Merge pull request #505 from nipreps/gha-docker

effigies · web-flow · commit da4ee07e0883 · 2025-11-04T16:20:43.000+01:00
feat: Add base Docker image
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -109,8 +109,25 @@ jobs:
       - run: *docker_auth
       - run: *setup_docker_registry
       - run:
-          name: Create named builder
-          command: docker buildx create --use --name=builder --driver=docker-container
+          name: Get base image information
+          command: |
+            export BASE_IMAGE=$( grep BASE_IMAGE= Dockerfile | cut -d= -f2 )
+            export BASE_IMAGE_NAME=${BASE_IMAGE%:*}
+            export BASE_TAG=${BASE_IMAGE#*:}
+            echo "BASE_IMAGE=$BASE_IMAGE" >> $BASH_ENV
+            echo "BASE_IMAGE_NAME=$BASE_IMAGE_NAME" >> $BASH_ENV
+            echo "BASE_TAG=$BASE_TAG" >> $BASH_ENV
+            env
+      - run:
+          name: Build base image, if needed
+          command: |
+            if ! docker manifest inspect $BASE_IMAGE; then
+              docker buildx build --load \
+                  --cache-from $BASE_IMAGE_NAME:latest \
+                  -t $BASE_IMAGE \
+                  --platform linux/amd64 \
+                  -f Dockerfile.base .
+            fi
       - run:
           name: Build Docker image
           no_output_timeout: 60m
@@ -126,7 +143,7 @@ jobs:
               echo "them to your fork with ``git push origin --tags``"
             fi
             # Build docker image
-            docker buildx build --load --builder builder \
+            docker buildx build --load \
                 --cache-from localhost:5000/smriprep \
                 --cache-from nipreps/smriprep:latest \
                 -t nipreps/smriprep:latest \
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -0,0 +1,99 @@
+name: Docker build
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ "master", "main", "maint/*", "gha-docker*" ]
+    tags: "*"
+  pull_request:
+    branches: [ "master", "main", "maint/*" ]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: ${{ github.repository }}
+  FORCE_COLOR: true
+
+jobs:
+  build-container:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        with:
+          fetch-depth: 200
+          fetch-tags: true
+          ref: ${{ github.ref }}
+          persist-credentials: false
+
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3
+        with:
+          driver: docker
+
+      - name: Log into registry ${{ env.REGISTRY }}
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Get base image tag, check
+        id: base
+        run: |
+          export BASE_IMAGE=$( grep BASE_IMAGE= Dockerfile | cut -d= -f2 )
+          export BASE_IMAGE_NAME=${BASE_IMAGE%:*}
+          export BASE_TAG=${BASE_IMAGE#*:}
+          echo "image=$BASE_IMAGE" >> $GITHUB_OUTPUT
+          echo "name=$BASE_IMAGE_NAME" >> $GITHUB_OUTPUT
+          echo "tag=$BASE_TAG" >> $GITHUB_OUTPUT
+          env
+          if docker manifest inspect $BASE_IMAGE; then
+            echo "build=false" >> $GITHUB_OUTPUT
+          else
+            echo "build=true" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Build base image
+        if: steps.base.outputs.build == 'true'
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
+        with:
+          file: Dockerfile.base
+          load: true
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: |
+            ${{ steps.base.outputs.image }}
+            ${{ steps.base.outputs.name }}:latest
+          platforms: linux/amd64
+          cache-from: |
+            type=registry,ref=${{ steps.base.outputs.name }}:latest
+          cache-to: type=inline
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6
+        with:
+          context: .
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64
+          cache-from: |
+            type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:gha-docker
+            type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TARGET_BRANCH }}
+            type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.tags[0] }}
+          cache-to: type=inline
+        env:
+          TARGET_BRANCH: ${{ github.base_ref || github.ref_name }}
diff --git a/Dockerfile b/Dockerfile
@@ -22,8 +22,7 @@
 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
 # SOFTWARE.
 
-# Ubuntu 22.04 LTS - Jammy
-ARG BASE_IMAGE=ubuntu:jammy-20240125
+ARG BASE_IMAGE=ghcr.io/nipreps/smriprep-base:20251104
 
 #
 # Build wheel
@@ -38,7 +37,7 @@ RUN uvx --from=build pyproject-build --installer=uv /src
 #
 
 # Utilities for downloading packages
-FROM ${BASE_IMAGE} as downloader
+FROM ubuntu:jammy-20240125 AS downloader
 # Bump the date to current to refresh curl/certificates/etc
 RUN echo "2023.07.20"
 RUN apt-get update && \
@@ -50,20 +49,8 @@ RUN apt-get update && \
                     unzip && \
     apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
-# FreeSurfer 7.3.2
-FROM downloader as freesurfer
-COPY docker/files/freesurfer7.3.2-exclude.txt /usr/local/etc/freesurfer7.3.2-exclude.txt
-RUN curl -sSL https://surfer.nmr.mgh.harvard.edu/pub/dist/freesurfer/7.3.2/freesurfer-linux-ubuntu22_amd64-7.3.2.tar.gz \
-     | tar zxv --no-same-owner -C /opt --exclude-from=/usr/local/etc/freesurfer7.3.2-exclude.txt
-
 # Micromamba
-FROM downloader as micromamba
-
-# Install a C compiler to build extensions when needed.
-# traits<6.4 wheels are not available for Python 3.11+, but build easily.
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends build-essential && \
-    apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+FROM downloader AS micromamba
 
