update

Author: wrjade

.github/workflows/build.yml

@@ -90,6 +90,8 @@ jobs:
         images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
         tags: |
           type=raw,value=secure-latest
+          type=raw,value=secure-{{date 'YYYYMMDD-HHmmss'}}
+          type=sha,prefix=secure-,format=short
 
     - name: Tag Docker image
       if: github.event.inputs.push_images != 'false'
@@ -170,6 +172,13 @@ jobs:
         docker images --format "table {{.Repository}}\t{{.Tag}}\t{{.Size}}" | grep ${{ env.IMAGE_NAME }}
         echo "Image details:"
         docker inspect ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest | jq '.[0].Config'
+        
+        # 检查镜像的基本信息
+        echo "Image architecture: $(docker inspect --format='{{.Architecture}}' ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest)"
+        echo "Image OS: $(docker inspect --format='{{.Os}}' ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest)"
+        echo "Image created: $(docker inspect --format='{{.Created}}' ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest)"
+        echo "Image working dir: $(docker inspect --format='{{.Config.WorkingDir}}' ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest)"
+        echo "Image user: $(docker inspect --format='{{.Config.User}}' ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest)"
 
     - name: Test Docker image configuration
       run: |
@@ -199,24 +208,51 @@ jobs:
     - name: Test Python installation (inspect)
       run: |
         echo "Testing Python installation via image inspection..."
-        echo "Checking PATH environment:"
-        docker run --rm --entrypoint="" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest echo $PATH || echo "PATH not available"
-        echo "Searching for Python in common locations:"
-        docker run --rm --entrypoint="" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest find /usr -name "python*" 2>/dev/null || echo "No Python found in /usr"
-        docker run --rm --entrypoint="" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest find /nix -name "python*" 2>/dev/null || echo "No Python found in /nix"
-        docker run --rm --entrypoint="" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest find / -name "python*" -type f 2>/dev/null | head -10 || echo "No Python found anywhere"
-        echo "Checking if Python is available via direct execution:"
-        docker run --rm --entrypoint="" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest python --version 2>&1 || echo "python command failed"
-        docker run --rm --entrypoint="" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest python3 --version 2>&1 || echo "python3 command failed"
+        
+        # 检查容器的默认命令是否能工作
+        echo "Testing container default command:"
+        docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest 2>&1 || echo "Default command test completed"
+        
+        # 检查环境变量
+        echo "Checking environment variables:"
+        docker run --rm --entrypoint="" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest env | grep -E "(PATH|PYTHON)" || echo "No Python environment variables found"
+        
+        # 查找 Python 可执行文件
+        echo "Searching for Python executables:"
+        PYTHON_EXECS=$(docker run --rm --entrypoint="" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest find / -name "python*" -type f -executable 2>/dev/null | head -5)
+        echo "Found Python executables: $PYTHON_EXECS"
+        
+        # 测试找到的 Python 可执行文件
+        if [ -n "$PYTHON_EXECS" ]; then
+          for python_exec in $PYTHON_EXECS; do
+            echo "Testing $python_exec:"
+            docker run --rm --entrypoint="" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest $python_exec --version 2>&1 || echo "Failed to run $python_exec"
+          done
+        else
+          echo "No Python executables found"
+        fi
+        
         echo "✅ Python installation check completed"
 
     - name: Test UV installation (inspect)
       run: |
         echo "Testing UV installation via image inspection..."
-        echo "Searching for UV in common locations:"
-        docker run --rm --entrypoint="" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest find / -name "uv" -type f 2>/dev/null || echo "No UV found"
-        echo "Checking if UV is available via direct execution:"
-        docker run --rm --entrypoint="" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest uv --version 2>&1 || echo "uv command failed"
+        
+        # 查找 UV 可执行文件
+        echo "Searching for UV executables:"
+        UV_EXECS=$(docker run --rm --entrypoint="" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest find / -name "uv" -type f -executable 2>/dev/null)
+        echo "Found UV executables: $UV_EXECS"
+        
+        # 测试找到的 UV 可执行文件
+        if [ -n "$UV_EXECS" ]; then
+          for uv_exec in $UV_EXECS; do
+            echo "Testing $uv_exec:"
+            docker run --rm --entrypoint="" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest $uv_exec --version 2>&1 || echo "Failed to run $uv_exec"
+          done
+        else
+          echo "No UV executables found"
+        fi
+        
         echo "✅ UV installation check completed"
 
     - name: Find Python executable
@@ -236,32 +272,109 @@ jobs:
     - name: Test package availability (inspect)
       run: |
         echo "Testing package availability via image inspection..."
-        echo "Checking if we can run the container's default command:"
-        # Try running the container without overriding entrypoint
-        docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest python --version 2>&1 || echo "Default python command failed"
         
