SKA Base Images

This repository contains the definition of a base image stripped of application-level dependencies, which SKAO developers can use as a base when building their own products or other variant base images.

This makes it possible to create and release a security-patched Ubuntu 22.04 base image without any application dependencies and to implement a monthly security patch process for all ST services and images.

Currently, we provide the following images:

  • ska-base: CIS hardened Ubuntu 22.04 base image

  • ska-base-ubuntu24: CIS hardened Ubuntu 24.04 base image

  • ska-python: Ubuntu 22.04 based base image for Python applications with Python 3.10

  • ska-python-ubuntu24: Ubuntu 24.04 based base image for Python applications with Python 3.12

  • ska-build-python: Ubuntu 22.04 based build image for Python applications with Python 3.10

  • ska-build-python-ubuntu24: Ubuntu 24.04 based build image for Python applications with Python 3.12

  • ska-node: Ubuntu 22.04 based base image for JavaScript applications with Node 22

  • ska-build-node: Ubuntu 22.04 based build and test image for JavaScript applications with Node 22 and Cypress 14.2.0. The linux/arm64 variant skips Google Chrome because Google does not publish a Linux arm64 package.

  • ska-webserver: Ubuntu 22.04 based base image for serving static websites and proxying calls to backend APIs with Nginx 1.27.3 and Python 3.10

  • ska-cuda: NVIDIA provided Ubuntu 22.04 based base image for running CUDA applications with CUDA 12.14.x and Python 3.10.x. Based on nvidia/cuda:12.4.1-runtime-ubuntu22.04

  • ska-cuda-ubuntu24: NVIDIA provided Ubuntu 24.04 based base image for running CUDA applications with CUDA 13.0.x and Python 3.10.x. Based on nvidia/cuda:13.0.1-runtime-ubuntu24.04

  • ska-build-cuda: NVIDIA provided Ubuntu 22.04 based base image for building CUDA applications with CUDA 12.14.x and Python 3.10.x. Based on nvidia/cuda:12.4.1-cudnn-devel-ubuntu22.04

  • ska-build-cuda-ubuntu24: NVIDIA provided Ubuntu 24.04 based base image for building CUDA applications with CUDA 13.0.x and Python 3.10.x. Based on nvidia/cuda:13.0.1-cudnn-devel-ubuntu24.04

  • ska-build-cuda-11: NVIDIA provided Ubuntu 22.04 based base image for building CUDA applications with CUDA 11.8.0 and Python 3.10.x. Based on nvidia/cuda:11.8.0-cudnn-devel-ubuntu22.04. NOTE: This image is deprecated and will be removed in the future as CUDA 11 is no longer supported by NVIDIA.

ska-webserver

The ska-webserver image differs from the other images in that it offers a tailored solution for teams to easily create OCI images that serve static web content and proxy calls to backend APIs using best practices, much like what is provided by NextJS and similar solutions. The main goal is to spare teams from crafting their own nginx.conf files while giving them an easy-to-set-up yet configurable image.

The Nginx configuration is generated by rendering a jinja2 template with a custom configuration. The configuration context is created by providing one or more YAML configuration files and mounting them to ${NGINX_ENVSUBST_TEMPLATE_DIR}/conf.d/. The configuration files are loaded in alphabetical order and merged together. Because the process is jinja2 based, the configuration itself is also templated, meaning variables in configuration files can refer to other values in the configuration.

The default configuration contains the full spec with examples, with everything that is not necessary by default commented out.

An example configuration file could be:

config:
  log_level: debug
  source_env:
    - name: NAMESPACE
      default: some-namespace
    - name: BACKEND_URL
      default: http://some-backend.some-namespace.svc
  disable_default_locations: true
  before_snippets:
    - |
      location ^~ /{{ env.NAMESPACE }}/static {
        alias {{ config.root }}/static/$1;
        expires {{ config.static_file_cache_expiration }};
        add_header Pragma public;
        add_header Cache-Control "public";
        try_files $uri $uri/ =404;
      }
  locations:
    - location: ~* ^/{{ env.NAMESPACE }}/api(.*)$
      proxy_pass: "{{ env.BACKEND_URL }}/api$1$is_args$args"
      proxy_read_timeout: 120s
    - location: ~* ^/{{ env.NAMESPACE }}/another/api(.*)$
      proxy_pass: "{{ env.BACKEND_URL }}/api$1$is_args$args"
      proxy_buffering: 'on'

Most notably, through proper configuration, this image allows:

  • Using references in the configuration to other variables in the configuration (recursive, has some limitations) using {{ config.<variable> }}

before_snippets:
  - |
    location ^~ /static {
      alias {{ config.root }}/static/$1;
      expires {{ config.static_file_cache_expiration }};
      add_header Pragma public;
      add_header Cache-Control "public";
      try_files $uri $uri/ =404;
    }

  • Capability of “importing” environment variables and giving them a default value

source_env:
  - name: NAMESPACE
    default: some-namespace
  - name: BACKEND_URL
    default: http://some-backend.some-namespace.svc
locations:
  - location: ~* ^/{{ env.NAMESPACE }}/api(.*)$
    proxy_pass: "{{ env.BACKEND_URL }}/api$1$is_args$args"

  • Any number of locations with configurable location expression, proxy_pass and other proxy configurations

  • Add snippets to Nginx configuration before the defaults and locations with before_snippets and after with after_snippets

If you want to test what the Nginx configuration would look like, you can run:

mkdir -p /tmp/ska-webserver-configs
cp images/ska-webserver/resources/conf.yml /tmp/ska-webserver-configs/0-conf.yml

# Create any number of configuration files
vi /tmp/ska-webserver-configs/[...].yml

python3 images/ska-webserver/resources/generate.py -i images/ska-webserver/resources/nginx.conf.j2 -c /tmp/ska-webserver-configs -o /tmp/nginx.conf
cat /tmp/nginx.conf
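
The values imported through source_env end up inside a location regular expression and a proxy_pass directive, so it helps to check them before rendering. The following pre-flight check is an added example, not part of this repository; it assumes values are substituted into the template as-is, and the function names, the CHECKS registry and the accepted patterns are assumptions.

```python
import re
from urllib.parse import urlsplit

# Lowercase DNS label: no regex metacharacters, so inert in a `location ~*` pattern.
NAMESPACE_RE = re.compile(r"[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?")
# Whitespace and characters that carry meaning in nginx.conf syntax.
NGINX_SYNTAX = re.compile(r"[\s;{}\"'\\$#]")

def check_namespace(value):
    """Return a list of problems with a NAMESPACE value (empty list = OK)."""
    if NAMESPACE_RE.fullmatch(value):
        return []
    return [f"NAMESPACE {value!r} is not a lowercase DNS label"]

def check_backend_url(value):
    """Return a list of problems with a BACKEND_URL value (empty list = OK)."""
    if NGINX_SYNTAX.search(value):
        return [f"BACKEND_URL {value!r} contains nginx syntax characters"]
    try:
        parts = urlsplit(value)
    except ValueError as exc:
        return [f"BACKEND_URL {value!r} does not parse: {exc}"]
    problems = []
    if (parts.scheme not in ("http", "https") or not parts.hostname
            or parts.username or parts.password):
        problems.append(f"BACKEND_URL {value!r} must be http(s)://host[:port]")
    if parts.path or parts.query or parts.fragment:
        problems.append("BACKEND_URL must stop at the host; the template appends /api...")
    return problems

CHECKS = {"NAMESPACE": check_namespace, "BACKEND_URL": check_backend_url}  # hypothetical

def check_source_env(source_env, environ):
    """Resolve each entry (environment value, else its default) and validate it."""
    problems = []
    for entry in source_env:
        value = environ.get(entry["name"], entry.get("default", ""))
        check = CHECKS.get(entry["name"])
        if check:
            problems.extend(check(str(value)))
    return problems

# Constructed sample: the source_env list from the example configuration.
SOURCE_ENV = [
    {"name": "NAMESPACE", "default": "some-namespace"},
    {"name": "BACKEND_URL", "default": "http://some-backend.some-namespace.svc"},
]

if __name__ == "__main__":
    import os
    print(check_source_env(SOURCE_ENV, os.environ) or "source_env values OK")
```

Run it with the same environment the container will receive, before calling generate.py.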

Other dynamic procedures

As this image installs Nginx from native sources, we also carried over the docker-entrypoint capabilities that the official Nginx images have. If you wish to perform other dynamic procedures that do not involve generating the nginx.conf file, you can mount any bash script (note the alphabetical order of execution) to /docker-entrypoint.d.

A common use case for this is to rewrite paths to other resources in the static HTML, JS and CSS files so that they include the namespace of the deployment as a prefix.

ska-cuda and ska-build-cuda

These images are not built using the ska-base image, but rather the NVIDIA provided base images. The ska-cuda image is based on nvidia/cuda:12.4.1-runtime-ubuntu22.04 and the ska-build-cuda image is based on nvidia/cuda:12.4.1-cudnn-devel-ubuntu22.04. Both images have Python 3.10.x installed.

Deprecations and removals

  • The ska-build image was removed in favor of having language/platform specific base images

Beta images

All the images based on the Ubuntu 24.04 base image are currently in beta and won’t be supported by the System Team. We do welcome any bug reports on their usage, but they are not guaranteed to be stable or production-ready.

Building the images locally

make oci-build-all