Skip to content

Commit

Permalink
[AutoGluon] Add AutoGluon v1.1.0 (#3867)
Browse files Browse the repository at this point in the history 
* Draft AutoGluon DLC 1.1.0

* update tests

* capping mmcv

* vulnerability scans

* Revert "vulnerability scans"

This reverts commit 3f2a9de.

* ray upgrade

* fix vulnerabilities

* update

* update training

* updating inference

* update packages

* add setuptools

* test

* fix tqdm vulnerability

* cleanup

* cleanup

* revert toml

* fix toml

* test version

* revert

* revert toml

* revert toml

* update available images

* scan for vulnerabilities

* fix ray vulnerabilities

* fix vulnerability for gpu images

* revert toml

---------

Co-authored-by: Ubuntu <[email protected]>
  • Loading branch information
@prateekdesai04
prateekdesai04 and Ubuntu authored May 9, 2024
1 parent bc13cd9 commit db83f12
Show file tree
Hide file tree
Showing 18 changed files with 1,266 additions and 14 deletions.
53 changes: 53 additions & 0 deletions autogluon/inference/buildspec-1-0-0.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
account_id: &ACCOUNT_ID <set-$ACCOUNT_ID-in-environment>
region: &REGION <set-$REGION-in-environment>
framework: &FRAMEWORK autogluon
version: &VERSION 1.0.0
short_version: &SHORT_VERSION 1.0
arch_type: x86

repository_info:
inference_repository: &INFERENCE_REPOSITORY
image_type: &INFERENCE_IMAGE_TYPE inference
root: !join [ *FRAMEWORK, "/", *INFERENCE_IMAGE_TYPE ]
repository_name: &REPOSITORY_NAME !join [pr, "-", *FRAMEWORK, "-", *INFERENCE_IMAGE_TYPE]
repository: &REPOSITORY !join [ *ACCOUNT_ID, .dkr.ecr., *REGION, .amazonaws.com/, *REPOSITORY_NAME ]

context:
inference_context: &INFERENCE_CONTEXT
torchserve-entrypoint:
source: ../build_artifacts/inference/torchserve-entrypoint.py
target: torchserve-entrypoint.py
config:
source: ../build_artifacts/inference/config.properties
target: config.properties
deep_learning_container:
source: ../../src/deep_learning_container.py
target: deep_learning_container.py

images:
BuildAutogluonCPUInferencePy3DockerImage:
<<: *INFERENCE_REPOSITORY
build: &AUTOGLUON_CPU_INFERENCE_PY3 false
image_size_baseline: 6399
device_type: &DEVICE_TYPE cpu
python_version: &DOCKER_PYTHON_VERSION py3
tag_python_version: &TAG_PYTHON_VERSION py310
os_version: &OS_VERSION ubuntu20.04
tag: !join [ *VERSION, "-", *DEVICE_TYPE, "-", *TAG_PYTHON_VERSION, "-", *OS_VERSION ]
docker_file: !join [ docker/, *SHORT_VERSION, /, *DOCKER_PYTHON_VERSION, /Dockerfile., *DEVICE_TYPE ]
context:
<<: *INFERENCE_CONTEXT

BuildAutogluonGPUInferencePy3DockerImage:
<<: *INFERENCE_REPOSITORY
build: &AUTOGLUON_GPU_INFERENCE_PY3 false
image_size_baseline: 16613
device_type: &DEVICE_TYPE gpu
python_version: &DOCKER_PYTHON_VERSION py3
tag_python_version: &TAG_PYTHON_VERSION py310
cuda_version: &CUDA_VERSION cu118
os_version: &OS_VERSION ubuntu20.04
tag: !join [ *VERSION, "-", *DEVICE_TYPE, "-", *TAG_PYTHON_VERSION, "-", *CUDA_VERSION, "-", *OS_VERSION ]
docker_file: !join [ docker/, *SHORT_VERSION, /, *DOCKER_PYTHON_VERSION, /, *CUDA_VERSION, /Dockerfile., *DEVICE_TYPE ]
context:
<<: *INFERENCE_CONTEXT
6 changes: 3 additions & 3 deletions autogluon/inference/buildspec.yml
View file
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
account_id: &ACCOUNT_ID <set-$ACCOUNT_ID-in-environment>
region: &REGION <set-$REGION-in-environment>
framework: &FRAMEWORK autogluon
version: &VERSION 1.0.0
short_version: &SHORT_VERSION 1.0
version: &VERSION 1.1.0
short_version: &SHORT_VERSION 1.1
arch_type: x86

