CC provision with docker image workload (#3639)

CC provision with docker image workload for a generic way to accommodate
different applications in the future

### Description

CC provision with docker image workload for a generic way to accommodate
different applications in the future


### Types of changes
<!--- Put an `x` in all the boxes that apply, and remove the not
applicable items -->
- [x] Non-breaking change (fix or new feature that would not break
existing functionality).
- [ ] Breaking change (fix or new feature that would cause existing
functionality to change).
- [ ] New tests added to cover the changes.
- [ ] Quick tests passed locally by running `./runtest.sh`.
- [ ] In-line docstrings updated.
- [ ] Documentation updated.

---------

Co-authored-by: Chester Chen <[email protected]>

Author: YuanTingHsieh

examples/advanced/cc_provision/README.md

@@ -1,85 +1,112 @@
 # How to use CC provision
 
-In project.yml, under each site add "cc_config: [file]", for example:
+This guide explains how to use **CC (Confidential Computing) Provision** in NVFLARE, including setting up site configurations, enabling the CC builder, and using Docker images for CC workloads.
+
+
+## 0. Prepare application docker image workload
+
+In CC, we don't allow custom code, all the codes and required libs must be built-in in the docker image.
+In this example, we show you how to build NVFlare docker images in [docker/](docker/README.md)
+
+
+## 1. Define CC Configuration per Site (`cc_config`)
+
+Each site participating in a CC job must provide a **CC configuration file**. This file describes the trusted execution environment (e.g., AMD SEV-SNP on-prem CVM), drive allocations, and attestation policies.
+
+Here is an example (`cc_server.yml`):
+
+
+```yaml
+compute_env: onprem_cvm
+cc_cpu_mechanism: amd_sev_snp
+role: server
+
+# All drive sizes are in GB
+root_drive_size: 10
+applog_drive_size: 1
+user_data_drive_size: 1
+secure_drive_size: 10
+
+# Docker image archive saved using:
+# docker save <image_name> | gzip > app.tar.gz
+docker_archive: /tmp/base_images/app.tar.gz
+
+allowed_ports:
+- 8002
+
+cc_issuers:
+  - id: snp_authorizer
+    path: nvflare.app_opt.confidential_computing.snp_authorizer.SNPAuthorizer
+    token_expiration: 100 # seconds, needs to be less than check_frequency
+cc_attestation:
+  check_frequency: 120 # seconds
+  failure_action: stop_job
+```
+
+## 2. Reference `cc_config` in `project.yml`
+
+In your `project.yml`, reference the CC configuration file for each site using the `cc_config` key:
 
 ```yaml
 participants:
-  - name: site-1
-    type: client
+  - name: server1
+    type: server
     org: nvidia
-    cc_config: cc_site-1.yml
+    fed_learn_port: 8002
+    cc_config: cc_server1.yml
 ```
 
-Then in the end of builders add:
+## 3. Add the CCBuilder
 
-```
+At the end of the `builders` section in your `project.yml`, add the `CCBuilder`:
+
+```yaml
 builders:
   - path: nvflare.lighter.cc_provision.impl.cc.CCBuilder
 ```
 
-Then use the following command to generate startup kits:
-
-```bash
-nvflare provision -p project.yml
-```
+This builder sets up all CC-related configurations and assets.
 
-# NVFlare application code package
+## 4. Add the OnPremPackager
 
-For CC jobs, we don't allow custom codes, so we must pre-install those codes inside each CVM.
-We utilize our nvflare pre-install command to do that.
- 
-First, we need to prepare the application_code_zip folder structure:
+To generate startup kits for on-premises deployment, add the `OnPremPackager`:
 
-```bash
-application_code_folder
-├── application/                    # optional
-│   └── <job_name>/
-│               ├── meta.json       # job metadata
-│               ├── app_<site>/     # Site custom code
-│                  └── custom/      # Site custom code
-├── application-share/              # Shared resources
-|   └── simple_network.py           # Shared model definition 
-└── requirements.txt       # Python dependencies (optional)
+```yaml
+packager:
+  path: nvflare.lighter.cc_provision.impl.onprem_packager.OnPremPackager
+  args:
+    build_image_cmd: build_cvm_image.sh
 ```
 
-We have already prepared application-share folder and requirements.txt in this example.
-We run the following command to create a zip folder so we can use that to build the CVM:
+Note:
+    1. `build_image_cmd`: Path to the script used to build the CVM disk image.
+    2. For 2.7.0 Technical Preview release, please contact `[email protected]` to receive the `build_cvm_image.sh`
 
-```bash
-python -m zipfile -c application_code.zip application_code/*
-```
+## 5. Generate the Startup Kits
 
-# Content inside CC configuration
+Once you add all the required sections into your `project.yml`, run the provision command:
 