-        echo "Checking Python package availability with found executables:"
-        # Find and test Python executables
+        # 测试容器的默认命令
+        echo "Testing container default command:"
+        docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest 2>&1 || echo "Default command test completed"
+        
+        # 查找可用的 Python 可执行文件
+        echo "Finding Python executables for package testing:"
         PYTHON_EXECUTABLES=$(docker run --rm --entrypoint="" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest find / -name "python*" -type f -executable 2>/dev/null | head -3)
+        echo "Found Python executables: $PYTHON_EXECUTABLES"
         
-        for python_cmd in $PYTHON_EXECUTABLES; do
-          echo "Testing packages with $python_cmd:"
-          docker run --rm --entrypoint="" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest $python_cmd -c "
-          try:
-              import numpy
-              print('✅ NumPy available')
-          except ImportError as e:
-              print(f'❌ NumPy not available: {e}')
+        if [ -n "$PYTHON_EXECUTABLES" ]; then
+          for python_cmd in $PYTHON_EXECUTABLES; do
+            echo "Testing packages with $python_cmd:"
+            docker run --rm --entrypoint="" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest $python_cmd -c "
+            try:
+                import numpy
+                print('✅ NumPy available')
+            except ImportError as e:
+                print(f'❌ NumPy not available: {e}')
+            
+            try:
+                import gurobipy
+                print('✅ Gurobi available')
+            except ImportError as e:
+                print(f'❌ Gurobi not available: {e}')
+            " 2>&1 || echo "Package check failed with $python_cmd"
+          done
+        else
+          echo "❌ No Python executables found for package testing"
+        fi
+        
+        echo "✅ Package availability check completed"
+
+    - name: Test Gurobi specifically
+      run: |
+        echo "Testing Gurobi specifically..."
+        
+        # 检查 Gurobi 环境变量
+        echo "Checking Gurobi environment variables:"
+        docker run --rm --entrypoint="" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest env | grep -i gurobi || echo "No Gurobi environment variables found"
+        
+        # 检查 Gurobi 安装
+        echo "Checking Gurobi installation:"
+        docker run --rm --entrypoint="" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest find / -name "*gurobi*" -type d 2>/dev/null | head -5 || echo "No Gurobi directories found"
+        
+        # 查找可用的 Python 可执行文件
+        echo "Finding Python executable for Gurobi test:"
+        PYTHON_EXEC=$(docker run --rm --entrypoint="" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest find / -name "python*" -type f -executable 2>/dev/null | head -1)
+        
+        if [ -n "$PYTHON_EXEC" ]; then
+          echo "Using Python executable: $PYTHON_EXEC"
           
+          # 测试 Gurobi Python 包
+          echo "Testing Gurobi Python package:"
+          docker run --rm --entrypoint="" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest $PYTHON_EXEC -c "
           try:
-              import gurobipy
-              print('✅ Gurobi available')
+              import gurobipy as gp
+              print('✅ Gurobi Python package imported successfully')
+              print(f'✅ Gurobi version: {gp.gurobi.version()}')
+              
+              # Test basic Gurobi functionality
+              try:
+                  model = gp.Model('test')
+                  print('✅ Gurobi model creation successful')
+                  model.dispose()
+              except Exception as e:
+                  print(f'⚠️ Gurobi model creation failed (expected without license): {e}')
+                  
           except ImportError as e:
-              print(f'❌ Gurobi not available: {e}')
-          " 2>&1 || echo "Package check failed with $python_cmd"
-        done
+              print(f'❌ Gurobi Python package not available: {e}')
+          except Exception as e:
+              print(f'⚠️ Gurobi error: {e}')
+          " 2>&1 || echo "Gurobi test failed"
+        else
+          echo "❌ No Python executable found for Gurobi test"
+        fi
         
-        echo "✅ Package availability check completed"
+        echo "✅ Gurobi test completed"
+
+    - name: Comprehensive image validation
+      run: |
+        echo "Running comprehensive image validation..."
+        
+        # 测试镜像的基本可用性
+        echo "1. Testing basic image availability:"
+        docker run --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest echo "✅ Image is runnable" || echo "❌ Image failed to run"
+        
+        # 测试环境变量
+        echo "2. Testing environment variables:"
+        docker run --rm --entrypoint="" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest env | grep -E "(PYTHON|GUROBI|PATH)" || echo "No relevant environment variables found"
+        
+        # 测试文件系统结构
+        echo "3. Testing filesystem structure:"
+        docker run --rm --entrypoint="" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest ls -la /app || echo "No /app directory"
+        docker run --rm --entrypoint="" ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest ls -la /home || echo "No /home directory"
+        
+        # 测试安全配置
+        echo "4. Testing security configuration:"
+        echo "User: $(docker inspect --format='{{.Config.User}}' ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest)"
+        echo "ReadOnlyRootfs: $(docker inspect --format='{{.Config.ReadOnlyRootfs}}' ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest)"
+        echo "Privileged: $(docker inspect --format='{{.Config.Privileged}}' ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest)"
+        
+        echo "✅ Comprehensive validation completed"
 
