├── .cramrc
├── tests
    ├── data
    │   ├── workdir-without-overlays.zip
    │   └── workdir-with-augur-auspice-overlays.zip
    ├── basic.t
    ├── aws-batch-endpoint-url.t
    ├── workdir.t
    ├── envdir.t
    ├── aws-batch-verbose.t
    ├── envdir-url.t
    └── aws-batch-workdir-url.t
├── chdir-workdir
├── .gitignore
├── devel
    ├── stop-localhost-registry
    ├── platform
    ├── pull-from-registry
    ├── start-localhost-registry
    ├── clean
    ├── validate-platforms
    ├── copy-images
    ├── build
    ├── summarize-buildkit-output
    └── delete-from-ghcr.js
├── drop-privs
├── bashrc
├── Makefile
├── .github
    ├── dependabot.yml
    └── workflows
    │   └── ci.yml
├── delete-envd
├── create-envd
├── entrypoint
├── entrypoint-aws-batch
├── README.md
└── Dockerfile


/.cramrc:
--------------------------------------------------------------------------------
1 | [cram]
2 | shell = /bin/bash
3 | indent = 2
4 | 


--------------------------------------------------------------------------------
/tests/data/workdir-without-overlays.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nextstrain/docker-base/HEAD/tests/data/workdir-without-overlays.zip


--------------------------------------------------------------------------------
/tests/data/workdir-with-augur-auspice-overlays.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/nextstrain/docker-base/HEAD/tests/data/workdir-with-augur-auspice-overlays.zip


--------------------------------------------------------------------------------
/chdir-workdir:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -euo pipefail
 3 | 
 4 | if [[ -n "${NEXTSTRAIN_WORKDIR:-}" ]]; then
 5 |     mkdir --parents "$NEXTSTRAIN_WORKDIR"
 6 |     cd "$NEXTSTRAIN_WORKDIR"
 7 | fi
 8 | 
 9 | exec "$@"
10 | 


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
 1 | /build/
 2 | /tests/*.err
 3 | /logs/
 4 | 
 5 | # OS generated files #
 6 | ######################
 7 | .DS_Store
 8 | .DS_Store?
 9 | ._*
10 | .Spotlight-V100
11 | .Trashes
12 | Icon?
13 | ehthumbs.db
14 | Thumbs.db
15 | 


--------------------------------------------------------------------------------
/devel/stop-localhost-registry:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | #
 3 | # Stops a local Docker registry created by start-localhost-registry.
 4 | #
 5 | set -euo pipefail
 6 | 
 7 | NAME=nextstrain-local-registry
 8 | 
 9 | docker stop "$NAME" > /dev/null
10 | docker rm "$NAME" > /dev/null
11 | 


--------------------------------------------------------------------------------
/drop-privs:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -euo pipefail
 3 | 
 4 | if [[ "$(id -u):$(id -g)" == 0:0 ]]; then
 5 |     # Drop down to nextstrain:nextstrain if we're root.
 6 |     exec setpriv --reuid nextstrain --regid nextstrain --init-groups "$@"
 7 | else
 8 |     # Otherwise, respect privs set externally.
 9 |     exec "$@"
10 | fi
11 | 


--------------------------------------------------------------------------------
/bashrc:
--------------------------------------------------------------------------------
1 | # Note that this file is overridden by newer versions of `nextstrain shell` and
2 | # so it provides only a fallback prompt for users of older CLI versions or
3 | # direct image users (e.g. `docker run …`).
4 | reset="\[\e[0m\]"
5 | bold="\[\e[1m\]"
6 | magenta="\[\e[35m\]"
7 | PS1="${bold}nextstrain:${magenta}\w${reset} ${bold}\$ ${reset}"
8 | unset reset bold magenta
9 | 


--------------------------------------------------------------------------------
/Makefile:
--------------------------------------------------------------------------------
 1 | SHELL := bash -euo pipefail
 2 | 
 3 | .PHONY: local-image test
 4 | 
 5 | local-image:
 6 | 	./devel/start-localhost-registry
 7 | 	./devel/build
 8 | 	
 9 | 	# Don't pull base-builder image since it's huge and not needed for local
10 | 	# inspection most of the time.
11 | 	docker image pull localhost:5000/nextstrain/base:latest
12 | 	
13 | 	./devel/stop-localhost-registry
14 | 
15 | test:
16 | 	rm -f tests/*.t.err
17 | 	cram -v tests/
18 | 
19 | clean:
20 | 	./devel/clean
21 | 


--------------------------------------------------------------------------------
/devel/platform:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | #
 3 | # Output the Docker platform matching the Docker server's (dockerd's)
 4 | # architecture.  This is usually the same as the current machine's (e.g. the
 5 | # host's, the Docker client's) architecture, but not always as the Docker
 6 | # server may be remote.
 7 | #
 8 | set -euo pipefail
 9 | 
10 | arch="$(docker info --format '{{.Architecture}}')"
11 | 
12 | case "$arch" in
13 |     x86_64)  echo linux/amd64;;
14 |     aarch64) echo linux/arm64;;
15 |     *)
16 |         echo "unsupported architecture: $arch" >&2
17 |         exit 1
18 | esac
19 | 


--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
 1 | # Dependabot configuration file
 2 | # <https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file>
 3 | #
 4 | # Each ecosystem is checked on a scheduled interval defined below.  To trigger
 5 | # a check manually, go to
 6 | #
 7 | #   https://github.com/nextstrain/docker-base/network/updates
 8 | #
 9 | # and look for a "Check for updates" button.  You may need to click around a
10 | # bit first.
11 | ---
12 | version: 2
13 | updates:
14 |   - package-ecosystem: "github-actions"
15 |     directory: "/"
16 |     schedule:
17 |       interval: "weekly"
18 | 


--------------------------------------------------------------------------------
/devel/pull-from-registry:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | #
 3 | # Pull the Nextstrain images from a Docker registry.
 4 | #
 5 | set -euo pipefail
 6 | 
 7 | # Set default values.
 8 | registry=localhost:5000
 9 | tag=latest
10 | 
11 | # Read command-line arguments.
12 | while getopts "r:t:" opt; do
13 |     case "$opt" in
14 |         r) registry="$OPTARG";;
15 |         t) tag="$OPTARG";;
16 |         *) echo "Usage: $0 [-r <registry>] [-t <tag>]" 1>&2; exit 1;;
17 |     esac
18 | done
19 | 
20 | BUILDER_BUILD_PLATFORM_IMAGE=nextstrain/base-builder-build-platform
21 | BUILDER_TARGET_PLATFORM_IMAGE=nextstrain/base-builder-target-platform
22 | FINAL_IMAGE=nextstrain/base
23 | 
24 | docker pull "$registry/$BUILDER_BUILD_PLATFORM_IMAGE:$tag"
25 | docker pull "$registry/$BUILDER_TARGET_PLATFORM_IMAGE:$tag"
26 | docker pull "$registry/$FINAL_IMAGE:$tag"
27 | 


--------------------------------------------------------------------------------
/delete-envd:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -euo pipefail
 3 | 
 4 | # Optionally remove the contents of /nextstrain/env.d (and any remote archive)
 5 | # so values remain only in process memory.  We don't remove /nextstrain/env.d
 6 | # itself because it might be mounted in from the host system and thus
 7 | # undeletable.
 8 | case "${NEXTSTRAIN_DELETE_ENVD:-}" in
 9 |     1|yes|true)
10 |         rm -rf /nextstrain/env.d/*
11 | 
12 |         if [[ -n "${NEXTSTRAIN_ENVD_URL:-}" ]]; then
13 |             case "$NEXTSTRAIN_ENVD_URL" in
14 |                 s3://*)
15 |                     aws s3 rm "$NEXTSTRAIN_ENVD_URL"
16 |                     ;;
17 |                 *)
18 |                     echo "delete-envd: No handler for NEXTSTRAIN_ENVD_URL <$NEXTSTRAIN_ENVD_URL>" >&2
19 |                     exit 1
20 |                     ;;
21 |             esac
22 |         fi
23 |         ;;
24 | esac
25 | 
26 | exec "$@"
27 | 


--------------------------------------------------------------------------------
/create-envd:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -euo pipefail
 3 | 
 4 | # Make an empty directory, at the least, so subsequent steps and programs can
 5 | # expect it.  Doing this at container run time instead of image build time
 6 | # means the permissions match the current process.  This is made possible by
 7 | # the intentionally open, /tmp-like permissions of /nextstrain.
 8 | mkdir -p /nextstrain/env.d
 9 | 
10 | # Populate env.d from a remote archive, if given.
11 | if [[ -n "${NEXTSTRAIN_ENVD_URL:-}" ]]; then
12 |     case "$NEXTSTRAIN_ENVD_URL" in
13 |         s3://*.zip)
14 |             aws s3 cp --no-progress "$NEXTSTRAIN_ENVD_URL" /nextstrain/env.d.zip
15 |             unzip -d /nextstrain/env.d{,.zip}
16 |             rm -v /nextstrain/env.d.zip
17 |             ;;
18 |         *)
19 |             echo "create-envd: No handler for NEXTSTRAIN_ENVD_URL <$NEXTSTRAIN_ENVD_URL>" >&2
20 |             exit 1
21 |             ;;
22 |     esac
23 | fi
24 | 
25 | exec "$@"
26 | 


--------------------------------------------------------------------------------
/devel/start-localhost-registry:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | #
 3 | # Starts a Docker registry on localhost using a Docker container.
 4 | #
 5 | set -euo pipefail
 6 | 
 7 | # Paths to use for registry data.
 8 | REPO="$(cd "$(dirname "$0")/.."; pwd)"
 9 | DATA="$REPO"/build/registry
10 | mkdir -p "$DATA"
11 | 
12 | # Port to run the registry on. If not provided, default to 5000.
13 | PORT="${1:-5000}"
14 | 
15 | # Name of the docker container.
16 | NAME=nextstrain-local-registry
17 | 
18 | # Docker image that provides the registry service.
19 | IMAGE=registry:2
20 | 
21 | if docker container inspect "$NAME" &>/dev/null; then
22 |     docker container start "$NAME"
23 | else
24 |     docker run \
25 |         --detach \
26 |         --publish 127.0.0.1:"$PORT":"$PORT" \
27 |         --restart always \
28 |         --name "$NAME" \
29 |         --volume "$DATA":/var/lib/registry \
30 |         --user "$(id -u):$(id -g)" \
31 |         "$IMAGE" \
32 |         > /dev/null
33 | fi
34 | 


--------------------------------------------------------------------------------
/tests/basic.t:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env cram
 2 | 
 3 | Setup.
 4 | 
 5 |   $ : "${IMAGE:=localhost:5000/nextstrain/base:latest}"
 6 |   $ (docker image inspect "$IMAGE" || docker image pull "$IMAGE") &>/dev/null
 7 | 
 8 | Default working directory.
 9 | 
10 |   $ docker run --rm "$IMAGE" pwd
11 |   /nextstrain/build
12 | 
13 | Default home directory.
14 | 
15 |   $ docker run --rm "$IMAGE" env | grep ^HOME=
16 |   HOME=/nextstrain
17 | 
18 | Drops default root privileges.
19 | 
20 |   $ docker run --rm "$IMAGE" id
21 |   uid=*(nextstrain) gid=*(nextstrain) groups=*(nextstrain) (glob)
22 | 
23 | Respects externally-set user/group.
24 | 
25 |   $ docker run --rm --user 1234:5678 "$IMAGE" id
26 |   uid=1234 gid=5678 groups=5678
27 | 
28 | /nextstrain has open, /tmp-like permissions.
29 | 
30 |   $ docker run --rm "$IMAGE" ls -ld /nextstrain
31 |   drwxrwxrwt * /nextstrain (glob)
32 | 
33 | /nextstrain/build is writable by default nextstrain user.
34 | 
35 |   $ docker run --rm "$IMAGE" touch /nextstrain/build/test
36 | 


--------------------------------------------------------------------------------
/tests/aws-batch-endpoint-url.t:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env cram
 2 | 
 3 | Setup.
 4 | 
 5 |   $ : "${IMAGE:=localhost:5000/nextstrain/base:latest}"
 6 |   $ (docker image inspect "$IMAGE" || docker image pull "$IMAGE") &>/dev/null
 7 | 
 8 |   $ export NEXTSTRAIN_AWS_BATCH_VERBOSE=1
 9 | 
10 | --endpoint-url is used when AWS_ENDPOINT_URL is available.
11 | 
12 |   $ export NEXTSTRAIN_AWS_BATCH_WORKDIR_URL="s3://dummy-value/dummy-value.zip"
13 |   $ export AWS_ENDPOINT_URL="https://custom-endpoint.example.com"
14 | 
15 |   $ docker run --rm --env=NEXTSTRAIN_AWS_BATCH_{WORKDIR_URL,VERBOSE} --env=AWS_ENDPOINT_URL "$IMAGE" \
16 |   >   /sbin/entrypoint-aws-batch true 2>&1 | grep --only-matching 'aws s3 cp --endpoint-url [^ ]*'
17 |   aws s3 cp --endpoint-url https://custom-endpoint.example.com
18 | 
19 | --endpoint-url is not used when AWS_ENDPOINT_URL is unavailable.
20 | 
21 |   $ docker run --rm --env=NEXTSTRAIN_AWS_BATCH_{WORKDIR_URL,VERBOSE} "$IMAGE" \
22 |   >   /sbin/entrypoint-aws-batch true 2>&1 | grep --only-matching 'aws s3 cp --no-progress [^ ]*'
23 |   aws s3 cp --no-progress s3://dummy-value/dummy-value.zip
24 | 


--------------------------------------------------------------------------------
/entrypoint:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -euo pipefail
 3 | 
 4 | if [[ $# -eq 0 ]]; then
 5 |     # If the container is run with no arguments, then print a message and exit.
 6 |     cut -c 9- <<<"
 7 |         This is the Nextstrain pathogen build container.  It has a complete
 8 |         Nextstrain environment installed which is normally accessed via the
 9 |         \`nextstrain\` command on your computer (not in the container).
10 |         
11 |         If you're seeing this message though, you're probably not using the
12 |         \`nextstrain\` command.  Welcome!  :-)
13 |         
14 |         The default container entrypoint will exec a command-line of your
15 |         choosing in the build environment.  You can use this functionality to
16 |         debug or develop Nextstrain pathogen builds and components.  Refer to
17 |         the source of the \`nextstrain\` command for examples.
18 |     "
19 | else
20 |     # Otherwise, exec chain into whatever command is provided.
21 |     exec \
22 |         drop-privs \
23 |         create-envd \
24 |         envdir /nextstrain/env.d \
25 |         delete-envd \
26 |         chdir-workdir \
27 |         "$@"
28 | fi
29 | 


