forked from NVIDIA-AI-Blueprints/vulnerability-analysis
-
Notifications
You must be signed in to change notification settings - Fork 15
Expand file tree
/
Copy pathDockerfile
More file actions
142 lines (113 loc) · 4.65 KB
/
Copy pathDockerfile
File metadata and controls
142 lines (113 loc) · 4.65 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
# SPDX-FileCopyrightText: Copyright (c) 2024-2025, NVIDIA CORPORATION & AFFILIATES. All rights reserved.
# SPDX-License-Identifier: Apache-2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
ARG BASE_IMAGE_URL=registry.redhat.io/ubi9/ubi
ARG BASE_IMAGE_TAG=9.8-1782841664
ARG PYTHON_VERSION=3.12
# Specified on the command line with --build-arg VULN_ANALYSIS_VERSION=$(python -m setuptools_scm)
ARG VULN_ANALYSIS_VERSION=2.0.0
FROM ${BASE_IMAGE_URL}:${BASE_IMAGE_TAG} AS base
COPY --from=ghcr.io/astral-sh/uv:0.7.15 /uv /uvx /bin/
ARG VULN_ANALYSIS_VERSION
ARG PYTHON_VERSION
ARG AGENT_GIT_COMMIT
ARG AGENT_GIT_TAG
ENV PYTHONDONTWRITEBYTECODE=1 \
AGENT_GIT_COMMIT=${AGENT_GIT_COMMIT} \
AGENT_GIT_TAG=${AGENT_GIT_TAG}
RUN dnf install -y --nodocs \
bsdtar \
ca-certificates \
gcc \
gcc-c++ \
git \
git-lfs \
krb5-devel \
libatomic \
make \
skopeo \
wget \
xz \
&& dnf clean all \
&& update-ca-trust
RUN curl -L -X GET https://go.dev/dl/go1.24.1.linux-amd64.tar.gz -o /tmp/go1.24.1.linux-amd64.tar.gz \
&& tar -C /usr/local -xzf /tmp/go1.24.1.linux-amd64.tar.gz \
&& rm /tmp/go1.24.1.linux-amd64.tar.gz
ENV GOTOOLCHAIN=auto
# --- Node.js 25.2.0 and npm 11.6.2 ---
ARG NODE_VERSION=25.2.0
RUN curl -fsSL -o /tmp/node.tar.xz \
"https://nodejs.org/dist/v${NODE_VERSION}/node-v${NODE_VERSION}-linux-x64.tar.xz" \
&& mkdir -p /opt/nodejs \
&& tar -C /opt/nodejs -xJf /tmp/node.tar.xz --strip-components=1 \
&& rm -f /tmp/node.tar.xz
ENV PATH="/opt/nodejs/bin:${PATH}"
# Verify Node.js and npm installation
RUN node --version && npm --version
# --- Temurin JDK 17 (amd64/x86_64) ---
ARG JDK_URL="https://github.com/adoptium/temurin17-binaries/releases/download/jdk-17.0.18%2B8/OpenJDK17U-jdk_x64_linux_hotspot_17.0.18_8.tar.gz"
ARG JDK_DIR="jdk-17.0.18+8"
RUN mkdir -p /opt/jdk \
&& curl -fsSL -o /tmp/jdk.tgz "${JDK_URL}" \
&& tar -C /opt/jdk -xzf /tmp/jdk.tgz \
&& rm -f /tmp/jdk.tgz
ENV JAVA_HOME=/opt/jdk/${JDK_DIR}
ENV PATH="${JAVA_HOME}/bin:${PATH}"
# --- Maven 3.9.11 (optional) ---
ARG MVN_VER=3.9.11
RUN curl -fsSL -o /tmp/maven.tgz \
"https://archive.apache.org/dist/maven/maven-3/${MVN_VER}/binaries/apache-maven-${MVN_VER}-bin.tar.gz" \
&& tar -C /opt -xzf /tmp/maven.tgz \
&& rm -f /tmp/maven.tgz
ENV PATH="/opt/apache-maven-${MVN_VER}/bin:${PATH}"
# Verify
RUN java -version && mvn -v
# Set SSL environment variables
ENV REQUESTS_CA_BUNDLE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \
SSL_CERT_FILE=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
# Add Tini
ADD --chmod=755 \
--checksum=sha256:93dcc18adc78c65a028a84799ecf8ad40c936fdfc5f2a57b1acda5a8117fa82c \
https://github.com/krallin/tini/releases/download/v0.19.0/tini /tini
SHELL ["/bin/bash", "-c"]
# Set working directory
WORKDIR /workspace
# Copy the project into the container
COPY ./ /workspace
RUN groupadd workspace-group && \
useradd -u 1001 -m -g workspace-group user1001 && \
chown -R :workspace-group /home/user1001 && \
chmod -R g+wrx /home/user1001
# Install the NeMo Agent toolkit package and vuln analysis package
RUN --mount=type=cache,id=uv_cache,target=/home/user1001/.cache/uv,mode=0775,sharing=locked \
export SETUPTOOLS_SCM_PRETEND_VERSION=${VULN_ANALYSIS_VERSION} && \
uv venv --python ${PYTHON_VERSION} /workspace/.venv && \
uv sync && \
chown -R :workspace-group /workspace && \
chmod -R g+wrx /workspace && \
chown -R :workspace-group /root && \
chmod -R g+rx /root
USER 1001
# Activate the environment (make it default for subsequent commands)
# Environment variables for the venv
ENV PATH="/workspace/.venv/bin:/usr/local/go/bin:$PATH"
# Mark all git repos as safe to avoid git errors
RUN git config --global --add safe.directory '*'
# Activate the environment (make it default for subsequent commands)
RUN echo "source /workspace/.venv/bin/activate" >> ~/.bashrc
# ===== Setup for development =====
FROM base AS runtime
RUN --mount=type=cache,id=uv_cache,target=/root/.cache/uv,sharing=locked \
source /workspace/.venv/bin/activate
CMD ["jupyter-lab", "--no-browser", "--allow-root", "--ip='*'", "--port=8000", "--NotebookApp.token=''", "--NotebookApp.password=''"]