repository_info:
Expand Down Expand Up @@ -41,7 +41,7 @@ images:
BuildAutogluonGPUInferencePy3DockerImage:
<<: *INFERENCE_REPOSITORY
build: &AUTOGLUON_GPU_INFERENCE_PY3 false
image_size_baseline: 16613
image_size_baseline: 19456
device_type: &DEVICE_TYPE gpu
python_version: &DOCKER_PYTHON_VERSION py3
tag_python_version: &TAG_PYTHON_VERSION py310
Expand Down
75 changes: 75 additions & 0 deletions autogluon/inference/docker/1.1/py3/Dockerfile.cpu
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
ARG PYTHON_VERSION=3.10.8

FROM 763104351884.dkr.ecr.us-west-2.amazonaws.com/pytorch-inference:2.1.0-cpu-py310-ubuntu20.04-sagemaker

# Specify accept-bind-to-port LABEL for inference pipelines to use SAGEMAKER_BIND_TO_PORT
# https://docs.aws.amazon.com/sagemaker/latest/dg/inference-pipeline-real-time.html
LABEL com.amazonaws.sagemaker.capabilities.accept-bind-to-port=true
# Specify multi-models LABEL to indicate container is capable of loading and serving multiple models concurrently
# https://docs.aws.amazon.com/sagemaker/latest/dg/build-multi-model-build-container.html
LABEL com.amazonaws.sagemaker.capabilities.multi-models=true

LABEL maintainer="Amazon AI"
LABEL dlc_major_version="1"

RUN apt-get update \
&& apt-get -y upgrade \
&& apt-get autoremove -y \
&& apt-get install tesseract-ocr -y \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*

ARG AUTOGLUON_VERSION=1.1.0

# Upgrading pip and installing/updating Python dependencies
# Comments are added to explain the reason behind each update
RUN pip install --no-cache-dir -U --trusted-host pypi.org --trusted-host files.pythonhosted.org pip \
&& pip install --no-cache-dir -U wheel \
&& pip uninstall -y dataclasses \
&& pip install --no-cache-dir -U numpy numba \
# Install AutoGluon, ensuring no vulnerable dependencies are left behind
&& pip install --no-cache-dir -U autogluon==${AUTOGLUON_VERSION} \
# Update requests to a secure version that fixes CVE-2023-32681
&& pip install --no-cache-dir -U requests>=2.31.0 \
&& mim install -q mmcv==2.1.0 --timeout 600 \
&& pip install --no-cache-dir -U mmdet>=3.0.0 \
&& pip install --no-cache-dir -U "mmengine" \
# Update ray to a secure version that fixes CVE-2023-48022
&& pip install --no-cache-dir -U ray>=2.10.0 \
# Update transformers to secure versions that fixes CVE-2023-7018
&& pip install --no-cache-dir -U setuptools>=65.5.1 \
# Update pillow to a secure version that fixes CVE-2023-50447
&& pip install --no-cache-dir -U pillow>=10.2.0 \
# Update Jinja2 to a secure version that fixes vulnerability id 64227
&& pip install --no-cache-dir -U Jinja2>=3.1.3 \
# Update aiohttp to a secure version that fixes vulnerability id 64642
&& pip install --no-cache-dir -U aiohttp>=3.9.2 \
# below adjustments are done to be consistent with the training container
&& pip install --no-cache-dir -U scikit-learn==1.4.0 \
&& pip install --no-cache-dir -U scipy==1.12.0 \
&& pip install --no-cache-dir -U joblib==1.4.2 \
# update tqdm to a secure version that fixes CVE-2024-34062
&& pip install --no-cache-dir -U tqdm>=4.66.3



# add TS entrypoint
COPY config.properties /home/model-server

COPY torchserve-entrypoint.py /usr/local/bin/dockerd-entrypoint.py
RUN chmod +x /usr/local/bin/dockerd-entrypoint.py

RUN HOME_DIR=/root \
&& curl -o ${HOME_DIR}/oss_compliance.zip https://aws-dlinfra-utilities.s3.amazonaws.com/oss_compliance.zip \
&& unzip -o ${HOME_DIR}/oss_compliance.zip -d ${HOME_DIR}/ \
&& cp ${HOME_DIR}/oss_compliance/test/testOSSCompliance /usr/local/bin/testOSSCompliance \
&& chmod +x /usr/local/bin/testOSSCompliance \
&& chmod +x ${HOME_DIR}/oss_compliance/generate_oss_compliance.sh \
&& ${HOME_DIR}/oss_compliance/generate_oss_compliance.sh ${HOME_DIR} python \
&& rm -rf ${HOME_DIR}/oss_compliance*