--------------------------------------------------------------------------------
/tests/workdir.t:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env cram
 2 | 
 3 | Setup.
 4 | 
 5 |   $ : "${IMAGE:=localhost:5000/nextstrain/base:latest}"
 6 |   $ (docker image inspect "$IMAGE" || docker image pull "$IMAGE") &>/dev/null
 7 | 
 8 | NEXTSTRAIN_WORKDIR changes initial working directory.
 9 | 
10 |   $ docker run --rm --env=NEXTSTRAIN_WORKDIR=/nextstrain/augur "$IMAGE" \
11 |   >   bash -eu -c 'echo "$PWD"'
12 |   /nextstrain/augur
13 | 
14 |   $ docker run --rm --env=NEXTSTRAIN_WORKDIR=/nextstrain/augur -u 1234:5678 "$IMAGE" \
15 |   >   bash -eu -c 'echo "$PWD"'
16 |   /nextstrain/augur
17 | 
18 | Missing directories are created, like with the `--workdir` option of `docker run`.
19 | 
20 |   $ docker run --rm --env=NEXTSTRAIN_WORKDIR=/nextstrain/a/b/c "$IMAGE" \
21 |   >   bash -eu -c 'ls -ld "$PWD"'
22 |   drwxr-xr-x * nextstrain nextstrain * /nextstrain/a/b/c (glob)
23 | 
24 |   $ docker run --rm --env=NEXTSTRAIN_WORKDIR=/nextstrain/a/b/c -u 1234:5678 "$IMAGE" \
25 |   >   bash -eu -c 'ls -ld "$PWD"'
26 |   drwxr-xr-x * 1234 5678 * /nextstrain/a/b/c (glob)
27 | 
28 | …but permissions still apply, as the `mkdir` happens after drop-privs.
29 | 
30 |   $ docker run --rm --env=NEXTSTRAIN_WORKDIR=/nope "$IMAGE" \
31 |   >   bash -eu -c 'echo "$PWD"'
32 |   mkdir: cannot create directory ‘/nope’: Permission denied
33 |   [1]
34 | 
35 |   $ docker run --rm --env=NEXTSTRAIN_WORKDIR=/nope -u 1234:5678 "$IMAGE" \
36 |   >   bash -eu -c 'echo "$PWD"'
37 |   mkdir: cannot create directory ‘/nope’: Permission denied
38 |   [1]
39 | 


--------------------------------------------------------------------------------
/tests/envdir.t:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env cram
 2 | 
 3 | Setup.
 4 | 
 5 |   $ : "${IMAGE:=localhost:5000/nextstrain/base:latest}"
 6 |   $ (docker image inspect "$IMAGE" || docker image pull "$IMAGE") &>/dev/null
 7 | 
 8 |   $ mkdir env.d
 9 |   $ chmod a+rx env.d
10 |   $ echo AAAA     > env.d/a
11 |   $ echo BB BB BB > env.d/b
12 |   $ touch           env.d/z
13 | 
14 | Bind-mounted env.d.
15 | 
16 |   $ docker run --rm -v "$PWD"/env.d:/nextstrain/env.d "$IMAGE" \
17 |   >   bash -eu -c 'echo "$a"'
18 |   AAAA
19 | 
20 |   $ docker run --rm -v "$PWD"/env.d:/nextstrain/env.d "$IMAGE" \
21 |   >   bash -eu -c 'echo "$b"'
22 |   BB BB BB
23 | 
24 |   $ docker run --rm -v "$PWD"/env.d:/nextstrain/env.d "$IMAGE" \
25 |   >   bash -eu -c 'echo "$z"'
26 |   bash: line 1: z: unbound variable
27 |   [1]
28 | 
29 | Works with externally-set user/group.
30 | 
31 |   $ docker run --rm -v "$PWD"/env.d:/nextstrain/env.d -u 1234:5678 "$IMAGE" \
32 |   >   bash -eu -c 'echo "$a"'
33 |   AAAA
34 | 
35 |   $ docker run --rm -v "$PWD"/env.d:/nextstrain/env.d -u 1234:5678 "$IMAGE" \
36 |   >   bash -eu -c 'echo "$b"'
37 |   BB BB BB
38 | 
39 |   $ docker run --rm -v "$PWD"/env.d:/nextstrain/env.d -u 1234:5678 "$IMAGE" \
40 |   >   bash -eu -c 'echo "$z"'
41 |   bash: line 1: z: unbound variable
42 |   [1]
43 | 
44 | Files are removed with NEXTSTRAIN_DELETE_ENVD=1.
45 | 
46 |   $ ls -1 env.d
47 |   a
48 |   b
49 |   z
50 | 
51 |   $ docker run --rm -e NEXTSTRAIN_DELETE_ENVD=1 -v "$PWD"/env.d:/nextstrain/env.d -u "$(id -u):$(id -g)" "$IMAGE" \
52 |   >   bash -eu -c 'echo "$a"; echo "$b"; ls -1 /nextstrain/env.d'
53 |   AAAA
54 |   BB BB BB
55 | 
56 |   $ ls -1 env.d
57 | 


--------------------------------------------------------------------------------
/tests/aws-batch-verbose.t:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env cram
 2 | 
 3 | Setup.
 4 | 
 5 |   $ : "${IMAGE:=localhost:5000/nextstrain/base:latest}"
 6 |   $ (docker image inspect "$IMAGE" || docker image pull "$IMAGE") &>/dev/null
 7 | 
 8 | A workdir URL is required and not setting one here causes the entrypoint to
 9 | error, but that's enough for testing verbose mode.
10 | 
11 |   $ export NEXTSTRAIN_AWS_BATCH_WORKDIR_URL=
12 | 
13 | Verbose mode is default.
14 | 
15 |   $ docker run --rm --env=NEXTSTRAIN_AWS_BATCH_WORKDIR_URL "$IMAGE" \
16 |   >   /sbin/entrypoint-aws-batch true
17 |   + case "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL" in
18 |   + echo 'entrypoint-aws-batch: No handler for NEXTSTRAIN_AWS_BATCH_WORKDIR_URL <>'
19 |   entrypoint-aws-batch: No handler for NEXTSTRAIN_AWS_BATCH_WORKDIR_URL <>
20 |   + exit 1
21 |   [1]
22 | 
23 | Verbose mode is anything not zero.
24 | 
25 |   $ docker run --rm --env=NEXTSTRAIN_AWS_BATCH_{WORKDIR_URL,VERBOSE=yes} "$IMAGE" \
26 |   >   /sbin/entrypoint-aws-batch true
27 |   + case "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL" in
28 |   + echo 'entrypoint-aws-batch: No handler for NEXTSTRAIN_AWS_BATCH_WORKDIR_URL <>'
29 |   entrypoint-aws-batch: No handler for NEXTSTRAIN_AWS_BATCH_WORKDIR_URL <>
30 |   + exit 1
31 |   [1]
32 | 
33 |   $ docker run --rm --env=NEXTSTRAIN_AWS_BATCH_{WORKDIR_URL,VERBOSE=} "$IMAGE" \
34 |   >   /sbin/entrypoint-aws-batch true
35 |   + case "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL" in
36 |   + echo 'entrypoint-aws-batch: No handler for NEXTSTRAIN_AWS_BATCH_WORKDIR_URL <>'
37 |   entrypoint-aws-batch: No handler for NEXTSTRAIN_AWS_BATCH_WORKDIR_URL <>
38 |   + exit 1
39 |   [1]
40 | 
41 | Verbose mode can be turned off.
42 | 
43 |   $ docker run --rm --env=NEXTSTRAIN_AWS_BATCH_{WORKDIR_URL,VERBOSE=0} "$IMAGE" \
44 |   >   /sbin/entrypoint-aws-batch true
45 |   entrypoint-aws-batch: No handler for NEXTSTRAIN_AWS_BATCH_WORKDIR_URL <>
46 |   [1]
47 | 


--------------------------------------------------------------------------------
/devel/clean:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | #
 3 | # Cleans up after the build process by removing build artifacts, caches, and logs.
 4 | #
 5 | set -euo pipefail
 6 | 
 7 | # Set defaults and fixed values.
 8 | repo="$(cd "$(dirname "$0")/.."; pwd)"
 9 | registry=nextstrain-local-registry
10 | registry_addr=localhost:5000
11 | build_dir="$repo"/build
12 | builder=nextstrain-builder
13 | build_logs_dir="$repo"/logs
14 | 
15 | # Read command-line arguments.
16 | while getopts "r:" opt; do
17 |     case "$opt" in
18 |         r) registry_addr="$OPTARG";;
19 |         *) echo "Usage: $0 [-r <registry>]" 1>&2; exit 1;;
20 |     esac
21 | done
22 | 
23 | 
24 | echo "--> Deleting $registry container"
25 | 
26 | if docker container inspect "$registry" &>/dev/null; then
27 |     "$repo"/devel/stop-localhost-registry
28 | else
29 |     echo "skipped; $registry container does not exist"
30 | fi
31 | 
32 | 
33 | echo "--> Deleting artifacts in $build_dir"
34 | 
35 | if [[ -d "$build_dir" ]]; then
36 |     du -hs "$build_dir"
37 |     rm -rf "$build_dir"
38 | else
39 |     echo "skipped; $build_dir does not exist"
40 | fi
41 | 
42 | 
43 | echo "--> Deleting $builder (and its caches)"
44 | 
45 | if docker buildx inspect "$builder" &>/dev/null; then
46 |     docker buildx du --builder "$builder"
47 |     docker buildx rm --builder "$builder"
48 | else
49 |     echo "skipped; $builder does not exist"
50 | fi
51 | 
52 | 
53 | echo "--> Deleting local images pulled from $registry_addr"
54 | 
55 | for image in "$registry_addr"/nextstrain/base{,-builder}; do
56 |     for id in $(docker image ls -q "$image"); do
57 |         docker image rm "$id"
58 |     done
59 | done
60 | if [[ -z "${id:-}" ]]; then
61 |     echo "skipped; no local images"
62 | fi
63 | 
64 | 
65 | echo "--> Deleting build logs in $build_logs_dir"
66 | 
67 | if [[ -d "$build_logs_dir" ]]; then
68 |     du -hs "$build_logs_dir"
69 |     rm -rf "$build_logs_dir"
70 | else
71 |     echo "skipped; $build_logs_dir does not exist"
72 | fi
73 | 


--------------------------------------------------------------------------------
/tests/envdir-url.t:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/env cram
 2 | 
 3 | Setup.
 4 | 
 5 |   $ [[ -n "$AWS_ACCESS_KEY_ID" && -n "$AWS_SECRET_ACCESS_KEY" ]] || exit 80
 6 | 
 7 |   $ : "${IMAGE:=localhost:5000/nextstrain/base:latest}"
 8 |   $ (docker image inspect "$IMAGE" || docker image pull "$IMAGE") &>/dev/null
 9 | 
10 |   $ mkdir env.d
11 |   $ chmod a+rx env.d
12 |   $ echo AAAA     > env.d/a
13 |   $ echo BB BB BB > env.d/b
14 |   $ touch           env.d/z
15 | 
16 | Files are populated from NEXTSTRAIN_ENVD_URL.
17 | 
18 |   $ zip --junk-paths env.d{.zip,/*}
19 |     adding: a (*) (glob)
20 |     adding: b (*) (glob)
21 |     adding: z (*) (glob)
22 | 
23 |   $ export NEXTSTRAIN_ENVD_URL="s3://nextstrain-tmp/$(python3 -c 'import uuid; print(uuid.uuid4())').zip"
24 | 
25 |   $ aws s3 cp --quiet env.d.zip "$NEXTSTRAIN_ENVD_URL"
26 | 
27 |   $ docker run --rm -e NEXTSTRAIN_ENVD_URL --env=AWS_{ACCESS_KEY_ID,SECRET_ACCESS_KEY,SESSION_TOKEN} "$IMAGE" \
28 |   >   bash -eu -c 'echo "$a"; echo "$b"'
29 |   download: s3://nextstrain-tmp/*.zip to ../env.d.zip (glob)
30 |   Archive:  /nextstrain/env.d.zip
31 |    extracting: /nextstrain/env.d/a     
32 |     inflating: /nextstrain/env.d/b     
33 |    extracting: /nextstrain/env.d/z     
34 |   removed '/nextstrain/env.d.zip'
35 |   AAAA
36 |   BB BB BB
37 | 
38 | Files and NEXTSTRAIN_ENVD_URL are removed with NEXTSTRAIN_DELETE_ENVD=1.
39 | 
40 |   $ docker run --rm -e NEXTSTRAIN_DELETE_ENVD=1 -e NEXTSTRAIN_ENVD_URL --env=AWS_{ACCESS_KEY_ID,SECRET_ACCESS_KEY,SESSION_TOKEN} "$IMAGE" \
41 |   >   bash -eu -c 'echo "$a"; echo "$b"; ls -1 /nextstrain/env.d'
42 |   download: s3://nextstrain-tmp/*.zip to ../env.d.zip (glob)
43 |   Archive:  /nextstrain/env.d.zip
44 |    extracting: /nextstrain/env.d/a     
45 |     inflating: /nextstrain/env.d/b     
46 |    extracting: /nextstrain/env.d/z     
47 |   removed '/nextstrain/env.d.zip'
48 |   delete: s3://nextstrain-tmp/*.zip (glob)
49 |   AAAA
50 |   BB BB BB
51 | 
52 |   $ aws s3 ls "$NEXTSTRAIN_ENVD_URL"
53 |   [1]
54 | 


