misc: Update Hadolint rules and clean dockerfiles

Author: JDBetteridge

.github/workflows/lint.yml

@@ -47,7 +47,7 @@ jobs:
     name: "Spellcheck everything"
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
     - name: Set up Python 3.10
       uses: actions/setup-python@v6
       with:
@@ -69,7 +69,7 @@ jobs:
     # #example-error-annotation-on-github-actions
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v6
       - name: Check workflow files
         uses: docker://rhysd/actionlint:latest
         with:
@@ -81,9 +81,9 @@ jobs:
     container:
       image: hadolint/hadolint:latest-alpine
       env:
-        HADOLINT_IGNORE: "DL3005,DL3007,DL3008,DL3015,DL3059"
+        HADOLINT_IGNORE: "DL3003,DL3004,DL3005,DL3007,DL3008,DL3009,DL3013,DL3015,DL3042,DL3059,SC2103,SC2046,SC2086"
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v6
       - name: Lint dockerfiles inside hadolint container
         run: |
           for DOCKERFILE in docker/Dockerfile.*; \

.pre-commit-config.yaml

@@ -33,3 +33,4 @@ repos:
     rev: v2.12.0
     hooks:
       - id: hadolint-docker
+        entry: -e HADOLINT_IGNORE=DL3003,DL3004,DL3005,DL3007,DL3008,DL3009,DL3013,DL3015,DL3042,DL3059,SC2103,SC2046,SC2086 ghcr.io/hadolint/hadolint hadolint

docker/Dockerfile.amd

@@ -28,7 +28,7 @@ ENV PATH=$ROCM_HOME/bin:$PATH \
     LD_LIBRARY_PATH=$ROCM_HOME/lib:$ROCM_HOME/lib/llvm/lib:$LD_LIBRARY_PATH
 
 # Until rocm base has it fixed
-RUN ln -s /opt/rocm/llvm/bin/offload-arch /opt/rocm/bin/offload-arch | echo "offload-arch already exis"
+RUN ln -s /opt/rocm/llvm/bin/offload-arch /opt/rocm/bin/offload-arch || echo "offload-arch already exists"
 
 # Install UCX
 RUN cd /tmp/ \

docker/Dockerfile.cpu

@@ -54,7 +54,7 @@ ENV PATH=${PATH}:/opt/openmpi/bin
 ENV LD_LIBRARY_PATH=/opt/openmpi/lib
 
 # Cleanup
-RUN apt-get clean && apt-get autoclean && apt-get autoremove  -y && rm -rf /var/lib/apt/lists/*
+RUN apt-get clean && apt-get autoclean && apt-get autoremove -y && rm -rf /var/lib/apt/lists/*
 
 EXPOSE 8888
 CMD ["/bin/bash"]

docker/Dockerfile.devito

@@ -21,7 +21,7 @@ RUN python3 -m venv /venv && \
     ln -fs /app/nvtop/build/src/nvtop /venv/bin/nvtop
 
 # Copy Devito
-ADD . /app/devito
+COPY . /app/devito
 
 # Remove git files
 RUN rm -rf /app/devito/.git
@@ -30,7 +30,7 @@ RUN rm -rf /app/devito/.git
 RUN eval "$MPI4PY_FLAGS /venv/bin/pip install --no-cache-dir --verbose -r /app/devito/requirements-mpi.txt"
 
 # Devito
-RUN /venv/bin/pip install --no-cache-dir -e /app/devito[extras,tests] && rm -rf ~/.cache/pip
+RUN /venv/bin/pip install --no-cache-dir -e "/app/devito[extras,tests]" && rm -rf ~/.cache/pip
 
 FROM $base AS utilities
 
@@ -80,10 +80,10 @@ RUN groupadd -g ${GROUP_ID} app && \
 COPY --from=builder --chown=app:app /app /app
 COPY --from=utilities --chown=app:app /app/nvtop /app/nvtop
 
-ADD --chown=app:app docker/run-jupyter.sh /jupyter
-ADD --chown=app:app docker/run-tests.sh /tests
-ADD --chown=app:app docker/run-print-defaults.sh /print-defaults
-ADD --chown=app:app docker/entrypoint.sh /docker-entrypoint.sh
+COPY --chown=app:app docker/run-jupyter.sh /jupyter
+COPY --chown=app:app docker/run-tests.sh /tests
+COPY --chown=app:app docker/run-print-defaults.sh /print-defaults
+COPY --chown=app:app docker/entrypoint.sh /docker-entrypoint.sh
 RUN chmod +x /print-defaults /jupyter /tests /docker-entrypoint.sh
 
 # Venv

docker/Dockerfile.intel

@@ -26,7 +26,8 @@ FROM base AS oneapi
 
 # Download the key to system keyring
 # https://www.intel.com/content/www/us/en/develop/documentation/installation-guide-for-intel-oneapi-toolkits-linux/top/installation/install-using-package-managers/apt.html#apt
-RUN wget -O- https://apt.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB | gpg --dearmor > /usr/share/keyrings/oneapi-archive-keyring.gpg
+SHELL /bin/bash -o pipefail
+RUN wget --progress=dot:giga -O- https://apt.repos.intel.com/intel-gpg-keys/GPG-PUB-KEY-INTEL-SW-PRODUCTS.PUB | gpg --dearmor > /usr/share/keyrings/oneapi-archive-keyring.gpg
 RUN echo "deb [signed-by=/usr/share/keyrings/oneapi-archive-keyring.gpg] https://apt.repos.intel.com/oneapi all main" > /etc/apt/sources.list.d/oneAPI.list
 
