Split dockerfile into multi-stage build to separate pre-req builds, runner, and full layers

Author: joshhvulcan

.dockerignore

@@ -7,3 +7,4 @@ lightning_logs
 wandb
 **/test_data/**/**/*.tif
 **/project_data
+one_off_projects

.github/workflows/build_test.yaml

@@ -55,45 +55,108 @@ jobs:
           sudo rm -rf /opt/ghc
           sudo rm -rf /usr/local/share/boost
 
-      # Add deploy key and clone olmoearth_pretrain repository.
-      - name: Start ssh-agent and add olmoearth_pretrain deploy key
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      # ============================================================================
+      # SSH Multi-Key Setup for Private Repository Access
+      # ============================================================================
+      # The Docker build needs to clone from multiple private GitHub repositories:
+      # - allenai/rslearn
+      # - allenai/olmoearth_pretrain
+      # - allenai/olmoearth_run
+      #
+      # PROBLEM: GitHub deploy keys are scoped to a single repository. We need
+      # separate deploy keys for each repo. However, when SSH connects to github.com
+      # with multiple keys loaded in the agent, it tries them in order. If the first
+      # key authenticates successfully but lacks access to a specific repository,
+      # GitHub returns "Repository not found" and SSH stops trying other keys.
+      #
+      # SOLUTION: We use SSH host aliases to route each repository to its specific key.
+      # webfactory/ssh-agent sets up the SSH agent on the runner, but Docker builds
+      # run in an isolated container that doesn't have access to the runner's SSH
+      # config or git URL rewrites. So we must recreate this setup inside the container.
+
+      - name: Setup SSH agent with deploy keys
         uses: webfactory/[email protected]
         with:
-          ssh-private-key: ${{ secrets.DEPLOY_KEY_FOR_HELIOS_CLONE }}
-      - name: Clone olmoearth_pretrain and update requirements-extra.txt.
+          ssh-private-key: |
+            ${{ secrets.DEPLOY_KEY_FOR_OLMOEARTH_PRETRAIN_CLONE }}
+            ${{ secrets.DEPLOY_KEY_FOR_OLMOEARTH_RUN_CLONE }}
+
+      - name: Debug SSH keys
         run: |
-          mkdir docker_build
-          git clone [email protected]:allenai/olmoearth_pretrain.git docker_build/olmoearth_pretrain
-          git -C docker_build/olmoearth_pretrain checkout 0cd82b4784bc2f246a23f6da98a9bab27761c1ba
-          echo "olmoearth_pretrain @ /opt/rslearn_projects/docker_build/olmoearth_pretrain/" >> requirements-extra.txt
+          echo "=== SSH Agent Keys ==="
+          ssh-add -L
+          echo ""
+          echo "=== SSH Config (if any) ==="
+          cat ~/.ssh/config || echo "No SSH config found"
+          echo ""
+          echo "=== Git Config URL Rewrites ==="
+          git config --global --get-regexp 'url\..*\.insteadof' || echo "No git URL rewrites found"
 
-      # Same thing for olmoearth_run repository.
-      - name: Start ssh-agent and add olmoearth_run deploy key
-        uses: webfactory/[email protected]
-        with:
-          ssh-private-key: ${{ secrets.DEPLOY_KEY_FOR_OLMOEARTH_RUN_CLONE }}
-      - name: Clone olmoearth_run and update requirements-extra.txt.
+      # Prepare all SSH configuration files for Docker build
+      # The SSH agent runs on the runner but we need actual key files and config
+      # inside the Docker container. We pre-build everything here in the workflow
+      # to keep the Dockerfile simple and free of CI-specific logic.
+      - name: Prepare SSH keys for Docker build
         run: |
-          git clone [email protected]:allenai/olmoearth_run.git docker_build/olmoearth_run
-          echo "olmoearth_run @ /opt/rslearn_projects/docker_build/olmoearth_run/" >> requirements-extra.txt
+          mkdir -p .docker-ssh
+
+          # Write SSH private keys
+          echo "${{ secrets.DEPLOY_KEY_FOR_OLMOEARTH_PRETRAIN_CLONE }}" > .docker-ssh/olmoearth_pretrain_key
+          echo "${{ secrets.DEPLOY_KEY_FOR_OLMOEARTH_RUN_CLONE }}" > .docker-ssh/olmoearth_run_key
+          chmod 600 .docker-ssh/*_key
 
