Open source the WhyLabs container

Author: Andy Dang

.bumpversion.cfg

@@ -0,0 +1,110 @@
+[bumpversion]
+current_version = 3.0.0
+tag = False
+parse = (?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(\-(?P<release>[a-z]+)(?P<build>\d+))?
+serialize = 
+	{major}.{minor}.{patch}-{release}{build}
+	{major}.{minor}.{patch}
+
+[bumpversion:part:release]
+optional_value = prod
+first_value = dev
+values = 
+	dev
+	prod
+
+[bumpversion:file:pyproject.toml]
+search = version = "{current_version}" # bump2version
+replace = version = "{new_version}" # bump2version
+
+[bumpversion:file:version.txt]
+search = {current_version}
+replace = {new_version}
+
+[bumpversion:file:docs/conf.py]
+search = release = "{current_version}"
+replace = release = "{new_version}"
+
+[bumpversion:file:whylogs_container/whylabs/container/version.py]
+search = version = "{current_version}"
+replace = version = "{new_version}"
+
+[bumpversion:file:Makefile]
+search = version := {current_version}
+replace = version := {new_version}
+
+[bumpversion:file:whylogs-container-client/pyproject.toml]
+search = version = "{current_version}"
+replace = version = "{new_version}"
+
+[bumpversion:file:openapi-generator.yaml]
+search = package_version_override: {current_version}
+replace = package_version_override: {new_version}
+
+[bumpversion:file:.github/workflows/release.yaml]
+search = VERSION: {current_version}
+replace = VERSION: {new_version}
+
+[bumpversion:file:.github/workflows/workflow.yaml]
+search = VERSION: {current_version}
+replace = VERSION: {new_version}
+
+[bumpversion:file:example_repo/examples/configure_container_yaml/Dockerfile]
+search = FROM registry.gitlab.com/whylabs/langkit-container:{current_version}
+replace = FROM registry.gitlab.com/whylabs/langkit-container:{new_version}
+
+[bumpversion:file:example_repo/examples/configure_container_python/Dockerfile]
+search = FROM registry.gitlab.com/whylabs/langkit-container:{current_version}
+replace = FROM registry.gitlab.com/whylabs/langkit-container:{new_version}
+
+[bumpversion:file:example_repo/examples/custom_model/Dockerfile]
+search = FROM registry.gitlab.com/whylabs/langkit-container:{current_version}
+replace = FROM registry.gitlab.com/whylabs/langkit-container:{new_version}
+
+[bumpversion:file:example_repo/examples/llm_segments/Dockerfile]
+search = FROM registry.gitlab.com/whylabs/langkit-container:{current_version}
+replace = FROM registry.gitlab.com/whylabs/langkit-container:{new_version}
+
+[bumpversion:file:example_repo/examples/multi_tenant/Dockerfile]
+search = FROM registry.gitlab.com/whylabs/langkit-container:{current_version}
+replace = FROM registry.gitlab.com/whylabs/langkit-container:{new_version}
+
+[bumpversion:file:example_repo/examples/configure_container_python/Makefile]
+search = version := {current_version}
+replace = version := {new_version}
+
+[bumpversion:file:example_repo/examples/configure_container_yaml/Makefile]
+search = version := {current_version}
+replace = version := {new_version}
+
+[bumpversion:file:example_repo/examples/container_library/Makefile]
+search = version := {current_version}
+replace = version := {new_version}
+
+[bumpversion:file:example_repo/examples/custom_model/Makefile]
+search = version := {current_version}
+replace = version := {new_version}
+
+[bumpversion:file:example_repo/examples/llm_segments/Makefile]
+search = version := {current_version}
+replace = version := {new_version}
+
+[bumpversion:file:example_repo/examples/s3_configuration/Makefile]
+search = 
+	DOCKER_IMAGE = registry.gitlab.com/whylabs/langkit-container:{current_version}
+	version := {current_version}
+replace = 
+	DOCKER_IMAGE = registry.gitlab.com/whylabs/langkit-container:{new_version}
+	version := {new_version}
+
+[bumpversion:file:example_repo/examples/no_configuration/Makefile]
+search = 
+	DOCKER_IMAGE = registry.gitlab.com/whylabs/langkit-container:{current_version}
+	version := {current_version}
+replace = 
+	DOCKER_IMAGE = registry.gitlab.com/whylabs/langkit-container:{new_version}
+	version := {new_version}
+
+[bumpversion:file:policy-editor/index.html]
+search = <title>{current_version} WhyLabs Policy Editor</title>
+replace = <title>{new_version} WhyLabs Policy Editor</title>

.devcontainer/cache/.gitkeep

@@ -0,0 +1,6 @@
+WHYLABS_API_KEY=
+GITLAB_API_KEY=
+CONTAINER_PASSWORD=local
+CACHE_ASSETS_RUNTIME=true
+AUTO_PULL_WHYLABS_POLICY_MODEL_IDS=
+CONFIG_SYNC_INTERVAL=1