 # Intel advisor and drivers
@@ -36,6 +37,7 @@ RUN apt-get update -y && \
 
 # Drivers mandatory for intel gpu
 # https://dgpu-docs.intel.com/driver/installation.html#ubuntu-install-steps
+SHELL /bin/bash -o pipefail
 RUN wget -qO - https://repositories.intel.com/graphics/intel-graphics.key | gpg --dearmor > /usr/share/keyrings/intel-graphics.gpg
 RUN echo "deb [arch=amd64 signed-by=/usr/share/keyrings/intel-graphics.gpg] https://repositories.intel.com/graphics/ubuntu jammy unified" >  /etc/apt/sources.list.d/intel-gpu-jammy.list
 

docker/Dockerfile.nvidia

@@ -15,10 +15,11 @@ ENV DEBIAN_FRONTEND=noninteractive
 
 # Install python
 RUN apt-get update && \
-    apt-get install -y -q gpg apt-utils curl wget libnuma-dev cmake git \
+    apt-get install -y -q gpg apt-utils curl libnuma-dev cmake git \
                           dh-autoreconf python3-venv python3-dev python3-pip
 
 # nodesource: nvdashboard requires nodejs>=10
+SHELL /bin/bash -o pipefail
 RUN curl https://developer.download.nvidia.com/hpc-sdk/ubuntu/DEB-GPG-KEY-NVIDIA-HPC-SDK | gpg --yes --dearmor -o /usr/share/keyrings/nvidia-hpcsdk-archive-keyring.gpg
 RUN arch="$(uname -m)" && \
     case "$arch" in \
@@ -27,9 +28,9 @@ RUN arch="$(uname -m)" && \
         *) echo "Unsupported architecture: $arch" >&2; exit 1 ;; \
     esac && \
     echo "deb [trusted=yes, signed-by=/usr/share/keyrings/nvidia-hpcsdk-archive-keyring.gpg] https://developer.download.nvidia.com/hpc-sdk/ubuntu/${nvplat} /" | tee /etc/apt/sources.list.d/nvhpc.list
-RUN apt-key update *&& apt-get update -y
+RUN apt-key update -- * && apt-get update -y
 
-# Install nvhpc. `nvhpc` is the alias for the latest avaialble version
+# Install nvhpc. `nvhpc` is the alias for the latest available version
 ARG ver=nvhpc
 # We use the standard apt-get for the default latest nvhpc. For earlier version, apt has a bug that it will always
 # install the latest nvhpc-x-y no matter which version nvhpc-x-z is requested which would double (extra 10Gb) the size of the image.
@@ -43,10 +44,12 @@ RUN arch="$(uname -m)" && \
     if [ "$ver" = "nvhpc" ]; then \
         apt-get install -y -q --allow-unauthenticated ${ver}; \
     else \
-        export year=$(echo $ver | cut -d "-" -f 2) && \
-        export minor=$(echo $ver | cut -d "-" -f 3) && \
-        wget -O nvhpc.deb "https://developer.download.nvidia.com/hpc-sdk/ubuntu/${nvplat}/nvhpc_${year}.${minor}_${nvplat}.deb" \
-        || wget -O nvhpc.deb "https://developer.download.nvidia.com/hpc-sdk/ubuntu/${nvplat}/nvhpc_${year}.${minor}-0_${nvplat}.deb" && \
+        year=$(echo $ver | cut -d "-" -f 2) && \
+        export year && \
+        minor=$(echo $ver | cut -d "-" -f 3) && \
+        export minor && \
+        curl -O nvhpc.deb -L "https://developer.download.nvidia.com/hpc-sdk/ubuntu/${nvplat}/nvhpc_${year}.${minor}_${nvplat}.deb" \
+        || curl -O nvhpc.deb -L "https://developer.download.nvidia.com/hpc-sdk/ubuntu/${nvplat}/nvhpc_${year}.${minor}-0_${nvplat}.deb" && \
         apt-get install --allow-unauthenticated -y -q ./nvhpc.deb; \
     fi;
 
@@ -89,6 +92,7 @@ ENV UCX_TLS=cuda,cuda_copy,cuda_ipc,sm,shm,self
 #ENV UCX_TLS=cuda,cuda_copy,cuda_ipc,sm,shm,self,rc_x,gdr_copy
 
 # Make simlink for path setup since ENV doesn't accept shell commands.
+SHELL /bin/bash -o pipefail
 RUN arch="$(uname -m)" && \
     case "$arch" in \
         x86_64) linux=Linux_x86_64 ;; \
@@ -157,7 +161,7 @@ CMD ["/bin/bash"]
 FROM sdk-base AS nvc
 
 # Make devito env vars file and extras
-ADD docker/nvdashboard.json /app/nvdashboard.json
+COPY docker/nvdashboard.json /app/nvdashboard.json
 
 # mpi4py
 ENV MPI4PY_FLAGS='source $HPCSDK_HOME/comm_libs/hpcx/latest/hpcx-init.sh && hpcx_load && CC=nvc CFLAGS="-noswitcherror -tp=px"'