+```bash
+nvflare provision -p project.yml
 ```
-compute_env: onprem_cvm
-cc_cpu_mechanism: amd_sev_snp
-role: server
 
-# All drive sizes are in GB
-root_drive_size: 15
-secure_drive_size: 2
-data_source: /tmp/data
+## 6. Distribute and deploy
 
-# Can be any pip-installable version string (e.g., "2.6.0", "latest", Git URL, etc.)
-nvflare_version: "2.6.0"
+Each site's result will be located in 
 
-# NVFlare application code package to be pre-installed inside the CVM
-nvflare_package: application_code.zip
-allowed_ports:
-  - 8002
-trustee_host: trustee-azsnptpm.eastus.cloudapp.azure.com
-trustee_port: 8999
+```bash
+workspace/example_project/prod_xx/[site_name]/[site_name].tgz
+```
 
-cc_issuers:
-  - id: snp_authorizer
-    path: nvflare.app_opt.confidential_computing.snp_authorizer.SNPAuthorizer
-    token_expiration: 150 # in seconds, needs to be less than check_frequency
-  - id: gpu_authorizer
-    path: nvflare.app_opt.confidential_computing.gpu_authorizer.GPUAuthorizer
-    token_expiration: 150 # in seconds, needs to be less than check_frequency
+You can distribute these tgz file to each site.
 
-cc_attestation:
-  check_frequency: 300 # in seconds
+To deploy on each site, do:
 
+```bash
+tar -zxvf [site_name].tgz
+cd cvm_xxx
+./launch_vm.sh
 ```
+
+The confidential VM will start, and the NVFLARE server and clients will automatically connect and begin operation.
+You can now use the NVFlare admin console to communicate with the NVFlare system.

examples/advanced/cc_provision/cc_server1.yml

@@ -3,24 +3,26 @@ cc_cpu_mechanism: amd_sev_snp
 role: server
 
 # All drive sizes are in GB
-root_drive_size: 15
-secure_drive_size: 2
-data_source: /tmp/data
+root_drive_size: 30
+applog_drive_size: 1
+user_config_drive_size: 1
+user_data_drive_size: 1
+# Docker image archive saved using:
+# docker save <image_name> | gzip > app.tar.gz
+docker_archive: /tmp/base_images/app.tar.gz
+# will be mount inside docker "/user_config/nvflare"
+user_config:
+  nvflare: /tmp/startup_kits
 
-# Can be any pip-installable version string (e.g., "2.6.0", "latest", Git URL, etc.)
-nvflare_version: "2.6.0"
-
-# NVFlare application code package to be pre-installed inside the CVM
-nvflare_package: application_code.zip
 allowed_ports:
-  - 8002
-trustee_host: trustee-azsnptpm.eastus.cloudapp.azure.com
-trustee_port: 8999
+- 8002
 
 cc_issuers:
   - id: snp_authorizer
     path: nvflare.app_opt.confidential_computing.snp_authorizer.SNPAuthorizer
-    token_expiration: 150 # needs to be less than check_frequency
+    token_expiration: 100 # seconds, needs to be less than check_frequency
+    snpguest_binary: "/host/bin/snpguest"
 
 cc_attestation:
-  check_frequency: 300
+  check_frequency: 120 # seconds
+  failure_action: stop_job

examples/advanced/cc_provision/cc_site-1.yml

@@ -4,27 +4,31 @@ cc_gpu_mechanism: nvidia_cc
 role: client
 
 # All drive sizes are in GB
-root_drive_size: 15
-secure_drive_size: 2
-data_source: /tmp/data
+root_drive_size: 30
+applog_drive_size: 1
+user_config_drive_size: 1
+user_data_drive_size: 1
+# Docker image archive saved using:
+# docker save <image_name> | gzip > app.tar.gz
+docker_archive: /tmp/base_images/app.tar.gz
 
-# Can be any pip-installable version string (e.g., "2.6.0", "latest", Git URL, etc.)
-nvflare_version: "2.6.0"
+# for debugging purpose
+# hosts_entries:
+#   server1: 1.2.3.4
 