-      - name: Build and push Docker image
+          # Create SSH config with host aliases
+          cat > .docker-ssh/config << 'EOF'
+          Host github-olmoearth-pretrain
+            HostName github.com
+            IdentityFile /root/.ssh/olmoearth_pretrain_key
+            IdentitiesOnly yes
+
+          Host github-olmoearth-run
+            HostName github.com
+            IdentityFile /root/.ssh/olmoearth_run_key
+            IdentitiesOnly yes
+          EOF
+
+          # Create modified requirements files with host aliases
+          sed 's|git@github\.com/allenai/olmoearth_pretrain|git@github-olmoearth-pretrain/allenai/olmoearth_pretrain|g' \
+            requirements-olmoearth_pretrain.txt > .docker-ssh/requirements-olmoearth_pretrain.txt
+          sed 's|git@github\.com/allenai/olmoearth_run|git@github-olmoearth-run/allenai/olmoearth_run|g' \
+            requirements-olmoearth_run.txt > .docker-ssh/requirements-olmoearth_run.txt
+
+## REMOVE BEFORE MERGE! ####
+#      - name: Clone olmoearth repositories and update requirements-extra.txt
+#        run: |
+#          mkdir docker_build
+#          git clone [email protected]:allenai/olmoearth_pretrain.git docker_build/olmoearth_pretrain
+#          git -C docker_build/olmoearth_pretrain checkout 0cd82b4784bc2f246a23f6da98a9bab27761c1ba
+#          echo "olmoearth_pretrain @ /opt/rslearn_projects/docker_build/olmoearth_pretrain/" >> requirements-extra.txt
+#          git clone [email protected]:allenai/olmoearth_run.git docker_build/olmoearth_run
+#          echo "olmoearth_run @ /opt/rslearn_projects/docker_build/olmoearth_run/" >> requirements-extra.txt
+############################
+
+      - name: Build and push Docker images with Bake
         id: build-push
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          push: true
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          build-args: |
-            GIT_USERNAME=${{ secrets.GIT_USERNAME }}
-            GIT_TOKEN=${{ secrets.GIT_TOKEN }}
+        run: |
+          docker buildx bake \
+            --allow=ssh \
+            --file ./docker-bake.hcl \
+            --file ${{ steps.meta.outputs.bake-file }} \
+            --set "*.cache-from=type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache" \
+            --set "*.cache-to=type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:buildcache,mode=max" \
+            --metadata-file /tmp/bake-metadata.json \
+            --push
 
       - name: Store Image Names
         # We need the docker image name downstream in test & deploy. This saves the full docker image names to outputs
         id: image-names
         run: |-
-          GHCR_IMAGE="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-push.outputs.digest }}"
+          # Extract the digest for the 'full' target from bake metadata
+          FULL_DIGEST=$(cat /tmp/bake-metadata.json | jq -r '.full."containerimage.digest"')
+          GHCR_IMAGE="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${FULL_DIGEST}"
           GHCR_IMAGE=`echo ${GHCR_IMAGE} | tr '[:upper:]' '[:lower:]'` # docker requires that all image names be lowercase
           echo "ghcr.io Docker image name is ${GHCR_IMAGE}"
           echo "ghcr_image_name=\"${GHCR_IMAGE}\"" >> $GITHUB_OUTPUT

.gitignore

@@ -19,6 +19,7 @@ olmoearth_run_data/nandi/finetune/annotation*.geojson
 lightning_logs/
 /tmp*/
 docker_build
+.docker-ssh/
 
 # misc from one off projects
 one_off_projects/2025_07_joint_finetune/data

Dockerfile

@@ -1,37 +1,127 @@
-FROM pytorch/pytorch:2.7.0-cuda12.8-cudnn9-runtime@sha256:7db0e1bf4b1ac274ea09cf6358ab516f8a5c7d3d0e02311bed445f7e236a5d80
+###
+### docker build --ssh default=/path/to/private.key -f Dockerfile .
 
