init version to support python

Author: wrjade

.github/workflows/build.yml

@@ -0,0 +1,200 @@
+name: Build and Push Docker Images with Nix
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    - cron: '0 2 * * 1'  # Weekly on Monday at 2 AM
+  workflow_dispatch:
+    inputs:
+      push_images:
+        description: 'Push images to registry'
+        type: boolean
+        default: true
+
+env:
+  REGISTRY: ghcr.io
+  IMAGE_NAME: reaslab/docker-python-uv
+
+jobs:
+  build:
+    runs-on: fedora-latest
+    permissions:
+      contents: read
+      packages: write
+      id-token: write
+      attestations: write
+
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Set up Nix
+      uses: cachix/install-nix-action@v22
+      with:
+        nix_path: nixpkgs=channel:nixos-unstable
+
+    - name: Install Nix dependencies
+      run: |
+        nix-env -iA nixpkgs.dockerTools
+        nix-env -iA nixpkgs.gnutar
+        nix-env -iA nixpkgs.gzip
+
+    - name: Build Docker image with Nix
+      run: |
+        nix-build docker.nix --option sandbox false
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@v3
+
+    - name: Log in to Container Registry
+      if: github.event.inputs.push_images != 'false'
+      uses: docker/login-action@v3
+      with:
+        registry: ${{ env.REGISTRY }}
+        username: ${{ github.actor }}
+        password: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Load Docker image
+      run: |
+        docker load < result
+
+    - name: Extract metadata
+      id: meta
+      if: github.event.inputs.push_images != 'false'
+      uses: docker/metadata-action@v5
+      with:
+        images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+        tags: |
+          type=raw,value=secure-latest
+
+    - name: Tag Docker image
+      if: github.event.inputs.push_images != 'false'
+      run: |
+        # Get the image ID from the loaded image
+        IMAGE_ID=$(docker images --format "{{.ID}}" | head -1)
+        echo "Image ID: $IMAGE_ID"
+        
+        # Tag with all metadata tags
+        for tag in ${{ steps.meta.outputs.tags }}; do
+          echo "Tagging with: $tag"
+          docker tag $IMAGE_ID $tag
+        done
+
+    - name: Push Docker image
+      if: github.event.inputs.push_images != 'false'
+      run: |
+        for tag in ${{ steps.meta.outputs.tags }}; do
+          echo "Pushing: $tag"
+          docker push $tag
+        done
+
+    - name: Run security scan
+      if: github.event.inputs.push_images != 'false'
+      uses: aquasecurity/trivy-action@master
+      with:
+        image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest
+        format: 'sarif'
+        output: 'trivy-results.sarif'
+
+    - name: Upload Trivy scan results
+      if: github.event.inputs.push_images != 'false'
+      uses: github/codeql-action/upload-sarif@v2
+      with:
+        sarif_file: 'trivy-results.sarif'
+
+  test:
+    runs-on: fedora-latest
+    needs: build
+    if: github.event.inputs.push_images != 'false'
+
+    steps:
+    - name: Test Python version
+      run: |
+        docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest python --version
+
+    - name: Test UV installation
+      run: |
+        docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest uv --version
+
+    - name: Test security restrictions
+      run: |
+        # Test that dangerous modules are restricted
+        docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest python -c "
+        try:
+            import os
+            print('ERROR: os module should be restricted')
+            exit(1)
+        except ImportError:
+            print('OK: os module is properly restricted')
+        "
+
+    - name: Test Gurobi availability
+      run: |
+        # Test that Gurobi is available (without license)
+        docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest python -c "
+        try:
+            import gurobipy
+            print('OK: Gurobi Python package is available')
+        except ImportError as e:
+            print(f'ERROR: Gurobi not available: {e}')
+            exit(1)
+        "
+
+    - name: Test scientific packages
+      run: |
+        # Test that scientific packages are available
+        docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest python -c "
+        import numpy
+        import scipy
+        import pandas
+        import matplotlib
+        import sklearn
+        print('OK: All scientific packages are available')
+        print(f'NumPy version: {numpy.__version__}')
+        print(f'SciPy version: {scipy.__version__}')
+        print(f'Pandas version: {pandas.__version__}')
+        "
+
+  cleanup:
+    runs-on: fedora-latest
+    needs: [build, test]
+    if: always() && github.event.inputs.push_images != 'false'
+
+    permissions:
+      packages: write
+
+    steps:
+    - name: Clean up old images
+      uses: dataaxiom/ghcr-cleanup-action@v1
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        package-name: ${{ env.IMAGE_NAME }}
+        keep-versions: 10
+
+  generate-summary:
+    runs-on: fedora-latest
+    needs: [build, test]
+    if: always()
+
+    steps:
+    - name: Generate summary
+      run: |
+        echo "## 🐳 Docker Image Build Summary" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+        echo "**Image:** \`${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}\`" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+        echo "**Tags:**" >> $GITHUB_STEP_SUMMARY
+        echo "- \`secure-latest\`" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+        echo "**Features:**" >> $GITHUB_STEP_SUMMARY
+        echo "- ✅ Secure Python 3.12 environment" >> $GITHUB_STEP_SUMMARY
+        echo "- ✅ UV package manager" >> $GITHUB_STEP_SUMMARY
+        echo "- ✅ Gurobi optimization solver" >> $GITHUB_STEP_SUMMARY
+        echo "- ✅ Scientific computing packages" >> $GITHUB_STEP_SUMMARY
+        echo "- ✅ Non-root user execution" >> $GITHUB_STEP_SUMMARY
+        echo "- ✅ Resource limits and security restrictions" >> $GITHUB_STEP_SUMMARY
+        echo "" >> $GITHUB_STEP_SUMMARY
+        echo "**Registry:** [GitHub Container Registry](https://github.com/orgs/reaslab/packages)" >> $GITHUB_STEP_SUMMARY

