diff --git a/.trivyignore.yaml b/.trivyignore.yaml
index a2425ed..15b9fe5 100644
--- a/.trivyignore.yaml
+++ b/.trivyignore.yaml
@@ -1,26 +1 @@
-vulnerabilities:
- # /usr/bin/pebble is Canonical's init/service manager binary shipped as part of
- # the ubuntu:26.04 base image. Its Go stdlib is compiled into the binary by
- # Canonical; we cannot upgrade it without replacing the base image. These
- # findings will be resolved when Canonical rebuilds pebble against a patched
- # Go toolchain. Track: https://bugs.launchpad.net/ubuntu/+source/pebble
- - id: CVE-2026-33811
- paths:
- - usr/bin/pebble
- statement: "Canonical pebble base-image binary; not user-controlled."
- - id: CVE-2026-33814
- paths:
- - usr/bin/pebble
- statement: "Canonical pebble base-image binary; not user-controlled."
- - id: CVE-2026-39820
- paths:
- - usr/bin/pebble
- statement: "Canonical pebble base-image binary; not user-controlled."
- - id: CVE-2026-39836
- paths:
- - usr/bin/pebble
- statement: "Canonical pebble base-image binary; not user-controlled."
- - id: CVE-2026-42499
- paths:
- - usr/bin/pebble
- statement: "Canonical pebble base-image binary; not user-controlled."
+vulnerabilities: []
diff --git a/frontend/Dockerfile b/frontend/Dockerfile
index df0f0d4..6871bce 100644
--- a/frontend/Dockerfile
+++ b/frontend/Dockerfile
@@ -34,7 +34,8 @@ RUN apt-get update -y && apt-get install -y \
 && rm -rf /var/lib/apt/lists/* \
 && rm -f /etc/ssh/ssh_host_* \
 && rm -f /etc/ssl/private/ssl-cert-snakeoil.key \
- && rm -f /etc/ssl/certs/ssl-cert-snakeoil.pem
+ && rm -f /etc/ssl/certs/ssl-cert-snakeoil.pem \
+ && rm -f /usr/bin/pebble
 # Create stub eval.h for Python 3.13+ compatibility (header removed but API still present)
 RUN python3 -c "import sysconfig; open(sysconfig.get_path('include')+'/eval.h','w').write('#pragma once\n')"
diff --git a/mom/Dockerfile b/mom/Dockerfile
index 6e4a650..b6b790d 100644
--- a/mom/Dockerfile
+++ b/mom/Dockerfile
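Review bot: The added `&& rm -f /usr/bin/pebble` in frontend/Dockerfile (and the identical lines in mom/Dockerfile and server/Dockerfile) carries no comment, while the rationale that used to live in .trivyignore.yaml is deleted by this same commit. Because the binary comes from the base image, this RUN only masks it in a later layer: the file is gone from the container's filesystem, but the base layer still holds it unless the image is squashed, so the change should not be read as the bytes having left the image. `rm -f` also succeeds silently if a future base image ships pebble at another path, in which case only the now-empty ignore list would surface it again. I would add a comment above the chain such as `# pebble (base-image service manager) is unused in this image; removed so its bundled Go stdlib CVEs are not present in the final filesystem`, and confirm that nothing in these images is started through pebble. The RUN instruction begins outside the hunk.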
@@ -34,7 +34,8 @@ RUN apt-get update -y && apt-get install -y \
 && rm -rf /var/lib/apt/lists/* \
 && rm -f /etc/ssh/ssh_host_* \
 && rm -f /etc/ssl/private/ssl-cert-snakeoil.key \
- && rm -f /etc/ssl/certs/ssl-cert-snakeoil.pem
+ && rm -f /etc/ssl/certs/ssl-cert-snakeoil.pem \
+ && rm -f /usr/bin/pebble
 # Create stub eval.h for Python 3.13+ compatibility (header removed but API still present)
 RUN python3 -c "import sysconfig; open(sysconfig.get_path('include')+'/eval.h','w').write('#pragma once\n')"
diff --git a/server/Dockerfile b/server/Dockerfile
index 863286f..3802764 100644
--- a/server/Dockerfile
+++ b/server/Dockerfile
@@ -46,7 +46,8 @@ RUN apt-get update -y \
 && rm -rf /var/lib/apt/lists/* \
 && rm -f /etc/ssh/ssh_host_* \
 && rm -f /etc/ssl/private/ssl-cert-snakeoil.key \
- && rm -f /etc/ssl/certs/ssl-cert-snakeoil.pem
+ && rm -f /etc/ssl/certs/ssl-cert-snakeoil.pem \
+ && rm -f /usr/bin/pebble
 # Create stub eval.h for Python 3.13+ compatibility (header removed but API still present)
 RUN python3 -c "import sysconfig; open(sysconfig.get_path('include')+'/eval.h','w').write('#pragma once\n')"
diff --git a/server/docker-entrypoint.sh b/server/docker-entrypoint.sh
index 16b68b6..69420a1 100644
--- a/server/docker-entrypoint.sh
+++ b/server/docker-entrypoint.sh
@@ -105,9 +105,16 @@ sudo /opt/pbs/bin/qmgr -c "set server scheduling = True" || true
 sudo /opt/pbs/bin/qmgr -c "set server flatuid = True" || true
 sudo /opt/pbs/bin/qmgr -c "set server job_history_enable = True" || true
-sudo /opt/pbs/bin/qmgr -c "create node pbsnode1" 2>/dev/null || true
-sudo /opt/pbs/bin/qmgr -c "create node pbsnode2" 2>/dev/null || true
-sudo /opt/pbs/bin/qmgr -c "create node pbsnode3" 2>/dev/null || true
+# Pre-declare a range of compute nodes, mirroring the Slurm base's
+# `NodeName=slurmnode[1-10]`. A pbsnodeN with no running mom just shows as
+# "down" (state-unknown); starting a pbsnodeN service brings it "free". This
+# lets the cluster grow purely by adding pbsnodeN services in compose -- the
+# same UX as the Slurm cluster. PBS_MAX_NODES is overridable from compose, so
+# growing past the default needs no base rebuild.
+PBS_MAX_NODES=${PBS_MAX_NODES:-10}
+for i in $(seq 1 "${PBS_MAX_NODES}"); do
+ sudo /opt/pbs/bin/qmgr -c "create node pbsnode${i}" 2>/dev/null || true
+done
 # Create a queuejob hook that defaults output/error paths to the submission
 # directory (PBS_O_WORKDIR) instead of $HOME on the submission host.
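Review bot: `PBS_MAX_NODES` is taken from the environment and handed to `seq` without checking that it is a positive integer, so a mistyped value in compose makes `seq` fail, the loop body never runs, and the server comes up with no nodes declared. The `2>/dev/null || true` on each `qmgr` call (presumably there to tolerate reruns against existing nodes) also hides any genuine create failure. A guard before the loop would make a bad value fail loudly: `case "${PBS_MAX_NODES}" in ''|*[!0-9]*) echo "PBS_MAX_NODES must be a positive integer" >&2; exit 1;; esac`. Since every iteration is a privileged `sudo qmgr` call, an upper bound on the value is worth considering too. The script continues outside the hunk, so whether `set -e` or similar is in effect cannot be seen from here.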