--------------------------------------------------------------------------------
/entrypoint-aws-batch:
--------------------------------------------------------------------------------
 1 | #!/bin/bash
 2 | set -euo pipefail
 3 | 
 4 | # Show what we're running for the benefit of the logs.
 5 | if [[ "${NEXTSTRAIN_AWS_BATCH_VERBOSE:=1}" != 0 ]]; then
 6 |     set -x
 7 | fi
 8 | 
 9 | # Download the working dir.
10 | case "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL" in
11 |     s3://*.zip)
12 |         aws s3 cp ${AWS_ENDPOINT_URL:+--endpoint-url "$AWS_ENDPOINT_URL"} --no-progress "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL" "$PWD.zip"
13 | 
14 |         for dir in /nextstrain/{augur,auspice,fauna}; do
15 |             relative_dir="$(realpath "$dir" --relative-to="$PWD")"/
16 | 
17 |             if zipinfo -1 "$PWD.zip" "$relative_dir" &>/dev/null; then
18 |                 echo "removing $dir because workdir ZIP contains $relative_dir overlay"
19 |                 rm -rf "$dir"
20 |             fi
21 |         done
22 | 
23 |         unzip -: -o "$PWD.zip"
24 |         ;;
25 |     s3://*)
26 |         # Note that this doesn't preserve file permissions/modes.
27 |         aws s3 ${AWS_ENDPOINT_URL:+--endpoint-url "$AWS_ENDPOINT_URL"}  sync --no-progress "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL" .
28 |         ;;
29 |     *)
30 |         echo "entrypoint-aws-batch: No handler for NEXTSTRAIN_AWS_BATCH_WORKDIR_URL <$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL>" >&2
31 |         exit 1
32 |         ;;
33 | esac
34 | 
35 | # Run the passed command, with the effect of "set -e" temporarily disabled,
36 | # saving the exit status for later.
37 | "$@" && exited=0 || exited=$?
38 | 
39 | # Upload the new workdir state with results.
40 | #
41 | # XXX TODO: In the future this may want to be separate from the initial workdir
42 | # state instead of overwriting it.  That would let us hash the local workdir
43 | # before uploading and re-use previously uploaded initial workdirs.
44 | #   -trs, 13 Sept 2018
45 | case "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL" in
46 |     s3://*.zip)
47 |         succeed-when-nothing-to-update() {
48 |             local zipstatus="$1"
49 |             if [[ $zipstatus -eq 12 ]]; then
50 |                 return 0
51 |             else
52 |                 return "$zipstatus"
53 |             fi
54 |         }
55 |         zip -u "$PWD.zip" -r . --exclude ".snakemake/*"                                                    || succeed-when-nothing-to-update $?
56 |         zip -u "$PWD.zip" -r . --include ".snakemake/log/*" ".snakemake/metadata/*" ".snakemake/storage/*" || succeed-when-nothing-to-update $?
57 |         aws s3 cp ${AWS_ENDPOINT_URL:+--endpoint-url "$AWS_ENDPOINT_URL"}  --no-progress "$PWD.zip" "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL"
58 |         ;;
59 |     s3://*)
60 |         aws s3 sync ${AWS_ENDPOINT_URL:+--endpoint-url "$AWS_ENDPOINT_URL"} --no-progress . "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL" --exclude ".snakemake/*" --include ".snakemake/log/*"
61 |         ;;
62 |     *)
63 |         echo "entrypoint-aws-batch: No handler for NEXTSTRAIN_AWS_BATCH_WORKDIR_URL <$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL>" >&2
64 |         exit 1
65 |         ;;
66 | esac
67 | 
68 | # Exit with the same status as the passed command.
69 | exit "$exited"
70 | 


--------------------------------------------------------------------------------
/devel/validate-platforms:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | #
  3 | # Validate different platform builds of the final Nextstrain image.
  4 | #
  5 | set -euo pipefail
  6 | 
  7 | # Set default values.
  8 | registry=localhost:5000
  9 | tag=latest
 10 | 
 11 | # Read command-line arguments.
 12 | while getopts "r:t:" opt; do
 13 |     case "$opt" in
 14 |         r) registry="$OPTARG";;
 15 |         t) tag="$OPTARG";;
 16 |         *) echo "Usage: $0 [-r <registry>] [-t <tag>]" 1>&2; exit 1;;
 17 |     esac
 18 | done
 19 | 
 20 | IMAGE="$registry/nextstrain/base:$tag"
 21 | PLATFORMS=(linux/amd64 linux/arm64)
 22 | 
 23 | main() {
 24 |     # Check that every platform image got the same versions of important (e.g.
 25 |     # first-party) software for which we don't pin a specific version (e.g. we
 26 |     # install whatever the latest version is at build time).
 27 | 
 28 |     local report_dir
 29 |     report_dir="$(mktemp -dt "$(basename "$0")"-XXXXXX)"
 30 | 
 31 |     for platform in "${PLATFORMS[@]}"; do
 32 |         echo "[$platform] Pulling image..."
 33 |         docker pull -q --platform "$platform" "$IMAGE"
 34 | 
 35 |         echo "[$platform] Checking that the platform is expected..."
 36 |         check-platform "$platform"
 37 | 
 38 |         # Initialize a directory for the report file, ensuring slashes in the
 39 |         # platform name are subdirs.
 40 |         report="$report_dir/$platform"
 41 |         echo "[$platform] Generating report file: $report"
 42 |         mkdir -p "$(dirname "$report")"
 43 | 
 44 |         # Create a report file for the platform.
 45 |         # This should include all software below ARG CACHE_DATE in the Dockerfile
 46 |         # in addition to other important software.
 47 |         echo "[$platform] Determining software versions..."
 48 |         # shellcheck disable=SC2016
 49 |         docker-run "$platform" bash -c '
 50 |             function echo-command {
 51 |                 echo "$ $BASH_COMMAND"
 52 |             }
 53 |             trap echo-command DEBUG
 54 | 
 55 |             nextstrain --version
 56 |             nextalign --version
 57 |             nextclade --version
 58 |             augur --version
 59 |             auspice --version
 60 |             python3 -c "from importlib.metadata import version; print(version(\"evofr\"))"
 61 |             datasets --version
 62 |             dataformat version
 63 | 
 64 |             python3 -c "from importlib.metadata import version; print(version(\"phylo-treetime\"))"
 65 |         ' >"$report"
 66 |     done
 67 | 
 68 |     # Compare contents of the first platform's report file against others.
 69 |     first_report="$report_dir/${PLATFORMS[0]}"
 70 |     echo "The report for ${PLATFORMS[0]} has the following contents:"
 71 |     cat "$first_report"
 72 | 
 73 |     echo "Comparing against other platforms..."
 74 |     # NOTE: if running on macOS ≥13, you may need to install GNU diff for the
 75 |     # --from-file option.
 76 |     if cd "$report_dir" && diff --unified=1 --from-file="${PLATFORMS[0]}" "${PLATFORMS[@]:1}"; then
 77 |         echo "Success!  All versions the same." >&2
 78 |     else
 79 |         echo "Failure!" >&2
 80 |         exit 1
 81 |      fi
 82 | }
 83 | 
 84 | check-platform() {
 85 |     # Check that the platform is actually what we expect it to be.
 86 |     local platform="$1"
 87 | 
 88 |     python_platform_string="$(docker-run "$platform" python -c "import platform; print(platform.platform())")"
 89 | 
 90 |     case "$platform" in
 91 |         linux/amd64)
 92 |             if [[ "$python_platform_string" != *"x86_64"* ]]; then
 93 |                 echo "Platform $platform not detected." 1>&2; exit 1
 94 |             fi;;
 95 |         linux/arm64)
 96 |             if [[ "$python_platform_string" != *"aarch64"* ]]; then
 97 |                 echo "Platform $platform not detected." 1>&2; exit 1
 98 |             fi;;
 99 |         *)
100 |             echo "Platform $platform not supported." 1>&2; exit 1;;
101 |     esac
102 | }
103 | 
104 | docker-run() {
105 |     # Run a command under the final Nextstrain image built for a specific
106 |     # platform.
107 |     local platform="$1"
108 |     local command=("${@:2}")
109 | 
110 |     docker run --rm --platform "$platform" "$IMAGE" "${command[@]}"
111 | }
112 | 
113 | main
114 | 


--------------------------------------------------------------------------------
/devel/copy-images:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | #
  3 | # Copy the Nextstrain images from one Docker registry (-i <registry>) to
  4 | # another (-o <registry>).
  5 | #
  6 | # If authentication is required for a registry, ensure the credentials are
  7 | # available in ~/.docker/config.json.
  8 | #
  9 | # This copies just the tag specified by -t <tag>. If the boolean -l flag is
 10 | # specified, the tag will also be copied to "latest" on the destnation.
 11 | #
 12 | set -euo pipefail
 13 | 
 14 | # Set default values.
 15 | registry_in=localhost:5000
 16 | registry_out=docker.io
 17 | tag=""
 18 | push_latest=false
 19 | 
 20 | # Read command-line arguments.
 21 | while getopts "i:o:t:l" opt; do
 22 |     case "$opt" in
 23 |         i) registry_in="$OPTARG";;
 24 |         o) registry_out="$OPTARG";;
 25 |         t) tag="$OPTARG";;
 26 |         l) push_latest=true;;
 27 |         *) echo "Usage: $0 [-i <registry>] [-o <registry>] [-t <tag>] [-l]" 1>&2; exit 1;;
 28 |     esac
 29 | done
 30 | 
 31 | if [[ "$tag" = "" ]]; then
 32 |     echo "Please provide a tag." >&2
 33 |     exit 1
 34 | fi
 35 | 
 36 | BUILDER_BUILD_PLATFORM_IMAGE=nextstrain/base-builder-build-platform
 37 | BUILDER_TARGET_PLATFORM_IMAGE=nextstrain/base-builder-target-platform
 38 | FINAL_IMAGE=nextstrain/base
 39 | 
 40 | 
 41 | # Use Skopeo via a Docker container¹ to copy a tagged image between registries.
 42 | #
 43 | # Two positional parameters are required, representing the source and
 44 | # destination images each qualified with a Docker registry.
 45 | # Format should be <registry>/image:tag, e.g. docker.io/nextstrain/base:latest.
 46 | #
 47 | # If a registry starts with localhost, do not require HTTPS or verify
 48 | # certificates, and access the registry without authentication.
 49 | #
 50 | # ¹ https://github.com/containers/skopeo/blob/07da29fd371dd88615a0b86e91c6824237484172/install.md#container-images
 51 | copy-image() {
 52 |     local src="$1"
 53 |     local dest="$2"
 54 | 
 55 |     docker_run_params=(--rm --network=host)
 56 |     skopeo_copy_params=(--multi-arch=all)
 57 | 
 58 |     if [[ "$src" == localhost* ]]; then
 59 |         skopeo_copy_params+=(--src-tls-verify=false)
 60 |     else
 61 |         docker_run_params+=(-v "$HOME"/.docker/config.json:/config.json:ro)
 62 |         skopeo_copy_params+=(--src-authfile config.json)
 63 |     fi
 64 | 
 65 |     if [[ "$dest" == localhost* ]]; then
 66 |         skopeo_copy_params+=(--dest-tls-verify=false)
 67 |     else
 68 |         docker_run_params+=(-v "$HOME"/.docker/config.json:/config.json:ro)
 69 |         skopeo_copy_params+=(--dest-authfile config.json)
 70 |     fi
 71 | 
 72 |     docker run "${docker_run_params[@]}" \
 73 |         quay.io/skopeo/stable \
 74 |         copy "${skopeo_copy_params[@]}" \
 75 |         "docker://$src" \
 76 |         "docker://$dest"
 77 | }
 78 | 
 79 | # Copy $tag between registries.
 80 | 
 81 | echo "Copying $registry_in/$BUILDER_BUILD_PLATFORM_IMAGE:$tag to $registry_out/$BUILDER_BUILD_PLATFORM_IMAGE:$tag."
 82 | copy-image \
 83 |     "$registry_in/$BUILDER_BUILD_PLATFORM_IMAGE:$tag" \
 84 |     "$registry_out/$BUILDER_BUILD_PLATFORM_IMAGE:$tag"
 85 | 
 86 | echo "Copying $registry_in/$BUILDER_TARGET_PLATFORM_IMAGE:$tag to $registry_out/$BUILDER_TARGET_PLATFORM_IMAGE:$tag."
 87 | copy-image \
 88 |     "$registry_in/$BUILDER_TARGET_PLATFORM_IMAGE:$tag" \
 89 |     "$registry_out/$BUILDER_TARGET_PLATFORM_IMAGE:$tag"
 90 | 
 91 | echo "Copying $registry_in/$FINAL_IMAGE:$tag to $registry_out/$FINAL_IMAGE:$tag."
 92 | copy-image \
 93 |     "$registry_in/$FINAL_IMAGE:$tag" \
 94 |     "$registry_out/$FINAL_IMAGE:$tag"
 95 | 
 96 | if [[ "$push_latest" = true ]]; then
 97 |     # Copy $tag to latest.
 98 | 
 99 |     echo "Copying $registry_in/$BUILDER_BUILD_PLATFORM_IMAGE:$tag to $registry_out/$BUILDER_BUILD_PLATFORM_IMAGE:latest."
100 |     copy-image \
101 |         "$registry_in/$BUILDER_BUILD_PLATFORM_IMAGE:$tag" \
102 |         "$registry_out/$BUILDER_BUILD_PLATFORM_IMAGE:latest"
103 | 
104 |     echo "Copying $registry_in/$BUILDER_TARGET_PLATFORM_IMAGE:$tag to $registry_out/$BUILDER_TARGET_PLATFORM_IMAGE:latest."
105 |     copy-image \
106 |         "$registry_in/$BUILDER_TARGET_PLATFORM_IMAGE:$tag" \
107 |         "$registry_out/$BUILDER_TARGET_PLATFORM_IMAGE:latest"
108 | 
109 |     echo "Copying $registry_in/$FINAL_IMAGE:$tag to $registry_out/$FINAL_IMAGE:latest."
110 |     copy-image \
111 |         "$registry_in/$FINAL_IMAGE:$tag" \
112 |         "$registry_out/$FINAL_IMAGE:latest"
113 | fi
114 | 


