chore(docker): migrate base container images to nvcr.io/nvidia/base/ubuntu:noble-20251013 #245

Merged
drew merged 1 commit into main from 244-migrate-base-images-nvidia/drew
Mar 11, 2026
@drew drew commented Mar 11, 2026

Closes #244

Summary

  • Migrate all production container runtime stages to nvcr.io/nvidia/base/ubuntu:noble-20251013 for supply chain consistency
  • Convert Dockerfile.cluster from single-stage rancher/k3s (Alpine) to a multistage build that extracts k3s artifacts onto the NVIDIA Ubuntu base
  • Install Python 3.12 from Ubuntu Noble system packages in the sandbox base image (replaces python:3.12-slim-bookworm)

Changes

| Dockerfile | Previous Base (runtime) | New Base |
|---|---|---|
| Dockerfile.ci | ubuntu:24.04 | nvcr.io/nvidia/base/ubuntu:noble-20251013 |
| Dockerfile.server | debian:bookworm-20260223-slim | nvcr.io/nvidia/base/ubuntu:noble-20251013 |
| sandbox/Dockerfile.base | python:3.12.13-slim-bookworm | nvcr.io/nvidia/base/ubuntu:noble-20251013 + system Python 3.12 |
| Dockerfile.cluster | rancher/k3s:v1.35.2-k3s1 | Multistage: k3s artifacts → nvcr.io/nvidia/base/ubuntu:noble-20251013 |

Dockerfile.cluster details

The cluster image is now a two-stage build:

  1. Stage 1 (k3s): Pulls rancher/k3s as an artifact source only
  2. Stage 2 (runtime): NVIDIA Ubuntu base with:
    • All k3s binaries copied from /bin/ (k3s, kubectl, containerd-shim-runc-v2, runc, CNI plugins, busybox, coreutils, iptables tooling, etc.)
    • Ubuntu runtime deps: iptables, mount, ca-certificates, dnsutils
    • PATH and env vars matching upstream k3s image

Test Plan

  • Pre-commit checks pass locally (all Rust/Python tests, linting, formatting)
  • E2E label applied — CI will build and test all container images
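
A check for the policy this PR sets, added here as an example (not code from this repository): it resolves which external image the final stage of a Dockerfile is built on, following stage aliases and `ARG` defaults, and lists images used only as artifact sources. The `K3S_VERSION` argument name, the `audit` function and both sample Dockerfiles are constructed for illustration.

```python
import re

# Approved runtime base, taken from the PR title.
APPROVED_BASE = "nvcr.io/nvidia/base/ubuntu:noble-20251013"
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<image>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)
ARG_RE = re.compile(r"^\s*ARG\s+(?P<name>\w+)=(?P<value>\S+)\s*$", re.IGNORECASE)
VAR_RE = re.compile(r"\$\{?(\w+)\}?")


def audit(dockerfile_text, approved=APPROVED_BASE):
    """Resolve the external image under the final stage and compare it to the approved base."""
    args, aliases, stages = {}, {}, []
    for line in dockerfile_text.splitlines():
        arg = ARG_RE.match(line)
        if arg and not stages:  # only ARGs before the first FROM apply to FROM lines
            args[arg["name"]] = arg["value"].strip("\"'")
            continue
        frm = FROM_RE.match(line)
        if not frm:
            continue
        image = VAR_RE.sub(lambda m: args.get(m[1], m[0]), frm["image"])
        # "FROM <earlier stage>" inherits that stage's external base image.
        base = aliases.get(image.lower(), image)
        stages.append(base)
        if frm["alias"]:
            aliases[frm["alias"].lower()] = base
    if not stages:
        raise ValueError("no FROM instruction found")
    runtime = stages[-1]
    return {
        "runtime_base": runtime,
        "approved": runtime == approved,
        "artifact_sources": sorted(set(stages[:-1]) - {runtime}),
    }


# Constructed sample in the shape the PR describes for Dockerfile.cluster (not the project's file).
CLUSTER = """\
ARG K3S_VERSION=v1.35.2-k3s1
FROM rancher/k3s:${K3S_VERSION} AS k3s
FROM nvcr.io/nvidia/base/ubuntu:noble-20251013 AS runtime
COPY --from=k3s /bin/ /bin/
"""
# Constructed single-stage form, as the PR describes the previous cluster image.
LEGACY = "FROM rancher/k3s:v1.35.2-k3s1\n"
```

The comparison is on the tag string only; it does not verify which image content the registry serves for that tag.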

…buntu:noble-20251013

Migrate all production container runtime stages from Debian/Ubuntu
upstream to NVIDIA's hardened Ubuntu base image for supply chain
consistency.

- Dockerfile.ci: ubuntu:24.04 -> nvidia base
- Dockerfile.server: debian:bookworm-slim -> nvidia base (runtime stage)
- Dockerfile.base (sandbox): python:3.12-slim-bookworm -> nvidia base
  with system Python 3.12 from Ubuntu Noble repos
- Dockerfile.cluster: convert from single-stage rancher/k3s to
  multistage build extracting k3s artifacts onto nvidia base

Closes #244
@drew drew added the test:e2e Requires end-to-end coverage label Mar 11, 2026
@drew drew self-assigned this Mar 11, 2026
@drew drew merged commit 5803c0b into main Mar 11, 2026
18 checks passed
@drew drew deleted the 244-migrate-base-images-nvidia/drew branch March 11, 2026 22:11
drew added a commit that referenced this pull request Mar 16, 2026
…buntu:noble-20251013 (#245)