.devcontainer/devcontainer.env

@@ -0,0 +1,24 @@
+{
+  "name": "WhyLabs Container",
+  "build": {
+      "context": "..",
+      "options": [ "--platform=linux/amd64"],
+      "dockerfile": "../Dockerfile.dev"
+  },
+  "forwardPorts": [8000],
+  "runArgs": [
+      "--platform",
+      "linux/amd64",
+      "--env-file",
+      ".devcontainer/devcontainer.env"
+  ],
+  "remoteEnv": {
+    "CACHE_ASSETS_RUNTIME": "True"
+  },
+  "postCreateCommand": "poetry config http-basic.whylabs_container_gitlab __token__ $GITLAB_API_KEY; make install",
+  "remoteUser": "root",
+  "mounts": [
+    "type=bind,source=${localWorkspaceFolder}/.devcontainer/cache/,target=/root/.cache/",
+    "source=guardrails-bashhistory,target=/commandhistory,type=volume"
+  ]
+}

.devcontainer/devcontainer.json

@@ -0,0 +1,8 @@
+data
+.venv
+*.pyc
+*__pycache__*
+# Ignore validation schemas during dev
+whylogs_container/whylogs_config/*
+!whylogs_container/whylogs_config/default.yaml
+!whylogs_container/whylogs_config/embeddings.yaml