--------------------------------------------------------------------------------
/devel/build:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | #
  3 | # Builds the nextstrain/base and nextstrain/base-builder images with useful
  4 | # caching and pushes to a registry.
  5 | #
  6 | # By default this tags images using "latest" and pushes to localhost:5000, but
  7 | # you can provide a custom tag with -t <tag> and specify a different
  8 | # registry with -r <registry>.
  9 | #
 10 | # Set CACHE_DATE in your environment to force layers after our custom cache
 11 | # point to be re-built. See the ARG CACHE_DATE line in the Dockerfile for more
 12 | # information.
 13 | #
 14 | set -euo pipefail
 15 | 
 16 | devel="$(dirname "$0")"
 17 | 
 18 | # Set default values.
 19 | platform="$("$devel"/platform)"
 20 | registry=localhost:5000
 21 | tag=latest
 22 | log_directory="logs/"
 23 | 
 24 | # Read command-line arguments.
 25 | while getopts "p:r:t:l:" opt; do
 26 |     case "$opt" in
 27 |         p) platform="$OPTARG";;
 28 |         r) registry="$OPTARG";;
 29 |         t) tag="$OPTARG";;
 30 |         l) log_directory="$OPTARG";;
 31 |         *) echo "Usage: $0 [-p <platform>] [-r <registry>] [-t <tag>] [-l <log directory>]" 1>&2; exit 1;;
 32 |     esac
 33 | done
 34 | 
 35 | # shellcheck disable=SC2155
 36 | export GIT_REVISION=$(git describe --tags --abbrev=40 --always --dirty || true)
 37 | 
 38 | # The nextstrain/base Dockerfile is a multi-stage with both a "builder" target
 39 | # and a main target.  To enable proper caching via --cache-from we need both
 40 | # these images available to pull layers from.  This means pulling both in at
 41 | # the start and pushing both up at the end.
 42 | #
 43 | # Calling `docker run nextstrain/base` will still only pull down the small base
 44 | # image rather than pulling down the larger nextstrain/base-builder image.
 45 | 
 46 | # `buildx create` is necessary to use a driver that supports multi-platform
 47 | # images.
 48 | builder=nextstrain-builder
 49 | 
 50 | if ! docker buildx inspect "$builder" &>/dev/null; then
 51 |     # Using a persistent builder allows for faster local development.
 52 |     # However, if this is changed and it was previously run on your machine,
 53 |     # you may need to remove the builder manually before running the script:
 54 |     #     docker buildx rm "nextstrain-builder"
 55 |     docker buildx create --name "$builder" --driver docker-container --driver-opt network=host
 56 | fi
 57 | 
 58 | mkdir -p "$log_directory"
 59 | 
 60 | BUILDER_BUILD_PLATFORM_IMAGE=nextstrain/base-builder-build-platform
 61 | BUILDER_TARGET_PLATFORM_IMAGE=nextstrain/base-builder-target-platform
 62 | FINAL_IMAGE=nextstrain/base
 63 | 
 64 | docker buildx build \
 65 |     --target builder-build-platform \
 66 |     --builder "$builder" \
 67 |     --platform "$platform" \
 68 |     --build-arg CACHE_DATE \
 69 |     --cache-from "$BUILDER_BUILD_PLATFORM_IMAGE:latest" \
 70 |     --cache-from "$BUILDER_BUILD_PLATFORM_IMAGE:$tag" \
 71 |     --cache-from "$registry/$BUILDER_BUILD_PLATFORM_IMAGE:latest" \
 72 |     --cache-from "$registry/$BUILDER_BUILD_PLATFORM_IMAGE:$tag" \
 73 |     --cache-to type=inline \
 74 |     --tag "$registry/$BUILDER_BUILD_PLATFORM_IMAGE:$tag" \
 75 |     --push \
 76 |     --provenance false \
 77 |     --progress=plain \
 78 |     . 2>&1 | tee "$log_directory"/builder-build-platform
 79 | 
 80 | 
 81 | docker buildx build \
 82 |     --target builder-target-platform \
 83 |     --builder "$builder" \
 84 |     --platform "$platform" \
 85 |     --build-arg CACHE_DATE \
 86 |     --cache-from "$BUILDER_TARGET_PLATFORM_IMAGE:latest" \
 87 |     --cache-from "$BUILDER_TARGET_PLATFORM_IMAGE:$tag" \
 88 |     --cache-from "$registry/$BUILDER_TARGET_PLATFORM_IMAGE:latest" \
 89 |     --cache-from "$registry/$BUILDER_TARGET_PLATFORM_IMAGE:$tag" \
 90 |     --cache-to type=inline \
 91 |     --tag "$registry/$BUILDER_TARGET_PLATFORM_IMAGE:$tag" \
 92 |     --push \
 93 |     --provenance false \
 94 |     --progress=plain \
 95 |     . 2>&1 | tee "$log_directory"/builder-target-platform
 96 | 
 97 | docker buildx build \
 98 |     --target final \
 99 |     --builder "$builder" \
100 |     --platform "$platform" \
101 |     --build-arg GIT_REVISION \
102 |     --build-arg CACHE_DATE \
103 |     --cache-from "$BUILDER_BUILD_PLATFORM_IMAGE:latest" \
104 |     --cache-from "$BUILDER_BUILD_PLATFORM_IMAGE:$tag" \
105 |     --cache-from "$BUILDER_TARGET_PLATFORM_IMAGE:latest" \
106 |     --cache-from "$BUILDER_TARGET_PLATFORM_IMAGE:$tag" \
107 |     --cache-from "$FINAL_IMAGE:latest" \
108 |     --cache-from "$FINAL_IMAGE:$tag" \
109 |     --cache-from "$registry/$BUILDER_BUILD_PLATFORM_IMAGE:latest" \
110 |     --cache-from "$registry/$BUILDER_BUILD_PLATFORM_IMAGE:$tag" \
111 |     --cache-from "$registry/$BUILDER_TARGET_PLATFORM_IMAGE:latest" \
112 |     --cache-from "$registry/$BUILDER_TARGET_PLATFORM_IMAGE:$tag" \
113 |     --cache-from "$registry/$FINAL_IMAGE:latest" \
114 |     --cache-from "$registry/$FINAL_IMAGE:$tag" \
115 |     --cache-to type=inline \
116 |     --tag "$registry/$FINAL_IMAGE:$tag" \
117 |     --push \
118 |     --provenance false \
119 |     --progress=plain \
120 |     . 2>&1 | tee "$log_directory"/final
121 | 


--------------------------------------------------------------------------------
/devel/summarize-buildkit-output:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env python3
  2 | import re
  3 | import sys
  4 | """
  5 | Summarize BuildKit output by layer execution time.
  6 | """
  7 | 
  8 | 
  9 | def main(file):
 10 |     with open(file) as f:
 11 |         id_map = get_id_map(f)
 12 |         print_summary(id_map)
 13 | 
 14 | 
 15 | def get_id_map(f):
 16 |     """Return information extracted from a BuildKit output file handle.
 17 | 
 18 |     Returns
 19 |     -------
 20 |     {
 21 |         <Layer ID>: {
 22 |             "line": The full layer start line from the output.
 23 |             "name": A shorter version of the line that should still uniquely identify the layer.
 24 |             "time": The build time for the layer, or None if it was cached.
 25 |         }
 26 |     }
 27 |     """
 28 |     start_pattern = re.compile(r'^(?P<layer_id>#\d+) \[(?P<tag>.*?)\] (?P<command>.*)$')
 29 |     cached_pattern = re.compile(r'^(?P<layer_id>#\d+) CACHED$')
 30 |     done_pattern = re.compile(r'^(?P<layer_id>#\d+) DONE (?P<time>\d+.\d+s)$')
 31 | 
 32 |     id_map = {}
 33 |     for line in f:
 34 |         if start_match := start_pattern.match(line):
 35 |             layer_id = start_match["layer_id"]
 36 |             if layer_id in id_map:
 37 |                 assert line == id_map[layer_id]["line"]
 38 |                 # Skip duplicate start lines.
 39 |                 continue
 40 | 
 41 |             id_map[layer_id] = dict()
 42 |             platform_info = get_platform_info(start_match["tag"])
 43 |             command = start_match["command"]
 44 |             id_map[layer_id]["line"] = line
 45 |             id_map[layer_id]["name"] = f"[{platform_info}] {command}"
 46 | 
 47 |         elif cached_match := cached_pattern.match(line):
 48 |             layer_id = cached_match["layer_id"]
 49 |             id_map[layer_id]["time"] = None
 50 | 
 51 |         elif done_match := done_pattern.match(line):
 52 |             layer_id = done_match["layer_id"]
 53 |             if layer_id not in id_map:
 54 |                 # This can happen for tasks such as "importing cache manifest" that do not have start lines.
 55 |                 continue
 56 |             id_map[layer_id]["time"] = get_seconds(done_match["time"])
 57 | 
 58 |     # Handle incomplete layers.
 59 |     incomplete = False
 60 |     for layer_id, info in list(id_map.items()):
 61 |         if "time" not in info:
 62 |             warn(f'WARNING: Build for layer {layer_id} was started but not finished.')
 63 |             del id_map[layer_id]
 64 |             incomplete = True
 65 | 
 66 |     if incomplete:
 67 |         warn("WARNING: This log is from an incomplete build.")
 68 | 
 69 |     return id_map
 70 | 
 71 | 
 72 | def print_summary(id_map):
 73 |     """Print a summary of execution times per layer.
 74 | 
 75 |     Bar charts inspired by https://alexwlchan.net/2018/ascii-bar-charts/
 76 |     """
 77 |     total_time = sum(info["time"] or 0 for _, info in id_map.items())
 78 |     print(f"Total time: {total_time:.1f}s")
 79 |     print()
 80 | 
 81 |     longest_time = max(info["time"] or 0 for _, info in id_map.items())
 82 | 
 83 |     # Set column widths.
 84 |     max_name_width = 100
 85 |     max_time_width = len(f"{longest_time}s (100.0%)")
 86 |     max_bar_width = 20
 87 | 
 88 |     # Calculate how much time a bar chunk should represent.
 89 |     increment = longest_time / max_bar_width
 90 | 
 91 |     print(f'{"Layer information":<{max_name_width}} | {"Time":<{max_time_width}} {"▏Time bar"}')
 92 |     print(f'{"-" * max_name_width} | {"-" * max_time_width} {"-" * max_bar_width}')
 93 | 
 94 |     for layer_id, info in id_map.items():
 95 | 
 96 |         time = info["time"] or 0
 97 |         time_percent = time / total_time * 100
 98 |         time_str = f'{info["time"]:.1f}s ({time_percent:.1f}%)' if info["time"] else "CACHED"
 99 | 
100 |         bar_chunks, remainder = divmod(int(time * 8 / increment), 8)
101 | 
102 |         # First draw the full width chunks, then add the fractional part.
103 |         bar = '█' * bar_chunks
104 |         if remainder > 0:
105 |             bar += chr(ord('█') + (8 - remainder))
106 | 
107 |         # Handle empty bars.
108 |         bar = bar or  '▏'
109 | 
110 |         print(f'{info["name"][:max_name_width]:<{max_name_width}} | {time_str:<{max_time_width}} {bar}')
111 | 
112 | 
113 | def get_platform_info(tag):
114 |     """Return platform info from the tag enclosed by brackets in BuildKit output.
115 | 
116 |     Uses a hardcoded list of possible strings and returns the first match.
117 |     """
118 |     for s in possible_platform_strings:
119 |         if s in tag:
120 |             return s
121 | 
122 | 
123 | # Order by most→least specific to return the most specific match.
124 | possible_platform_strings = [
125 |     "linux/amd64->arm64",
126 |     "linux/amd64",
127 |     "linux/arm64",
128 | ]
129 | 
130 | 
131 | def get_seconds(s):
132 |     """Get the amount of seconds from BuildKit output as a numeric type."""
133 |     pattern = re.compile(r'^(?P<time>\d+.\d+)s$')
134 |     match = pattern.match(s)
135 |     assert match is not None
136 |     return float(match["time"])
137 | 
138 | 
139 | def warn(message):
140 |     print(message, file=sys.stderr)
141 | 
142 | 
143 | if __name__ == "__main__":
144 |     main(sys.argv[1])
145 | 


--------------------------------------------------------------------------------
/devel/delete-from-ghcr.js:
--------------------------------------------------------------------------------
  1 | // Delete Nextstrain images associated with a tagged manifest list from the
  2 | // GitHub Container registry.
  3 | //
  4 | // This file is intended for use by the GitHub action "actions/github-script".
  5 | // To use locally, set `octokit`¹ as an Octokit instance with a personal access
  6 | // token that can delete packages².
  7 | // ¹ https://github.com/octokit/core.js#authentication
  8 | // ² https://github.com/settings/tokens/new?scopes=delete:packages
  9 | 
 10 | module.exports = async ({fetch, octokit, tag, token}) => {
 11 |   org = 'nextstrain';
 12 |   packages = [
 13 |     'base',
 14 |     'base-builder-build-platform',
 15 |     'base-builder-target-platform',
 16 |   ];
 17 | 
 18 |   // Try all packages before terminating with any errors.
 19 |   let errorEncountered = false;
 20 | 
 21 |   for (const packageName of packages) {
 22 |     // First, get a list of package "version" objects containing information
 23 |     // used for deletion.
 24 |     let packageVersions;
 25 |     try {
 26 |       packageVersions = (await octokit.request('GET /orgs/{org}/packages/{package_type}/{package_name}/versions', {
 27 |         org: org,
 28 |         package_type: 'container',
 29 |         package_name: packageName,
 30 |       })).data;
 31 |     } catch (listPackageVersionsError) {
 32 |       console.log(listPackageVersionsError);
 33 |       console.error(`Could not list versions of package ${org}/${packageName}.`);
 34 |       errorEncountered = true;
 35 |       continue;
 36 |     }
 37 | 
 38 |     // The manifest list + one manifest per platform are pushed from the build.
 39 |     // Only the manifest list is tagged for direct removal via GitHub's REST API.
 40 | 
 41 |     // The GitHub REST API does not provide a way to retrieve manifest digests
 42 |     // from the manifest list, so use GHCR's (undocumented) Docker Registry API
 43 |     // to do that.
 44 |     // This works when a GitHub token with the right permissions is passed in
 45 |     // base64 form as a Bearer token¹.
 46 |     // ¹ https://github.com/orgs/community/discussions/26279#discussioncomment-3251172
 47 |     const res = await fetch(`https://ghcr.io/v2/${org}/${packageName}/manifests/${tag}`,
 48 |       {
 49 |         headers: {
 50 |           Accept: "application/vnd.docker.distribution.manifest.list.v2+json",
 51 |           Authorization: `Bearer ${btoa(token)}`
 52 |         }
 53 |       });
 54 |     const resData = await res.json();
 55 |     const manifestDigests = resData.manifests.map(manifest => manifest.digest);
 56 | 
 57 |     const versions = packageVersions.filter(version => manifestDigests.includes(version.name));
 58 |     for (const version of versions) {
 59 |       console.log(`Deleting the package version for ${org}/${packageName}:${version.name} ...`);
 60 |       try {
 61 |         await octokit.request('DELETE /orgs/{org}/packages/{package_type}/{package_name}/versions/{package_version_id}', {
 62 |           org: org,
 63 |           package_type: 'container',
 64 |           package_name: packageName,
 65 |           package_version_id: version.id,
 66 |         });
 67 |         console.log("Done.");
 68 |       } catch (deleteVersionError) {
 69 |         console.log(deleteVersionError);
 70 |         errorEncountered = true;
 71 |         continue;
 72 |       }
 73 |     }
 74 | 
 75 |     // Delete the manifest list after deleting individual manifests.
 76 | 
 77 |     const versionsWithTag = packageVersions.filter(version => version.metadata.container.tags.includes(tag));
 78 | 
 79 |     if (versionsWithTag.length == 0) {
 80 |       console.error(`${org}/${packageName}:${tag} was not found.`);
 81 |       errorEncountered = true;
 82 |       continue;
 83 |     }
 84 | 
 85 |     // Each tag should only correspond to one package version.
 86 |     // Pushing an existing tag will untag the existing version and add the tag
 87 |     // to the newly pushed version.
 88 |     versionId = versionsWithTag[0].id;
 89 |     console.log(`Version for ${org}/${packageName}:${tag} is ${versionId}.`);
 90 | 
 91 |     console.log(`Deleting the package version for ${org}/${packageName}:${tag} ...`);
 92 |     try {
 93 |       await octokit.request('DELETE /orgs/{org}/packages/{package_type}/{package_name}/versions/{package_version_id}', {
 94 |         org: org,
 95 |         package_type: 'container',
 96 |         package_name: packageName,
 97 |         package_version_id: versionId,
 98 |       });
 99 |       console.log("Done.");
100 |     } catch (deleteVersionError) {
101 |       console.log(deleteVersionError);
102 | 
103 |       if (deleteVersionError.response.data.message == "You cannot delete the last tagged version of a package. You must delete the package instead.") {
104 | 
105 |         // The right thing to do would be to delete the package
106 |         // ${org}/${packageName}. However, this is a potential cause for
107 |         // transient 403 errors¹ on GitHub Actions, so we'll keep one tagged
108 |         // version around as a workaround until the underlying issue is fixed.
109 |         // ¹ https://github.com/nextstrain/docker-base/issues/131
110 |         console.log(`Not deleting ${org}/${packageName}:${tag} since that requires deleting the package.`);
111 | 
112 |       } else {
113 |         console.error(`Could not delete ${org}/${packageName}:${tag}.`);
114 |         errorEncountered = true;
115 |         continue;
116 |       }
117 |     }
118 |   }
119 | 
120 |   if (errorEncountered) {
121 |     throw new Error(`Some package versions could not be deleted.`)
122 |   }
123 | }
124 | 


