

# Prepare the container for possible model embedding later.
RUN mkdir /embedded_model
