diff --git a/Dockerfile b/Dockerfile index c140981..cbe4508 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,9 +1,153 @@ -FROM nfcore/base -MAINTAINER ATACFlow Team @ RMGCH-18 -LABEL authors="evanfloden@gmail.com" \ - description="Docker image containing all requirements for NCBI-Hackathons/ATACFlow pipeline" +#FROM nfcore/base +#MAINTAINER ATACFlow Team @ RMGCH-18 +#LABEL authors="evanfloden@gmail.com" \ +# description="Docker image containing all requirements for NCBI-Hackathons/ATACFlow pipeline" +#RUN pip install dastk --user +#COPY environment.yml / +#RUN conda env create -f /environment.yml && conda clean -a +#ENV PATH /opt/conda/envs/ncbihackathons-atacflow-0.1.0/bin:$PATH +# Copyright (c) Jupyter Development Team. +# Distributed under the terms of the Modified BSD License. -RUN pip install dastk --user +# Ubuntu 16.04 (xenial) from 2018-02-28 +# https://github.com/docker-library/official-images/commit/8728671fdca3dfc029be4ab838ab5315aa125181 +FROM ubuntu:xenial-20180228@sha256:e348fbbea0e0a0e73ab0370de151e7800684445c509d46195aef73e090a49bd6 + +LABEL maintainer="Steve Tsa " + +USER root + +# Install all OS dependencies for notebook server that starts but lacks all +# features (e.g., download as all possible file formats) +ENV DEBIAN_FRONTEND noninteractive +RUN apt-get update && apt-get -yq dist-upgrade \ + && apt-get install -yq --no-install-recommends \ + wget \ + bzip2 \ + ca-certificates \ + sudo \ + locales \ + fonts-liberation \ + git \ + curl \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +RUN echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && \ + locale-gen + +# Install Tini +RUN wget --quiet https://github.com/krallin/tini/releases/download/v0.10.0/tini && \ + echo "1361527f39190a7338a0b434bd8c88ff7233ce7b9a4876f3315c22fce7eca1b0 *tini" | sha256sum -c - && \ + mv tini /usr/local/bin/tini && \ + chmod +x /usr/local/bin/tini + +# Configure environment +ENV CONDA_DIR=/opt/conda \ + SHELL=/bin/bash \ + NB_USER=jovyan \ + NB_UID=1000 \ + NB_GID=100 \ + LC_ALL=en_US.UTF-8 \ + LANG=en_US.UTF-8 \ + LANGUAGE=en_US.UTF-8 +ENV PATH=$CONDA_DIR/bin:$PATH \ + HOME=/home/$NB_USER + +ADD fix-permissions /usr/local/bin/fix-permissions +# Create jovyan user with UID=1000 and in the 'users' group +# and make sure these dirs are writable by the `users` group. +RUN useradd -m -s /bin/bash -N -u $NB_UID $NB_USER && \ + mkdir -p $CONDA_DIR && \ + chown $NB_USER:$NB_GID $CONDA_DIR && \ + chmod g+w /etc/passwd /etc/group && \ + fix-permissions $HOME && \ + fix-permissions $CONDA_DIR + +USER $NB_UID + +# Setup work directory for backward-compatibility +RUN mkdir /home/$NB_USER/work && \ + fix-permissions /home/$NB_USER + +# Install conda as jovyan and check the md5 sum provided on the download site +ENV MINICONDA_VERSION 4.4.10 +RUN cd /tmp && \ + wget --quiet https://repo.continuum.io/miniconda/Miniconda3-${MINICONDA_VERSION}-Linux-x86_64.sh && \ + echo "bec6203dbb2f53011e974e9bf4d46e93 *Miniconda3-${MINICONDA_VERSION}-Linux-x86_64.sh" | md5sum -c - && \ + /bin/bash Miniconda3-${MINICONDA_VERSION}-Linux-x86_64.sh -f -b -p $CONDA_DIR && \ + rm