--------------------------------------------------------------------------------
/tests/aws-batch-workdir-url.t:
--------------------------------------------------------------------------------
  1 | #!/usr/bin/env cram
  2 | 
  3 | Setup.
  4 | 
  5 |   $ [[ -n "$AWS_ACCESS_KEY_ID" && -n "$AWS_SECRET_ACCESS_KEY" ]] || exit 80
  6 | 
  7 |   $ : "${IMAGE:=localhost:5000/nextstrain/base:latest}"
  8 |   $ (docker image inspect "$IMAGE" || docker image pull "$IMAGE") &>/dev/null
  9 | 
 10 |   $ export NEXTSTRAIN_AWS_BATCH_VERBOSE=0
 11 | 
 12 | Workdir ZIP archive is downloaded and extracted.
 13 | 
 14 |   $ export NEXTSTRAIN_AWS_BATCH_WORKDIR_URL="s3://nextstrain-tmp/$(python3 -c 'import uuid; print(uuid.uuid4())').zip"
 15 | 
 16 |   $ aws s3 cp --quiet "$TESTDIR/data/workdir-without-overlays.zip" "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL"
 17 | 
 18 |   $ docker run --rm --env=NEXTSTRAIN_AWS_BATCH_{WORKDIR_URL,VERBOSE} --env=AWS_{ACCESS_KEY_ID,SECRET_ACCESS_KEY,SESSION_TOKEN} "$IMAGE" \
 19 |   >   /sbin/entrypoint-aws-batch bash -euo pipefail -xc 'ls -l'
 20 |   download: s3://nextstrain-tmp/*.zip to ../build.zip (glob)
 21 |   Archive:  /nextstrain/build.zip
 22 |    extracting: reticulating            
 23 |    extracting: splines                 
 24 |   + ls -l
 25 |   total 0
 26 |   -rw-rw-r-- 1 nextstrain nextstrain 0 Mar 10  2025 reticulating
 27 |   -rw-rw-r-- 1 nextstrain nextstrain 0 Mar 10  2025 splines
 28 |   upload: ../build.zip to s3://nextstrain-tmp/*.zip (glob)
 29 | 
 30 | /nextstrain/{augur,auspice} are removed when the workdir ZIP contains overlays.
 31 | 
 32 |   $ export NEXTSTRAIN_AWS_BATCH_WORKDIR_URL="s3://nextstrain-tmp/$(python3 -c 'import uuid; print(uuid.uuid4())').zip"
 33 | 
 34 |   $ aws s3 cp --quiet "$TESTDIR/data/workdir-with-augur-auspice-overlays.zip" "$NEXTSTRAIN_AWS_BATCH_WORKDIR_URL"
 35 | 
 36 |   $ docker run --rm --env=NEXTSTRAIN_AWS_BATCH_{WORKDIR_URL,VERBOSE} --env=AWS_{ACCESS_KEY_ID,SECRET_ACCESS_KEY,SESSION_TOKEN} "$IMAGE" \
 37 |   >   /sbin/entrypoint-aws-batch bash -euo pipefail -xc 'ls -lR . ../augur ../auspice'
 38 |   download: s3://nextstrain-tmp/*.zip to ../build.zip (glob)
 39 |   removing /nextstrain/augur because workdir ZIP contains ../augur/ overlay
 40 |   removing /nextstrain/auspice because workdir ZIP contains ../auspice/ overlay
 41 |   Archive:  /nextstrain/build.zip
 42 |    extracting: reticulating            
 43 |    extracting: splines                 
 44 |      creating: ../augur/
 45 |      creating: ../augur/a/
 46 |      creating: ../augur/a/b/
 47 |      creating: ../augur/a/b/c/
 48 |    extracting: ../augur/a/b/c/world.txt  
 49 |    extracting: ../augur/a/b/c/hello.txt  
 50 |      creating: ../augur/augur/
 51 |    extracting: ../augur/augur/__init__.py  
 52 |    extracting: ../augur/README.md      
 53 |      creating: ../auspice/
 54 |   + ls -lR . ../augur ../auspice
 55 |   .:
 56 |   total 0
 57 |   -rw-rw-r-- 1 nextstrain nextstrain 0 Mar 10  2025 reticulating
 58 |   -rw-rw-r-- 1 nextstrain nextstrain 0 Mar 10  2025 splines
 59 |   
 60 |   ../augur:
 61 |   total 12
 62 |   -rw-rw-r-- 1 nextstrain nextstrain   22 Mar 10  2025 README.md
 63 |   drwxrwxr-x 3 nextstrain nextstrain 4096 Mar 10  2025 a
 64 |   drwxrwxr-x 2 nextstrain nextstrain 4096 Mar 10  2025 augur
 65 |   
 66 |   ../augur/a:
 67 |   total 4
 68 |   drwxrwxr-x 3 nextstrain nextstrain 4096 Mar 10  2025 b
 69 |   
 70 |   ../augur/a/b:
 71 |   total 4
 72 |   drwxrwxr-x 2 nextstrain nextstrain 4096 Mar 10  2025 c
 73 |   
 74 |   ../augur/a/b/c:
 75 |   total 8
 76 |   -rw-rw-r-- 1 nextstrain nextstrain 6 Mar 10  2025 hello.txt
 77 |   -rw-rw-r-- 1 nextstrain nextstrain 6 Mar 10  2025 world.txt
 78 |   
 79 |   ../augur/augur:
 80 |   total 4
 81 |   -rw-rw-r-- 1 nextstrain nextstrain 34 Mar 10  2025 __init__.py
 82 |   
 83 |   ../auspice:
 84 |   total 0
 85 |   upload: ../build.zip to s3://nextstrain-tmp/*.zip (glob)
 86 | 
 87 | …even when the workdir is not /nextstrain/build, e.g. when it's a sibling.
 88 | 
 89 |   $ docker run --rm --env=NEXTSTRAIN_WORKDIR=/nextstrain/abc --env=NEXTSTRAIN_AWS_BATCH_{WORKDIR_URL,VERBOSE} --env=AWS_{ACCESS_KEY_ID,SECRET_ACCESS_KEY,SESSION_TOKEN} "$IMAGE" \
 90 |   >   /sbin/entrypoint-aws-batch bash -euo pipefail -xc 'ls -lR . ../augur ../auspice'
 91 |   download: s3://nextstrain-tmp/*.zip to ../abc.zip (glob)
 92 |   removing /nextstrain/augur because workdir ZIP contains ../augur/ overlay
 93 |   removing /nextstrain/auspice because workdir ZIP contains ../auspice/ overlay
 94 |   Archive:  /nextstrain/abc.zip
 95 |    extracting: reticulating            
 96 |    extracting: splines                 
 97 |      creating: ../augur/
 98 |      creating: ../augur/a/
 99 |      creating: ../augur/a/b/
100 |      creating: ../augur/a/b/c/
101 |    extracting: ../augur/a/b/c/world.txt  
102 |    extracting: ../augur/a/b/c/hello.txt  
103 |      creating: ../augur/augur/
104 |    extracting: ../augur/augur/__init__.py  
105 |    extracting: ../augur/README.md      
106 |      creating: ../auspice/
107 |   + ls -lR . ../augur ../auspice
108 |   .:
109 |   total 0
110 |   -rw-rw-r-- 1 nextstrain nextstrain 0 Mar 10  2025 reticulating
111 |   -rw-rw-r-- 1 nextstrain nextstrain 0 Mar 10  2025 splines
112 |   
113 |   ../augur:
114 |   total 12
115 |   -rw-rw-r-- 1 nextstrain nextstrain   22 Mar 10  2025 README.md
116 |   drwxrwxr-x 3 nextstrain nextstrain 4096 Mar 10  2025 a
117 |   drwxrwxr-x 2 nextstrain nextstrain 4096 Mar 10  2025 augur
118 |   
119 |   ../augur/a:
120 |   total 4
121 |   drwxrwxr-x 3 nextstrain nextstrain 4096 Mar 10  2025 b
122 |   
123 |   ../augur/a/b:
124 |   total 4
125 |   drwxrwxr-x 2 nextstrain nextstrain 4096 Mar 10  2025 c
126 |   
127 |   ../augur/a/b/c:
128 |   total 8
129 |   -rw-rw-r-- 1 nextstrain nextstrain 6 Mar 10  2025 hello.txt
130 |   -rw-rw-r-- 1 nextstrain nextstrain 6 Mar 10  2025 world.txt
131 |   
132 |   ../augur/augur:
133 |   total 4
134 |   -rw-rw-r-- 1 nextstrain nextstrain 34 Mar 10  2025 __init__.py
135 |   
136 |   ../auspice:
137 |   total 0
138 |   upload: ../abc.zip to s3://nextstrain-tmp/*.zip (glob)
139 | 
140 | …but not when the workdir is somewhere completely different.
141 | 
142 |   $ docker run --rm --env=NEXTSTRAIN_WORKDIR=/nextstrain/x/y/z --env=NEXTSTRAIN_AWS_BATCH_{WORKDIR_URL,VERBOSE} --env=AWS_{ACCESS_KEY_ID,SECRET_ACCESS_KEY,SESSION_TOKEN} "$IMAGE" \
143 |   >   /sbin/entrypoint-aws-batch bash -euo pipefail -xc 'ls -lR . ../augur ../auspice; realpath ../augur ../auspice'
144 |   download: s3://nextstrain-tmp/*.zip to ../z.zip (glob)
145 |   Archive:  /nextstrain/x/y/z.zip
146 |    extracting: reticulating            
147 |    extracting: splines                 
148 |      creating: ../augur/
149 |      creating: ../augur/a/
150 |      creating: ../augur/a/b/
151 |      creating: ../augur/a/b/c/
152 |    extracting: ../augur/a/b/c/world.txt  
153 |    extracting: ../augur/a/b/c/hello.txt  
154 |      creating: ../augur/augur/
155 |    extracting: ../augur/augur/__init__.py  
156 |    extracting: ../augur/README.md      
157 |      creating: ../auspice/
158 |   + ls -lR . ../augur ../auspice
159 |   .:
160 |   total 0
161 |   -rw-rw-r-- 1 nextstrain nextstrain 0 Mar 10  2025 reticulating
162 |   -rw-rw-r-- 1 nextstrain nextstrain 0 Mar 10  2025 splines
163 |   
164 |   ../augur:
165 |   total 12
166 |   -rw-rw-r-- 1 nextstrain nextstrain   22 Mar 10  2025 README.md
167 |   drwxrwxr-x 3 nextstrain nextstrain 4096 Mar 10  2025 a
168 |   drwxrwxr-x 2 nextstrain nextstrain 4096 Mar 10  2025 augur
169 |   
170 |   ../augur/a:
171 |   total 4
172 |   drwxrwxr-x 3 nextstrain nextstrain 4096 Mar 10  2025 b
173 |   
174 |   ../augur/a/b:
175 |   total 4
176 |   drwxrwxr-x 2 nextstrain nextstrain 4096 Mar 10  2025 c
177 |   
178 |   ../augur/a/b/c:
179 |   total 8
180 |   -rw-rw-r-- 1 nextstrain nextstrain 6 Mar 10  2025 hello.txt
181 |   -rw-rw-r-- 1 nextstrain nextstrain 6 Mar 10  2025 world.txt
182 |   
183 |   ../augur/augur:
184 |   total 4
185 |   -rw-rw-r-- 1 nextstrain nextstrain 34 Mar 10  2025 __init__.py
186 |   
187 |   ../auspice:
188 |   total 0
189 |   + realpath ../augur ../auspice
190 |   /nextstrain/x/y/augur
191 |   /nextstrain/x/y/auspice
192 |   upload: ../z.zip to s3://nextstrain-tmp/*.zip (glob)
193 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Docker image for nextstrain/base
  2 | 
  3 | This is the source for creating the `nextstrain/base` Docker image.  Currently
  4 | the image is published as [`nextstrain/base`][].
  5 | 
  6 | Ideally most pathogen builds are supported by this base image without further
  7 | customization.  The possibility remains, however, for pathogens to define and
  8 | use an image derived from this base layer.  This would be desirable for
  9 | pathogen builds requiring custom external software, like Python modules or
 10 | tree-builders.
 11 | 
 12 | The image includes the standard Nextstrain components Fauna, Augur, and Auspice,
 13 | as well as other bioinformatics tools like MAFFT, RAxML, FastTree, IQ-TREE, and
 14 | TreeTime.
 15 | 
 16 | This image is best interacted with using the [Nextstrain command-line
 17 | tool][nextstrain-cli].
 18 | 
 19 | [nextstrain-cli]: https://github.com/nextstrain/cli
 20 | 
 21 | 
 22 | ## Developing
 23 | 
 24 | ### Rebuilding an image and pushing to Docker Hub
 25 | 
 26 | To rebuild the image with the latest versions of its software and push to Docker Hub, go to [the GitHub Actions workflow](https://github.com/nextstrain/docker-base/actions/workflows/ci.yml), select **Run workflow**, and confirm.
 27 | This is most helpful when you want the image to contain the latest version of a tool whose release does not automatically trigger a new build of the image and you do not need to modify the `Dockerfile`.
 28 | 
 29 | ### Building
 30 | 
 31 | _You can build this image locally during development, but it's important for
 32 | production releases to happen via CI so a complete multi-platform image is
 33 | built and validated._
 34 | 
 35 | To build this image for local development and testing, run:
 36 | 
 37 |     make local-image    # or just: make
 38 | 
 39 | This will leave you with a `localhost:5000/nextstrain/base:latest` image loaded
 40 | into your local Docker daemon and available to `docker run` commands (and thus
 41 | `nextstrain` commands).  Run `make` again to update the image after source
 42 | modifications.
 43 | 
 44 | Alternatively, you can take the steps yourself,
 45 | 
 46 | 1. Start a local Docker registry.
 47 | 
 48 |     ```
 49 |     ./devel/start-localhost-registry
 50 |     ```
 51 | 
 52 |     It will be served at `localhost:5000`. Optionally, specify another port as
 53 |     an argument. Running a local Docker registry allows us to mimic direct push
 54 |     to a registry done in the GitHub Actions CI workflow.
 55 | 
 56 | 2. Build the image.
 57 | 
 58 |     ```
 59 |     ./devel/build
 60 |     ```
 61 | 
 62 |     By default, this builds for a single platform (`linux/amd64` or
 63 |     `linux/arm64` depending on your Docker server's arch), tags the image with
 64 |     `latest`, and pushes to `localhost:5000`. See instructions at the top of
 65 |     the script for additional options.
 66 | 
 67 |     If the target platform is different from the build platform, set up emulation before running `./devel/build`. This can be achieved using [`tonistiigi/binfmt`](https://github.com/tonistiigi/binfmt). For example, to set up emulation for `linux/arm64`, run:
 68 | 
 69 |     ```
 70 |     docker run --privileged --rm tonistiigi/binfmt --install arm64
 71 |     ```
 72 | 
 73 | On each subsequent change during your development iterations, you can run just
 74 | the `./devel/build` command again.
 75 | 
 76 | If you need to force the cached Nextstrain layers to rebuild to, for example,
 77 | pick up a new version of augur or auspice, set the `CACHE_DATE` environment
 78 | variable to a new timestamp first:
 79 | 
 80 |     export CACHE_DATE=$(date --utc +%Y%m%dT%H%M%SZ)
 81 | 
 82 | Otherwise, letting the build process use the cached layers will save you time
 83 | during development iterations.
 84 | 
 85 | ### Validate the images
 86 | 
 87 | Before using the images, they should be checked for any inconsistencies.
 88 | 
 89 |     ./devel/validate-platforms
 90 | 
 91 | The output and exit code will tell you whether validation is successful.
 92 | 
 93 | ### Using the images locally
 94 | 
 95 | Since the images are pushed directly to the local registry, they are not
 96 | available to the local Docker daemon after building (i.e.
 97 | `nextstrain build --image nextstrain/base` does not refer to the latest built
 98 | image). To pull the images for local usage, run:
 99 | 
100 |     ./devel/pull-from-registry
101 | 
102 | When building with `make`, the newly built
103 | `localhost:5000/nextstrain/base:latest` image is automatically made available
104 | for you.  However, the corresponding `base-builder` image is _not_.
105 | 
106 | ### Pushing images to Docker Hub
107 | 
108 | To push images you've built locally to Docker Hub, you can run:
109 | 
110 |     ./devel/copy-images -t <tag>
111 | 
112 | This will copy the Nextstrain images from the local Docker registry to Docker
113 | Hub. See instructions at the top of the script for more options.
114 | 
115 | ### Adding a new software program
116 | 
117 | To add a software program to `nextstrain/base`, follow steps in this order:
118 | 
119 | 1. Check if it is available via the Ubuntu package manager. You can use
120 |    `apt-cache search` or [Ubuntu Packages Search](https://packages.ubuntu.com/)
121 |    if you do not have an Ubuntu machine. If available, add it to the `apt-get
122 |    install` command following `FROM … AS final`
123 |    ([example](https://github.com/nextstrain/docker-base/commit/8f5e059ce897a85194f35517e56b31424e89472e)).
124 | 2. Check if it is available via PyPI. You can search on [PyPI's
125 |    website](https://pypi.org/search/). If available, add an install command to
126 |    the section labeled with `Install programs via pip`.
127 | 3. Check if a pre-built binary for the `linux/amd64` platform (name contains
128 |    `linux` and `amd64`/`x86_64`) is available on the software's website (e.g.
129 |    GitHub release assets). If available, add a download command to the section
130 |    labeled with `Download pre-built programs`.
131 |     - If a pre-built binary supporting `linux/arm64` (name contains `linux` and
132 |       `arm64`/`aarch64`) is also available, that should be used conditionally on
133 |       `ARG`s `TARGETPLATFORM` or `TARGETOS`+`TARGETARCH` in the Dockerfile. See
134 |       existing usage of those arguments for examples.
135 | 4. The last resort is to build from source. Look for instructions on the
136 |    software's website. Add a build command to the section labeled with `Build
137 |    programs from source`. Note that this can require platform-specific
138 |    instructions. You should utilize cross-compilation tool available in the
139 |    builder stage that runs on the build platform.
140 | 
141 | If possible, pin the software to a specific version. Otherwise, add the
142 | download/install/build command to the section labeled with `Add unpinned
143 | programs` to ensure the latest version is included in every Docker image build.
144 | 
145 | If possible, add the program to the builder stage that runs on the build
146 | platform to avoid slowness that may arise from emulation.
147 | 
148 | ### Best practices
149 | 
150 | The smaller the image size, the better.  To this end we build upon a ["slim"
151 | Python image][] and use a [multi-stage build][] where only _artifacts_ are
152 | included in the final image without any of the software required only for
153 | compiling, installing, building, etc.
154 | 
155 | Try to follow [Docker best practices][] for images, although not all apply to our
156 | use case, which is somewhat atypical.
157 | 
158 | The [Dockerfile reference documentation][] is quite handy for looking up the
159 | details of each Dockerfile command (`COPY`, `ADD`, etc).
160 | 
161 | Use `bash` as the default shell for all stages in the Dockerfile to use handy
162 | modern shell features.
163 | 
164 | Run bash scripts and Dockerfile commands with the `-euo pipefail` options for
165 | proper error handling. That is, these options should be set at the start of each
166 | script and build stage in the Dockerfile.
167 | 
168 | ### Continuous integration
169 | 
170 | Every push to this repository triggers a new build of the image with [a GitHub Actions workflow](https://github.com/nextstrain/docker-base/actions/workflows/ci.yml).  This helps ensure the image builds successfully with the new commits.
171 | 
172 | Images built from the `master` branch are additionally pushed to the [Docker
173 | registry][`nextstrain/base`].  The build instructions used by the workflow are in
174 | this repo's `.github/workflows/ci.yml`.
175 | 
176 | ### Tests
177 | 
178 | A local test suite of the image's properties and behaviours can be run with:
179 | 
180 |     make test
181 | 
182 | These tests use [Cram][], which can be used directly to run individual test
183 | files, e.g.:
184 | 
185 |     cram tests/basic.t
186 | 
187 | Separate integration and validation tests are also run in CI.
188 | 
189 | ### Cleaning up
190 | 
191 | To remove all build artifacts and caches:
192 | 
193 |     make clean
194 | 
195 | This will recover potentially many gigabytes of disk space.  Subsequent builds
196 | will start with a clean slate.
197 | 
198 | Less all-inclusive cleaning can be done manually using selected commands found
199 | in `./devel/clean`.
200 | 
201 | 
202 | [`nextstrain/base`]: https://hub.docker.com/r/nextstrain/base/
203 | ["slim" Python image]: https://hub.docker.com/_/python
204 | [multi-stage build]: https://docs.docker.com/develop/develop-images/multistage-build/
205 | [Docker best practices]: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/
206 | [Dockerfile reference documentation]: https://docs.docker.com/engine/reference/builder/
207 | [Cram]: https://bitheap.org/cram/
208 | 


--------------------------------------------------------------------------------
/.github/workflows/ci.yml:
--------------------------------------------------------------------------------
  1 | name: CI
  2 | on: [push, pull_request, workflow_dispatch]
  3 | 
  4 | # Prevent intermediate images from being used by another run.
  5 | # Concurrency group is unique:
  6 | # 1. to this workflow (github.workflow)
  7 | # 2. per event ref (github.ref)
  8 | # 3. per run on the default branch (github.run_id)
  9 | concurrency:
 10 |   group: ${{ github.workflow }}-${{ github.ref }}-${{ github.ref_type == 'branch' && github.ref_name == github.event.repository.default_branch && github.run_id }}
 11 |   cancel-in-progress: true
 12 | 
 13 | jobs:
 14 |   lint:
 15 |     runs-on: ubuntu-latest
 16 |     steps:
 17 |       - uses: actions/checkout@v6
 18 |       - uses: nextstrain/.github/actions/shellcheck@master
 19 | 
 20 |   # Build multi-platform builder and final images with caching from Docker Hub
 21 |   # and GitHub Container Registry; push to GitHub Container Registry.
 22 |   build:
 23 |     runs-on: ubuntu-latest
 24 |     steps:
 25 | 
 26 |     - uses: actions/checkout@v6
 27 | 
 28 |     - uses: actions/setup-python@v6
 29 |       with:
 30 |         python-version: '>=3.8'
 31 | 
 32 |     - name: Set $CACHE_DATE
 33 |       run: echo "CACHE_DATE=$(date --utc +%Y%m%dT%H%M%SZ)" | tee -a "$GITHUB_ENV"
 34 | 
 35 |     - if: github.event_name != 'pull_request' && github.ref_type == 'branch' && github.ref_name == github.event.repository.default_branch
 36 |       name: Set $TAG (default branch)
 37 |       run: echo "TAG=build-$CACHE_DATE" | tee -a "$GITHUB_ENV"
 38 |     - if: env.TAG == ''
 39 |       name: Set $TAG (PRs, non-default branch)
 40 |       # From `man docker-image-tag`: The tag name must be valid ASCII and may
 41 |       # contain lowercase and uppercase letters, digits, underscores, periods
 42 |       # and hyphens.
 43 |       run: echo "TAG=branch-${GITHUB_REF_NAME//[^A-Za-z0-9._-]/-}" | tee -a "$GITHUB_ENV"
 44 | 
 45 |     - uses: docker/setup-qemu-action@v3
 46 | 
 47 |     # GITHUB_TOKEN is unreliable¹ so use a token from nextstrain-bot.
 48 |     # ¹ https://github.com/docker/build-push-action/issues/463#issuecomment-939394233
 49 |     - uses: docker/login-action@v3
 50 |       with:
 51 |         registry: ghcr.io
 52 |         username: nextstrain-bot
 53 |         password: ${{ secrets.GH_TOKEN_NEXTSTRAIN_BOT_MANAGE_PACKAGES }}
 54 | 
 55 |     - run: ./devel/build -p linux/amd64,linux/arm64 -r ghcr.io -t "$TAG" -l logs/
 56 | 
 57 |     - if: always()
 58 |       name: Upload build logs as artifacts
 59 |       uses: actions/upload-artifact@v5
 60 |       with:
 61 |         name: build-logs
 62 |         path: logs/
 63 | 
 64 |     - if: always()
 65 |       name: Summarize build logs for the GitHub Actions run summary page
 66 |       run: |
 67 |         for log in logs/*; do
 68 |         {
 69 |           echo "## $(basename "$log")"
 70 |           echo ''
 71 |           echo '```'
 72 |           ./devel/summarize-buildkit-output "$log" 2>&1
 73 |           echo '```'
 74 |           echo ''
 75 |         } >> "$GITHUB_STEP_SUMMARY"
 76 |         done
 77 | 
 78 |     outputs:
 79 |       tag: ${{ env.TAG }}
 80 | 
 81 |   # Run tests with the final image from GitHub Container Registry.
 82 |   test:
 83 |     name: test (${{ matrix.platform }})
 84 |     needs: build
 85 |     runs-on: ubuntu-latest
 86 |     strategy:
 87 |       matrix:
 88 |         platform:
 89 |           - linux/amd64
 90 |           - linux/arm64
 91 |     permissions:
 92 |       contents: read
 93 |       id-token: write
 94 |     steps:
 95 |     - uses: docker/login-action@v3
 96 |       with:
 97 |         registry: ghcr.io
 98 |         username: nextstrain-bot
 99 |         password: ${{ secrets.GH_TOKEN_NEXTSTRAIN_BOT_MANAGE_PACKAGES }}
100 | 
101 |     - uses: aws-actions/configure-aws-credentials@v5
102 |       with:
103 |         aws-region: us-east-1
104 |         role-to-assume: arn:aws:iam::827581582529:role/GitHubActionsRoleNextstrainTmpBucket
105 |     - run: aws sts get-caller-identity
106 | 
107 |     - uses: actions/setup-python@v6
108 |       with:
109 |         python-version: ~3
110 | 
111 |     # The ubuntu-latest runner is linux/amd64 so anything else will
112 |     # run with emulation, which is still better than nothing.
113 |     - if: matrix.platform != 'linux/amd64'
114 |       uses: docker/setup-qemu-action@v3
115 | 
116 |     - uses: actions/checkout@v6
117 | 
118 |     - run: pip install cram
119 | 
120 |     - run: make test
121 |       env:
122 |         IMAGE: ghcr.io/nextstrain/base:${{ needs.build.outputs.tag }}
123 |         DOCKER_DEFAULT_PLATFORM: ${{ matrix.platform }}
124 | 
125 |     - uses: nextstrain/.github/actions/setup-nextstrain-cli@master
126 | 
127 |     - name: Run zika-tutorial
128 |       run: |
129 |         git clone https://github.com/nextstrain/zika-tutorial
130 |         nextstrain build --image ghcr.io/nextstrain/base:${{ needs.build.outputs.tag }} zika-tutorial -F
131 |       env:
132 |         DOCKER_DEFAULT_PLATFORM: ${{ matrix.platform }}
133 | 
134 |   validate-platforms:
135 |     name: Validate platforms
136 |     needs: build
137 |     runs-on: ubuntu-latest
138 |     steps:
139 |     - uses: actions/checkout@v6
140 | 
141 |     - uses: docker/setup-qemu-action@v3
142 | 
143 |     - uses: docker/login-action@v3
144 |       with:
145 |         registry: ghcr.io
146 |         username: nextstrain-bot
147 |         password: ${{ secrets.GH_TOKEN_NEXTSTRAIN_BOT_MANAGE_PACKAGES }}
148 | 
149 |     - name: Validate final images
150 |       run: ./devel/validate-platforms -r ghcr.io -t ${{ needs.build.outputs.tag }}
151 | 
152 |   # "Push" (copy) the builder and final images from GitHub Container Registry to
153 |   # Docker Hub, where they will persist. Do this regardless of test results.
154 |   push-branch:
155 |     if: startsWith(needs.build.outputs.tag, 'branch-') && github.event_name != 'pull_request'
156 |     needs: build
157 |     runs-on: ubuntu-latest
158 |     steps:
159 |     - uses: actions/checkout@v6
160 | 
161 |     - uses: docker/login-action@v3
162 |       with:
163 |         registry: ghcr.io
164 |         username: nextstrain-bot
165 |         password: ${{ secrets.GH_TOKEN_NEXTSTRAIN_BOT_MANAGE_PACKAGES }}
166 | 
167 |     - uses: docker/login-action@v3
168 |       with:
169 |         registry: docker.io
170 |         username: nextstrainbot
171 |         password: ${{ secrets.DOCKER_TOKEN }}
172 | 
173 |     - name: Copy $TAG images to Docker Hub
174 |       run: ./devel/copy-images -i ghcr.io -o docker.io -t ${{ needs.build.outputs.tag }}
175 | 
176 |   # "Push" (copy) the builder and final images from GitHub Container Registry to
177 |   # Docker Hub, where they will persist. Only do this if tests pass.
178 |   push-build:
179 |     if: startsWith(needs.build.outputs.tag, 'build-')
180 |     needs: [build, test, validate-platforms]
181 |     runs-on: ubuntu-latest
182 |     steps:
183 |     - uses: actions/checkout@v6
184 | 
185 |     - uses: docker/login-action@v3
186 |       with:
187 |         registry: ghcr.io
188 |         username: nextstrain-bot
189 |         password: ${{ secrets.GH_TOKEN_NEXTSTRAIN_BOT_MANAGE_PACKAGES }}
190 | 
191 |     - uses: docker/login-action@v3
192 |       with:
193 |         registry: docker.io
194 |         username: nextstrainbot
195 |         password: ${{ secrets.DOCKER_TOKEN }}
196 | 
197 |     - name: Copy $TAG + latest images to Docker Hub
198 |       run: |
199 |         ./devel/copy-images -i ghcr.io -o docker.io -t ${{ needs.build.outputs.tag }} -l
200 | 
201 |   # Run pathogen repo CI builds with the final image
202 |   # This is running pathogen-repo-ci@v0 for pathogen repos that do not conform
203 |   # to the standard pathogen repo structure and is not expected to be updated.
204 |   # Any new pathogen repos should be added to the job using the latest version
205 |   # of the pathogen-repo-ci below.
206 |   test-pathogen-repo-ci-v0:
207 |     # Only one of push-{branch,build} runs for any given workflow run, and
208 |     # we're ok with either of them.
209 |     needs: [build, push-branch, push-build]
210 |     if: |2
211 |          success()
212 |       || needs.push-branch.result == 'success'
213 |       || needs.push-build.result == 'success'
214 |     strategy:
215 |       matrix:
216 |         include:
217 |           - { pathogen: avian-flu,       build-args: --snakefile segment-focused/Snakefile --configfile build-configs/ci/config.yaml }
218 |           - { pathogen: ncov,            build-args: all_regions -j 2 --profile nextstrain_profiles/nextstrain-ci }
219 |           - { pathogen: rsv,             build-args: --configfile config/ci.yaml }
220 |           - { pathogen: seasonal-flu,    build-args: --configfile profiles/ci/builds.yaml -p }
221 | 
222 |     name: test-pathogen-repo-ci-v0 (${{ matrix.pathogen }})
223 |     uses: nextstrain/.github/.github/workflows/pathogen-repo-ci.yaml@v0
224 |     with:
225 |       repo: nextstrain/${{ matrix.pathogen }}
226 |       build-args: ${{ matrix.build-args }}
227 |       runtimes: |
228 |         - docker
229 |       env: |
230 |         NEXTSTRAIN_DOCKER_IMAGE: nextstrain/base:${{ needs.build.outputs.tag }}
231 |       artifact-name: ${{ matrix.pathogen }}-outputs
232 |       continue-on-error: true
233 |     secrets: inherit
234 | 
235 |   # Run pathogen repo CI builds with the final image
236 |   # This is running pathogen-repo-ci@master for pathogen repos that _do_ follow
237 |   # standard pathogen repo structure and new pathogens should be added here
238 |   # to be supported for future updates such as testing on multiple platforms.
239 |   test-pathogen-repo-ci:
240 |     # Only one of push-{branch,build} runs for any given workflow run, and
241 |     # we're ok with either of them.
242 |     needs: [build, push-branch, push-build]
243 |     if: |2
244 |          success()
245 |       || needs.push-branch.result == 'success'
246 |       || needs.push-build.result == 'success'
247 |     strategy:
248 |       # XXX TODO: Test on multiple platforms via the matrix too, as above?
249 |       matrix:
250 |         pathogen:
251 |           - dengue
252 |           - lassa
253 |           - measles
254 |           - mpox
255 |           - mumps
256 |           - oropouche
257 |           - rabies
258 |           - seasonal-cov
259 |           - wnv
260 |           - yellow-fever
261 |           - zika
262 | 
263 |     name: test-pathogen-repo-ci (${{ matrix.pathogen }})
264 |     uses: nextstrain/.github/.github/workflows/pathogen-repo-ci.yaml@master
265 |     with:
266 |       repo: nextstrain/${{ matrix.pathogen }}
267 |       runtimes: |
268 |         - docker
269 |       env: |
270 |         NEXTSTRAIN_DOCKER_IMAGE: nextstrain/base:${{ needs.build.outputs.tag }}
271 |       artifact-name: ${{ matrix.pathogen }}-outputs
272 |       continue-on-error: true
273 |     secrets: inherit
274 | 
275 |   # Delete the builder and final images from GitHub Container Registry.
276 |   cleanup-registry:
277 |     if: always()
278 |     needs: [build, test, validate-platforms, push-branch, push-build]
279 |     runs-on: ubuntu-latest
280 |     steps:
281 |     - uses: actions/checkout@v6
282 | 
283 |     - uses: actions/github-script@v8
284 |       with:
285 |         github-token: ${{ secrets.GH_TOKEN_NEXTSTRAIN_BOT_MANAGE_PACKAGES }}
286 |         script: |
287 |           const script = require('./devel/delete-from-ghcr.js');
288 |           const tag = "${{ needs.build.outputs.tag }}";
289 |           const token = "${{ secrets.GH_TOKEN_NEXTSTRAIN_BOT_MANAGE_PACKAGES }}";
290 |           script({fetch, octokit: github, tag, token});
291 | 