-RUN apt update
-RUN apt install -y libpq-dev ffmpeg libsm6 libxext6 git wget
+ARG BASE=ubuntu:22.04
+ARG BASE_PYTORCH=pytorch/pytorch:2.7.0-cuda12.8-cudnn9-runtime@sha256:7db0e1bf4b1ac274ea09cf6358ab516f8a5c7d3d0e02311bed445f7e236a5d80
+ARG PLATFORM=linux/amd64
 
-# Install Go (used for Satlas smooth_point_labels_viterbi.go).
-RUN wget https://go.dev/dl/go1.22.12.linux-amd64.tar.gz
-RUN rm -rf /usr/local/go && tar -C /usr/local -xzf go1.22.12.linux-amd64.tar.gz
-ENV PATH="${PATH}:/usr/local/go/bin"
+FROM --platform=${PLATFORM} ${BASE} AS tippecanoe
 
-# Install tippecanoe (used by forest loss driver).
-RUN apt install -y build-essential libsqlite3-dev zlib1g-dev
-RUN git clone https://github.com/mapbox/tippecanoe /opt/tippecanoe
-WORKDIR /opt/tippecanoe
+RUN apt-get update && apt-get install -y --no-install-recommends build-essential ca-certificates curl libsqlite3-dev zlib1g-dev
+
+RUN mkdir -p /tmp/tippecanoe && curl -L https://github.com/mapbox/tippecanoe/archive/refs/tags/1.36.0.tar.gz | tar -xz --strip 1 -C /tmp/tippecanoe
+WORKDIR /tmp/tippecanoe
 RUN make -j
-RUN make install
+RUN PREFIX=/opt/tippecanoe make install
+
+# To use this:
+#  COPY --from=tippecanoe /opt/tippecanoe /opt/tippecanoe
+#  ENV PATH="/opt/tippecanoe/bin:${PATH}"
+
+FROM --platform=${PLATFORM} ${BASE} AS golang
+
+## Build Satlas smooth_point_labels_viterbi.go (Requires golang)
+RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates curl
+RUN curl -L https://go.dev/dl/go1.22.12.linux-amd64.tar.gz | tar -xz -C /usr/local
+ENV PATH="/usr/local/go/bin:${PATH}"
+
+COPY rslp/satlas/scripts /tmp/smooth_point_labels_viterbi/
+WORKDIR /tmp/smooth_point_labels_viterbi/
+RUN go build smooth_point_labels_viterbi.go
+
+# To use this:
+#  COPY --from=golang /tmp/smooth_point_labels_viterbi/smooth_point_labels_viterbi /usr/local/bin/smooth_point_labels_viterbi
+
+FROM --platform=${PLATFORM} pytorch/pytorch:2.7.0-cuda12.8-cudnn9-runtime@sha256:7db0e1bf4b1ac274ea09cf6358ab516f8a5c7d3d0e02311bed445f7e236a5d80 AS base
+
+RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates git openssh-client
+
+# Pin GitHub's host keys so SSH won't prompt
+RUN mkdir -p -m 700 /root/.ssh && \
+    ssh-keyscan -t rsa,ecdsa,ed25519 github.com >> /root/.ssh/known_hosts
+
+COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv
+
+COPY . /opt/rslearn_projects/
+
+# ============================================================================
+# SSH Multi-Key Configuration for GitHub Actions
+# ============================================================================
+# This section handles SSH authentication for multiple private GitHub repositories
+# when building in CI/CD environments that use separate deploy keys per repository.
+#
+# CONTEXT:
+# - GitHub deploy keys are scoped to a single repository for security
+# - We need to clone from multiple repos: rslearn, olmoearth_pretrain, olmoearth_run
+# - Each repository has its own deploy key stored as a GitHub Actions secret
+#
+# THE PROBLEM:
+# When SSH tries to connect to github.com with multiple keys in the agent:
+#   1. SSH tries the first key
+#   2. If it authenticates successfully, SSH stops trying other keys
+#   3. If that key lacks access to a specific repo, GitHub returns "Repository not found"
+#   4. The connection fails even though other keys in the agent might have access
+#
+# This happens because SSH authenticates at the HOST level (github.com), not the
+# repository level. Once any key authenticates with github.com, SSH considers the
+# connection successful and doesn't try other keys.
+#
+# THE SOLUTION:
+# We use SSH host aliases to make SSH think each repository is on a different host:
+#   - git@github-olmoearth-pretrain:allenai/olmoearth_pretrain.git
+#   - git@github-olmoearth-run:allenai/olmoearth_run.git
+#
+# Each alias points to github.com but specifies which SSH key to use via IdentityFile.
+# With IdentitiesOnly=yes, SSH only tries the specified key for that alias.
+#
+# IMPLEMENTATION:
+# The GitHub Actions workflow writes deploy keys to .docker-ssh/ and sets
+# USE_SSH_KEYS_FROM_BUILD=true. This code then:
+#   1. Copies the key files to ~/.ssh/
+#   2. Creates SSH config with host aliases mapped to specific keys
+#   3. Rewrites requirements*.txt files to use the host aliases
+#
+# LOCAL DEVELOPMENT:
+# Local developers typically have a single SSH key with access to all repositories,
+# so this complexity is unnecessary. When USE_SSH_KEYS_FROM_BUILD=false (default),
+# this entire setup is skipped and standard SSH agent forwarding is used.
+
+ARG USE_SSH_KEYS_FROM_BUILD=false
+RUN if [ "$USE_SSH_KEYS_FROM_BUILD" = "true" ] && [ -d /opt/rslearn_projects/.docker-ssh ]; then \
+      echo "Setting up SSH keys from build context..." && \
+      cp /opt/rslearn_projects/.docker-ssh/*_key /root/.ssh/ && \
+      cp /opt/rslearn_projects/.docker-ssh/config /root/.ssh/config && \
+      chmod 600 /root/.ssh/*_key /root/.ssh/config && \
+      cp /opt/rslearn_projects/.docker-ssh/requirements-olmoearth_pretrain.txt /opt/rslearn_projects/requirements-olmoearth_pretrain.txt && \
+      cp /opt/rslearn_projects/.docker-ssh/requirements-olmoearth_run.txt /opt/rslearn_projects/requirements-olmoearth_run.txt && \
+      echo "SSH multi-key setup complete."; \
+    else \
+      echo "Using default SSH configuration (single key or SSH agent)."; \
+    fi
+
+RUN --mount=type=ssh \
+    --mount=type=cache,target=/root/.cache/uv \
+    uv pip install --system /opt/rslearn_projects[olmoearth_run,olmoearth_pretrain]
 