-# NVFlare application code package to be pre-installed inside the CVM
-nvflare_package: application_code.zip
-hosts_entries:
-  server1: 1.2.3.4
-trustee_host: trustee-azsnptpm.eastus.cloudapp.azure.com
-trustee_port: 8999
+# will be mount inside docker "/user_config/nvflare"
+user_config:
+  nvflare: /tmp/startup_kits
 
 cc_issuers:
   - id: snp_authorizer
     path: nvflare.app_opt.confidential_computing.snp_authorizer.SNPAuthorizer
-    token_expiration: 150 # needs to be less than check_frequency
+    token_expiration: 100 # seconds, needs to be less than check_frequency
+    snpguest_binary: "/host/bin/snpguest"
   - id: gpu_authorizer
     path: nvflare.app_opt.confidential_computing.gpu_authorizer.GPUAuthorizer
-    token_expiration: 150 # needs to be less than check_frequency
+    token_expiration: 100 # seconds, needs to be less than check_frequency
 
 cc_attestation:
-  check_frequency: 300
+  check_frequency: 120 # seconds
+  failure_action: stop_job

examples/advanced/cc_provision/docker/Dockerfile

@@ -0,0 +1,16 @@
+ARG BASE_IMAGE=python:3.12
+
+FROM ${BASE_IMAGE}
+
+ENV PYTHONDONTWRITEBYTECODE=1
+ENV PIP_NO_CACHE_DIR=1
+ENV PATH="/host/bin:${PATH}"
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get -y install zip
+RUN pip install -U pip
+RUN pip install git+https://github.com/NVIDIA/NVFlare.git@main
+COPY application_code.zip application_code.zip
+RUN nvflare pre-install install -a application_code.zip
+
+ENTRYPOINT ["/user_config/nvflare/startup/sub_start.sh", "--verify"]
+

examples/advanced/cc_provision/docker/README.md

@@ -0,0 +1,36 @@
+This is a simple example to show how to build NVFlare docker image.
+
+
+# NVFlare application code package
+We can pre-install custom codes inside each docker image.
+We utilize our nvflare pre-install command to do that.
+
+First, we need to prepare the `application_code.zip` folder structure:
+
+```bash
+application_code_folder
+├── application/                    # optional
+│   └── <job_name>/
+│               ├── meta.json       # job metadata
+│               ├── app_<site>/     # Site custom code
+│                  └── custom/      # Site custom code
+├── application-share/              # Shared resources
+|   └── simple_network.py           # Shared model definition 
+└── requirements.txt       # Python dependencies (optional)
+```
+
+We have already prepared application-share folder and requirements.txt in this example.
+We run the following command to create a zip folder so we can use that to build the CVM:
+
+```bash
+python -m zipfile -c application_code.zip application_code/*
+```
+
+# NVFlare docker file
+
+We have prepared a `Dockerfile`.
+Please run the following command to build the NVFlare docker image:
+
+```bash
+./docker_build.sh Dockerfile nvflare-site 
+```

examples/advanced/cc_provision/application_code/application-share/hello-pt_cifar10_fl.py renamed to examples/advanced/cc_provision/docker/application_code/application-share/hello-pt_cifar10_fl.py

@@ -0,0 +1,33 @@
+#!/bin/bash
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+DOCKERFILE=${1:-}
+IMAGE_TAG=${2:-}
+
+# Validate inputs
+if [[ -z "$DOCKERFILE" || -z "$IMAGE_TAG" ]]; then
+  echo "Error: Missing arguments."
+  echo "Usage: $0 <Dockerfile> <image_tag>"
+  echo "Example: $0 Dockerfile.site nvflare_site"
+  exit 1
+fi
+
+DOCKERFILE_PATH="$SCRIPT_DIR/$DOCKERFILE"
+
+if [[ ! -f "$DOCKERFILE_PATH" ]]; then
+  echo "Error: Dockerfile not found at $DOCKERFILE_PATH"
+  exit 1
+fi
+
+echo "Calling build_nvflare_docker.sh using Dockerfile $DOCKERFILE and $IMAGE_TAG"
+docker build -t "$IMAGE_TAG" -f "$SCRIPT_DIR/$DOCKERFILE" "$SCRIPT_DIR"
+docker save "$IMAGE_TAG" | gzip > "$SCRIPT_DIR/${IMAGE_TAG}.tar.gz"
+
+if [[ $? -eq 0 ]]; then
+  echo "Docker image successfully saved to: $SCRIPT_DIR/${IMAGE_TAG}.tar.gz"
+else
+  echo "Failed to save Docker image"
+  exit 1
+fi

examples/advanced/cc_provision/application_code/application-share/simple_network.py renamed to examples/advanced/cc_provision/docker/application_code/application-share/simple_network.py

@@ -58,6 +58,10 @@ builders:
   - path: nvflare.lighter.impl.cert.CertBuilder
   - path: nvflare.lighter.impl.signature.SignatureBuilder
   - path: nvflare.lighter.cc_provision.impl.cc.CCBuilder
+  - path: nvflare.lighter.impl.docker_image_builder.DockerImageBuilder
+    args:
+      base_dockerfile: Dockerfile.base
+      requirement: git+https://github.com/NVIDIA/NVFlare.git@main
 packager:
   path: nvflare.lighter.cc_provision.impl.onprem_packager.OnPremPackager
   args: