Bump FAISS container base to Debian 12 and fix up various issues #73
Conversation
Following up from #61.
| RUN mkdir /build | ||
| WORKDIR /build | ||
| ADD https://github.com/facebookresearch/faiss/archive/refs/tags/v1.7.4.tar.gz /build/ | ||
| # XXX For whatever reason, Podman *doesn't* automatically unpack the source |
There was a problem hiding this comment.
Unfortunate. You may want to wrap the tar in a test to ensure the file exists then, that way this should work with Docker (which I don't believe keeps the downloaded "archive" around) and in Podman, which apparently does.
There was a problem hiding this comment.
There is limited value in supporting multiple competing toolchains to produce our packaging.
Why should we do so?
| ADD https://github.com/facebookresearch/faiss/archive/refs/tags/v1.7.4.tar.gz /build/ | ||
| # XXX For whatever reason, Podman *doesn't* automatically unpack the source | ||
| # tarball. This is fine, but at odds with Docker's behavior. | ||
| RUN tar zxf v1.7.4.tar.gz | ||
|
|
||
| RUN virtualenv /build/local |
There was a problem hiding this comment.
Do we need a virtualenv here? I know python complains about root owned files, but as this container is really a build container and not a runtime service, this may be overkill.
There was a problem hiding this comment.
Containers should be written to run with unprivileged users. I can't find it, but I could have sworn that it was official Debian policy to recommend virtualenv over system pip in all cases.
That said, I don't think that we need a virtualenv, and I primarily reached for it because Debian.
There was a problem hiding this comment.
I agree that containers with very limited capabilities are of strong value.
We are using the container to provide build-time isolation while generating faiss. We have no intent of running the container, so run-time isolation is of no value.
Maybe we should simplify and remove the container entirely from the equation.
| @@ -1,4 +1,4 @@ | |||
| #!/bin/sh | |||
|
|
|||
| . /opt/intel/oneapi/setvars.sh | |||
| cmake -B build faiss-1.7.3 -DBUILD_SHARED_LIBS=ON -DFAISS_ENABLE_GPU=ON -DFAISS_ENABLE_PYTHON=ON -DFAISS_ENABLE_RAFT=OFF -DBUILD_TESTING=ON -DBUILD_SHARED_LIBS=ON -DFAISS_ENABLE_C_API=ON -DCMAKE_BUILD_TYPE=Release -DFAISS_OPT_LEVEL=avx2 -Wno-dev | |||
| cmake -B build faiss-1.7.4 -DBUILD_SHARED_LIBS=ON -DFAISS_ENABLE_GPU=ON -DFAISS_ENABLE_PYTHON=ON -DFAISS_ENABLE_RAFT=OFF -DBUILD_TESTING=ON -DBUILD_SHARED_LIBS=ON -DFAISS_ENABLE_C_API=ON -DCMAKE_BUILD_TYPE=Release -DFAISS_OPT_LEVEL=avx2 -Wno-dev | |||
There was a problem hiding this comment.
Does this step work for you to build the avx2 .so file? It didn't in my previous Debian12 test.
To that end, can we at least add a validation in the build process to determine if the resultant libraries and python whl file exist on disk? That would be a necessary precursor to uploading them to an archive.
There was a problem hiding this comment.
Yeah, I'm still slowly working on building a Debian-style FAISS package. I am not good at Debian packaging, though, so it's taking me a while.
| RUN mkdir /build | ||
| WORKDIR /build | ||
| ADD https://github.com/facebookresearch/faiss/archive/refs/tags/v1.7.4.tar.gz /build/ | ||
| # XXX For whatever reason, Podman *doesn't* automatically unpack the source |
There was a problem hiding this comment.
There is limited value in supporting multiple competing toolchains to produce our packaging.
Why should we do so?
| ADD https://github.com/facebookresearch/faiss/archive/refs/tags/v1.7.4.tar.gz /build/ | ||
| # XXX For whatever reason, Podman *doesn't* automatically unpack the source | ||
| # tarball. This is fine, but at odds with Docker's behavior. | ||
| RUN tar zxf v1.7.4.tar.gz | ||
|
|
||
| RUN virtualenv /build/local |
There was a problem hiding this comment.
I agree that containers with very limited capabilities are of strong value.
We are using the container to provide build-time isolation while generating faiss. We have no intent of running the container, so run-time isolation is of no value.
Maybe we should simplify and remove the container entirely from the equation.
| RUN apt-get update && \ | ||
| apt-get install -y --no-install-recommends \ | ||
| python3-dev python3-numpy-dev swig python3-virtualenv \ | ||
| cmake git gpg default-jre |
There was a problem hiding this comment.
unclear why JRE is needed, although not sure it matters.
There was a problem hiding this comment.
ca-certificates appears to fail to configure during post-install without a JRE present.
| >> /etc/apt/sources.list.d/oneAPI.list | ||
| # Add Intel keyring. | ||
| ADD https://apt.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB /build/ | ||
| RUN < GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB gpg --dearmor > /usr/share/keyrings/oneapi-archive-keyring.gpg |
There was a problem hiding this comment.
Does gpg --dearmor ./GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB > /usr/share/keyrings/oneapi-archive-keyring.gpg work here?
|
@MostAwesomeDude |
|
Please note current repo does not build. |
|
@MostAwesomeDude you had mentioned in this review that you are working on Debian packaging. Debian packages this upstream, although it may lack CUDA support. The Debian installation is here: (the debian dir) contains the control files. |
Following up from #61. This is more work towards #49.