From f101eb8d8113e2ea92e0ffad76ac63c28040e74c Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 29 May 2026 17:27:43 +0000 Subject: [PATCH 01/14] Add sonar-scanner image layered on top of client (without vnc) Introduce a new onec-sonar-scanner image built directly on the client layer. It installs the SonarScanner CLI distribution with a bundled JRE, so the jdk/client-vnc layers are not required. - sonar-scanner/Dockerfile: download and install SonarScanner CLI - Makefile: add sonar-scanner target - Layers.md and README.md: document the new layer https://claude.ai/code/session_0172sYatuatmTxzCafudjtXn --- Layers.md | 5 +++++ Makefile | 10 ++++++++- README.md | 15 ++++++++++++++ sonar-scanner/Dockerfile | 45 ++++++++++++++++++++++++++++++++++++++++ 4 files changed, 74 insertions(+), 1 deletion(-) create mode 100644 sonar-scanner/Dockerfile diff --git a/Layers.md b/Layers.md index be2a406..d68a145 100644 --- a/Layers.md +++ b/Layers.md @@ -23,6 +23,11 @@ * oscript * test-utils +## SonarScanner (анализ кода, без vnc) + +* client +* sonar-scanner + ## 1C как Jenkins агент * client diff --git a/Makefile b/Makefile index 1d971bf..4715908 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ BRANCH = $(shell git rev-parse --abbrev-ref HEAD) GIT_HASH = $(shell git show --format="%h" HEAD | head -1) VERSION ?= latest -.PHONY: all server server-nls client client-vnc client-nls thin-client thin-client-nls crs rac-gui gitsync oscript oscript-utils runner +.PHONY: all server server-nls client client-vnc client-nls sonar-scanner thin-client thin-client-nls crs rac-gui gitsync oscript oscript-utils runner all: server client thin-client crs 
@@ -47,6 +47,14 @@ client-nls: -f client/Dockerfile . docker tag ${DOCKER_REGISTRY_URL}/onec-client-nls:${ONEC_VERSION} ${DOCKER_REGISTRY_URL}/onec-client-nls:latest +sonar-scanner: + docker build --build-arg DOCKER_REGISTRY_URL=${DOCKER_REGISTRY_URL} \ + --build-arg BASE_IMAGE=onec-client \ + --build-arg BASE_TAG=${ONEC_VERSION} \ + -t ${DOCKER_REGISTRY_URL}/onec-sonar-scanner:${ONEC_VERSION} \ + -f sonar-scanner/Dockerfile . + docker tag ${DOCKER_REGISTRY_URL}/onec-sonar-scanner:${ONEC_VERSION} ${DOCKER_REGISTRY_URL}/onec-sonar-scanner:latest + thin-client: docker build --build-arg ONEC_USERNAME=${ONEC_USERNAME} \ --build-arg ONEC_PASSWORD=${ONEC_PASSWORD} \ diff --git a/README.md b/README.md index 613b08d..85f5ff7 100644 --- a/README.md +++ b/README.md @@ -18,6 +18,7 @@ - [Клиент](#клиент) - [Клиент с поддержкой VNC](#клиент-с-поддержкой-vnc) - [Клиент с дополнительными языками](#клиент-с-дополнительными-языками) + - [SonarScanner](#sonarscanner) - [Тонкий клиент](#тонкий-клиент) - [Тонкий клиент с дополнительными языками](#тонкий-клиент-с-дополнительными-языками) - [Хранилище конфигурации](#хранилище-конфигурации) @@ -167,6 +168,20 @@ docker build --build-arg ONEC_USERNAME=${ONEC_USERNAME} \ -f client/Dockerfile . ``` +## SonarScanner + +[(Наверх)](#оглавление) + +Образ с [SonarScanner CLI](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner/) поверх слоя `client` (без поддержки VNC). Используется дистрибутив со встроенной JRE, поэтому слой `jdk` не требуется. Образ предварительно должен быть собран слой `onec-client`. + +```bash +docker build --build-arg DOCKER_REGISTRY_URL=${DOCKER_REGISTRY_URL} \ + --build-arg BASE_IMAGE=onec-client \ + --build-arg BASE_TAG=${ONEC_VERSION} \ + -t ${DOCKER_REGISTRY_URL}/onec-sonar-scanner:${ONEC_VERSION} \ + -f sonar-scanner/Dockerfile . +``` + ## Тонкий клиент [(Наверх)](#оглавление) 
diff --git a/sonar-scanner/Dockerfile b/sonar-scanner/Dockerfile
new file mode 100644
index 0000000..10f6ad0
--- /dev/null
+++ b/sonar-scanner/Dockerfile
@@ -0,0 +1,45 @@
+ARG DOCKER_REGISTRY_URL
+ARG BASE_IMAGE
+ARG BASE_TAG
+
+# BASE_IMAGE - слой client (без vnc)
+FROM ${DOCKER_REGISTRY_URL}${DOCKER_REGISTRY_URL:+/}${BASE_IMAGE}:${BASE_TAG}
+
+LABEL maintainer="Nikita Gryzlov , FirstBit"
+
+USER root
+
+# Версия SonarScanner CLI. Используется дистрибутив с встроенной JRE,
+# поэтому слой jdk поверх client не требуется.
+ARG SONAR_SCANNER_VERSION=5.0.1.3006
+ARG SONAR_SCANNER_ARCH=linux
+
+ENV SONAR_SCANNER_HOME=/opt/sonar-scanner
+
+RUN apt-get update \
+ && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
+ ca-certificates \
+ unzip \
+ wget \
+ && wget -q -O /tmp/sonar-scanner.zip \
+ "https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-${SONAR_SCANNER_ARCH}.zip" \
+ && unzip -q /tmp/sonar-scanner.zip -d /opt \
+ && mv "/opt/sonar-scanner-${SONAR_SCANNER_VERSION}-${SONAR_SCANNER_ARCH}" "${SONAR_SCANNER_HOME}" \
+ && rm -f /tmp/sonar-scanner.zip \
+ && apt-get purge -y --auto-remove unzip wget \
+ && rm -rf \
+ /var/lib/apt/lists/* \
+ /var/cache/debconf \
+ /tmp/* \
+ /var/tmp/*
+
+ENV PATH="${SONAR_SCANNER_HOME}/bin:${PATH}"
+
+# Использовать встроенную в дистрибутив JRE
+ENV SONAR_SCANNER_OPTS=""
+
+USER usr1cv8
+
+WORKDIR /usr/src
+
+CMD ["sonar-scanner"]
From ed7c95f9613bb6b4c0e3b6510c3029a0c9b28158 Mon Sep 17 00:00:00 2001
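Review bot: The SonarScanner archive fetched by `wget` in the `RUN` step of sonar-scanner/Dockerfile is unpacked into `/opt` and put on `PATH` without any integrity check, so the image trusts whatever the download host or an intermediate proxy returns at build time. Pin the expected digest next to the version, `ARG SONAR_SCANNER_SHA256=REPLACE_WITH_RELEASE_SHA256`, and verify right after the download with `&& echo "${SONAR_SCANNER_SHA256}  /tmp/sonar-scanner.zip" | sha256sum -c - \`, so that a version bump cannot go through without a matching digest update. The later hunks that touch this `RUN` step (PATCH 02 and the version bump in PATCH 04) keep the unverified download, so the same change applies there.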
From: Claude Date: Fri, 29 May 2026 17:30:32 +0000 Subject: [PATCH 02/14] Build sonar-scanner on client+jdk and add build scripts + CI Rework the SonarScanner image to layer on top of client + jdk instead of relying on a bundled JRE, using the JDK provided by the jdk layer. - sonar-scanner/Dockerfile: use system Java from the jdk layer - build-sonar-scanner.sh / .bat: build the full client -> jdk -> sonar-scanner chain - .github/workflows/build.yml: add build-sonar-scanner.sh to the CI matrix - Makefile: base sonar-scanner target on onec-client-jdk - Layers.md / README.md: document the new layer stack and build scripts https://claude.ai/code/session_0172sYatuatmTxzCafudjtXn --- .github/workflows/build.yml | 2 +- Layers.md | 6 +++ Makefile | 2 +- README.md | 13 ++++++- build-sonar-scanner.bat | 72 +++++++++++++++++++++++++++++++++++ build-sonar-scanner.sh | 76 +++++++++++++++++++++++++++++++++++++ sonar-scanner/Dockerfile | 18 +++------ 7 files changed, 173 insertions(+), 16 deletions(-) create mode 100644 build-sonar-scanner.bat create mode 100755 build-sonar-scanner.sh diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7a0e54a..9d27384 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -17,7 +17,7 @@ jobs: strategy: fail-fast: false matrix: - script: [ 'build-base-k8s-jenkins-agent.sh', 'build-base-k8s-jenkins-coverage-agent.sh', 'build-base-swarm-jenkins-agent.sh', 'build-base-swarm-jenkins-coverage-agent.sh', 'build-edt-swarm-agent.sh', 'build-edt-k8s-agent.sh', 'build-oscript-k8s-agent.sh', 'build-oscript-swarm-agent.sh', 'build-server.sh', 'build-executor.sh'] + script: [ 'build-base-k8s-jenkins-agent.sh', 'build-base-k8s-jenkins-coverage-agent.sh', 'build-base-swarm-jenkins-agent.sh', 'build-base-swarm-jenkins-coverage-agent.sh', 'build-edt-swarm-agent.sh', 'build-edt-k8s-agent.sh', 'build-oscript-k8s-agent.sh', 'build-oscript-swarm-agent.sh', 'build-server.sh', 'build-executor.sh', 'build-sonar-scanner.sh'] steps: - name: Maximize build space diff --git a/Layers.md b/Layers.md index d68a145..d5c0f7a 100644 --- a/Layers.md +++ b/Layers.md @@ -26,8 +26,14 @@ ## SonarScanner (анализ кода, без vnc) * client +* jdk * sonar-scanner +Реализовано в скриптах: + +* [build-sonar-scanner.sh](build-sonar-scanner.sh) +* [build-sonar-scanner.bat](build-sonar-scanner.bat) + ## 1C как Jenkins агент * client diff --git a/Makefile b/Makefile index 4715908..d624744 100644 --- a/Makefile +++ b/Makefile @@ -49,7 +49,7 @@ client-nls: sonar-scanner: docker build --build-arg DOCKER_REGISTRY_URL=${DOCKER_REGISTRY_URL} \ - --build-arg BASE_IMAGE=onec-client \ + --build-arg BASE_IMAGE=onec-client-jdk \ --build-arg BASE_TAG=${ONEC_VERSION} \ -t ${DOCKER_REGISTRY_URL}/onec-sonar-scanner:${ONEC_VERSION} \ -f sonar-scanner/Dockerfile . diff --git a/README.md b/README.md index 85f5ff7..a89a34c 100644 --- a/README.md +++ b/README.md 
@@ -87,6 +87,13 @@ env.bat - build-edt-k8s-agent.sh - build-oscript-k8s-agent.sh +3. Отдельные образы: + + - build-server.sh + - build-crs.sh + - build-executor.sh + - build-sonar-scanner.sh + ## Как использовать готовые дистрибутивы Вы можете использовать готовые дистрибутивы платформы, для этого достаточно разместить их в папке `distr`. Скрипты будут автоматически использовать их для сборки образа. @@ -172,11 +179,13 @@ docker build --build-arg ONEC_USERNAME=${ONEC_USERNAME} \ [(Наверх)](#оглавление) -Образ с [SonarScanner CLI](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner/) поверх слоя `client` (без поддержки VNC). Используется дистрибутив со встроенной JRE, поэтому слой `jdk` не требуется. Образ предварительно должен быть собран слой `onec-client`. +Образ с [SonarScanner CLI](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner/) поверх слоёв `client` + `jdk` (без поддержки VNC). Java предоставляется слоем `jdk`. Для сборки всей цепочки слоёв (`client` → `jdk` → `sonar-scanner`) используйте скрипт `build-sonar-scanner.sh` (или `build-sonar-scanner.bat` в Windows). + +Либо соберите только финальный слой поверх уже собранного образа `onec-client-jdk`: ```bash docker build --build-arg DOCKER_REGISTRY_URL=${DOCKER_REGISTRY_URL} \ - --build-arg BASE_IMAGE=onec-client \ + --build-arg BASE_IMAGE=onec-client-jdk \ --build-arg BASE_TAG=${ONEC_VERSION} \ -t ${DOCKER_REGISTRY_URL}/onec-sonar-scanner:${ONEC_VERSION} \ -f sonar-scanner/Dockerfile . diff --git a/build-sonar-scanner.bat b/build-sonar-scanner.bat new file mode 100644 index 0000000..efd6568 --- /dev/null +++ b/build-sonar-scanner.bat 
@@ -0,0 +1,72 @@
+@echo off
+
+docker login -u %DOCKER_LOGIN% -p %DOCKER_PASSWORD% %DOCKER_REGISTRY_URL%
+
+if %ERRORLEVEL% neq 0 goto end
+
+if %DOCKER_SYSTEM_PRUNE%=="true" docker system prune -af
+
+if %ERRORLEVEL% neq 0 goto end
+
+if %NO_CACHE%=="true" (SET last_arg="--no-cache .") else (SET last_arg=".")
+
+docker build ^
+ --pull ^
+ --build-arg DOCKER_REGISTRY_URL=library ^
+ --build-arg BASE_IMAGE=ubuntu ^
+ --build-arg BASE_TAG=20.04 ^
+ --build-arg ONESCRIPT_PACKAGES="yard" ^
+ -t %DOCKER_REGISTRY_URL%/oscript-downloader:latest ^
+ -f oscript/Dockerfile ^
+ %last_arg%
+
+if %ERRORLEVEL% neq 0 goto end
+
+docker build ^
+ --build-arg ONEC_USERNAME=%ONEC_USERNAME% ^
+ --build-arg ONEC_PASSWORD=%ONEC_PASSWORD% ^
+ --build-arg ONEC_VERSION=%ONEC_VERSION% ^
+ --build-arg DOCKER_REGISTRY_URL=%DOCKER_REGISTRY_URL% ^
+ --build-arg BASE_IMAGE=oscript-downloader ^
+ --build-arg BASE_TAG=latest ^
+ -t %DOCKER_REGISTRY_URL%/onec-client:%ONEC_VERSION% ^
+ -f client/Dockerfile ^
+ %last_arg%
+
+if %ERRORLEVEL% neq 0 goto end
+
+docker push %DOCKER_REGISTRY_URL%/onec-client:%ONEC_VERSION%
+
+if %ERRORLEVEL% neq 0 goto end
+
+docker build ^
+ --build-arg DOCKER_REGISTRY_URL=%DOCKER_REGISTRY_URL% ^
+ --build-arg BASE_IMAGE=onec-client ^
+ --build-arg BASE_TAG=%ONEC_VERSION% ^
+ --build-arg OPENJDK_VERSION=%OPENJDK_VERSION% ^
+ -t %DOCKER_REGISTRY_URL%/onec-client-jdk:%ONEC_VERSION% ^
+ -f jdk/Dockerfile ^
+ %last_arg%
+
+if %ERRORLEVEL% neq 0 goto end
+
+docker push %DOCKER_REGISTRY_URL%/onec-client-jdk:%ONEC_VERSION%
+
+if %ERRORLEVEL% neq 0 goto end
+
+docker build ^
+ --build-arg DOCKER_REGISTRY_URL=%DOCKER_REGISTRY_URL% ^
+ --build-arg BASE_IMAGE=onec-client-jdk ^
+ --build-arg BASE_TAG=%ONEC_VERSION% ^
+ -t %DOCKER_REGISTRY_URL%/onec-sonar-scanner:%ONEC_VERSION% ^
+ -f sonar-scanner/Dockerfile ^
+ %last_arg%
+
+if %ERRORLEVEL% neq 0 goto end
+
+docker push %DOCKER_REGISTRY_URL%/onec-sonar-scanner:%ONEC_VERSION%
+
+if %ERRORLEVEL% neq 0 goto end
+
+:end
+echo End of program.
diff --git a/build-sonar-scanner.sh b/build-sonar-scanner.sh
new file mode 100755
index 0000000..8b2244b
--- /dev/null
+++ b/build-sonar-scanner.sh
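Review bot: In build-sonar-scanner.bat, `docker login -u %DOCKER_LOGIN% -p %DOCKER_PASSWORD%` puts the registry password on the command line, where process listings and command logging can capture it, and `--build-arg ONEC_PASSWORD=%ONEC_PASSWORD%` passes the 1C portal password into a build whose `onec-client` image is pushed immediately afterwards. Build arguments are recorded in the image history unless the stage that consumes them is discarded; client/Dockerfile is not part of this patch, so whether that holds here needs confirming. For the login, `echo %DOCKER_PASSWORD%| docker login -u %DOCKER_LOGIN% --password-stdin %DOCKER_REGISTRY_URL%` keeps the password out of the argument list, and for the portal credentials a BuildKit secret (`--secret id=onec_password,env=ONEC_PASSWORD` with a matching `RUN --mount=type=secret` in client/Dockerfile) keeps them out of the layers. build-sonar-scanner.sh in the same commit uses both patterns.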
@@ -0,0 +1,76 @@
+#!/usr/bin/env bash
+set -eo pipefail
+
+if [ -n "${DOCKER_LOGIN}" ] && [ -n "${DOCKER_PASSWORD}" ] && [ -n "${DOCKER_REGISTRY_URL}" ]; then
+ if ! docker login -u "${DOCKER_LOGIN}" -p "${DOCKER_PASSWORD}" "${DOCKER_REGISTRY_URL}"; then
+ echo "Docker login failed"
+ exit 1
+ fi
+else
+ echo "Skipping Docker login due to missing credentials"
+fi
+
+if [ "${DOCKER_SYSTEM_PRUNE}" = 'true' ] ; then
+ docker system prune -af
+fi
+
+last_arg='.'
+if [ "${NO_CACHE}" = 'true' ] ; then
+ last_arg='--no-cache .'
+fi
+
+docker build \
+ --pull \
+ --build-arg DOCKER_REGISTRY_URL=library \
+ --build-arg BASE_IMAGE=ubuntu \
+ --build-arg BASE_TAG=20.04 \
+ --build-arg ONESCRIPT_PACKAGES="yard" \
+ -t ${DOCKER_REGISTRY_URL:+"$DOCKER_REGISTRY_URL/"}oscript-downloader:latest \
+ -f oscript/Dockerfile \
+ $last_arg
+
+docker build \
+ --build-arg ONEC_USERNAME=$ONEC_USERNAME \
+ --build-arg ONEC_PASSWORD=$ONEC_PASSWORD \
+ --build-arg ONEC_VERSION=$ONEC_VERSION \
+ --build-arg DOCKER_REGISTRY_URL=$DOCKER_REGISTRY_URL \
+ --build-arg BASE_IMAGE=oscript-downloader \
+ --build-arg BASE_TAG=latest \
+ -t ${DOCKER_REGISTRY_URL:+"$DOCKER_REGISTRY_URL/"}onec-client:$ONEC_VERSION \
+ -f client/Dockerfile \
+ $last_arg
+
+if [[ -n "$DOCKER_REGISTRY_URL" ]]; then
+ docker push $DOCKER_REGISTRY_URL/onec-client:$ONEC_VERSION
+else
+ echo "DOCKER_REGISTRY_URL not set, skipping docker push."
+fi
+
+docker build \
+ --build-arg DOCKER_REGISTRY_URL=$DOCKER_REGISTRY_URL \
+ --build-arg BASE_IMAGE=onec-client \
+ --build-arg BASE_TAG=$ONEC_VERSION \
+ --build-arg OPENJDK_VERSION=$OPENJDK_VERSION \
+ -t ${DOCKER_REGISTRY_URL:+"$DOCKER_REGISTRY_URL/"}onec-client-jdk:$ONEC_VERSION \
+ -f jdk/Dockerfile \
+ $last_arg
+
+if [[ -n "$DOCKER_REGISTRY_URL" ]]; then
+ docker push $DOCKER_REGISTRY_URL/onec-client-jdk:$ONEC_VERSION
+else
+ echo "DOCKER_REGISTRY_URL not set, skipping docker push."
+fi
+
+docker build \
+ --build-arg DOCKER_REGISTRY_URL=$DOCKER_REGISTRY_URL \
+ --build-arg BASE_IMAGE=onec-client-jdk \
+ --build-arg BASE_TAG=$ONEC_VERSION \
+ -t ${DOCKER_REGISTRY_URL:+"$DOCKER_REGISTRY_URL/"}onec-sonar-scanner:$ONEC_VERSION \
+ -f sonar-scanner/Dockerfile \
+ $last_arg
+
+if [[ -n "$DOCKER_REGISTRY_URL" ]]; then
+ docker push $DOCKER_REGISTRY_URL/onec-sonar-scanner:$ONEC_VERSION
+else
+ echo "DOCKER_REGISTRY_URL not set, skipping docker push."
+fi
diff --git a/sonar-scanner/Dockerfile b/sonar-scanner/Dockerfile
index 10f6ad0..0e45629 100644
--- a/sonar-scanner/Dockerfile
+++ b/sonar-scanner/Dockerfile
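Review bot: The `--build-arg` values in build-sonar-scanner.sh are expanded unquoted (`--build-arg ONEC_PASSWORD=$ONEC_PASSWORD`, `--build-arg ONEC_USERNAME=$ONEC_USERNAME`), so a credential containing whitespace or glob characters is split into extra `docker build` arguments instead of being passed intact. Quote them as `--build-arg "ONEC_PASSWORD=$ONEC_PASSWORD"`, and do the same for the `-t` and `docker push` image references; `$last_arg` is the one expansion that depends on word splitting and would be clearer as an array. The script also never checks `ONEC_VERSION`, so an unset value yields an image reference with an empty tag; a guard such as `: "${ONEC_VERSION:?ONEC_VERSION is required}"` near the top stops the run early with a clear message.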
@@ -2,31 +2,28 @@ ARG DOCKER_REGISTRY_URL ARG BASE_IMAGE ARG BASE_TAG -# BASE_IMAGE - слой client (без vnc) +# BASE_IMAGE - слой client с установленным JDK (client + jdk) FROM ${DOCKER_REGISTRY_URL}${DOCKER_REGISTRY_URL:+/}${BASE_IMAGE}:${BASE_TAG} LABEL maintainer="Nikita Gryzlov , FirstBit" USER root -# Версия SonarScanner CLI. Используется дистрибутив с встроенной JRE, -# поэтому слой jdk поверх client не требуется. +# Версия SonarScanner CLI. Java предоставляется слоем jdk. ARG SONAR_SCANNER_VERSION=5.0.1.3006 -ARG SONAR_SCANNER_ARCH=linux ENV SONAR_SCANNER_HOME=/opt/sonar-scanner +# ca-certificates и wget уже присутствуют в слоях client/jdk RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ - ca-certificates \ unzip \ - wget \ && wget -q -O /tmp/sonar-scanner.zip \ - "https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}-${SONAR_SCANNER_ARCH}.zip" \ + "https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}.zip" \ && unzip -q /tmp/sonar-scanner.zip -d /opt \ - && mv "/opt/sonar-scanner-${SONAR_SCANNER_VERSION}-${SONAR_SCANNER_ARCH}" "${SONAR_SCANNER_HOME}" \ + && mv "/opt/sonar-scanner-${SONAR_SCANNER_VERSION}" "${SONAR_SCANNER_HOME}" \ && rm -f /tmp/sonar-scanner.zip \ - && apt-get purge -y --auto-remove unzip wget \ + && apt-get purge -y --auto-remove unzip \ && rm -rf \ /var/lib/apt/lists/* \ /var/cache/debconf \ @@ -35,9 +32,6 @@ RUN apt-get update \ ENV PATH="${SONAR_SCANNER_HOME}/bin:${PATH}" -# Использовать встроенную в дистрибутив JRE -ENV SONAR_SCANNER_OPTS="" - USER usr1cv8 WORKDIR /usr/src From 1e46cfd4d2fc6db30dbb3e245edb92acd1668bf1 Mon Sep 17 00:00:00 2001 
From: Claude Date: Fri, 29 May 2026 17:31:12 +0000 Subject: [PATCH 03/14] Disable SonarScanner JRE auto-provisioning Java is provided by the jdk layer, so disable downloading a JRE from the server via SONAR_SCANNER_SKIP_JRE_PROVISIONING. https://claude.ai/code/session_0172sYatuatmTxzCafudjtXn --- sonar-scanner/Dockerfile | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sonar-scanner/Dockerfile b/sonar-scanner/Dockerfile index 0e45629..797f0bd 100644 --- a/sonar-scanner/Dockerfile +++ b/sonar-scanner/Dockerfile @@ -32,6 +32,9 @@ RUN apt-get update \ ENV PATH="${SONAR_SCANNER_HOME}/bin:${PATH}" +# Java берётся из слоя jdk, поэтому отключаем автоскачивание JRE с сервера +ENV SONAR_SCANNER_SKIP_JRE_PROVISIONING=true + USER usr1cv8 WORKDIR /usr/src From 0aa17785df38b7aed8b26a9cf1e781cacbefa7fc Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 29 May 2026 17:33:45 +0000 Subject: [PATCH 04/14] Bump SonarScanner CLI to latest 8.1.0.6389 and build jdk layer with JDK 21 SonarScanner CLI 8.x requires Java 21+, so build the jdk layer with OpenJDK 21 (SONAR_JDK_VERSION, default 21) in the build scripts. https://claude.ai/code/session_0172sYatuatmTxzCafudjtXn --- README.md | 4 ++-- build-sonar-scanner.bat | 5 ++++- build-sonar-scanner.sh | 5 ++++- sonar-scanner/Dockerfile | 3 ++- 4 files changed, 12 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index a89a34c..a84e193 100644 --- a/README.md +++ b/README.md 
@@ -179,9 +179,9 @@ docker build --build-arg ONEC_USERNAME=${ONEC_USERNAME} \ [(Наверх)](#оглавление) -Образ с [SonarScanner CLI](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner/) поверх слоёв `client` + `jdk` (без поддержки VNC). Java предоставляется слоем `jdk`. Для сборки всей цепочки слоёв (`client` → `jdk` → `sonar-scanner`) используйте скрипт `build-sonar-scanner.sh` (или `build-sonar-scanner.bat` в Windows). +Образ с [SonarScanner CLI](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner/) поверх слоёв `client` + `jdk` (без поддержки VNC). Java предоставляется слоем `jdk`, автоскачивание JRE с сервера отключено (`SONAR_SCANNER_SKIP_JRE_PROVISIONING=true`). SonarScanner CLI 8.x требует Java 21+, поэтому скрипт сборки собирает слой `jdk` с JDK 21 (`SONAR_JDK_VERSION`, по умолчанию `21`). Для сборки всей цепочки слоёв (`client` → `jdk` → `sonar-scanner`) используйте скрипт `build-sonar-scanner.sh` (или `build-sonar-scanner.bat` в Windows). -Либо соберите только финальный слой поверх уже собранного образа `onec-client-jdk`: +Либо соберите только финальный слой поверх уже собранного образа `onec-client-jdk` (собранного с JDK 21): ```bash docker build --build-arg DOCKER_REGISTRY_URL=${DOCKER_REGISTRY_URL} \ diff --git a/build-sonar-scanner.bat b/build-sonar-scanner.bat index efd6568..bc2c750 100644 --- a/build-sonar-scanner.bat +++ b/build-sonar-scanner.bat @@ -10,6 +10,9 @@ if %ERRORLEVEL% neq 0 goto end if %NO_CACHE%=="true" (SET last_arg="--no-cache .") else (SET last_arg=".") +rem SonarScanner CLI 8.x требует Java 21+, поэтому слой jdk собираем с JDK 21 +if "%SONAR_JDK_VERSION%"=="" set SONAR_JDK_VERSION=21 + docker build ^ --pull ^ --build-arg DOCKER_REGISTRY_URL=library ^ 
@@ -43,7 +46,7 @@ docker build ^ --build-arg DOCKER_REGISTRY_URL=%DOCKER_REGISTRY_URL% ^ --build-arg BASE_IMAGE=onec-client ^ --build-arg BASE_TAG=%ONEC_VERSION% ^ - --build-arg OPENJDK_VERSION=%OPENJDK_VERSION% ^ + --build-arg OPENJDK_VERSION=%SONAR_JDK_VERSION% ^ -t %DOCKER_REGISTRY_URL%/onec-client-jdk:%ONEC_VERSION% ^ -f jdk/Dockerfile ^ %last_arg% diff --git a/build-sonar-scanner.sh b/build-sonar-scanner.sh index 8b2244b..ba96b9a 100755 --- a/build-sonar-scanner.sh +++ b/build-sonar-scanner.sh @@ -19,6 +19,9 @@ if [ "${NO_CACHE}" = 'true' ] ; then last_arg='--no-cache .' fi +# SonarScanner CLI 8.x требует Java 21+, поэтому слой jdk собираем с JDK 21 +SONAR_JDK_VERSION="${SONAR_JDK_VERSION:-21}" + docker build \ --pull \ --build-arg DOCKER_REGISTRY_URL=library \ @@ -50,7 +53,7 @@ docker build \ --build-arg DOCKER_REGISTRY_URL=$DOCKER_REGISTRY_URL \ --build-arg BASE_IMAGE=onec-client \ --build-arg BASE_TAG=$ONEC_VERSION \ - --build-arg OPENJDK_VERSION=$OPENJDK_VERSION \ + --build-arg OPENJDK_VERSION=$SONAR_JDK_VERSION \ -t ${DOCKER_REGISTRY_URL:+"$DOCKER_REGISTRY_URL/"}onec-client-jdk:$ONEC_VERSION \ -f jdk/Dockerfile \ $last_arg diff --git a/sonar-scanner/Dockerfile b/sonar-scanner/Dockerfile index 797f0bd..d29c4c9 100644 --- a/sonar-scanner/Dockerfile +++ b/sonar-scanner/Dockerfile @@ -10,7 +10,8 @@ LABEL maintainer="Nikita Gryzlov , FirstBit" USER root # Версия SonarScanner CLI. Java предоставляется слоем jdk. -ARG SONAR_SCANNER_VERSION=5.0.1.3006 +# SonarScanner CLI 8.x требует Java 21+ (см. build-sonar-scanner.sh). +ARG SONAR_SCANNER_VERSION=8.1.0.6389 ENV SONAR_SCANNER_HOME=/opt/sonar-scanner From 344cd182817353ff763483349a573ec2228689d5 Mon Sep 17 00:00:00 2001 
From: Claude Date: Fri, 29 May 2026 17:34:38 +0000 Subject: [PATCH 05/14] Build sonar-scanner jdk layer with JDK 25 https://claude.ai/code/session_0172sYatuatmTxzCafudjtXn --- README.md | 4 ++-- build-sonar-scanner.bat | 4 ++-- build-sonar-scanner.sh | 4 ++-- sonar-scanner/Dockerfile | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index a84e193..e54f30d 100644 --- a/README.md +++ b/README.md @@ -179,9 +179,9 @@ docker build --build-arg ONEC_USERNAME=${ONEC_USERNAME} \ [(Наверх)](#оглавление) -Образ с [SonarScanner CLI](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner/) поверх слоёв `client` + `jdk` (без поддержки VNC). Java предоставляется слоем `jdk`, автоскачивание JRE с сервера отключено (`SONAR_SCANNER_SKIP_JRE_PROVISIONING=true`). SonarScanner CLI 8.x требует Java 21+, поэтому скрипт сборки собирает слой `jdk` с JDK 21 (`SONAR_JDK_VERSION`, по умолчанию `21`). Для сборки всей цепочки слоёв (`client` → `jdk` → `sonar-scanner`) используйте скрипт `build-sonar-scanner.sh` (или `build-sonar-scanner.bat` в Windows). +Образ с [SonarScanner CLI](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner/) поверх слоёв `client` + `jdk` (без поддержки VNC). Java предоставляется слоем `jdk`, автоскачивание JRE с сервера отключено (`SONAR_SCANNER_SKIP_JRE_PROVISIONING=true`). SonarScanner CLI 8.x требует Java 21+, поэтому скрипт сборки собирает слой `jdk` с JDK 25 (`SONAR_JDK_VERSION`, по умолчанию `25`). Для сборки всей цепочки слоёв (`client` → `jdk` → `sonar-scanner`) используйте скрипт `build-sonar-scanner.sh` (или `build-sonar-scanner.bat` в Windows). -Либо соберите только финальный слой поверх уже собранного образа `onec-client-jdk` (собранного с JDK 21): +Либо соберите только финальный слой поверх уже собранного образа `onec-client-jdk` (собранного с JDK 25): ```bash docker build --build-arg DOCKER_REGISTRY_URL=${DOCKER_REGISTRY_URL} \ 
diff --git a/build-sonar-scanner.bat b/build-sonar-scanner.bat index bc2c750..4137772 100644 --- a/build-sonar-scanner.bat +++ b/build-sonar-scanner.bat @@ -10,8 +10,8 @@ if %ERRORLEVEL% neq 0 goto end if %NO_CACHE%=="true" (SET last_arg="--no-cache .") else (SET last_arg=".") -rem SonarScanner CLI 8.x требует Java 21+, поэтому слой jdk собираем с JDK 21 -if "%SONAR_JDK_VERSION%"=="" set SONAR_JDK_VERSION=21 +rem SonarScanner CLI 8.x требует Java 21+, поэтому слой jdk собираем с JDK 25 +if "%SONAR_JDK_VERSION%"=="" set SONAR_JDK_VERSION=25 docker build ^ --pull ^ diff --git a/build-sonar-scanner.sh b/build-sonar-scanner.sh index ba96b9a..23dd9f8 100755 --- a/build-sonar-scanner.sh +++ b/build-sonar-scanner.sh @@ -19,8 +19,8 @@ if [ "${NO_CACHE}" = 'true' ] ; then last_arg='--no-cache .' fi -# SonarScanner CLI 8.x требует Java 21+, поэтому слой jdk собираем с JDK 21 -SONAR_JDK_VERSION="${SONAR_JDK_VERSION:-21}" +# SonarScanner CLI 8.x требует Java 21+, поэтому слой jdk собираем с JDK 25 +SONAR_JDK_VERSION="${SONAR_JDK_VERSION:-25}" docker build \ --pull \ diff --git a/sonar-scanner/Dockerfile b/sonar-scanner/Dockerfile index d29c4c9..0a6dd2e 100644 --- a/sonar-scanner/Dockerfile +++ b/sonar-scanner/Dockerfile @@ -10,7 +10,7 @@ LABEL maintainer="Nikita Gryzlov , FirstBit" USER root # Версия SonarScanner CLI. Java предоставляется слоем jdk. -# SonarScanner CLI 8.x требует Java 21+ (см. build-sonar-scanner.sh). +# SonarScanner CLI 8.x требует Java 21+, слой jdk собирается с JDK 25 (см. build-sonar-scanner.sh). ARG SONAR_SCANNER_VERSION=8.1.0.6389 ENV SONAR_SCANNER_HOME=/opt/sonar-scanner From 923501cc33fc7ac15df54c8c430784a25d5eb317 Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 29 May 2026 17:38:27 +0000 Subject: [PATCH 06/14] Update sonar-scanner maintainer label https://claude.ai/code/session_0172sYatuatmTxzCafudjtXn --- sonar-scanner/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/sonar-scanner/Dockerfile b/sonar-scanner/Dockerfile index 0a6dd2e..1b6d88a 100644 --- a/sonar-scanner/Dockerfile +++ b/sonar-scanner/Dockerfile @@ -5,7 +5,7 @@ ARG BASE_TAG # BASE_IMAGE - слой client с установленным JDK (client + jdk) FROM ${DOCKER_REGISTRY_URL}${DOCKER_REGISTRY_URL:+/}${BASE_IMAGE}:${BASE_TAG} -LABEL maintainer="Nikita Gryzlov , FirstBit" +LABEL maintainer="Nikita Fedkin , FirstBit" USER root From 80c0ca47e5ef413beeb3acecdf5d274a84745a37 Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 29 May 2026 17:40:34 +0000 Subject: [PATCH 07/14] Remove bogus sonar-scanner Makefile target referencing non-existent base The onec-client-jdk image is not a standalone repo image; it only exists as an intermediate built inside build-sonar-scanner.sh. Multi-layer stacks are not represented in the Makefile (they use build-*.sh scripts), so drop the broken target and make the README example self-contained by building the jdk layer first. https://claude.ai/code/session_0172sYatuatmTxzCafudjtXn --- Makefile | 10 +--------- README.md | 11 ++++++++++- 2 files changed, 11 insertions(+), 10 deletions(-) diff --git a/Makefile b/Makefile index d624744..1d971bf 100644 --- a/Makefile +++ b/Makefile @@ -2,7 +2,7 @@ BRANCH = $(shell git rev-parse --abbrev-ref HEAD) GIT_HASH = $(shell git show --format="%h" HEAD | head -1) VERSION ?= latest -.PHONY: all server server-nls client client-vnc client-nls sonar-scanner thin-client thin-client-nls crs rac-gui gitsync oscript oscript-utils runner +.PHONY: all server server-nls client client-vnc client-nls thin-client thin-client-nls crs rac-gui gitsync oscript oscript-utils runner all: server client thin-client crs 
@@ -47,14 +47,6 @@ client-nls: -f client/Dockerfile . docker tag ${DOCKER_REGISTRY_URL}/onec-client-nls:${ONEC_VERSION} ${DOCKER_REGISTRY_URL}/onec-client-nls:latest -sonar-scanner: - docker build --build-arg DOCKER_REGISTRY_URL=${DOCKER_REGISTRY_URL} \ - --build-arg BASE_IMAGE=onec-client-jdk \ - --build-arg BASE_TAG=${ONEC_VERSION} \ - -t ${DOCKER_REGISTRY_URL}/onec-sonar-scanner:${ONEC_VERSION} \ - -f sonar-scanner/Dockerfile . - docker tag ${DOCKER_REGISTRY_URL}/onec-sonar-scanner:${ONEC_VERSION} ${DOCKER_REGISTRY_URL}/onec-sonar-scanner:latest - thin-client: docker build --build-arg ONEC_USERNAME=${ONEC_USERNAME} \ --build-arg ONEC_PASSWORD=${ONEC_PASSWORD} \ diff --git a/README.md b/README.md index e54f30d..891aafb 100644 --- a/README.md +++ b/README.md 
@@ -181,9 +181,18 @@ docker build --build-arg ONEC_USERNAME=${ONEC_USERNAME} \ Образ с [SonarScanner CLI](https://docs.sonarsource.com/sonarqube/latest/analyzing-source-code/scanners/sonarscanner/) поверх слоёв `client` + `jdk` (без поддержки VNC). Java предоставляется слоем `jdk`, автоскачивание JRE с сервера отключено (`SONAR_SCANNER_SKIP_JRE_PROVISIONING=true`). SonarScanner CLI 8.x требует Java 21+, поэтому скрипт сборки собирает слой `jdk` с JDK 25 (`SONAR_JDK_VERSION`, по умолчанию `25`). Для сборки всей цепочки слоёв (`client` → `jdk` → `sonar-scanner`) используйте скрипт `build-sonar-scanner.sh` (или `build-sonar-scanner.bat` в Windows). -Либо соберите только финальный слой поверх уже собранного образа `onec-client-jdk` (собранного с JDK 25): +Либо вручную, поверх уже собранного образа `onec-client` (см. раздел [Клиент](#клиент)) — сначала слой `jdk`, затем `sonar-scanner`: ```bash +# слой jdk поверх client +docker build --build-arg DOCKER_REGISTRY_URL=${DOCKER_REGISTRY_URL} \ + --build-arg BASE_IMAGE=onec-client \ + --build-arg BASE_TAG=${ONEC_VERSION} \ + --build-arg OPENJDK_VERSION=25 \ + -t ${DOCKER_REGISTRY_URL}/onec-client-jdk:${ONEC_VERSION} \ + -f jdk/Dockerfile . + +# слой sonar-scanner поверх client + jdk docker build --build-arg DOCKER_REGISTRY_URL=${DOCKER_REGISTRY_URL} \ --build-arg BASE_IMAGE=onec-client-jdk \ --build-arg BASE_TAG=${ONEC_VERSION} \ From 46a4c82b4ac15170e158e7ad4e9ae5f6089f2a58 Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 29 May 2026 17:40:54 +0000 Subject: [PATCH 08/14] Drop FirstBit from sonar-scanner maintainer label https://claude.ai/code/session_0172sYatuatmTxzCafudjtXn --- sonar-scanner/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sonar-scanner/Dockerfile b/sonar-scanner/Dockerfile index 1b6d88a..a024864 100644 --- a/sonar-scanner/Dockerfile +++ b/sonar-scanner/Dockerfile 
@@ -5,7 +5,7 @@ ARG BASE_TAG # BASE_IMAGE - слой client с установленным JDK (client + jdk) FROM ${DOCKER_REGISTRY_URL}${DOCKER_REGISTRY_URL:+/}${BASE_IMAGE}:${BASE_TAG} -LABEL maintainer="Nikita Fedkin , FirstBit" +LABEL maintainer="Nikita Fedkin " USER root From 7a7fbda8a388d3295f2f729a22c6e319acdf36b9 Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 29 May 2026 17:53:35 +0000 Subject: [PATCH 09/14] Fix client->jdk layering and quote batch conditionals - jdk/Dockerfile: switch to USER root before apt-get so the layer works when based on the client image (which ends as USER usr1cv8). No-op for existing root-based consumers. - build-sonar-scanner.bat: quote DOCKER_SYSTEM_PRUNE/NO_CACHE comparisons to avoid malformed if-statements when unset. https://claude.ai/code/session_0172sYatuatmTxzCafudjtXn --- build-sonar-scanner.bat | 4 ++-- jdk/Dockerfile | 3 +++ 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/build-sonar-scanner.bat b/build-sonar-scanner.bat index 4137772..1e8d127 100644 --- a/build-sonar-scanner.bat +++ b/build-sonar-scanner.bat @@ -4,11 +4,11 @@ docker login -u %DOCKER_LOGIN% -p %DOCKER_PASSWORD% %DOCKER_REGISTRY_URL% if %ERRORLEVEL% neq 0 goto end -if %DOCKER_SYSTEM_PRUNE%=="true" docker system prune -af +if "%DOCKER_SYSTEM_PRUNE%"=="true" docker system prune -af if %ERRORLEVEL% neq 0 goto end -if %NO_CACHE%=="true" (SET last_arg="--no-cache .") else (SET last_arg=".") +if "%NO_CACHE%"=="true" (SET last_arg="--no-cache .") else (SET last_arg=".") rem SonarScanner CLI 8.x требует Java 21+, поэтому слой jdk собираем с JDK 25 if "%SONAR_JDK_VERSION%"=="" set SONAR_JDK_VERSION=25 diff --git a/jdk/Dockerfile b/jdk/Dockerfile index ed324d8..a79e38e 100644 --- a/jdk/Dockerfile +++ b/jdk/Dockerfile 
@@ -6,6 +6,9 @@ FROM ${DOCKER_REGISTRY_URL:+"$DOCKER_REGISTRY_URL/"}${BASE_IMAGE}:${BASE_TAG} LABEL maintainer="Nikita Gryzlov , FirstBit" +# Установка JDK требует root (например, когда базовый слой client завершается USER usr1cv8) +USER root + # Install OpenJDK ARG OPENJDK_VERSION=17 From 68a401bbebcd0510738fd49d7a544135368258b4 Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 29 May 2026 17:58:01 +0000 Subject: [PATCH 10/14] Fix Mono APT key import in oscript image The oscript image failed to build on newer base images (e.g. the eclipse-temurin:17 base used by the oscript agent scripts) because it used the deprecated 'apt-key adv' with an hkp:// keyserver. Switch to the modern signed-by keyring approach over https, mirroring the pattern already used in client/Dockerfile. --- oscript/Dockerfile | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/oscript/Dockerfile b/oscript/Dockerfile index 556fe47..7041120 100644 --- a/oscript/Dockerfile +++ b/oscript/Dockerfile 
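Review bot: The `USER root` added to jdk/Dockerfile has no visible switch back, so any image built from this layer on a non-root base now runs as root unless a later layer sets `USER` again; the rest of the file lies outside the hunk, so a reset further down cannot be ruled out from here. sonar-scanner/Dockerfile ends with `USER usr1cv8`, which covers that chain, but other consumers of the jdk layer would silently lose their non-root default. Extend the new comment to state the contract, for example `# Leaves the image as root: layers built on top must set USER themselves`, or restore the previous user at the end of the file through a build argument.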
@@ -15,15 +15,18 @@ RUN apt-get update \ wget \ libicu-dev \ pkg-config \ - && apt-key adv --keyserver hkp://keyserver.ubuntu.com:80 --recv-keys 3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF \ - && echo "deb http://download.mono-project.com/repo/debian stable-buster main" > /etc/apt/sources.list.d/mono-official-stable.list \ + && mkdir -p -m 0755 /etc/apt/keyrings \ + && wget -qO- 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF' | \ + gpg --dearmor -o /etc/apt/keyrings/mono-official-stable.gpg \ + && echo "deb [signed-by=/etc/apt/keyrings/mono-official-stable.gpg] https://download.mono-project.com/repo/debian stable-buster main" \ + > /etc/apt/sources.list.d/mono-official-stable.list \ && apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \ mono-runtime \ ca-certificates-mono \ libmono-i18n4.0-all \ libmono-system-runtime-serialization4.0-cil \ - && rm -rf /etc/apt/sources.list.d/mono-official-stable.list \ + && rm -rf /etc/apt/sources.list.d/mono-official-stable.list /etc/apt/keyrings/mono-official-stable.gpg \ && apt-get update \ && cert-sync --user /etc/ssl/certs/ca-certificates.crt \ && rm -rf \ From f1c2eaeec994a4a1dcc1f7891d56888b732e5d29 Mon Sep 17 00:00:00 2001 From: Claude Date: Fri, 29 May 2026 17:58:01 +0000 Subject: [PATCH 11/14] Force CRLF line endings for .bat files Add '*.bat eol=crlf' to .gitattributes so Windows batch scripts always check out with CRLF, avoiding GOTO/label parsing issues. Renormalized existing .bat files accordingly. --- .gitattributes | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitattributes b/.gitattributes index fe21a8c..dd185af 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,4 +1,5 @@ *.sh eol=lf +*.bat eol=crlf client/configs/** eol=lf client-vnc/configs/** eol=lf swarm-jenkins-agent/configs/** eol=lf From 2359ba87840a58318fbd23d432ee32a454c36972 Mon Sep 17 00:00:00 2001 
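Review bot: The key written to `/etc/apt/keyrings/mono-official-stable.gpg` becomes an apt trust anchor without any check that it is the key named in the URL. The `wget … | gpg --dearmor` pair accepts whatever the keyserver returns, and under the default `/bin/sh` a failed `wget` is masked by the pipe. Compare the imported fingerprint with the pinned one before the `echo "deb [signed-by=…` line, for example `&& gpg --show-keys --with-colons /etc/apt/keyrings/mono-official-stable.gpg | grep -q '^fpr:.*:3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF:' \`. The same download lines appear unchanged as context in the two later oscript/Dockerfile hunks (patches 12 and 13). The `RUN` starts above this hunk and continues past it, so whether gnupg is in its package list cannot be confirmed from here.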
From: Claude Date: Fri, 29 May 2026 18:12:31 +0000 Subject: [PATCH 12/14] Use Mono Ubuntu stable-focal repo for oscript image The oscript builds run on Ubuntu-based images (eclipse-temurin:17, ubuntu:20.04, onec-client-vnc), but the Dockerfile used the Debian-buster Mono repo. On newer Ubuntu the buster packages are no longer installable (mono-libraries unsatisfiable / version-split between 6.12.0.200 and .201), breaking the build. Per the official Mono docs, Ubuntu 20.04+ must use the ubuntu stable-focal suite (consistent 6.12.0.206 package set). --- oscript/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/oscript/Dockerfile b/oscript/Dockerfile index 7041120..5a49ae8 100644 --- a/oscript/Dockerfile +++ b/oscript/Dockerfile @@ -18,7 +18,7 @@ RUN apt-get update \ && mkdir -p -m 0755 /etc/apt/keyrings \ && wget -qO- 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF' | \ gpg --dearmor -o /etc/apt/keyrings/mono-official-stable.gpg \ - && echo "deb [signed-by=/etc/apt/keyrings/mono-official-stable.gpg] https://download.mono-project.com/repo/debian stable-buster main" \ + && echo "deb [signed-by=/etc/apt/keyrings/mono-official-stable.gpg] https://download.mono-project.com/repo/ubuntu stable-focal main" \ > /etc/apt/sources.list.d/mono-official-stable.list \ && apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \ From 738111f09aa44c1423085b8675c1d4b0ad53eabc Mon Sep 17 00:00:00 2001 
From: Claude Date: Fri, 29 May 2026 18:27:30 +0000 Subject: [PATCH 13/14] Address review: multi-stage scanner image, distro-aware Mono repo, env guard - sonar-scanner/Dockerfile: multi-stage build (download in a builder stage, runtime layer no longer touches apt); align FROM with the canonical registry-prefix pattern; keep final image non-root. - oscript/Dockerfile: pick the Mono repo suite from the actual base distro via /etc/os-release (Debian -> stable-buster, Ubuntu -> stable-focal) instead of hardcoding, so debian and ubuntu bases both resolve. - build-sonar-scanner.sh: validate required ONEC_* env vars up front. --- build-sonar-scanner.sh | 7 +++++++ oscript/Dockerfile | 6 +++++- sonar-scanner/Dockerfile | 32 +++++++++++++++----------------- 3 files changed, 27 insertions(+), 18 deletions(-) diff --git a/build-sonar-scanner.sh b/build-sonar-scanner.sh index 23dd9f8..d65c586 100755 --- a/build-sonar-scanner.sh +++ b/build-sonar-scanner.sh @@ -19,6 +19,13 @@ if [ "${NO_CACHE}" = 'true' ] ; then last_arg='--no-cache .' fi +for var in ONEC_USERNAME ONEC_PASSWORD ONEC_VERSION; do + if [ -z "${!var}" ]; then + echo "Required environment variable $var is not set" >&2 + exit 1 + fi +done + # SonarScanner CLI 8.x требует Java 21+, поэтому слой jdk собираем с JDK 25 SONAR_JDK_VERSION="${SONAR_JDK_VERSION:-25}" diff --git a/oscript/Dockerfile b/oscript/Dockerfile index 5a49ae8..8b1fc84 100644 --- a/oscript/Dockerfile +++ b/oscript/Dockerfile 
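Review bot: `${!var}` in the added loop of build-sonar-scanner.sh is bash-only indirect expansion. If the script's shebang (outside this hunk) is `#!/bin/sh`, dash fails with a bad-substitution error instead of reporting the missing variable. Either keep the script explicitly on bash or use a POSIX form such as `eval "val=\${$var}"` followed by `[ -z "$val" ]`, which is safe here because the names are fixed literals. The guard also sits after the `NO_CACHE` block rather than at the top, so any earlier steps in the script would presumably still run before it; moving it up would match the "up front" wording in the commit message.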
@@ -18,7 +18,11 @@ RUN apt-get update \ && mkdir -p -m 0755 /etc/apt/keyrings \ && wget -qO- 'https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x3FA7E0328081BFF6A14DA29AA6A19B38D3D831EF' | \ gpg --dearmor -o /etc/apt/keyrings/mono-official-stable.gpg \ - && echo "deb [signed-by=/etc/apt/keyrings/mono-official-stable.gpg] https://download.mono-project.com/repo/ubuntu stable-focal main" \ + # Mono публикует отдельные репозитории под дистрибутив: Debian -> stable-buster, Ubuntu -> stable-focal. + # Подбираем подходящий по фактическому базовому образу (BASE_IMAGE/BASE_TAG могут быть любыми). + && . /etc/os-release \ + && if [ "$ID" = "debian" ]; then mono_repo="debian stable-buster"; else mono_repo="ubuntu stable-focal"; fi \ + && echo "deb [signed-by=/etc/apt/keyrings/mono-official-stable.gpg] https://download.mono-project.com/repo/$mono_repo main" \ > /etc/apt/sources.list.d/mono-official-stable.list \ && apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \ diff --git a/sonar-scanner/Dockerfile b/sonar-scanner/Dockerfile index a024864..13b476e 100644 --- a/sonar-scanner/Dockerfile +++ b/sonar-scanner/Dockerfile 
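Review bot: The `else` branch of `if [ "$ID" = "debian" ]` sends every non-Debian base to `ubuntu stable-focal`, so an unexpected base image silently gets a package source built for a different distribution instead of a clear failure. An explicit match is safer: `case "$ID" in debian) mono_repo="debian stable-buster" ;; ubuntu) mono_repo="ubuntu stable-focal" ;; *) echo "unsupported base: $ID" >&2; exit 1 ;; esac`. The `RUN` begins and ends outside this hunk.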
@@ -2,34 +2,32 @@ ARG DOCKER_REGISTRY_URL ARG BASE_IMAGE ARG BASE_TAG -# BASE_IMAGE - слой client с установленным JDK (client + jdk) -FROM ${DOCKER_REGISTRY_URL}${DOCKER_REGISTRY_URL:+/}${BASE_IMAGE}:${BASE_TAG} - -LABEL maintainer="Nikita Fedkin " - -USER root - # Версия SonarScanner CLI. Java предоставляется слоем jdk. # SonarScanner CLI 8.x требует Java 21+, слой jdk собирается с JDK 25 (см. build-sonar-scanner.sh). ARG SONAR_SCANNER_VERSION=8.1.0.6389 -ENV SONAR_SCANNER_HOME=/opt/sonar-scanner +# Стадия загрузки: скачиваем и распаковываем SonarScanner CLI +FROM ${DOCKER_REGISTRY_URL:+"$DOCKER_REGISTRY_URL/"}${BASE_IMAGE}:${BASE_TAG} AS downloader + +ARG SONAR_SCANNER_VERSION +USER root -# ca-certificates и wget уже присутствуют в слоях client/jdk RUN apt-get update \ && DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \ unzip \ && wget -q -O /tmp/sonar-scanner.zip \ "https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_SCANNER_VERSION}.zip" \ && unzip -q /tmp/sonar-scanner.zip -d /opt \ - && mv "/opt/sonar-scanner-${SONAR_SCANNER_VERSION}" "${SONAR_SCANNER_HOME}" \ - && rm -f /tmp/sonar-scanner.zip \ - && apt-get purge -y --auto-remove unzip \ - && rm -rf \ - /var/lib/apt/lists/* \ - /var/cache/debconf \ - /tmp/* \ - /var/tmp/* + && mv "/opt/sonar-scanner-${SONAR_SCANNER_VERSION}" /opt/sonar-scanner + +# Финальный образ: SonarScanner CLI поверх слоя client + jdk (Java из слоя jdk) +FROM ${DOCKER_REGISTRY_URL:+"$DOCKER_REGISTRY_URL/"}${BASE_IMAGE}:${BASE_TAG} + +LABEL maintainer="Nikita Fedkin " + +ENV SONAR_SCANNER_HOME=/opt/sonar-scanner + +COPY --from=downloader /opt/sonar-scanner ${SONAR_SCANNER_HOME} ENV PATH="${SONAR_SCANNER_HOME}/bin:${PATH}" From 1b628c40105ea75290dbf57147b60bcfd2d56540 Mon Sep 17 00:00:00 2001 
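Review bot: The archive fetched by `wget -q -O /tmp/sonar-scanner.zip` in the downloader stage is unpacked and copied into the final image with no integrity check, so the image content depends entirely on what the download host serves at build time. Pin a digest next to the version and verify it before `unzip`: add `ARG SONAR_SCANNER_SHA256` to the stage and `&& echo "${SONAR_SCANNER_SHA256}  /tmp/sonar-scanner.zip" | sha256sum -c - \` after the download. The value must be the vendor-published checksum for the pinned version, which is not on this page. Separately, the final stage sets no `USER`, so the "keep final image non-root" claim in the commit message holds only if the base image already ends as a non-root user.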
From: Claude Date: Fri, 29 May 2026 18:31:33 +0000 Subject: [PATCH 14/14] Pin oscript-agent base to eclipse-temurin:17-jdk-focal The oscript-agent images build oscript (Mono) directly on eclipse-temurin:17, which now resolves to a newer Ubuntu where Mono's packages (published only up to Ubuntu focal) are not installable, so the build fails at the mono install. Pin the base to the focal-based JDK 17 image so the OS matches Mono's focal repo. Other build paths already use focal-based Ubuntu and are unaffected. --- build-oscript-k8s-agent.sh | 2 +- build-oscript-swarm-agent.bat | 2 +- build-oscript-swarm-agent.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/build-oscript-k8s-agent.sh b/build-oscript-k8s-agent.sh index 84ad6f7..57a74ca 100755 --- a/build-oscript-k8s-agent.sh +++ b/build-oscript-k8s-agent.sh @@ -23,7 +23,7 @@ docker build \ --pull \ --build-arg DOCKER_REGISTRY_URL=library \ --build-arg BASE_IMAGE=eclipse-temurin \ - --build-arg BASE_TAG=17 \ + --build-arg BASE_TAG=17-jdk-focal \ -t ${DOCKER_REGISTRY_URL:+"$DOCKER_REGISTRY_URL/"}oscript-jdk:latest \ -f oscript/Dockerfile \ $last_arg diff --git a/build-oscript-swarm-agent.bat b/build-oscript-swarm-agent.bat index cbcc3dc..f733337 100644 --- a/build-oscript-swarm-agent.bat +++ b/build-oscript-swarm-agent.bat @@ -14,7 +14,7 @@ docker build ^ --pull ^ --build-arg DOCKER_REGISTRY_URL=%DOCKER_REGISTRY_URL% ^ --build-arg BASE_IMAGE=eclipse-temurin ^ - --build-arg BASE_TAG=17 ^ + --build-arg BASE_TAG=17-jdk-focal ^ -t %DOCKER_REGISTRY_URL%/oscript-jdk:latest ^ -f oscript/Dockerfile ^ %last_arg% diff --git a/build-oscript-swarm-agent.sh b/build-oscript-swarm-agent.sh index dcdb7d5..b28f474 100755 --- a/build-oscript-swarm-agent.sh +++ b/build-oscript-swarm-agent.sh 
@@ -23,7 +23,7 @@ docker build \ --pull \ --build-arg DOCKER_REGISTRY_URL=library \ --build-arg BASE_IMAGE=eclipse-temurin \ - --build-arg BASE_TAG=17 \ + --build-arg BASE_TAG=17-jdk-focal \ -t ${DOCKER_REGISTRY_URL:+"$DOCKER_REGISTRY_URL/"}oscript-jdk:latest \ -f oscript/Dockerfile \ $last_arg