Добавлен образ под Python

2026-03-23 22:51:28 +03:00 · 2026-03-23 22:51:28 +03:00 · ffa6892c79
commit ffa6892c79
parent b1eabf0a89
4 changed files with 92 additions and 45 deletions
--- a/Dockerfile.jdk
+++ b/Dockerfile.jdk
@ -1,4 +1,7 @@
-FROM repo.nstart.local/nstart/gradle:jdk17-noble
+ARG BASE_REPO="repo.nstart.local/nstart/"
+ARG BASE_TAG="jdk17-noble"
+
+FROM ${BASE_REPO}gradle:${BASE_TAG}

 COPY ispras/ispras-archive-keyring.gpg /usr/share/keyrings/ispras-archive-keyring.gpg
 COPY ispras/ispras.list /etc/apt/sources.list.d/ispras.list
--- a/Dockerfile.python
+++ b/Dockerfile.python
@ -0,0 +1,23 @@
+ARG BASE_REPO="repo.nstart.local/nstart/"
+ARG BASE_TAG="3.14-slim-trixie"
+
+FROM ${BASE_REPO}python:${BASE_TAG}
+
+COPY ispras/ispras-archive-keyring.gpg /usr/share/keyrings/ispras-archive-keyring.gpg
+COPY ispras/ispras.list /etc/apt/sources.list.d/ispras.list
+COPY ./hasplm-recepient.ini /etc/hasplm/hasplm.ini
+
+RUN <<EOF
+    set -eux
+
+    mkdir -p /etc/init.d
+
+    apt-get update
+    apt-get install -y --install-recommends svace svacer procps
+
+    apt-get clean
+    rm -rf /var/lib/apt/lists/*
+EOF
+
+COPY --chmod=0755 ./svace /usr/local/bin/svace
+COPY --chmod=0755 ./python/enable-python-warnings.sh /usr/local/bin/enable-python-warnings.sh
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@ -2,20 +2,19 @@ variable "registry" {
  default = "repo.nstart.local"
 }

-variable "VERSION" {
-  default = "1.0.11"
-}
-
-variable "EXPORT_TYPE" {
-  default = "oci"
+variable "base_repo" {
+  default = "repo.nstart.local/nstart/"
 }

 function "oci_labels" {
-  params = [name]
+  params = [name, version]
  result = {
-    "org.opencontainers.image.version" = VERSION,
-    "org.opencontainers.image.vendor"  = "New Start",
-    "org.opencontainers.image.authors" = "Sychev Nikita <sychev.na@nstart.space>",
+    "org.opencontainers.image.version"     = version,
+    "org.opencontainers.image.vendor"      = "New Start",
+    "org.opencontainers.image.authors"     = "Sychev Nikita <Sychev.NA@nstart.space>",
+    "org.opencontainers.image.base.name"   = "${base_repo}${name}:${version}",
+    "org.opencontainers.image.title"       = "Base image for ${name} with custom CA and local repos",
+    "org.opencontainers.image.description" = "Slim base image for ${name} with internal CA and local package mirrors",
  }
 }

@ -24,52 +23,41 @@ function "image_ref" {
  result = registry != "" ? "${registry}/nstart/${name}" : "nstart/${name}"
 }

-target "common" {
+target "image" {
+  name = join("-", compact([
+    replace(combo.version, ".", "-")
+  ]))
+
+  matrix = {
+    combo = [
+      { version = "jdk17-noble", dockerfile="Dockerfile.jdk" },
+      { version = "3.14-slim-trixie", dockerfile="Dockerfile.python" }
+    ]
+  }
+
  platforms = ["linux/amd64"]
-
  output = ["type=image"]
-
  attest = [
    "type=sbom,generator=${registry}/docker/buildkit-syft-scanner:stable-1",
    "type=provenance,mode=max"
  ]
-}

-target "svace" {
-  matrix = { combo = [ { name = "svace" } ] }
+  context    = "."
+  dockerfile = combo.dockerfile

-  inherits = ["common"]
-  context  = "."
-  dockerfile = "Dockerfile"
-
-  tags = [
-    "${image_ref(combo.name)}:${VERSION}",
-    "${image_ref(combo.name)}:latest"
-  ]
-
-  labels = merge(
-    oci_labels(combo.name),
-    {
-      "org.opencontainers.image.base.name" = "${registry}/library/nginx:1.29.1-alpine"
-    }
-  )
-}
-
-target "save" {
-  matrix = {
-    combo = [
-      { name = "svace_save", svc = "svace" }
-    ]
+  args = {
+    BASE_REPO = base_repo
+    BASE_TAG  = combo.version
  }

-  name     = combo.name
-  inherits = [combo.svc]
-
-  output = [
-    "type=${EXPORT_TYPE},dest=./dist/nstart-${combo.svc}-${VERSION}.tar"
+  tags = [
+    "${image_ref("svace")}:${combo.version}",
+    "${image_ref("svace")}:latest",
  ]
+
+  labels = oci_labels("svace", combo.version)
 }

 group "all" {
-  targets = ["svace"]
+  targets = ["image"]
 }
--- a/python/enable-python-warnings.sh
+++ b/python/enable-python-warnings.sh
@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+for rule in \
+  PYTHON.DEREF_OF_NULL.RET \
+  PYTHON.TAINTED_PTR.SQL_INJECTION \
+  PYTHON.TAINTED_PTR.LDAP_INJECTION \
+  PYTHON.TAINTED_PTR.PATH_TRAVERSAL \
+  PYTHON.HARDCODED_PASSWORD \
+  PYTHON.UNUSED_FUNC_RES \
+  PYTHON.UNUSED_FUNC_RES.MINOR \
+  PYTHON.UNREACHABLE_CODE.RET \
+  PYTHON.UNREACHABLE_CODE.GLOBAL \
+  PYTHON.REDUNDANT_COMPARISON \
+  PYTHON.REDUNDANT_COMPARISON.RET \
+  PYTHON.UNUSED_VALUE.STRICT \
+  PYTHON.UNUSED_VALUE.UNINIT \
+  PYTHON.UNUSED_PARAM \
+  PYTHON.UNUSED_VALUE.PARAM_ASSIGN \
+  PYTHON.UNUSED_VALUE.PARAM_ASSIGN.NULL \
+  PYTHON.CATCH.NO_BODY.MINOR \
+  PYTHON.INCONSISTENT_RETURN \
+  PYTHON.WRONG_NULL_COMPARE \
+  PYTHON.USER.BAD_RANDOM \
+  PYTHON.USER.BAD_PBE_PARAMETERS \
+  PYTHON.USER.BAD_IV_PARAMETERS \
+  PYTHON.USER.PRINTF_NON_CONST \
+  PYTHON.USER.BAD_CRYPTO \
+  PYTHON.USER.BAD_HASH \
+  PYTHON.USER.CLEARTEXT_TRANSMISSION
+do
+  svace warning "$rule" true
+done