pyhf · matthewfeickert · Jun 17, 2022 · Jun 17, 2022 · Jun 22, 2022 · Jun 22, 2022
diff --git a/Makefile b/Makefile
@@ -0,0 +1,37 @@
+default: image
+
+all: image
+
+image:
+	docker pull aperloff/cms-cvmfs-docker:latest
+	docker buildx prune -f
+	docker buildx create \
+		--driver-opt \
+		image=moby/buildkit:master \
+		--use \
+		--name insecure-builder \
+		--buildkitd-flags '--allow-insecure-entitlement security.insecure'
+	docker buildx use insecure-builder
+	docker buildx build \
+		--load \
+		--allow security.insecure \
+		--file docker/Dockerfile \
+		--build-arg ARG_CVMFS_MOUNTS="cms.cern.ch oasis.opensciencegrid.org" \
+		--build-arg ARG_MY_UID=$(shell id -u) \
+		--build-arg ARG_MY_GID=$(shell id -g) \
+		--tag pyhf/pyhf-combine-converter:debug-local \
+		.
+	docker buildx rm insecure-builder
+
+run:
+	docker run \
+		--rm \
+		-it \
+		-P \
+		--device /dev/fuse \
+		--cap-add SYS_ADMIN \
+		--security-opt apparmor:unconfined \
+		-e CVMFS_MOUNTS="cms.cern.ch oasis.opensciencegrid.org" \
+		-e MY_UID=$(shell id -u) \
+		-e MY_GID=$(shell id -g) \
+		pyhf/pyhf-combine-converter:debug-local
diff --git a/README.md b/README.md
@@ -1,2 +1,44 @@
 # pyhf-combine-converter
-Image containing both pyhf and CMS Combine
+
+A base Docker image that contains a Python 3 environment with CMS Combine and pyhf installed is available on [Docker Hub][Docker Hub]
+
+```console
+$ docker pull pyhf/pyhf-combine-converter:cmssw-11.2.0-python3
+```
+
+## Running the image
+
+As noted in the [using the cms-cvmfs-docker image tutorial][cvmfs-image-tutorial], the images can be run locally using the following run commands (all options shown are required).
+
+### Linux
+
+On Linux systems the [`--security-opt` option][security-opt-option] is needed
+
+```console
+$ docker run \
+    --rm \
+    -ti \
+    -P \
+    --device /dev/fuse \
+    --cap-add SYS_ADMIN \
+    --security-opt apparmor:unconfined \
+    -e CVMFS_MOUNTS="cms.cern.ch oasis.opensciencegrid.org" \
+    pyhf/pyhf-combine-converter:cmssw-11.2.0-python3
+```
+
+### macOS
+
+```console
+$ docker run \
+    --rm \
+    -ti \
+    -P \
+    --device /dev/fuse \
+    --cap-add SYS_ADMIN \
+    -e CVMFS_MOUNTS="cms.cern.ch oasis.opensciencegrid.org" \
+    pyhf/pyhf-combine-converter:cmssw-11.2.0-python3
+```
+
+[Docker Hub]: https://hub.docker.com/r/pyhf/pyhf-combine-converter/tags
+[security-opt-option]: https://docs.docker.com/engine/reference/commandline/run/#optional-security-options---security-opt
+[cvmfs-image-tutorial]: https://awesome-workshop.github.io/docker-singularity-hats/07-cms-cvmfs-docker/index.html
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -0,0 +1,70 @@
+# syntax=docker/dockerfile:1.3-labs
+
+ARG BASE_IMAGE=aperloff/cms-cvmfs-docker:latest
+FROM ${BASE_IMAGE} as base
+
+USER root
+
+ARG ARG_CVMFS_MOUNTS="cms.cern.ch oasis.opensciencegrid.org"
+ARG ARG_MY_UID
+ARG ARG_MY_GID
+ARG CMSSW_VERSION="CMSSW_11_2_0"
+ARG COMBINED_LIMIT_TAG="py3"
+ARG COMBINE_HARVESTER_TAG="113x"
+
+ENV CVMFS_MOUNTS=${ARG_CVMFS_MOUNTS}
+ENV MY_UID=${ARG_MY_UID}
+ENV MY_GID=${ARG_MY_GID}
+
+# N.B.: Using `python -m pip install --ignore-installed --upgrade` is a major anti-pattern
+# and is _only_ being used here to intentionally avoid the old packages installed through
+# /cvmfs. Using `--ignore-installed --upgrade` is almost never what you want to do, so do
+# not copy this pattern in general!
+RUN --security=insecure . /mount_cvmfs.sh && \
+    mount_cvmfs && \
+    . /home/cmsusr/.bashrc && \
+    . /cvmfs/cms.cern.ch/cmsset_default.sh && \
+    cmsrel "${CMSSW_VERSION}" && \
+    cd "${CMSSW_VERSION}"/src && \
+    cmsenv && \
+    export PATH="/cvmfs/cms.cern.ch/slc7_amd64_gcc900/external/cmake/3.18.2/bin:${PATH}" && \
+    git clone https://gitlab.cern.ch/will/TRooFit.git && \
+    cmake \
+        -DCMAKE_INSTALL_PREFIX=/home/cmsusr/"${CMSSW_VERSION}" \
+        -S TRooFit \
+        -B build && \
+    cmake build -LH && \
+    cmake \
+        --build build \
+        --clean-first \
+        --parallel $(($(nproc) - 1)) && \
+    cmake --build build --target install && \
+    rm -rf build && \
+    git clone \
+        --depth 1 \
+        https://github.com/cms-analysis/HiggsAnalysis-CombinedLimit.git \
+        --branch "${COMBINED_LIMIT_TAG}" \
+        --single-branch \
+        HiggsAnalysis/CombinedLimit && \
+    git clone \
+        --depth 1 \
+        https://github.com/nsmith-/CombineHarvester.git \
+        --branch "${COMBINE_HARVESTER_TAG}" \
+        --single-branch \
+        CombineHarvester && \
+    scram b --jobs $(($(nproc) - 1)) && \
+    cmsenv && \
+    python3 -m pip --no-cache-dir --verbose install --upgrade --user pip setuptools wheel && \
+    python3 -m pip --no-cache-dir --verbose install --ignore-installed --upgrade --user 'pyhf[xmlio,minuit,contrib]' && \
+    echo 'export PATH=/home/cmsusr/.local/bin:${PATH}' >> /home/cmsusr/.bashrc && \
+    echo '# Hack for TRooFit to load' >> /home/cmsusr/.bashrc && \
+    echo 'LD_LIBRARY_PATH=/home/cmsusr/'"${CMSSW_VERSION}"'/lib:${LD_LIBRARY_PATH}' >> /home/cmsusr/.bashrc && \
+    echo 'printf "\n# Sourcing cmsenv ..."' >> /home/cmsusr/.bashrc && \
+    echo 'cmsenv' >> /home/cmsusr/.bashrc && \
+    echo 'printf " DONE\n"' >> /home/cmsusr/.bashrc
+
+WORKDIR /home/cmsusr/"${CMSSW_VERSION}"/workarea
+
+USER cmsusr
+
+ENTRYPOINT ["/run.sh"]