--------------------------------------------------------------------------------
/Dockerfile:
--------------------------------------------------------------------------------
  1 | # This is a multi-stage image build.
  2 | #
  3 | # We first create two builder images (builder-build-platform,
  4 | # builder-target-platform). Then we create our final image by copying things
  5 | # from the builder images. The point is to avoid bloating the final image with
  6 | # tools only needed during the image build.
  7 | 
  8 | # Setup: pull cross-compilation tools.
  9 | FROM --platform=$BUILDPLATFORM tonistiigi/xx AS xx
 10 | 
 11 | # ———————————————————————————————————————————————————————————————————— #
 12 | 
 13 | # Define a builder stage that runs on the build platform.
 14 | # Even if the target platform is different, instructions will run natively for
 15 | # faster compilation.
 16 | FROM --platform=$BUILDPLATFORM debian:bookworm-slim AS builder-build-platform
 17 | 
 18 | SHELL ["/bin/bash", "-e", "-u", "-o", "pipefail", "-c"]
 19 | 
 20 | # Copy cross-compilation tools.
 21 | COPY --from=xx / /
 22 | 
 23 | # Add system deps for building
 24 | # autoconf, automake: for building VCFtools; may be used by package managers to build from source
 25 | # ca-certificates: for secure HTTPS connections
 26 | # curl: for downloading source files
 27 | # git: used in builder-scripts/download-repo
 28 | # make: used for building from Makefiles (search for usage); may be used by package managers to build from source
 29 | # nodejs: for installing Auspice
 30 | # clang: for compiling C/C++ projects; may be used by package managers to build from source
 31 | RUN apt-get update && apt-get install -y --no-install-recommends \
 32 |         autoconf \
 33 |         automake \
 34 |         clang \
 35 |         ca-certificates \
 36 |         curl \
 37 |         git \
 38 |         make \
 39 |         dpkg-dev
 40 | 
 41 | # Install a specific Node.js version
 42 | # https://github.com/nodesource/distributions/blob/ba48c1fe6e843e9ffb60aefc5da5d00234c83f04/README.md#using-debian-as-root-nodejs-20
 43 | RUN apt-get update && apt-get install -y curl \
 44 |  && curl -fsSL https://deb.nodesource.com/setup_20.x -o nodesource_setup.sh \
 45 |  && bash nodesource_setup.sh \
 46 |  && apt-get install -y nodejs
 47 | 
 48 | # Used for platform-specific instructions
 49 | ARG TARGETPLATFORM
 50 | ARG TARGETOS
 51 | ARG TARGETARCH
 52 | 
 53 | # Install packages that generate binaries for the target architecture.
 54 | # https://github.com/tonistiigi/xx#building-on-debian
 55 | # binutils, gcc, libc6-dev: for compiling C/C++ programs (TODO: verify)
 56 | # g++: for building VCFtools; may be used by package managers to build from source
 57 | # pkg-config: for building VCFtools; may be used by package managers to build from source
 58 | # zlib1g-dev: for building VCFtools; may be used by package managers to build from source
 59 | RUN xx-apt-get install -y \
 60 |   binutils \
 61 |   gcc \
 62 |   g++ \
 63 |   libc6-dev \
 64 |   pkg-config \
 65 |   zlib1g-dev
 66 | 
 67 | # Add dependencies. All should be pinned to specific versions, except
 68 | # Nextstrain-maintained software.
 69 | # This includes pathogen-specific workflow dependencies. Since we only maintain a
 70 | # single Docker image to support all pathogen workflows, some pathogen-specific
 71 | # functionality must live in this Dockerfile. The following dependencies may be
 72 | # used by multiple pathogen workflows, but they have been commented according to
 73 | # the original pathogen that added these dependencies.
 74 | 
 75 | # Create directories to be copied in final stage.
 76 | RUN mkdir -p /final/bin /final/share /final/libexec
 77 | 
 78 | 
 79 | # 1. Build programs from source
 80 | 
 81 | # Build RAxML
 82 | # Some changes are necessary to allow the Makefile to work with cross-compilation.
 83 | # Make these changes in a fork for now: https://github.com/nextstrain/standard-RAxML/tree/fix-cross-compile
 84 | # TODO: Use the official repository if this PR is ever merged: https://github.com/stamatak/standard-RAxML/pull/50
 85 | WORKDIR /build/RAxML
 86 | RUN curl -fsSL https://api.github.com/repos/nextstrain/standard-RAxML/tarball/4868de62a62be8901259807cfea26f336c2ca477 \
 87 |   | tar xzvpf - --no-same-owner --strip-components=1 \
 88 |   && CC=xx-clang make -f Makefile.AVX.PTHREADS.gcc \
 89 |   && cp -p raxmlHPC-PTHREADS-AVX /final/bin
 90 | 
 91 | # Build FastTree
 92 | WORKDIR /build/FastTree
 93 | RUN curl -fsSL https://api.github.com/repos/nextstrain/FastTree/tarball/df4212c8c9991e7e0d432e42d53c21cd8408a181 \
 94 |   | tar xzvpf - --no-same-owner --strip-components=1 \
 95 |  && CC=$(xx-info)-gcc make FastTreeDblMP \
 96 |  && cp -p FastTreeDblMP /final/bin
 97 | 
 98 | # Build vcftools
 99 | # Some unreleased changes are necessary to allow Autoconf to work with cross-compilation¹.
100 | # ¹ https://github.com/vcftools/vcftools/commit/1cab5204eb0ce01664178bafd0ad6104525709d1
101 | WORKDIR /build/vcftools
102 | RUN curl -fsSL https://api.github.com/repos/vcftools/vcftools/tarball/1cab5204eb0ce01664178bafd0ad6104525709d1 \
103 |   | tar xzvpf - --no-same-owner --strip-components=1 \
104 |  && ./autogen.sh && ./configure --prefix=$PWD/built \
105 |       --build=$(TARGETPLATFORM= xx-clang --print-target-triple) \
106 |       --host=$(xx-clang --print-target-triple) \
107 |  && make && make install \
108 |  && cp -rp built/bin/*    /final/bin \
109 |  && cp -rp built/share/*  /final/share
110 | 
111 | 
112 | # 2. Download pre-built programs
113 | 
114 | # Download MAFFT
115 | # NOTE: Running this program requires support for emulation on the Docker host
116 | # if the processor architecture is not amd64.
117 | # TODO: Build from source to avoid emulation. Instructions: https://mafft.cbrc.jp/alignment/software/installation_without_root.html
118 | WORKDIR /download/mafft
119 | RUN curl -fsSL https://mafft.cbrc.jp/alignment/software/mafft-7.475-linux.tgz \
120 |   | tar xzvpf - --no-same-owner --strip-components=2 mafft-linux64/mafftdir/ \
121 |  && cp -p bin/*     /final/bin \
122 |  && cp -p libexec/* /final/libexec
123 | 
124 | # Download IQ-TREE
125 | WORKDIR /download/IQ-TREE
126 | RUN case "$TARGETARCH" in \
127 |       amd64) IQTREE_URL="https://github.com/iqtree/iqtree3/releases/download/v3.0.1/iqtree-3.0.1-Linux-intel.tar.gz" ;; \
128 |       arm64) IQTREE_URL="https://github.com/iqtree/iqtree3/releases/download/v3.0.1/iqtree-3.0.1-Linux-arm.tar.gz" ;; \
129 |       *) echo "Unsupported TARGETARCH: $TARGETARCH" >&2; exit 1 ;; \
130 |     esac \
131 |  && curl -fsSL "$IQTREE_URL" \
132 |   | tar xzvpf - --no-same-owner --strip-components=1 \
133 |  && mv bin/iqtree3 /final/bin/iqtree
134 | 
135 | # Add helper scripts
136 | COPY builder-scripts/ /builder-scripts/
137 | 
138 | # Download Nextalign v2
139 | # Set default Nextalign version to 2
140 | RUN curl -fsSL https://github.com/nextstrain/nextclade/releases/download/2.14.0/nextalign-$(/builder-scripts/target-triple) \
141 |   -o /final/bin/nextalign2 \
142 |   && ln -sv nextalign2 /final/bin/nextalign
143 | 
144 | # Download Nextclade v2
145 | RUN curl -fsSL https://github.com/nextstrain/nextclade/releases/download/2.14.0/nextclade-$(/builder-scripts/target-triple) \
146 |   -o /final/bin/nextclade2
147 | 
148 | # Download tsv-utils
149 | # NOTE: Running this program requires support for emulation on the Docker host
150 | # if the processor architecture is not amd64.
151 | # TODO: Build from source to avoid emulation. Instructions: https://github.com/eBay/tsv-utils/tree/v2.2.0#build-from-source-files
152 | RUN curl -L -o tsv-utils.tar.gz https://github.com/eBay/tsv-utils/releases/download/v2.2.0/tsv-utils-v2.2.0_linux-x86_64_ldc2.tar.gz \
153 |  && tar -x --no-same-owner -v -C /final/bin -z --strip-components 2 --wildcards -f tsv-utils.tar.gz "*/bin/*" \
154 |  && rm -f tsv-utils.tar.gz
155 | 
156 | # Download csvtk
157 | RUN curl -L https://github.com/shenwei356/csvtk/releases/download/v0.35.0/csvtk_${TARGETOS}_${TARGETARCH}.tar.gz | tar xz --no-same-owner -C /final/bin
158 | 
159 | # Download seqkit
160 | RUN curl -L https://github.com/shenwei356/seqkit/releases/download/v2.10.1/seqkit_${TARGETOS}_${TARGETARCH}.tar.gz | tar xz --no-same-owner -C /final/bin
161 | 
162 | # 3. Add unpinned programs
163 | 
164 | # Allow caching to be avoided from here on out in this stage by calling
165 | # docker build --build-arg CACHE_DATE="$(date)"
166 | # NOTE: All versioned software added below should be checked in
167 | # devel/validate-platforms.
168 | ARG CACHE_DATE
169 | 
170 | # Download Nextclade v3
171 | # Set default Nextclade version to 3
172 | RUN curl -fsSL https://github.com/nextstrain/nextclade/releases/latest/download/nextclade-$(/builder-scripts/target-triple) \
173 |   -o /final/bin/nextclade3 \
174 |   && ln -sv nextclade3 /final/bin/nextclade
175 | 
176 | # Auspice
177 | # Building auspice means we can run it without hot-reloading, which is
178 | # time-consuming and generally unnecessary in the container image.
179 | # Linking is used so we can overlay the auspice version in the image with
180 | # --volume=.../auspice:/nextstrain/auspice and still have it globally accessible
181 | # and importable.
182 | #
183 | # Versions of NPM might differ in platform between where Auspice is installed
184 | # and where it is used (the final image). This does not matter since Auspice
185 | # (and its runtime dependencies at the time of writing) are not
186 | # platform-specific.
187 | # This may change in the future, which would call for cross-platform
188 | # installation using npm_config_arch (if using node-gyp¹ or prebuild-install²)
189 | # or npm_config_target_arch (if using node-pre-gyp³⁴).
190 | #
191 | # ¹ https://github.com/nodejs/node-gyp#environment-variables
192 | # ² https://github.com/prebuild/prebuild-install#help
193 | # ³ https://github.com/mapbox/node-pre-gyp#options
194 | # ⁴ https://github.com/mapbox/node-pre-gyp/blob/v1.0.10/lib/node-pre-gyp.js#L186
195 | WORKDIR /nextstrain/auspice
196 | RUN /builder-scripts/download-repo https://github.com/nextstrain/auspice release . \
197 |  && npm install --omit dev && npm link
198 | 
199 | # Add NCBI Datasets command line tools for access to NCBI Datsets Virus Data Packages
200 | RUN curl -fsSL https://ftp.ncbi.nlm.nih.gov/pub/datasets/command-line/v2/linux-${TARGETARCH}/datasets \
201 |   -o /final/bin/datasets
202 | RUN curl -fsSL https://ftp.ncbi.nlm.nih.gov/pub/datasets/command-line/v2/linux-${TARGETARCH}/dataformat \
203 |   -o /final/bin/dataformat
204 | 
205 | # ———————————————————————————————————————————————————————————————————— #
206 | 
207 | # Define a builder stage that runs on the target platform.
208 | # If the target platform is different from the build platform, instructions will
209 | # run under emulation which can be slower.
210 | # This is in place for Python programs which are not easy to install for a
211 | # different target platform¹.
212 | # ¹ https://github.com/pypa/pip/issues/5453