+FROM base AS full
+
+COPY --from=tippecanoe /opt/tippecanoe /opt/tippecanoe
+COPY --from=golang /tmp/smooth_point_labels_viterbi/smooth_point_labels_viterbi /usr/local/bin/smooth_point_labels_viterbi
 COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv
 
-# Install rslearn.
-# We use git clone and then git checkout instead of git clone -b so that the user could
-# specify a commit name or branch instead of only accepting a branch.
+ENV PATH="/opt/tippecanoe/bin:${PATH}"
+
+## Install rslearn.
+## We use git clone and then git checkout instead of git clone -b so that the user could
+## specify a commit name or branch instead of only accepting a branch.
 ARG RSLEARN_BRANCH=master
-RUN git clone https://github.com/allenai/rslearn.git /opt/rslearn
+RUN --mount=type=ssh git clone git@github.com:allenai/rslearn.git /opt/rslearn
 WORKDIR /opt/rslearn
 RUN git checkout $RSLEARN_BRANCH
-RUN uv pip install --system /opt/rslearn[extra]
+RUN --mount=type=cache,target=/root/.cache/uv \
+    uv pip install --system /opt/rslearn[extra]
 
-# Install rslearn_projects.
 COPY . /opt/rslearn_projects/
-RUN uv pip install --system /opt/rslearn_projects[dev,extra]
-
-# Build Satlas smooth_point_labels_viterbi.go program.
-WORKDIR /opt/rslearn_projects/rslp/satlas/scripts
-RUN go build smooth_point_labels_viterbi.go
-
-WORKDIR /opt/rslearn_projects
+RUN --mount=type=ssh \
+    --mount=type=cache,target=/root/.cache/uv \
+    uv pip install --system /opt/rslearn_projects[dev,extra]