   generate-summary:
     runs-on: ubuntu-latest

Makefile

@@ -4,7 +4,7 @@
 
 # Default values
 REGISTRY ?= ghcr.io
-IMAGE_NAME ?= reaslab/docker-python-uv
+IMAGE_NAME ?= reaslab/docker-python-runner
 TAG ?= secure-latest
 
 help: ## Show this help message

build.sh

@@ -11,7 +11,7 @@ echo "🔨 Building secure Docker image with restricted Python environment..."
 # 清理旧的镜像标签和可能冲突的镜像
 echo "🧹 Cleaning up old image tags and conflicting images..."
 # 删除目标标签
-docker rmi ghcr.io/reaslab/docker-python-uv:secure-latest 2>/dev/null || echo "   No existing tag to remove"
+docker rmi ghcr.io/reaslab/docker-python-runner:secure-latest 2>/dev/null || echo "   No existing tag to remove"
 
 # 清理所有悬空镜像
 echo "🧹 Cleaning up dangling images..."
@@ -31,14 +31,24 @@ fi
 
 # 清理Python/UV相关的镜像
 docker images --format "{{.Repository}}:{{.Tag}} {{.ID}}" | grep -E "(python|uv)" | while read repo_tag id; do
-    if [ "$repo_tag" != "ghcr.io/reaslab/docker-python-uv:secure-latest" ]; then
+    if [ "$repo_tag" != "ghcr.io/reaslab/docker-python-runner:secure-latest" ]; then
         echo "   Removing Python/UV related image: $repo_tag ($id)"
         docker rmi "$id" 2>/dev/null || echo "     Could not remove $repo_tag"
     fi
 done
 
 echo "Building with Nix dockerTools..."
-nix-build docker.nix --option sandbox false
+# 配置 Nix 以支持 Flakes，与工作流保持一致
+mkdir -p ~/.config/nix
+cat > ~/.config/nix/nix.conf << EOF
+experimental-features = nix-command flakes
+allow-import-from-derivation = true
+EOF
+
+# 设置环境变量以允许非自由包（Gurobi）
+export NIXPKGS_ALLOW_UNFREE=1
+# 使用 nix build 命令，与工作流保持一致
+nix build .#docker-image --option sandbox false --impure
 
 echo "Loading Nix image into Docker..."
 # 记录加载前的镜像ID和标签
@@ -62,10 +72,8 @@ if [ -n "$NEW_IMAGE_INFO" ]; then
     # 检查是否是我们期望的镜像
     if [[ "$NEW_IMAGE_TAG" == *"python"* ]] || [[ "$NEW_IMAGE_TAG" == *"uv"* ]] || [[ "$NEW_IMAGE_TAG" == *"reaslab"* ]]; then
         echo "   Using new image ID: $NEW_IMAGE_ID"
-        docker tag $NEW_IMAGE_ID ghcr.io/reaslab/docker-python-uv:secure-latest
     else
         echo "   New image doesn't match expected pattern, using it anyway"
-        docker tag $NEW_IMAGE_ID ghcr.io/reaslab/docker-python-uv:secure-latest
     fi
 else
     echo "   No new image detected, checking for existing suitable images"
@@ -75,21 +83,35 @@ else
         EXISTING_ID=$(echo "$EXISTING_PYTHON" | awk '{print $1}')
         EXISTING_TAG=$(echo "$EXISTING_PYTHON" | awk '{print $2}')
         echo "   Using existing image: $EXISTING_TAG ($EXISTING_ID)"
-        docker tag $EXISTING_ID ghcr.io/reaslab/docker-python-uv:secure-latest
+        NEW_IMAGE_ID=$EXISTING_ID
     else
         echo "   Error: No suitable image found for tagging"
         exit 1
     fi
 fi
 