.gitignore

@@ -0,0 +1,43 @@
+# Nix build artifacts
+result
+result-*
+
+# Docker build artifacts
+.dockerignore
+
+# IDE files
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# Logs
+*.log
+
+# Temporary files
+*.tmp
+*.temp
+
+# Gurobi license (keep private)
+gurobi.lic
+*.lic
+
+# Test files
+test/
+*.pyc
+__pycache__/
+.pytest_cache/
+
+# Environment files
+.env
+.env.local
+.env.*.local
+
+# Backup files
+*.bak
+*.backup

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 ReasLab
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -0,0 +1,83 @@
+# Makefile for docker-python-uv (Nix-based, Fedora runners)
+
+.PHONY: help build test clean push pull run run-secure dev
+
+# Default values
+REGISTRY ?= ghcr.io
+IMAGE_NAME ?= reaslab/docker-python-uv
+TAG ?= secure-latest
+
+help: ## Show this help message
+	@echo "Available targets:"
+	@grep -E '^[a-zA-Z_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk 'BEGIN {FS = ":.*?## "}; {printf "  \033[36m%-20s\033[0m %s\n", $$1, $$2}'
+
+build: ## Build Docker image using Nix
+	@echo "Building Docker image using Nix..."
+	@echo "This will build a secure Python environment with UV and Gurobi"
+	./build.sh
+
+test: ## Test the built Docker image
+	@echo "Testing Docker image..."
+	@echo "Testing Python version..."
+	docker run --rm $(IMAGE_NAME):$(TAG) python --version
+	@echo "Testing UV installation..."
+	docker run --rm $(IMAGE_NAME):$(TAG) uv --version
+	@echo "Testing security restrictions..."
+	docker run --rm $(IMAGE_NAME):$(TAG) python -c "try: import os; print('ERROR: os should be restricted'); exit(1); except ImportError: print('OK: os is restricted')"
+	@echo "Testing Gurobi availability..."
+	docker run --rm $(IMAGE_NAME):$(TAG) python -c "import gurobipy; print('OK: Gurobi available')"
+	@echo "Testing scientific packages..."
+	docker run --rm $(IMAGE_NAME):$(TAG) python -c "import numpy, scipy, pandas; print('OK: Scientific packages available')"
+
+clean: ## Clean up Docker images and Nix build artifacts
+	@echo "Cleaning up..."
+	docker rmi $(IMAGE_NAME):$(TAG) 2>/dev/null || true
+	docker image prune -f 2>/dev/null || true
+	rm -f result 2>/dev/null || true
+	@echo "Cleanup completed"
+
+push: ## Push Docker images to registry
+	@echo "Pushing Docker images to registry..."
+	docker push $(IMAGE_NAME):$(TAG)
+
+pull: ## Pull Docker images from registry
+	@echo "Pulling Docker images from registry..."
+	docker pull $(IMAGE_NAME):$(TAG)
+
+run: ## Run interactive container
+	@echo "Running interactive container..."
+	docker run --rm -it $(IMAGE_NAME):$(TAG) bash
+
+run-secure: ## Run secure Python interpreter
+	@echo "Running secure Python interpreter..."
+	docker run --rm -it $(IMAGE_NAME):$(TAG) python
+
+dev: ## Run development container with volume mount
+	@echo "Running development container with volume mount..."
+	docker run --rm -it -v $(PWD):/app $(IMAGE_NAME):$(TAG) bash
+
+gurobi-test: ## Test Gurobi with license file
+	@echo "Testing Gurobi with license file..."
+	@if [ ! -f "gurobi.lic" ]; then \
+		echo "Error: gurobi.lic file not found. Please place your Gurobi license file in the current directory."; \
+		exit 1; \
+	fi
+	docker run --rm -v $(PWD)/gurobi.lic:/app/gurobi.lic:ro $(IMAGE_NAME):$(TAG) python -c "import gurobipy; print('Gurobi version:', gurobipy.gurobi.version())"
+
+nix-shell: ## Enter Nix shell for development
+	@echo "Entering Nix shell..."
+	nix-shell -p nixpkgs.dockerTools nixpkgs.gnutar nixpkgs.gzip
+
+info: ## Show image information
+	@echo "Image Information:"
+	@echo "  Registry: $(REGISTRY)"
+	@echo "  Image: $(IMAGE_NAME)"
+	@echo "  Tag: $(TAG)"
+	@echo "  Full name: $(REGISTRY)/$(IMAGE_NAME):$(TAG)"
+	@echo ""
+	@echo "Available commands:"
+	@echo "  make build    - Build the image"
+	@echo "  make test     - Test the image"
+	@echo "  make run      - Run interactive container"
+	@echo "  make dev      - Run with volume mount"
+	@echo "  make clean    - Clean up images"