RUN curl -o /licenses-autogluon.txt https://autogluon.s3.us-west-2.amazonaws.com/licenses/THIRD-PARTY-LICENSES.txt

EXPOSE 8080 8081
ENTRYPOINT ["python", "/usr/local/bin/dockerd-entrypoint.py"]
CMD ["torchserve", "--start", "--ts-config", "/home/model-server/config.properties", "--model-store", "/home/model-server/"]
209 changes: 209 additions & 0 deletions autogluon/inference/docker/1.1/py3/Dockerfile.cpu.os_scan_allowlist.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,209 @@
{
"linux": [
{
"description": " An out-of-bounds read vulnerability was found in smbCalcSize in fs/smb/client/netmisc.c in the Linux Kernel. This issue could allow a local attacker to crash the system or leak internal kernel information.",
"vulnerability_id": "CVE-2023-6606",
"name": "CVE-2023-6606",
"package_name": "linux",
"package_details": {
"file_path": null,
"name": "linux",
"package_manager": "OS",
"version": "5.4.0",
"release": "169.187"
},
"remediation": {
"recommendation": {
"text": "None Provided"
}
},
"cvss_v3_score": 7.1,
"cvss_v30_score": 0.0,
"cvss_v31_score": 7.1,
"cvss_v2_score": 0.0,
"cvss_v3_severity": "HIGH",
"source_url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-6606.html",
"source": "UBUNTU_CVE",
"severity": "HIGH",
"status": "ACTIVE",
"title": "CVE-2023-6606 - linux",
"reason_to_ignore": "vulnerability from Linux kernel 5.4.0 in base image"
},
{
"description": "\n It was discovered that the CIFS network file system implementation in\n the Linux kernel did not properly validate the server frame size in\n certain situation, leading to an out-of-bounds read vulnerability. An\n attacker could use this to construct a malicious CIFS image that, when\n operated on, could cause a denial of service (system crash) or possibly\n expose sensitive information.",
"vulnerability_id": "CVE-2023-6606",
"name": "CVE-2023-6606",
"package_name": "linux",
"package_details": {
"file_path": null,
"name": "linux",
"package_manager": "OS",
"version": "5.4.0",
"release": "170.188"
},
"remediation": {
"recommendation": {
"text": "None Provided"
}
},
"cvss_v3_score": 7.1,
"cvss_v30_score": 0.0,
"cvss_v31_score": 7.1,
"cvss_v2_score": 0.0,
"cvss_v3_severity": "HIGH",
"source_url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-6606.html",
"source": "UBUNTU_CVE",
"severity": "HIGH",
"status": "ACTIVE",
"title": "CVE-2023-6606 - linux",
"reason_to_ignore": "vulnerability from Linux kernel 5.4.0 in base image"
},
{
"description": "\n It was discovered that a race condition existed in the Rose X.25\n protocol implementation in the Linux kernel, leading to a use-after-\n free vulnerability. A local attacker could use this to cause a denial\n of service (system crash) or possibly execute arbitrary code.",
"vulnerability_id": "CVE-2023-51782",
"name": "CVE-2023-51782",
"package_name": "linux",
"package_details": {
"file_path": null,
"name": "linux",
"package_manager": "OS",
"version": "5.4.0",
"release": "171.189"
},
"remediation": {
"recommendation": {
"text": "None Provided"
}
},
"cvss_v3_score": 7.0,
"cvss_v30_score": 0.0,
"cvss_v31_score": 7.0,
"cvss_v2_score": 0.0,
"cvss_v3_severity": "HIGH",
"source_url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-51782.html",
"source": "UBUNTU_CVE",
"severity": "HIGH",
"status": "ACTIVE",
"title": "CVE-2023-51782 - linux",
"reason_to_ignore": "fix not available yet"
},
{
"description": "\n It was discovered that a race condition existed in the ATM\n (Asynchronous Transfer Mode) subsystem of the Linux kernel, leading\n to a use-after-free vulnerability. A local attacker could use this\n to cause a denial of service (system crash) or possibly execute\n arbitrary code.",
"vulnerability_id": "CVE-2023-51780",
"name": "CVE-2023-51780",
"package_name": "linux",
"package_details": {
"file_path": null,
"name": "linux",
"package_manager": "OS",
"version": "5.4.0",
"release": "171.189"
},
