ROCm-docker

This fork is almost completely rewritten as:

• Use multi-stage Dockerfile.
  • Reuse pre-built (intermediate) images to reduce time and space.
• All images are built with docker compose.
  • Export rocm-terminal image only.
  • Remove (probably) obsolete services for building images from souce.

• Only a specific OS version is teated at a time.
  • OS / version / variant are specified by .env file.
• Currently available OSs / versions are:
  • Ubuntu 24.04 LTS
  • Debian 13 (Trixie)

• Do not use obsolete apt-key add.
• Can specify image flavor based on latest (7.1) ROCm programming models.
  Available flavors are:
  • base / openmp-sdk
  • hip-runtime / hip-runtime-dev
  • hip / hip-sdk
  • ml / ml-sdk
  • opencl / opencl-sdk
  • complete / complete-sdk
• Add X11 enabled terminal.

How to build

1. Check .env file and edit it if necessary.

• OS : ubuntu or debian
• OS_VERSION : 24.04 for Ubuntu or trixie for Debian
• ROCM_VERSION
• RT_FLAVOR : Image flavor for runtime terminal (term service)
• DEV_FLAVOR : Image flavor for development terminal (devterm service)
• X_FLAVOR : Image flavor for X11 enabled terminal (xterm service)
• UID : User ID of the user account
• USER_NAME : User name associated to UID
• RENDER_GID : Same group id as the Linux host (Required)
• GFX_VERSION : GPU version (See bellow)
• GFX_ARCH : GPU architecture (See bellow)

You can find the id of render group of Linux host:

$ getent group render

Your GPU architecture can be found with rocminfo command like:

$ rocminfo | grep gfx
  Name:                    gfx1031
      Name:                    amdgcn-amd-amdhsa--gfx1031

Please refer Supported GPUs and Compatibility matrix to find officially supprted GPU architectures. If your GPU architectore is not listed in these pages, you may specify GFX_ARCH and GFX_VERSION to pretend to be a supported GPU. On the above example case, ROCm may work with following setting:

GFX_VERSION=10.3.0
GFX_ARCH=gfx1031

Ref: Pytorch Performance on AMD Radeon and Instinct GPUs page 20

2. Build

$ docker compose build term     # or devterm / xterm

How to run

1. Check compose.yml file and edit it if necessary.

• environment
• volumes

2. Run

$ docker compose run --rm term  # or devterm / xterm

Supplementary information

Original docker-compose.yml file is renamed to docker-compose.orig.yml, but other assets still remain as is. Do not run original scripts.

Original README follows:

---

Radeon Open Compute Platform for docker

This repository contains a framework for building the software layers defined in the Radeon Open Compute Platform into portable docker images. The following are docker dependencies, which should be installed on the target machine.

• Docker on Ubuntu systems or Fedora systems
• Highly recommended: Docker-Compose to simplify container management

Docker Hub

Looking for an easy start with ROCm + Docker? The rocm/rocm-terminal image is hosted on Docker Hub. After the ROCm kernel is installed, pull the image from Docker Hub and create a new instance of a container.

sudo docker pull rocm/rocm-terminal
sudo docker run -it --device=/dev/kfd --device=/dev/dri --security-opt seccomp=unconfined --group-add video rocm/rocm-terminal

ROCm-docker set up guide

Installation instructions and asciicasts demos are available to help users quickly get running with rocm-docker. Visit the set up guide to read more.

F.A.Q

When working with the ROCm containers, the following are common and useful docker commands:

• A new docker container typically does not house apt repository meta-data. Before trying to install new software using apt, make sure to run sudo apt update first
• A message like the following typically means your user does not have permissions to execute docker; use sudo or add your user to the docker group.
• Cannot connect to the Docker daemon. Is the docker daemon running on this host?
• Open another terminal into a running container
• sudo docker exec -it <CONTAINER-NAME> bash -l
• Copy files from host machine into running docker container
  • sudo docker cp HOST_PATH <CONTAINER-NAME>:/PATH
• Copy files from running docker container onto host machine
  • sudo docker cp <CONTAINER-NAME>:/PATH/TO/FILE HOST_PATH
• If receiving messages about no space left on device when pulling images, check the storage driver in use by the docker engine. If its 'device mapper', that means the image size limits imposed by the 'device mapper' storage driver are a problem
  • Follow the documentation in the quick start guide for a solution to change to the storage driver

Saving work in a container

Docker containers are typically ephemeral, and are discarded after closing the container with the '--rm' flag to docker run. However, there are times when it is desirable to close a container that has arbitrary work in it, and serialize it back into a docker image. This may be to to create a checkpoint in a long and complicated series of instructions, or it may be desired to share the image with others through a docker registry, such as docker hub.

sudo docker ps -a  # Find container of interest
sudo docker commit <container-name> <new-image-name>
sudo docker images # Confirm existence of a new image

Details

Docker does not virtualize or package the linux kernel inside of an image or container. This is a design decision of docker to provide lightweight and fast containerization. The implication for this on the ROCm compute stack is that in order for the docker framework to function, the ROCm kernel and corresponding modules must be installed on the host machine. Containers share the host kernel, so the ROCm KFD component ROCK-Kernel-Driver¹ functions outside of docker.