Miniconda3-${MINICONDA_VERSION}-Linux-x86_64.sh && \ + $CONDA_DIR/bin/conda config --system --prepend channels conda-forge && \ + $CONDA_DIR/bin/conda config --system --set auto_update_conda false && \ + $CONDA_DIR/bin/conda config --system --set show_channel_urls true && \ + $CONDA_DIR/bin/conda update --all --quiet --yes && \ + conda clean -tipsy && \ + rm -rf /home/$NB_USER/.cache/yarn && \ + fix-permissions $CONDA_DIR && \ + fix-permissions /home/$NB_USER + +# Install Jupyter Notebook and Hub +RUN conda install --quiet --yes \ + 'notebook=5.4.*' \ + 'jupyterhub=0.8.*' \ + 'jupyterlab=0.32.*' && \ + conda clean -tipsy && \ + jupyter labextension install @jupyterlab/hub-extension@^0.8.1 && \ + npm cache clean --force && \ + rm -rf $CONDA_DIR/share/jupyter/lab/staging && \ + rm -rf /home/$NB_USER/.cache/yarn && \ + fix-permissions $CONDA_DIR && \ + fix-permissions /home/$NB_USER + +USER root + +##### Tools needed for the NextFlow ATACSeq Workflow +RUN pip install dastk +RUN pip install --upgrade --force-reinstall git+https://github.com/nf-core/tools.git +WORKDIR /home/$NB_USER/work +RUN chmod -R 777 /home/$NB_USER/work +#RUN conda install -n base conda +#RUN pip install --upgrade --force-reinstall git+https://github.com/nf-core/tools.git COPY environment.yml / RUN conda env create -f /environment.yml && conda clean -a ENV PATH /opt/conda/envs/ncbihackathons-atacflow-0.1.0/bin:$PATH +RUN curl -s https://get.nextflow.io | bash +RUN cp nextflow /usr/local/bin/. + +RUN git clone https://github.com/NCBI-Hackathons/ATACFlow.git +RUN fix-permissions /home/$NB_USER +RUN fix-permissions $CONDA_DIR + +### Graphviz installation +#RUN conda install -c anaconda graphviz - failed +#RUN apt-get install -y + +#WORKDIR /opt/ +#RUN wget https://graphviz.gitlab.io/pub/graphviz/stable/SOURCES/graphviz.tar.gz +#RUN tar xvzf graphviz-2.40.1.tar.gz +#WORKDIR /opt/graphviz-2.40.1 +#RUN ./configure +#RUN make +#RUN make install +RUN pip install graphviz +######### + +USER root +RUN chmod 777 /usr/local/bin/nextflow +EXPOSE 8888 + +# Configure container startup +ENTRYPOINT ["tini", "--"] +CMD ["start-notebook.sh"] + +# Add local files as late as possible to avoid cache busting +COPY start.sh /usr/local/bin/ +COPY start-notebook.sh /usr/local/bin/ +COPY start-singleuser.sh /usr/local/bin/ +COPY jupyter_notebook_config.py /etc/jupyter/ +RUN fix-permissions /etc/jupyter/ + +# Switch back to jovyan to avoid accidental container runs as root +USER $NB_UID +ENV USER $NB_USER + diff --git a/fix-permissions b/fix-permissions new file mode 100755 index 0000000..c3992d7 --- /dev/null +++ b/fix-permissions @@ -0,0 +1,35 @@ +#!/bin/bash +# set permissions on a directory +# after any installation, if a directory needs to be (human) user-writable, +# run this script on it. +# It will make everything in the directory owned by the group $NB_GID +# and writable by that group. +# Deployments that want to set a specific user id can preserve permissions +# by adding the `--group-add users` line to `docker run`. + +# uses find to avoid touching files that already have the right permissions, +# which would cause massive