Container transforms
:::callout{theme="warning" title="Prerequisites"} The following documentation assumes working knowledge of containerized infrastructure and concepts like container images. If you are unfamiliar with these topics, we recommend reviewing the Docker overview documentation. :::
Foundry interacts with containers pushed into the platform in two ways:
- Using the transforms sidecar decorator.
- Constructing and using container backed model assets.
In both use cases, the first step is to push the image into the Docker registry hosted within Foundry while following the image requirements listed below.
Image requirements

- The image has a numeric `userID`.
  - The `userID` defined within the Dockerfile must be numeric and not '0'. Foundry does not allow commands to run within the container as the root user; on some systems '0' is interpreted as the root user ID, and a non-numeric ID can be configured to function as root.
  - For bring your own container transforms, the `userID` must be specifically '5001'.
- The image is built for the `linux/amd64` platform.
  - Foundry supports the execution of containers built for this platform only. The default platform for Docker is `linux`, so add `--platform linux/amd64` to the Docker build command to set the platform explicitly.
- The image is pushed with a digest or any tag other than `latest`.
  - The executed Docker push command should specify the digest of the image or use a tag that is not `latest`. Foundry will not execute images tagged as `latest`, since there is no mechanism to ensure that any given image is actually the latest one.
- The maximum image layer size is less than ~10 GB.
  - It is strongly recommended that each layer is smaller than ~10 GB. If your use case requires a larger layer size, contact your Palantir representative.
- Any ports exposed are between 1024 and 65535.
  - Ports 0 through 1023 are well-known ports and as such are reserved for root. Foundry does not allow commands to run within the container as the root user; therefore, any ports specified in this range will not be available when the image is launched within Foundry.
- [Optional] The image has telemetry enabled.
  - To enable telemetry logging from your container:
    - The image must have a shell executable at `/bin/sh`.
    - The image must support the shell commands `set` and `tee`.
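As an added preflight check, not part of the Foundry documentation or its tooling, the following Python script evaluates `docker image inspect` output against the requirements above before an image is pushed. The sample JSON and registry name are constructed; layer sizes are passed in separately because inspect does not report them, and the telemetry requirement (`/bin/sh` with `set` and `tee`) is not checked here.

```python
import json

# Constructed sample of `docker image inspect <ref>` output, trimmed to the
# fields the checks need; not captured from a real Foundry image.
SAMPLE_INSPECT = json.dumps([{
    "RepoTags": ["registry.example.invalid/myteam/mymodel:1.0.3"],
    "Os": "linux",
    "Architecture": "amd64",
    "Config": {"User": "5001", "ExposedPorts": {"8080/tcp": {}}},
}])

TEN_GB = 10 * 1024 ** 3
BYOC_UID = "5001"  # required UID for bring-your-own-container transforms


def check_image(inspect_json: str, byoc: bool = False, layer_sizes=()) -> list:
    """Return a list of requirement violations (empty list means the image passes).

    layer_sizes: optional per-layer sizes in bytes (e.g. from the registry
    manifest); `docker image inspect` does not report them.
    """
    info = json.loads(inspect_json)[0]
    cfg = info.get("Config", {})
    problems = []
    # Numeric, non-root user. Docker allows "uid:gid" and named users; only the
    # uid part is checked, and a name (which may resolve to root) is rejected.
    uid = str(cfg.get("User", "")).split(":")[0]
    if not uid.isdigit():
        problems.append(f"USER must be a numeric UID, got {uid!r}")
    elif uid == "0":
        problems.append("USER must not be 0 (root)")
    elif byoc and uid != BYOC_UID:
        problems.append(f"BYOC transforms require USER {BYOC_UID}, got {uid}")

    if (info.get("Os"), info.get("Architecture")) != ("linux", "amd64"):
        problems.append("image must be built for linux/amd64 (use --platform linux/amd64)")

    for tag in info.get("RepoTags", []):
        if tag.rsplit(":", 1)[-1] == "latest":
            problems.append(f"tag 'latest' is not executed by Foundry: {tag}")

    for port_spec in cfg.get("ExposedPorts", {}):
        port = int(port_spec.split("/")[0])
        if not 1024 <= port <= 65535:
            problems.append(f"exposed port {port} is in the privileged range 0-1023")

    for i, size in enumerate(layer_sizes):
        if size >= TEN_GB:
            problems.append(f"layer {i} is {size / 1024**3:.1f} GB (>= ~10 GB)")
    return problems
```

Run it as `python3 check_image.py` after piping `docker image inspect` output into `check_image`; a non-empty return lists every requirement the image would fail.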