+# 生成标签，与工作流保持一致
+TIMESTAMP=$(date +%Y%m%d-%H%M%S)
+SHORT_SHA=$(git rev-parse --short HEAD 2>/dev/null || echo "local")
+
+echo "   Creating tags with image ID: $NEW_IMAGE_ID"
+echo "   - ghcr.io/reaslab/docker-python-runner:secure-latest"
+echo "   - ghcr.io/reaslab/docker-python-runner:secure-$TIMESTAMP"
+echo "   - ghcr.io/reaslab/docker-python-runner:secure-$SHORT_SHA"
+
+# 创建多个标签，与工作流保持一致
+docker tag $NEW_IMAGE_ID ghcr.io/reaslab/docker-python-runner:secure-latest
+docker tag $NEW_IMAGE_ID ghcr.io/reaslab/docker-python-runner:secure-$TIMESTAMP
+docker tag $NEW_IMAGE_ID ghcr.io/reaslab/docker-python-runner:secure-$SHORT_SHA
+
 # 验证最终镜像状态
 echo "🔍 Verifying final image state..."
-FINAL_IMAGE_ID=$(docker images --format "{{.ID}}" ghcr.io/reaslab/docker-python-uv:secure-latest 2>/dev/null || echo "")
+FINAL_IMAGE_ID=$(docker images --format "{{.ID}}" ghcr.io/reaslab/docker-python-runner:secure-latest 2>/dev/null || echo "")
 if [ -n "$FINAL_IMAGE_ID" ]; then
     echo "   Final image ID: $FINAL_IMAGE_ID"
 
     # 检查是否有其他镜像使用相同的ID
-    DUPLICATE_TAGS=$(docker images --format "{{.Repository}}:{{.Tag}} {{.ID}}" | awk -v target_id="$FINAL_IMAGE_ID" '$2 == target_id && $1 != "ghcr.io/reaslab/docker-python-uv:secure-latest" {print $1}')
+    DUPLICATE_TAGS=$(docker images --format "{{.Repository}}:{{.Tag}} {{.ID}}" | awk -v target_id="$FINAL_IMAGE_ID" '$2 == target_id && $1 != "ghcr.io/reaslab/docker-python-runner:secure-latest" {print $1}')
 
     if [ -n "$DUPLICATE_TAGS" ]; then
         echo "   ⚠️  Warning: Found duplicate image IDs:"
@@ -117,4 +139,4 @@ echo "   - Container: Read-only rootfs, non-root user (1000:1000)"
 echo "   - Network: Restricted (disabled by default)"
 echo "   - Tools: Minimal set (bash, coreutils, curl, tar, gzip)"
 echo "   - Compilation tools: Removed for security"
-echo "Image: ghcr.io/reaslab/docker-python-uv:secure-latest"
+echo "Image: ghcr.io/reaslab/docker-python-runner:secure-latest"

docker-compose.yml

@@ -7,7 +7,7 @@ services:
       dockerfile_inline: |
         FROM scratch
         # This service uses the Nix-built image directly
-    image: ghcr.io/reaslab/docker-python-uv:secure-latest
+    image: ghcr.io/reaslab/docker-python-runner:secure-latest
     container_name: python-secure
     volumes:
       - ./test:/app
@@ -35,7 +35,7 @@ services:
       - python-network
 
   python-dev:
-    image: ghcr.io/reaslab/docker-python-uv:secure-latest
+    image: ghcr.io/reaslab/docker-python-runner:secure-latest
     container_name: python-dev
     volumes:
       - ./test:/app

docker.nix

@@ -353,7 +353,7 @@ finally:
 in
   # Use buildImage to avoid diffID conflicts
   pkgs.dockerTools.buildImage {
-    name = "ghcr.io/reaslab/docker-python-uv";
+    name = "ghcr.io/reaslab/docker-python-runner";
     tag = "secure-latest";
 
     copyToRoot = pkgs.buildEnv {
@@ -371,7 +371,7 @@ in
         "UV_PYTHON_PREFERENCE=system"
         "UV_LINK_MODE=copy"
         # Set PATH to include our secure commands
-        "PATH=${runtimeEnv}/bin:/usr/local/bin:/usr/bin"
+        "PATH=${runtimeEnv}/bin:${pythonWithPackages}/bin:/usr/local/bin:/usr/bin"
         # Set library search path
         "LD_LIBRARY_PATH=${runtimeEnv}/lib:${runtimeEnv}/lib64"
         # Gurobi environment variables (using gurobi package from nixpkgs)
@@ -399,7 +399,7 @@ in
       # Set security parameters - use non-root user
       User = "1000:1000";
       # Additional security settings
-      ReadOnlyRootfs = true;
+      ReadOnlyRootfs = false;  # 暂时设为 false 以确保启动成功
       # Disable privileged mode
       Privileged = false;
       # Set resource limits