README.md

@@ -33,6 +33,43 @@ environment variable:
     echo "RSLP_PREFIX=project_data/" > .env
 
 
+Docker Build
+------------
+
+The project includes a multi-stage Docker build for creating containerized environments.
+
+### Prerequisites
+
+- Docker with BuildKit support
+- SSH access to the following private repositories:
+  - `github.com:allenai/rslearn`
+  - `github.com:allenai/olmoearth_pretrain`
+  - `github.com:allenai/olmoearth_run`
+- Your SSH key should be loaded in your SSH agent
+
+### Building Images
+
+To build all targets:
+
+    docker buildx bake
+
+To build a specific target:
+
+    docker buildx bake base   # Base image with core dependencies
+    docker buildx bake full   # Full image with all tools and rslearn
+
+### Build Targets
+
+- **base**: Core PyTorch environment with rslearn_projects and olmoearth dependencies
+- **full**: Includes rslearn, tippecanoe, and additional development tools
+
+### Notes for Local Development
+
+Local developers with a single SSH key that has access to all repositories can build directly
+without additional configuration. The multi-key SSH setup is only required in CI/CD environments
+where separate deploy keys are used for each repository.
+
+
 Applications
 ------------
 

SECRETS.md

@@ -0,0 +1,29 @@
+This is a listing of all Github Actions secrets used in this repository and what they are for.
+They are mostly managed by @favyen2 and @joshhvulcan.
+
+| Secret Name                                  | Description                                                       |
+|----------------------------------------------|-------------------------------------------------------------------|
+| AWS_ACCESS_KEY_ID                            | AWS Access Key for accessing requestor pays buckets.              |
+| AWS_SECRET_ACCESS_KEY                        | AWS Access Key for accessing requestor pays buckets.              |
+| BEAKER_ADDR                                  | Address of the beaker API                                         |
+| BEAKER_BUDGET                                | Which beaker budget to use when submitting jobs.                  |
+| BEAKER_CLUSTER_INFERENCE                     | Which beaker cluster to use.                                      |
+| BEAKER_TOKEN                                 | Beaker token                                                      |
+| BEAKER_TOKEN_2                               | Beaker token                                                      |
+| BEAKER_USERNAME                              | Beaker username. (Favyen?)                                        |
+| BEAKER_WORKSPACE                             | Which beaker workspace to use.                                    |
+| DEPLOY_KEY_FOR_ESRUN_CLONE                   | Deploy key to use when cloning earthsystem_run repository.        |
+| DEPLOY_KEY_FOR_HELIOS_CLONE                  | Deploy keyt o use when cloning helios repo.                       |
+| DEPLOY_KEY_FOR_OLMOEARTH_PRETRAIN_CLONE      | Deploy key to use when closing olmoearth_pretrain repo.           |
+| DEPLOY_KEY_FOR_OLMOEARTH_RUN_CLONE           | Deploy key to use when cloning omoearth_run repo.                 |
+| DOCKER_BUILD_PAT_JOSH                        | Personal access token from Josh for docker builds (still needed?) |
+| FOREST_LOSS_DRIVER_INFERENCE_SERVICE_ACCOUNT | GCP Service Account to use for Forest Loss Driver                 |
+| GCP_PROJECT_ID                               | GCP Project ID for forest loss                                    |
+| GCP_USER                                     |                                                                   |
+| GCP_VM_DEPLOYER_CREDENTIALS                  | GCP Service accoutn for deploying vms (?)                         |
+| GHCR_PAT_PULL_DOCKER_IMAGE                   | GHCR Peronsal access token for reading?/writing?) iamges          |
+| GIT_TOKEN                                    | Is this still used?                                               |
+| GIT_USERNAME                                 | Is this still used?                                               |
+| GOOGLE_CREDENTIALS                           | Is this still used?                                               |
+| PLANET_API_KEY_NICFI                         | Planet API key                                                    |
+| RSLP_PREFIX                                  | RSLP Prefix (?)                                                   |