213 | FROM --platform=$TARGETPLATFORM python:3.11-slim-bookworm AS builder-target-platform
214 | 
215 | SHELL ["/bin/bash", "-e", "-u", "-o", "pipefail", "-c"]
216 | 
217 | # Used for platform-specific instructions
218 | ARG TARGETPLATFORM
219 | ARG TARGETOS
220 | ARG TARGETARCH
221 | 
222 | # Add system deps for building
223 | # curl, jq: used in builder-scripts/latest-augur-release-tag
224 | # git: for git pip installs
225 | # gcc, libc6-dev: for building datrie (for Snakemake)
226 | # make: for building isal (if necessary, for Augur)
227 | RUN apt-get update && apt-get install -y --no-install-recommends \
228 |         curl \
229 |         gcc \
230 |         git \
231 |         libc6-dev \
232 |         make \
233 |         jq
234 | 
235 | 
236 | # 1. Install programs via pip
237 | 
238 | # Install envdir, which is used by pathogen builds
239 | RUN pip3 install envdir==1.0.1
240 | 
241 | # Install tooling for our AWS Batch builds, which use `aws s3`.
242 | RUN python3 -m venv /usr/local/libexec/awscli \
243 |  && /usr/local/libexec/awscli/bin/python -m pip install awscli==1.18.195 \
244 |  && ln -sv /usr/local/libexec/awscli/bin/aws /usr/local/bin/aws
245 | 
246 | # Install Snakemake and related optional dependencies.
247 | # Pinned to 9.6.2 for stability (latest version on 2025-07-03)
248 | RUN pip3 install snakemake[reports]==9.6.2
249 | # Snakemake plugins for remote storage providers
250 | # Pinned for stability (latest versions on 2025-07-03)
251 | RUN pip3 install snakemake-storage-plugin-http==0.3.0
252 | RUN pip3 install snakemake-storage-plugin-s3==0.3.3
253 | 
254 | # Install epiweeks (for ncov)
255 | RUN pip3 install epiweeks==2.1.2
256 | 
257 | # Install pango_aliasor (for forecasts-ncov)
258 | RUN pip3 install pango_aliasor==0.3.0
259 | 
260 | RUN pip3 install pathogen-embed==3.0.0
261 | RUN pip3 install xlrd==2.0.1
262 | 
263 | # Install openpyxl for pandas in GenoFLU
264 | RUN pip3 install openpyxl==3.1.0
265 | 
266 | # Install pyarrow for pandas to support parquet files.
267 | RUN pip3 install pyarrow==20.0.0
268 | 
269 | # Install bio, which is used by pathogen builds
270 | RUN pip3 install bio==1.8.0
271 | 
272 | # 2. Add unpinned programs
273 | 
274 | # Allow caching to be avoided from here on out in this stage by calling
275 | # docker build --build-arg CACHE_DATE="$(date)"
276 | # NOTE: All versioned software added below should be checked in
277 | # devel/validate-platforms.
278 | ARG CACHE_DATE
279 | 
280 | # Add helper scripts
281 | COPY builder-scripts/ /builder-scripts/
282 | 
283 | # Install our own CLI so builds can do things like `nextstrain deploy`
284 | RUN pip3 install nextstrain-cli
285 | 
286 | # Fauna
287 | WORKDIR /nextstrain/fauna
288 | RUN /builder-scripts/download-repo https://github.com/nextstrain/fauna master . \
289 |  && pip3 install --requirement=requirements.txt
290 | 
291 | # Add Treetime
292 | RUN pip3 install phylo-treetime
293 | 
294 | # Augur
295 | # Augur is an editable install so we can overlay the augur version in the image
296 | # with --volume=.../augur:/nextstrain/augur and still have it globally
297 | # accessible and importable.
298 | WORKDIR /nextstrain/augur
299 | RUN /builder-scripts/download-repo https://github.com/nextstrain/augur "$(/builder-scripts/latest-augur-release-tag)" . \
300 |  && pip3 install --editable .
301 | 
302 | # Add evofr for forecasting
303 | RUN pip3 install evofr
304 | 
305 | # ———————————————————————————————————————————————————————————————————— #
306 | 
307 | # Now build the final image.
308 | FROM python:3.11-slim-bookworm AS final
309 | 
310 | SHELL ["/bin/bash", "-e", "-u", "-o", "pipefail", "-c"]
311 | 
312 | # Add system runtime deps
313 | # bzip2, gzip, xz-utils, zip, unzip, zstd: install compression tools
314 | # ca-certificates: [Dockerfile] for secure HTTPS connections; may be used by workflows
315 | # curl: [Dockerfile] for downloading binaries directly; may be used by workflows
316 | # dos2unix: tsv-utils needs unix line endings
317 | # git: used to clone workflows within a Docker instance (e.g., through GitPod)
318 | # jq: may be used by workflows
319 | # less: for usability in an interactive prompt
320 | # libgomp1: for running FastTree
321 | # libsqlite3: for pyfastx (for Augur)
322 | # nano: for usability in an interactive prompt
323 | # ncbi-blast+: for GenoFLU in avian-flu
324 | # perl: for running VCFtools
325 | # ruby: may be used by workflows
326 | # sqlite3: for `augur merge`
327 | # vim-tiny: for usability in an interactive prompt
328 | # wget: may be used by workflows
329 | # zlib1g: for pyfastx (for Augur)
330 | # nodejs: for running Auspice
331 | RUN apt-get update && apt-get install -y --no-install-recommends \
332 |         bzip2 \
333 |         ca-certificates \
334 |         curl \
335 |         dos2unix \
336 |         git \
337 |         gzip \
338 |         jq \
339 |         less \
340 |         libgomp1 \
341 |         libsqlite3-0 \
342 | 	      nano \
343 |         ncbi-blast+ \
344 |         perl \
345 |         ruby \
346 |         sqlite3 \
347 |         util-linux \
348 |         vim-tiny \
349 |         wget \
350 |         xz-utils \
351 |         zip unzip \
352 |         zlib1g \
353 |         zstd
354 | 
355 | # Install a specific Node.js version
356 | # https://github.com/nodesource/distributions/blob/ba48c1fe6e843e9ffb60aefc5da5d00234c83f04/README.md#using-debian-as-root-nodejs-20
357 | RUN apt-get update && apt-get install -y curl \
358 |  && curl -fsSL https://deb.nodesource.com/setup_20.x -o nodesource_setup.sh \
359 |  && bash nodesource_setup.sh \
360 |  && apt-get install -y nodejs
361 | 
362 | # Used for platform-specific instructions
363 | ARG TARGETPLATFORM
364 | 
365 | # Configure bash for interactive usage
366 | COPY bashrc /etc/bash.bashrc
367 | 
368 | # Copy binaries
369 | COPY --from=builder-build-platform  /final/bin/     /usr/local/bin/
370 | COPY --from=builder-build-platform  /final/share/   /usr/local/share/
371 | COPY --from=builder-build-platform  /final/libexec/ /usr/local/libexec/
372 | 
373 | # Set MAFFT_BINARIES explicitly for MAFFT
374 | ENV MAFFT_BINARIES=/usr/local/libexec
375 | 
376 | # Ensure all container users can execute these programs
377 | RUN chmod a+rx /usr/local/bin/* /usr/local/libexec/*
378 | 
379 | # Add installed Python libs
380 | COPY --from=builder-target-platform /usr/local/lib/python3.11/site-packages/ /usr/local/lib/python3.11/site-packages/
381 | 
382 | # AWS CLI
383 | COPY --from=builder-target-platform /usr/local/libexec/awscli/ /usr/local/libexec/awscli/
384 | 
385 | # Add installed Python scripts that we need.
386 | #
387 | # XXX TODO: This isn't great.  It's prone to needing manual updates because it
388 | # doesn't pull in scripts which got installed but that we don't list.  Consider
389 | # alternatives (like installing the deps into an empty prefix tree and then
390 | # copying the whole prefix tree, or using pip's installed-files.txt manifests
391 | # as the set of things to copy) in the future if the maintenance burden becomes
392 | # troublesome or excessive.
393 | #   -trs, 15 June 2018
394 | COPY --from=builder-target-platform \
395 |     /usr/local/bin/augur \
396 |     /usr/local/bin/aws \
397 |     /usr/local/bin/bio \
398 |     /usr/local/bin/envdir \
399 |     /usr/local/bin/evofr \
400 |     /usr/local/bin/nextstrain \
401 |     /usr/local/bin/pathogen-distance \
402 |     /usr/local/bin/pathogen-embed \
403 |     /usr/local/bin/pathogen-cluster \
404 |     /usr/local/bin/snakemake \
405 |     /usr/local/bin/treetime \
406 |     /usr/local/bin/
407 | 
408 | # Add installed Node libs
409 | COPY --from=builder-build-platform /usr/lib/node_modules/ /usr/lib/node_modules/
410 | 
411 | # Add globally linked Auspice script.
412 | #
413 | # This symlink is present in the "builder" image, but using COPY results in the
414 | # _contents_ of the target being copied instead of a symlink being created.
415 | # The symlink is required so that Auspice's locally-installed deps are
416 | # correctly discovered by node.
417 | RUN ln -sv /usr/lib/node_modules/auspice/auspice.js /usr/local/bin/auspice
418 | 
419 | # Setup a non-root user for optional use
420 | RUN useradd nextstrain \
421 |     --system \
422 |     --user-group \
423 |     --shell /bin/bash \
424 |     --home-dir /nextstrain \
425 |     --no-log-init
426 | 
427 | # Add Nextstrain components
428 | COPY --from=builder-build-platform  --chown=nextstrain:nextstrain /nextstrain /nextstrain
429 | COPY --from=builder-target-platform --chown=nextstrain:nextstrain /nextstrain /nextstrain
430 | 
431 | # Add our entrypoints and helpers
432 | COPY entrypoint entrypoint-aws-batch drop-privs create-envd delete-envd chdir-workdir /sbin/
433 | RUN chmod a+rx /sbin/entrypoint* /sbin/drop-privs /sbin/{create,delete}-envd /sbin/chdir-workdir
434 | 
435 | # Make /nextstrain a global HOME, writable by any UID (like /tmp)
436 | RUN chmod a+rwXt /nextstrain
437 | ENV HOME=/nextstrain
438 | 
439 | # Run the final setup as our target user for permissions reasons.
440 | USER nextstrain:nextstrain
441 | 
442 | # No nesting of runtimes, please.  Use the ambient runtime inside this runtime.
443 | ENV NEXTSTRAIN_HOME=/nextstrain
444 | RUN nextstrain check-setup --set-default ambient \
445 |  && chown nextstrain:nextstrain /nextstrain/config \
446 |  && chmod a+rw /nextstrain/config \
447 |  && rm -f /nextstrain/lock
448 | 
449 | # The host should bind mount the pathogen build dir into /nextstrain/build.
450 | WORKDIR /nextstrain/build
451 | RUN chown nextstrain:nextstrain /nextstrain/build
452 | 
453 | # Switch back to root.  The entrypoint will drop to nextstrain:nextstrain as
454 | # necessary when a container starts.
455 | USER root
456 | ENTRYPOINT ["/sbin/entrypoint"]
457 | 
458 | # Finally, add metadata at the end so it doesn't bust cached layers.
459 | #
460 | # Optionally passed in during build.  Used by a label below.
461 | ARG GIT_REVISION
462 | 
463 | # Add some metadata to our image for searching later.  The "maintainer" label
464 | # is community convention and comes from the old MAINTAINER command.  Other
465 | # labels should be namedspaced a la Java classes.  We mostly use the keys
466 | # defined in the OpenContainers spec:
467 | #
468 | #   https://github.com/opencontainers/image-spec/blob/master/annotations.md#pre-defined-annotation-keys
469 | #
470 | # The custom "org.nextstrain.image.name" label in particular will likely be
471 | # used by nextstrain-cli's image pruning, as labels are the only way to have
472 | # persistent metadata values (tags are removed from old images after pulling a
473 | # new image with the tag).
474 | LABEL maintainer="Nextstrain team <hello@nextstrain.org>"
475 | LABEL org.opencontainers.image.authors="Nextstrain team <hello@nextstrain.org>"
476 | LABEL org.opencontainers.image.source="https://github.com/nextstrain/docker-base"
477 | LABEL org.opencontainers.image.revision="${GIT_REVISION}"
478 | LABEL org.nextstrain.image.name="nextstrain/base"
479 | 


--------------------------------------------------------------------------------