Installing ROCK on the host machine.

An apt-get repository is available to automate the installation of the required kernel and kernel modules.

Building images

There are two ways to install rocm components:

1. install from the rocm apt/rpm repository (repo.radeon.com)
2. build the components from source and run install scripts

The first method produces docker images with the smallest footprint and best building speed. The footprint is smaller because no developer tools need to be installed in the image, an the images build speed is fastest because typically downloading binaries is much faster than downloading source and then invoking a build process. Of course, building components allows much greater flexibility on install location and the ability to step through the source with debug builds. ROCm-docker supports making images either way, and depends on the flags passed to the setup script.

The setup script included in this repository is provides some flexibility to how docker containers are constructed. Unfortunately, Dockerfiles do not have a preprocessor or template language, so typically build instructions are hardcoded. However, the setup script allows us to write a primitive 'template', and after running it instantiates baked dockerfiles with environment variables substituted in. For instance, if you wish to build release images and debug images, first run the setup script to generate release dockerfiles and build the images. Then, run the setup script again and specify debug dockerfiles and build new images. The docker images should generate unique image names and not conflict with each other.

setup.sh

Currently, the setup.sh scripts checks to make sure that it is running on an Ubuntu system, as it makes a few assumptions about the availability of tools and file locations. If running rocm on a Fedora machine, inspect the source of setup.sh and issue the appropriate commands manually. There are a few parameters to setup.sh of a generic nature that affects all images built after running. If no parameters are given, built images will be based off of Ubuntu 16.04 with rocm components installed from debians downloaded from repo.radeon.com. Supported parameters can be queried with ./setup --help.

setup.sh parameters	parameter [default]	description
--ubuntu	xx.yy [16.04]	Ubuntu version for to inherit base image
--install-docker-compose		helper to install the docker-compose tool

The following parameters are specific to building containers that compile rocm components from source.

setup.sh parameters	parameter [default]	description
--tag	string ['master']	string representing a git branch name
--branch	string ['master']	alias for tag
--debug		build code with debug flags

./setup generates finalized Dockerfiles from textual template files ending with the .template suffix. Each sub-directory of this repository corresponds to a docker 'build context' responsible for a software layer in the ROCm stack. After running the script, each directory contains generated dockerfiles for building images from debians and from source.

Docker compose

./setup prepares an environment to be controlled with Docker Compose. While docker-compose is not necessary for proper operation, it is highly recommended. setup.sh does provide a flag to simplify the installation of this tool. Docker-compose coordinates the relationships between the various ROCm software layers, and it remembers flags that should be passed to docker to expose devices and import volumes.

Example of using docker-compose

docker-compose.yml provides services that build and run containers. YAML is structured data, so it's easy to modify and extend. The setup.sh script generates a .env file that docker-compose reads to satisfy the definitions of the variables in the .yml file.

• docker-compose run --rm rocm -- Run container using rocm packages
• docker-compose run --rm rocm-from-src -- Run container with rocm built from source

Docker-compose	description
docker-compose	docker compose executable
run	sub-command to bring up interactive container
--rm	when shutting the container down, delete it
rocm	application service defined in docker-compose.yml

rocm-user has root privileges by default

The dockerfile that serves as a 'terminal' creates a non-root user called rocm-user. This container is meant to serve as a development environment (therefore apt-get is likely needed), the user has been added to the linux sudo group. Since it is somewhat difficult to set and change passwords in a container (often requiring a rebuild), the password prompt has been disabled for the sudo group. While this is convenient for development to be able sudo apt-get install packages, it does imply lower security in the container.

To increase container security:

1. Eliminate the sudo-nopasswd COPY statement in the dockerfile and replace with
2. Your own password with RUN echo 'account:password' | chpasswd

The docker.ce release 18.02 has known defects working with rocm-user account insider docker image. Please upgrade docker package to the 18.04 build.

Footnotes:

[1] It can be installed into a container, it just doesn't do anything because containers do not go through the traditional boot process. We actually do provide a container for ROCK-Kernel-Driver, but it not used by the rest of the docker images. It does provide isolation and a reproducible environment for kernel development.