 WORKDIR /
 # Bump the date to current to force update micromamba
@@ -87,65 +74,20 @@ RUN npm install -g svgo@^3.2.0 bids-validator@^1.14.0 && \
 #
 # Main stage
 #
-FROM ${BASE_IMAGE} as smriprep
-
-# Configure apt
-ENV DEBIAN_FRONTEND="noninteractive" \
-    LANG="en_US.UTF-8" \
-    LC_ALL="en_US.UTF-8"
-
-# Some baseline tools
-# bc, tcsh are needed for FreeSurfer
-# libglu1-mesa is needed for Connectome Workbench
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
-                    bc \
-                    ca-certificates \
-                    curl \
-                    git \
-                    gnupg \
-                    libglu1-mesa \
-                    lsb-release \
-                    netbase \
-                    tcsh \
-                    xvfb && \
-    apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
-
-# Install files from stages
-COPY --from=freesurfer /opt/freesurfer /opt/freesurfer
-
-# Simulate SetUpFreeSurfer.sh
-ENV OS="Linux" \
-    FS_OVERRIDE=0 \
-    FIX_VERTEX_AREA="" \
-    FSF_OUTPUT_FORMAT="nii.gz" \
-    FREESURFER_HOME="/opt/freesurfer"
-ENV SUBJECTS_DIR="$FREESURFER_HOME/subjects" \
-    FUNCTIONALS_DIR="$FREESURFER_HOME/sessions" \
-    MNI_DIR="$FREESURFER_HOME/mni" \
-    LOCAL_DIR="$FREESURFER_HOME/local" \
-    MINC_BIN_DIR="$FREESURFER_HOME/mni/bin" \
-    MINC_LIB_DIR="$FREESURFER_HOME/mni/lib" \
-    MNI_DATAPATH="$FREESURFER_HOME/mni/data"
-ENV PERL5LIB="$MINC_LIB_DIR/perl5/5.8.5" \
-    MNI_PERL5LIB="$MINC_LIB_DIR/perl5/5.8.5" \
-    PATH="$FREESURFER_HOME/bin:$FREESURFER_HOME/tktools:$MINC_BIN_DIR:$PATH"
+FROM ${BASE_IMAGE} AS smriprep
 
 # Create a shared $HOME directory
 RUN useradd -m -s /bin/bash -G users smriprep
 WORKDIR /home/smriprep
-ENV HOME="/home/smriprep" \
-    LD_LIBRARY_PATH="/usr/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH"
+ENV HOME="/home/smriprep"
 
 COPY --from=micromamba /bin/micromamba /bin/micromamba
 COPY --from=micromamba /opt/conda/envs/smriprep /opt/conda/envs/smriprep
 
 ENV MAMBA_ROOT_PREFIX="/opt/conda"
 RUN micromamba shell init -s bash && \
     echo "micromamba activate smriprep" >> $HOME/.bashrc
-ENV PATH="/opt/conda/envs/smriprep/bin:$PATH" \
-    CPATH="/opt/conda/envs/smriprep/include:$CPATH" \
-    LD_LIBRARY_PATH="/opt/conda/envs/smriprep/lib:$LD_LIBRARY_PATH"
+ENV PATH="/opt/conda/envs/smriprep/bin:$PATH"
 
 # Precaching atlases
 COPY scripts/fetch_templates.py fetch_templates.py
@@ -155,20 +97,7 @@ RUN python fetch_templates.py && \
     find $HOME/.cache/templateflow -type f -exec chmod go=u {} +
 
 # FSL environment
-ENV LANG="C.UTF-8" \
-    LC_ALL="C.UTF-8" \
-    PYTHONNOUSERSITE=1 \
-    FSLDIR="/opt/conda/envs/smriprep" \
-    FSLOUTPUTTYPE="NIFTI_GZ" \
-    FSLMULTIFILEQUIT="TRUE" \
-    FSLLOCKDIR="" \
-    FSLMACHINELIST="" \
-    FSLREMOTECALL="" \
-    FSLGECUDAQ="cuda.q"
-
-# MSM
-RUN curl -L -H "Accept: application/octet-stream" https://api.github.com/repos/ecr05/MSM_HOCR/releases/assets/16253707 -o /usr/local/bin/msm \
-    && chmod +x /usr/local/bin/msm
+ENV FSLDIR="/opt/conda/envs/smriprep"
 
 # Unless otherwise specified each process should only use one thread - nipype
 # will handle parallelization
diff --git a/Dockerfile.base b/Dockerfile.base
