From d14730f655c8227010cb2e59fdf677cf8929dcb2 Mon Sep 17 00:00:00 2001 From: Jason Boxman Date: Tue, 9 Apr 2024 17:00:27 -0400 Subject: [PATCH 1/4] Describe use of sha256 hash with Wave - https://github.com/seqeralabs/nf-tower-docs/issues/624 --- docs/{guide.md => guide.mdx} | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) rename docs/{guide.md => guide.mdx} (88%) diff --git a/docs/guide.md b/docs/guide.mdx similarity index 88% rename from docs/guide.md rename to docs/guide.mdx index a71fb1aed..61230557b 100644 --- a/docs/guide.md +++ b/docs/guide.mdx @@ -54,6 +54,26 @@ If an access token is not provided, the following rate limits apply: - 25 container builds per day - 250 container pulls per hour +## Reproducible builds with SHA256 container image references + +Referring to the SHA256 hash of a container imagine is a common best practice in pipeline development. For example, the SHA256 hash for a container might be similar to `sha256:3235...ce8f`. If you use the Wave service to augment your containers, such as to add Fusion to a container, the original SHA256 hash of the image is no longer correct. + +To accommodate the new layers added to a container image augmented with Wave, you can use the freeze feature of Wave. In your pipeline configuration, ensure that you specify the following settings: + +``` +wave.enabled = true +wave.freeze = true +wave.strategy = ['dockerfile'] +wave.build.repository = 'docker.io//' +``` + +In your pipeline, you can use the SHA256 of the Wave augmented container, available in the target repository that you specify with the `wave.build.repository` parameter. For example: + +``` +docker.enabled = 'true' +process.container = 'docker.io//my-bio-container@sha256:3235....ce8f' +``` + ## Tutorials ### Authenticate private repositories From c6b953e2cbdc4e0c90924460f0cd191fe6dfa371 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=CD=BFason=20=CE=92oxman?= <141646877+jason-seqera@users.noreply.github.com> Date: Wed, 17 Apr 2024 14:10:11 -0400 Subject: [PATCH 2/4] Apply suggestions from code review Co-authored-by: Phil Ewels --- docs/guide.mdx | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/guide.mdx b/docs/guide.mdx index 61230557b..25084ce85 100644 --- a/docs/guide.mdx +++ b/docs/guide.mdx @@ -60,7 +60,7 @@ Referring to the SHA256 hash of a container imagine is a common best practice in To accommodate the new layers added to a container image augmented with Wave, you can use the freeze feature of Wave. In your pipeline configuration, ensure that you specify the following settings: -``` +```groovy wave.enabled = true wave.freeze = true wave.strategy = ['dockerfile'] @@ -69,8 +69,8 @@ wave.build.repository = 'docker.io//' In your pipeline, you can use the SHA256 of the Wave augmented container, available in the target repository that you specify with the `wave.build.repository` parameter. For example: -``` -docker.enabled = 'true' +```groovy +docker.enabled = true process.container = 'docker.io//my-bio-container@sha256:3235....ce8f' ``` From 766da1a30648e30993beef79f7d01b961b995e5f Mon Sep 17 00:00:00 2001 From: Jason Boxman Date: Fri, 19 Apr 2024 09:52:12 -0400 Subject: [PATCH 3/4] Add NF inspect --- docs/guide.mdx | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/guide.mdx b/docs/guide.mdx index 25084ce85..f9f21396b 100644 --- a/docs/guide.mdx +++ b/docs/guide.mdx @@ -67,6 +67,8 @@ wave.strategy = ['dockerfile'] wave.build.repository = 'docker.io//' ``` +You can run `nextflow inspect` to find the SHA256 hash of the Wave augmented container. + In your pipeline, you can use the SHA256 of the Wave augmented container, available in the target repository that you specify with the `wave.build.repository` parameter. For example: ```groovy From 46b80902f16fdb4e5a60641ef06b474b9dd8fbff Mon Sep 17 00:00:00 2001 
From: Paolo Di Tommaso Date: Mon, 29 Apr 2024 23:04:35 +0200 Subject: [PATCH 4/4] Update docs [ci skip] Signed-off-by: Paolo Di Tommaso --- docs/guide.mdx | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/docs/guide.mdx b/docs/guide.mdx index 2da6fbb74..59fd11644 100644 --- a/docs/guide.mdx +++ b/docs/guide.mdx @@ -54,11 +54,17 @@ If an access token isn't provided, the following rate limits apply: - 25 container builds per day - 250 container pulls per hour -## Reproducible builds with SHA256 container image references +## Known limitation -Referring to the SHA256 hash of a container imagine is a common best practice in pipeline development. For example, the SHA256 hash for a container might be similar to `sha256:3235...ce8f`. If you use the Wave service to augment your containers, such as to add Fusion to a container, the original SHA256 hash of the image is no longer correct. +### Use of sha256 digest in the image name -To accommodate the new layers added to a container image augmented with Wave, you can use the freeze feature of Wave. In your pipeline configuration, ensure that you specify the following settings: +The Wave does not support the use of sha256 digest in the image name, e.g. `ubuntu@sha256:3235...ce8f`, when using +the augmentation process to extend container images. + +In order to reference a container via sha256 digest in the image name with Wave you will need to *freeze* image mode +that will force the creation of a new container image using the container you have specified as base image. + +In your pipeline configuration, ensure that you specify the following settings: ```groovy wave.enabled = true 
@@ -67,15 +73,6 @@ wave.strategy = ['dockerfile'] wave.build.repository = 'docker.io//' ``` -You can run `nextflow inspect` to find the SHA256 hash of the Wave augmented container. - -In your pipeline, you can use the SHA256 of the Wave augmented container, available in the target repository that you specify with the `wave.build.repository` parameter. For example: - -```groovy -docker.enabled = true -process.container = 'docker.io//my-bio-container@sha256:3235....ce8f' -``` - ## Tutorials ### Authenticate private repositories
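Review bot: In PATCH 1/4, the first added paragraph of the hunk at `@@ -54,6 +54,26 @@` says "container imagine" where "container image" is meant. In the same hunk, `docker.enabled = 'true'` assigns a quoted string while the `wave.*` settings above it use bare booleans; write `docker.enabled = true`. Both added code fences also lack a language tag.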
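Review bot: In PATCH 2/4, the hunk at `@@ -69,8 +69,8 @@` keeps `sha256:3235....ce8f` (four dots) in the `process.container` line, while the prose in the same section abbreviates the digest as `sha256:3235...ce8f` (three dots); use one form so readers do not take them for two different values. The image path as shown, `docker.io//my-bio-container`, has an empty namespace segment, and `wave.build.repository = 'docker.io//'` has none at all; if placeholders were intended, make them visible in the rendered text. The "imagine" typo is still present in the context of the first hunk and could be fixed in this commit. Separately, the From header of this patch encodes the author name as `=CD=BFason=20=CE=92oxman`, which is U+037F and U+0392 in place of Latin J and B, unlike the plain name on patches 1 and 3; normalizing it keeps the commit identity consistent across the series.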
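Review bot: In PATCH 3/4, the sentence added at `@@ -67,6 +67,8 @@` names `nextflow inspect` but does not show the command as the reader would run it or say where in its output the digest appears. It also sits before the paragraph that first explains that the digest of the Wave augmented container lives in the `wave.build.repository` target, so the reader is told how to find a value before being told what it is for. Suggest moving the sentence after that paragraph and adding a short command example with the relevant part of its output.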
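Review bot: In PATCH 4/4, the added text in the hunk at `@@ -54,11 +54,17 @@` has wording problems: "The Wave does not support" should drop the article, and "you will need to *freeze* image mode that will force the creation" is missing a verb (for example "you will need to use *freeze* mode, which forces the creation"). The new heading "Known limitation" is singular while it introduces a subsection list; "Known limitations" reads better if more entries are expected. The rewrite also drops the sentence explaining that augmentation changes the image so the original digest no longer matches, which is the reason the limitation exists; one sentence stating that would help.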
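Review bot: In PATCH 4/4, the hunk at `@@ -67,15 +73,6 @@` removes both the `nextflow inspect` sentence and the `process.container = '...@sha256:...'` example, so the section now says freeze mode is required but no longer tells the reader how to obtain the digest of the frozen image or how to reference it. Since pinning by digest is the point of the section, keep a short version of that guidance after the `wave.build.repository` block, or link to where it is documented.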