.dockerignore

@@ -0,0 +1 @@
+whylabs_asset_cache/ filter=lfs diff=lfs merge=lfs -text

.gitattributes

@@ -0,0 +1,216 @@
+name: "Docker Build Steps"
+description: "Common Docker build steps"
+inputs:
+  langkit_whylabs_api_key:
+    description: "api key for org-0 used for langkit assets"
+    required: true
+  openai_api_key:
+    description: "api key for calling openai, which happens during the asset caching phase of the llm container build."
+    required: true
+  gitlab_pypi_token:
+    required: false
+    description: "A gitlab token from the whylabs-llm-toolkit repo that can be used to download python packages. Only used in llm build."
+  type:
+    description: "main or llm"
+    required: true
+  workdir:
+    description: "Where to put generated artifacts/images."
+    default: "./docker"
+    required: false
+  version:
+    description: "current container publish version"
+    required: true
+  upload_artifact:
+    description: "if true, upload the generated image to the artifact server"
+    required: true
+  llm_default_encoder:
+    description: "The encoder to use during the container build. Only applies to llm"
+    required: false
+
+runs:
+  using: "composite"
+  steps:
+    - name: Free Disk Space (Ubuntu)
+      uses: jlumbroso/free-disk-space@main
+      with:
+        # this might remove tools that are actually needed,
+        # if set to "true" but frees about 6 GB
+        tool-cache: false
+        # all of these default to true, but feel free to set to
+        # "false" if necessary for your workflow
+        android: true
+        dotnet: true
+        haskell: true
+        large-packages: true
+        docker-images: true
+        swap-storage: true
+
+    # Build the policy editor typescript project, required for the llm build
+    - name: Use Node.js
+      if: ${{ inputs.type == 'llm'  }}
+      uses: actions/setup-node@v4
+      with:
+        node-version: "20.x"
+
+    - name: Build the policy editor
+      if: ${{ inputs.type == 'llm'  }}
+      shell: bash
+      run: make policy-editor
+
+    - uses: actions/setup-python@v4
+      if: ${{ inputs.type == 'llm' }}
+      name: Install Python
+      with:
+        python-version: "3.10.8"
+
+    - uses: Gr1N/setup-poetry@v8
+      if: ${{ inputs.type == 'llm' }}
+      name: Install poetry
+      with:
+        poetry-version: 1.7.1
+
+    - name: Remove python dependencies to save space
+      if: ${{ inputs.type == 'llm' }}
+      shell: bash
+      run: |
+        rm -rf .venv/
+        poetry cache clear PyPI --all
+        poetry cache clear torch --all
+        echo "Available storage:"
+        sudo df -h
+        echo
+
+    - name: Create docker dirs
+      shell: bash
+      run: mkdir -p ${{ inputs.workdir }}/llm/ && mkdir -p ${{ inputs.workdir }}/main/
+
+    - name: Set up QEMU
+      uses: docker/setup-qemu-action@v3
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Determine the tag postfix
+      shell: bash
+      id: tag_logic
+      run: |
+        if [[ "${{ inputs.type }}" == "main" ]]; then
+          echo "TAG=registry.gitlab.com/whylabs/whylogs-container" >> $GITHUB_OUTPUT
+        elif [[ "${{ inputs.type }}" == "llm" ]]; then
+          echo "TAG=registry.gitlab.com/whylabs/langkit-container" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Set version
+      shell: bash
+      id: set-version
+      run: |
+        if [[ -n "${{ inputs.llm_default_encoder }}" ]]; then
+          echo "version=${{ inputs.version }}_${{ inputs.llm_default_encoder }}" >> $GITHUB_OUTPUT
+        else
+          echo "version=${{ inputs.version }}" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Set tags
+      shell: bash
+      id: set-tags
+      # Set the docker image tags to the <image name>:<version>_<encoder>. If the encoder is the default encoder AllMiniLML6V2,
+      # then also tag to <image name>:<version> (no encoder) so people can just pull the latest version without specifying the encoder.
+      run: |
+        TAGS="${{ steps.tag_logic.outputs.TAG }}:${{ steps.set-version.outputs.version }}"
+        if [[ "${{ inputs.llm_default_encoder }}" == "AllMiniLML6V2" ]]; then
+          TAGS="$TAGS"$'\n'"${{ steps.tag_logic.outputs.TAG }}:${{ inputs.version }}"
+        fi
+        echo "TAGS<<EOF" >> $GITHUB_OUTPUT
+        echo "$TAGS" >> $GITHUB_OUTPUT
+        echo "EOF" >> $GITHUB_OUTPUT
+
+    - name: Build Docker container
+      uses: docker/build-push-action@v5
+      with:
+        context: .
+        file: ./Dockerfile.${{ inputs.type }}
+        load: true
+        push: false
+        cache-to: type=local,dest=${{ inputs.workdir }}/docker # This will be on a larger mounted file system
+        tags: ${{ steps.set-tags.outputs.TAGS }}
+        outputs: type=docker,dest=${{ inputs.workdir }}/${{ inputs.type }}/whylogs-container-${{ inputs.type }}.tar
+        secrets: |
+          "whylabs_api_key=${{ inputs.langkit_whylabs_api_key }}"
+          "openai_api_key=${{ inputs.openai_api_key }}"
+          "pypi_api_key=${{ inputs.gitlab_pypi_token }}"
+        build-args: |
+          DEFAULT_ENCODER=${{ inputs.llm_default_encoder }}
+
+    - name: Install Trivy
+      shell: bash
+      run: |
+        sudo apt-get install wget apt-transport-https gnupg
+        wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
+        echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb generic main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
+        sudo apt-get update
+        sudo apt-get install trivy
+
+    - name: Download trivy vulnerability database
+      uses: nick-fields/retry@v2
+      with:
+        timeout_minutes: 5
+        max_attempts: 3
+        command: trivy image --download-db-only --db-repository public.ecr.aws/aquasecurity/trivy-db
+
+    - name: Run Trivy image scan
+      shell: bash
+      run: |
+        trivy image \
+          --db-repository public.ecr.aws/aquasecurity/trivy-db \
+          --scanners vuln \
+          --severity HIGH,CRITICAL \
+          --exit-code 1 \
+          --ignore-unfixed \
+          --input ${{ inputs.workdir }}/${{ inputs.type }}/whylogs-container-${{ inputs.type }}.tar
+
+    - name: Make sure container starts
+      shell: bash
+      run: |
+        docker load -i ${{ inputs.workdir }}/${{ inputs.type }}/whylogs-container-${{ inputs.type }}.tar
+        ./scripts/check-health.sh ${{ inputs.type }} ${{ steps.tag_logic.outputs.TAG }}:${{ steps.set-version.outputs.version }}
+
+    # The build host is running out of disk space
+    - name: Delete docker images and cache
+      shell: bash
+      run: docker system prune -a -f --volumes
+
+    - name: Show file system usage at the end
+      shell: bash
+      run: df -h
+
+    - name: Show image tar size
+      shell: bash
+      run: ls -lh ${{ inputs.workdir }}/${{ inputs.type }}/whylogs-container-${{ inputs.type }}.tar
+
+    - name: Fail if image size is too large
+      if: ${{ inputs.type == 'main' }}
+      shell: bash
+      run: test $(du -m ${{ inputs.workdir }}/${{ inputs.type }}/whylogs-container-${{ inputs.type }}.tar | cut -f1) -le 200 || exit 1
+
+    # The size check is set to the size of the largest encoder variant
+    - name: Fail if image size is too large
+      if: ${{ inputs.type == 'llm'  }}
+      shell: bash
+      run: test $(du -m ${{ inputs.workdir }}/${{ inputs.type }}/whylogs-container-${{ inputs.type }}.tar | cut -f1) -le 3400 || exit 1
+
+    - name: Set artifact name
+      shell: bash
+      id: set-artifact-name
+      run: |
+        if [[ -n "${{ inputs.llm_default_encoder }}" ]]; then
+          echo "artifact_name=container-${{ inputs.type }}_${{ inputs.llm_default_encoder }}" >> $GITHUB_OUTPUT
+        else
+          echo "artifact_name=container-${{ inputs.type }}" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Upload container artifact
+      if: ${{ inputs.upload_artifact == 'true' }}
+      uses: actions/upload-artifact@v4
+      with:
+        name: ${{ steps.set-artifact-name.outputs.artifact_name }}
+        path: ${{ inputs.workdir }}/${{ inputs.type }}/whylogs-container-${{ inputs.type }}.tar