"remediation": {
"recommendation": {
"text": "None Provided"
}
},
"cvss_v3_score": 7.0,
"cvss_v30_score": 0.0,
"cvss_v31_score": 7.0,
"cvss_v2_score": 0.0,
"cvss_v3_severity": "HIGH",
"source_url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-51780.html",
"source": "UBUNTU_CVE",
"severity": "HIGH",
"status": "ACTIVE",
"title": "CVE-2023-51780 - linux",
"reason_to_ignore": "fix not available yet"
},
{
"description": "\n It was discovered that a race condition existed in the AppleTalk\n networking subsystem of the Linux kernel, leading to a use-after-free\n vulnerability. A local attacker could use this to cause a denial of\n service (system crash) or possibly execute arbitrary code.",
"vulnerability_id": "CVE-2023-51781",
"name": "CVE-2023-51781",
"package_name": "linux",
"package_details": {
"file_path": null,
"name": "linux",
"package_manager": "OS",
"version": "5.4.0",
"release": "171.189"
},
"remediation": {
"recommendation": {
"text": "None Provided"
}
},
"cvss_v3_score": 7.0,
"cvss_v30_score": 0.0,
"cvss_v31_score": 7.0,
"cvss_v2_score": 0.0,
"cvss_v3_severity": "HIGH",
"source_url": "https://people.canonical.com/~ubuntu-security/cve/2023/CVE-2023-51781.html",
"source": "UBUNTU_CVE",
"severity": "HIGH",
"status": "ACTIVE",
"title": "CVE-2023-51781 - linux",
"reason_to_ignore": "fix not available yet"
}
],
"ray": [
{
"description": "Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment",
"vulnerability_id": "CVE-2023-48022",
"name": "CVE-2023-48022",
"package_name": "ray",
"package_details": {
"file_path": "opt/conda/lib/python3.10/site-packages/ray-2.20.0.dist-info/METADATA",
"name": "ray",
"package_manager": "PYTHONPKG",
"version": "2.20.0",
"release": null
},
"remediation": {
"recommendation": {
"text": "None Provided"
}
},
"cvss_v3_score": 9.8,
"cvss_v30_score": 0,
"cvss_v31_score": 9.8,
"cvss_v2_score": 0,
"cvss_v3_severity": "CRITICAL",
"source_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48022",
"source": "NVD",
"severity": "CRITICAL",
"status": "ACTIVE",
"title": "CVE-2023-48022 - ray",
"reason_to_ignore": "fix not available yet"
},
{
"description": "Anyscale Ray 2.6.3 and 2.8.0 allows a remote attacker to execute arbitrary code via the job submission API. NOTE: the vendor's position is that this report is irrelevant because Ray, as stated in its documentation, is not intended for use outside of a strictly controlled network environment",
"vulnerability_id": "CVE-2023-48022",
"name": "CVE-2023-48022",
"package_name": "ray",
"package_details": {
"file_path": "opt/conda/lib/python3.10/site-packages/ray-2.21.0.dist-info/METADATA",
"name": "ray",
"package_manager": "PYTHONPKG",
"version": "2.21.0",
"release": null
},
"remediation": {
"recommendation": {
"text": "None Provided"
}
},
"cvss_v3_score": 9.8,
"cvss_v30_score": 0,
"cvss_v31_score": 9.8,
"cvss_v2_score": 0,
"cvss_v3_severity": "CRITICAL",
"source_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-48022",
"source": "NVD",
"severity": "CRITICAL",
"status": "ACTIVE",
"title": "CVE-2023-48022 - ray",
"reason_to_ignore": "fix not available yet"
}
]
}
7 changes: 7 additions & 0 deletions autogluon/inference/docker/1.1/py3/Dockerfile.cpu.py_scan_allowlist.json
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
{
"50916": "Pydantic 1.10.2 prevents long strings as int inputs to fix CVE-2020-10735 - upstream dependencies are still not patched",
"51358": "Safety 2.2.0 updates its dependency 'dparse' to include a security fix. - not packaged with container, result of security scanning process",
"65213": "PyOpenSSL doesn't have this fix yet - the issue only applicable to PowerPC architecture and not applicable to this container",
"67599": "pip - No fix for this yet",
"65345": "torchserve - we do not use torchserve, this vulnerability leaks from an upstream base image"
}
Loading

0 comments on commit db83f12

Please sign in to comment.