image explosion + +# right permissions are: +# group=$NB_GID +# AND permissions include group rwX (directory-execute) +# AND directories have setuid,setgid bits set + +set -e + +for d in $@; do + find "$d" \ + ! \( \ + -group $NB_GID \ + -a -perm -g+rwX \ + \) \ + -exec chgrp $NB_GID {} \; \ + -exec chmod g+rwX {} \; + # setuid,setgid *on directories only* + find "$d" \ + \( \ + -type d \ + -a ! -perm -6000 \ + \) \ + -exec chmod +6000 {} \; +done diff --git a/jupyter_notebook_config.py b/jupyter_notebook_config.py new file mode 100644 index 0000000..ef9c24b --- /dev/null +++ b/jupyter_notebook_config.py @@ -0,0 +1,39 @@ +# Copyright (c) Jupyter Development Team. +# Distributed under the terms of the Modified BSD License. + +from jupyter_core.paths import jupyter_data_dir +import subprocess +import os +import errno +import stat + +c = get_config() +c.NotebookApp.ip = '*' +c.NotebookApp.port = 8888 +c.NotebookApp.open_browser = False + +# https://github.com/jupyter/notebook/issues/3130 +c.FileContentsManager.delete_to_trash = False + +# Generate a self-signed certificate +if 'GEN_CERT' in os.environ: + dir_name = jupyter_data_dir() + pem_file = os.path.join(dir_name, 'notebook.pem') + try: + os.makedirs(dir_name) + except OSError as exc: # Python >2.5 + if exc.errno == errno.EEXIST and os.path.isdir(dir_name): + pass + else: + raise + # Generate a certificate if one doesn't exist on disk + subprocess.check_call(['openssl', 'req', '-new', + '-newkey', 'rsa:2048', + '-days', '365', + '-nodes', '-x509', + '-subj', '/C=XX/ST=XX/L=XX/O=generated/CN=generated', + '-keyout', pem_file, + '-out', pem_file]) + # Restrict access to the file + os.chmod(pem_file, stat.S_IRUSR | stat.S_IWUSR) + c.NotebookApp.certfile = pem_file diff --git a/ls b/ls new file mode 100755 index 0000000..c3992d7 --- /dev/null +++ b/ls @@ -0,0 +1,35 @@ +#!/bin/bash +# set permissions on a directory +# after any installation, if a directory needs to be (human) user-writable, +# run this script on it. +# It will make everything in the directory owned by the group $NB_GID +# and writable by that group. +# Deployments that want to set a specific user id can preserve permissions +# by adding the `--group-add users` line to `docker run`. + +# uses find to avoid touching files that already have the right permissions, +# which would cause massive image explosion + +# right permissions are: +# group=$NB_GID +# AND permissions include group rwX (directory-execute) +# AND directories have setuid,setgid bits set + +set -e + +for d in $@; do + find "$d" \ + ! \( \ + -group $NB_GID \ + -a -perm -g+rwX \ + \) \ + -exec chgrp $NB_GID {} \; \ + -exec chmod g+rwX {} \; + # setuid,setgid *on directories only* + find "$d" \ + \( \ + -type d \ + -a ! -perm -6000 \ + \) \ + -exec chmod +6000 {} \; +done diff --git a/start-notebook.sh b/start-notebook.sh new file mode 100755 index 0000000..d9de07c --- /dev/null +++ b/start-notebook.sh @@ -0,0 +1,16 @@ +#!