jfraeysd/fetch_ml
0
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
fetch_ml/podman/README.md

333 lines
7.3 KiB
Markdown
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Secure ML Runner
Fast, secure ML experiment runner using Podman isolation with optimized package management.
## 🚀 Why Secure ML Runner?
### **⚡ Lightning Fast**
- **6x faster** package resolution than pip
- **Binary packages** - no compilation needed
- **Smart caching** - faster subsequent runs
### **🐍 Data Scientist Friendly**
- **Native environment** - Isolated ML workspace
- **Popular packages** - PyTorch, scikit-learn, XGBoost, Jupyter
- **Easy sharing** - `environment.yml` for team collaboration
### **🛡️ Secure Isolation**
- **Rootless Podman** - No daemon, no root privileges
- **Network blocking** - Prevents unsafe downloads
- **Package filtering** - Security policies enforced
- **Non-root execution** - Container runs as limited user
## 🧪 Automated Testing
The podman directory is now automatically managed by the test suite:
### **Workspace Management**
- **Automated Sync**: `make sync-examples` automatically copies all example projects
- **Clean Structure**: Only contains synced example projects in `workspace/`
- **No Manual Copying**: Everything is handled by automated tests
### **Testing Integration**
- **Example Validation**: `make test-examples` validates project structure
- **Container Testing**: `make test-podman` tests full workflow
- **Consistency**: Tests ensure workspace stays in sync with examples/
### **Workspace Contents**
The `workspace/` directory contains:
- `standard_ml_project/` - Standard ML example
- `sklearn_project/` - Scikit-learn example
- `pytorch_project/` - PyTorch example
- `tensorflow_project/` - TensorFlow example
- `xgboost_project/` - XGBoost example
- `statsmodels_project/` - Statsmodels example
> **Note**: Do not manually modify files in `workspace/`. Use `make sync-examples` to update from the canonical examples in `tests/examples/`.
## 🎯 Quick Start
### 1. Sync Examples (Required)
```bash
make sync-examples
```
### 2. Build the Container
```bash
make secure-build
```
### 3. Run an Experiment
```bash
make secure-run
```
### 4. Start Jupyter (Optional)
```bash
make secure-dev
```
### 5. Interactive Shell
```bash
make secure-shell
```
| Command | Description |
| ------------------- | -------------------------- |
| `make secure-build` | Build secure ML runner |
| `make secure-run` | Run ML experiment securely |
| `make secure-test` | Test GPU access |
| `make secure-dev` | Start Jupyter notebook |
| `make secure-shell` | Open interactive shell |
## 📁 Configuration
### **Pre-installed Packages**
```bash
# ML Frameworks
pytorch>=1.9.0
torchvision>=0.10.0
numpy>=1.21.0
pandas>=1.3.0
scikit-learn>=1.0.0
xgboost>=1.5.0
# Data Science Tools
matplotlib>=3.5.0
seaborn>=0.11.0
jupyter>=1.0.0
```
### **Security Policy**
```json
{
"allow_network": false,
"blocked_packages": ["requests", "urllib3", "httpx"],
"max_execution_time": 3600,
"gpu_devices": ["/dev/dri"],
"ml_env": "ml_env",
"package_manager": "mamba"
}
```
## 📁 Directory Structure
```
podman/
├── secure-ml-runner.podfile # Container definition
├── secure_runner.py # Security wrapper
├── environment.yml # Environment spec
├── security_policy.json # Security rules
├── workspace/ # Experiment files
│ ├── train.py # Training script
│ └── requirements.txt # Dependencies
└── results/ # Experiment outputs
├── execution_results.json
├── results.json
└── pytorch_model.pth
```
## 🚀 Usage Examples
### **Run Custom Experiment**
```bash
# Copy your files
cp ~/my_experiment/train.py workspace/
cp ~/my_experiment/requirements.txt workspace/
# Run securely
make secure-run
```
### **Use Jupyter**
```bash
# Start notebook server
make secure-dev
# Access at http://localhost:8888
```
### **Interactive Development**
```bash
# Get shell with environment activated
make secure-shell
# Inside container:
conda activate ml_env
python train.py --epochs 10
```
## <20> Security Features
### **Container Security**
- **Rootless Podman** - No daemon running as root
- **Non-root user** - Container runs as `mlrunner`
- **No privileges** - `--cap-drop ALL`
- **Read-only filesystem** - Immutable base image
### **Network Isolation**
- **No internet access** - Prevents unsafe downloads
- **Package filtering** - Blocks dangerous packages
- **Controlled execution** - Time and memory limits
### **Package Safety**
```bash
# Blocked packages (security)
requests, urllib3, httpx, aiohttp, socket, telnetlib, ftplib
# Allowed packages (pre-installed)
torch, numpy, pandas, scikit-learn, xgboost, matplotlib
```
## 📊 Performance
### **Speed Comparison**
| Operation | Pip | Mamba | Improvement |
| ------------------------ | ---- | ----- | --------------- |
| **Environment Setup** | 45s | 10s | **4.5x faster** |
| **Package Resolution** | 30s | 5s | **6x faster** |
| **Experiment Execution** | 2.0s | 3.7s | Similar |
### **Resource Usage**
- **Memory**: ~8GB limit
- **CPU**: 2 cores limit
- **Storage**: ~2GB image size
- **Network**: Isolated (no internet)
## <20> Cross-Platform
### **Development (macOS)**
```bash
# Works on macOS with Podman
make secure-build
make secure-run
```
### **Production (Rocky Linux)**
```bash
# Same commands, GPU enabled
make secure-build
make secure-run # Auto-detects GPU
```
### **Storage (NAS/Debian)**
```bash
# Lightweight version, no GPU
make secure-build
make secure-run
```
## 🎮 GPU Support
### **Detection**
```bash
make secure-test
# Output: ✅ GPU access available (if present)
```
### **Usage**
- **Automatic detection** - Uses GPU if available
- **Fallback to CPU** - Works without GPU
- **CUDA support** - Pre-installed in container
## 📝 Experiment Results
### **Output Files**
```json
{
"status": "success",
"execution_time": 3.7,
"container_type": "secure",
"ml_env": "ml_env",
"package_manager": "mamba",
"gpu_accessible": true,
"security_mode": "enabled"
}
```
### **Artifacts**
- `results.json` - Training metrics
- `pytorch_model.pth` - Trained model
- `execution_results.json` - Execution metadata
## 🛠️ Troubleshooting
### **Common Issues**
```bash
# Check Podman status
podman info
# Rebuild container
make secure-build
# Clean up
podman system prune -f
```
### **Debug Mode**
```bash
# Interactive shell for debugging
make secure-shell
# Check environment
conda info --envs
conda list -n ml_env
```
## 🎯 Best Practices
### **For Data Scientists**
1. **Use `environment.yml`** - Share environments easily
2. **Leverage pre-installed packages** - Skip installation time
3. **Use Jupyter** - Interactive development
4. **Test locally** - Use `make secure-shell` for debugging
### **For Production**
1. **Security first** - Keep network isolation
2. **Resource limits** - Monitor CPU/memory usage
3. **GPU optimization** - Enable on Rocky Linux servers
4. **Regular updates** - Rebuild with latest packages
## 🎉 Conclusion
**Secure ML Runner** provides the perfect balance:
- **⚡ Speed** - 6x faster package management
- **🐍 DS Experience** - Native ML environment
- **🛡️ Security** - Rootless isolation
- **🔄 Portability** - Works across platforms
Perfect for data scientists who want speed without sacrificing security! 🚀
Reference in a new issue View git blame Copy permalink