/bin/bash +# Copyright (c) Jupyter Development Team. +# Distributed under the terms of the Modified BSD License. + +set -e + +if [[ ! -z "${JUPYTERHUB_API_TOKEN}" ]]; then + # launched by JupyterHub, use single-user entrypoint + exec /usr/local/bin/start-singleuser.sh $* +else + if [[ ! -z "${JUPYTER_ENABLE_LAB}" ]]; then + . /usr/local/bin/start.sh jupyter lab $* + else + . /usr/local/bin/start.sh jupyter notebook $* + fi +fi diff --git a/start-singleuser.sh b/start-singleuser.sh new file mode 100755 index 0000000..09c1d69 --- /dev/null +++ b/start-singleuser.sh @@ -0,0 +1,43 @@ +#!/bin/bash +# Copyright (c) Jupyter Development Team. +# Distributed under the terms of the Modified BSD License. + +set -e + +# set default ip to 0.0.0.0 +if [[ "$NOTEBOOK_ARGS $@" != *"--ip="* ]]; then + NOTEBOOK_ARGS="--ip=0.0.0.0 $NOTEBOOK_ARGS" +fi + +# handle some deprecated environment variables +# from DockerSpawner < 0.8. +# These won't be passed from DockerSpawner 0.9, +# so avoid specifying --arg=empty-string +if [ ! -z "$NOTEBOOK_DIR" ]; then + NOTEBOOK_ARGS="--notebook-dir='$NOTEBOOK_DIR' $NOTEBOOK_ARGS" +fi +if [ ! -z "$JPY_PORT" ]; then + NOTEBOOK_ARGS="--port=$JPY_PORT $NOTEBOOK_ARGS" +fi +if [ ! -z "$JPY_USER" ]; then + NOTEBOOK_ARGS="--user=$JPY_USER $NOTEBOOK_ARGS" +fi +if [ ! -z "$JPY_COOKIE_NAME" ]; then + NOTEBOOK_ARGS="--cookie-name=$JPY_COOKIE_NAME $NOTEBOOK_ARGS" +fi +if [ ! -z "$JPY_BASE_URL" ]; then + NOTEBOOK_ARGS="--base-url=$JPY_BASE_URL $NOTEBOOK_ARGS" +fi +if [ ! -z "$JPY_HUB_PREFIX" ]; then + NOTEBOOK_ARGS="--hub-prefix=$JPY_HUB_PREFIX $NOTEBOOK_ARGS" +fi +if [ ! -z "$JPY_HUB_API_URL" ]; then + NOTEBOOK_ARGS="--hub-api-url=$JPY_HUB_API_URL $NOTEBOOK_ARGS" +fi +if [ ! -z "$JUPYTER_ENABLE_LAB" ]; then + NOTEBOOK_BIN="jupyter labhub" +else + NOTEBOOK_BIN=jupyterhub-singleuser +fi + +. /usr/local/bin/start.sh $NOTEBOOK_BIN $NOTEBOOK_ARGS $@ diff --git a/start.sh b/start.sh new file mode 100755 index 0000000..3cde610 --- /dev/null +++ b/start.sh @@ -0,0 +1,136 @@ +#!/bin/bash +# Copyright (c) Jupyter Development Team. +# Distributed under the terms of the Modified BSD License. + +set -e + +# Exec the specified command or fall back on bash +if [ $# -eq 0 ]; then + cmd=bash +else + cmd=$* +fi + +for f in /usr/local/bin/start-notebook.d/*; do + case "$f" in + *.sh) + echo "$0: running $f"; . "$f" + ;; + *) + if [ -x $f ]; then + echo "$0: running $f" + $f + else + echo "$0: ignoring $f" + fi + ;; + esac + echo +done +# Handle special flags if we're root +if [ $(id -u) == 0 ] ; then + + # Only attempt to change the jovyan username if it exists + if id jovyan &> /dev/null ; then + echo "Set username to: $NB_USER" + usermod -d /home/$NB_USER -l $NB_USER jovyan + fi + + # Handle case where provisioned storage does not have the correct permissions by default + # Ex: default NFS/EFS (no auto-uid/gid) + if [[ "$CHOWN_HOME" == "1" || "$CHOWN_HOME" == 'yes' ]]; then + echo "Changing ownership of /home/$NB_USER to $NB_UID:$NB_GID" + chown $CHOWN_HOME_OPTS $NB_UID:$NB_GID /home/$NB_USER + fi + if [ ! -z "$CHOWN_EXTRA" ]; then + for extra_dir in $(echo $CHOWN_EXTRA | tr ',' ' '); do + chown $CHOWN_EXTRA_OPTS $NB_UID:$NB_GID $extra_dir + done + fi + + # handle home and working directory if the username changed + if [[ "$NB_USER" != "jovyan" ]]; then + # changing username, make sure homedir exists + # (it could be mounted, and we shouldn't create it if it already exists) + if [[ ! -e "/home/$NB_USER" ]]; then + echo "Relocating home dir to /home/$NB_USER" + mv /home/jovyan "/home/$NB_USER" + fi + # if workdir is in /home/jovyan, cd to /home/$NB_USER + if [[ "$PWD/" == "/home/jovyan/"* ]]; then + newcwd="/home/$NB_USER/${PWD:13}" + echo "Setting CWD to $newcwd" + cd "$newcwd" + fi + fi + + # Change UID of NB_USER to NB_UID if it does not match + if [ "$NB_UID" != $(id -u $NB_USER) ] ; then + echo "Set $NB_USER UID to: $NB_UID" + usermod -u $NB_UID $NB_USER + fi + + # Add NB_USER to NB_GID if it's not the default group + if [ "$NB_GID" != $(id -g $NB_USER) ] ; then + echo "Add $NB_USER to group: $NB_GID" + groupadd -g $NB_GID -o $NB_USER + usermod -a -G $NB_GID $NB_USER + fi + + # Enable sudo if requested + if [[ "$GRANT_SUDO" == "1" || "$GRANT_SUDO" == 'yes' ]]; then + echo "Granting $NB_USER sudo access and appending $CONDA_DIR/bin to sudo PATH" + echo "$NB_USER ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/notebook + fi + + # Add $CONDA_DIR/bin to sudo secure_path + sed -r "s#Defaults\s+secure_path=\"([^\"]+)\"#Defaults secure_path=\"\1:$CONDA_DIR/bin\"#" /etc/sudoers | grep secure_path > /etc/sudoers.d/path + + # Exec the command as NB_USER with the PATH and the rest of + # the environment preserved + echo "Executing the command: $cmd" + exec sudo -E -H -u $NB_USER PATH=$PATH XDG_CACHE_HOME=/home/$NB_USER/.cache PYTHONPATH=$PYTHONPATH $cmd +else + if [[ "$NB_UID" == "$(id -u jovyan)" && "$NB_GID" == "$(id -g jovyan)" ]]; then + # User is not attempting to override user/group via environment + # variables, but they could still have overridden the uid/gid that + # container runs as. Check that the user has an entry in the passwd + # file and if not add an entry. + whoami &> /dev/null || STATUS=$? && true + if [[ "$STATUS" != "0" ]]; then + if [[ -w /etc/passwd ]]; then + echo "Adding passwd file entry for $(id -u)" + cat /etc/passwd | sed -e "s/^jovyan:/nayvoj:/" > /tmp/passwd + echo "jovyan:x:$(id -u):$(id -g):,,,:/home/jovyan:/bin/bash" >> /tmp/passwd + cat /tmp/passwd > /etc/passwd + rm /tmp/passwd + else + echo 'Container must be run with group "root" to update passwd file' + fi + fi + + # Warn if the user isn't going to be able to write files to $HOME. + if [[ ! -w /home/jovyan ]]; then + echo 'Container must be run with group "users" to update files' + fi + else + # Warn if looks like user want to override uid/gid but hasn't + # run the container as root. + if [[ ! -z "$NB_UID" && "$NB_UID" != "$(id -u)" ]]; then + echo 'Container must be run as root to set $NB_UID' + fi + if [[ ! -z "$NB_GID" && "$NB_GID" != "$(id -g)" ]]; then + echo 'Container must be run as root to set $NB_GID' + fi + fi + + # Warn if looks like user want to run in sudo mode but hasn't run + # the container as root. + if [[ "$GRANT_SUDO" == "1" || "$GRANT_SUDO" == 'yes' ]]; then + echo 'Container must be run as root to grant sudo permissions' + fi + + # Execute the command + echo "Executing the command: $cmd" + exec $cmd +fi