feat: complete CPLEX integration with proper LFS tracking

wrjade · wrjade · commit 47c2cfb71333 · 2025-12-23T08:53:55.000+08:00
- Re-submitted with Git LFS for large binaries
- Implemented robust offline extraction for CPLEX &amp; CP Optimizer
- Pre-installed cplex/docplex Python APIs via uv
- Enhanced GitHub Actions with disk cleanup and Nix cache
- Fixed runtime permissions for non-root user (1000)
diff --git a/.gitattributes b/.gitattributes
@@ -0,0 +1 @@
+pkgs/cplex/*.bin filter=lfs diff=lfs merge=lfs -text
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -31,8 +31,21 @@ jobs:
       checks: write
 
     steps:
+    - name: Free Disk Space (Ubuntu)
+      uses: jlumbroso/free-disk-space@main
+      with:
+        tool-cache: true
+        android: true
+        dotnet: true
+        haskell: true
+        large-packages: true
+        docker-images: true
+        swap-storage: true
+
     - name: Checkout
       uses: actions/checkout@v4
+      with:
+        lfs: true # 必须开启 LFS 以便检出 CPLEX 安装包
 
     - name: Install Nix 2.31.1
       run: |
@@ -43,6 +56,9 @@ jobs:
         # 验证安装
         nix --version
 
+    - name: Magic Nix Cache
+      uses: DeterminateSystems/magic-nix-cache-action@main
+
     - name: Configure Nix
       run: |
         # 加载 Nix 环境
@@ -420,28 +436,32 @@ jobs:
           exit 1
         fi
         
-        # 测试Python和UV（使用临时文件系统挂载）
+        # 测试Python和UV (不使用 --user root，验证权限修复是否成功)
         echo "Testing Python:"
-        docker run --rm --tmpfs /tmp:noexec,nosuid,size=100m --user root ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest /bin/bash -c "export PATH=\${PATH} && python --version" || echo "Python not found"
+        docker run --rm --tmpfs /tmp:noexec,nosuid,size=100m ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest /bin/bash -c "python --version" || echo "Python not found"
         
         echo "Testing UV:"
-        docker run --rm --tmpfs /tmp:noexec,nosuid,size=100m --user root ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest /bin/bash -c "export PATH=\${PATH} && uv --version" || echo "UV not found"
+        docker run --rm --tmpfs /tmp:noexec,nosuid,size=100m ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest /bin/bash -c "uv --version" || echo "UV not found"
         
         # 测试安全限制
         echo "Testing security restrictions:"
-        docker run --rm --tmpfs /tmp:noexec,nosuid,size=100m --user root ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest /bin/bash -c "python -c \"try: import os; print('ERROR: os should be restricted'); exit(1); except ImportError: print('OK: os is restricted')\"" || echo "Security test failed"
+        docker run --rm --tmpfs /tmp:noexec,nosuid,size=100m ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest /bin/bash -c "python -c \"try: import os; print('ERROR: os should be restricted'); exit(1); except ImportError: print('OK: os is restricted')\"" || echo "Security test failed"
         
         # 测试Gurobi可用性
         echo "Testing Gurobi availability:"
-        docker run --rm --tmpfs /tmp:noexec,nosuid,size=100m --user root ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest /bin/bash -c "python -c \"import gurobipy; print('OK: Gurobi available')\"" || echo "Gurobi test failed"
+        docker run --rm --tmpfs /tmp:noexec,nosuid,size=100m ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest /bin/bash -c "python -c \"import gurobipy; print('OK: Gurobi available')\"" || echo "Gurobi test failed"
         
         # 测试OR-Tools可用性
         echo "Testing OR-Tools availability:"
-        docker run --rm --tmpfs /tmp:noexec,nosuid,size=100m --user root ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest /bin/bash -c "python -c \"import ortools; from ortools.linear_solver import pywraplp; print('OK: OR-Tools available')\"" || echo "OR-Tools test failed"
+        docker run --rm --tmpfs /tmp:noexec,nosuid,size=100m ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest /bin/bash -c "python -c \"import ortools; from ortools.linear_solver import pywraplp; print('OK: OR-Tools available')\"" || echo "OR-Tools test failed"
+        
+        # 测试CPLEX可用性
+        echo "Testing CPLEX availability:"
+        docker run --rm --tmpfs /tmp:noexec,nosuid,size=100m ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest /verify-cplex.sh || echo "CPLEX test failed"
         
         # 测试PuLP可用性
         echo "Testing PuLP availability:"
-        docker run --rm --tmpfs /tmp:exec,nosuid,size=100m --user root ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest /bin/bash -c "cd /tmp && python -c \"import pulp; prob = pulp.LpProblem('test', pulp.LpMaximize); x = pulp.LpVariable('x', 0, 10); prob += x; prob.solve(pulp.PULP_CBC_CMD(msg=0)); print('OK: PuLP and CBC solver available')\"" || echo "PuLP test failed"
+        docker run --rm --tmpfs /tmp:exec,nosuid,size=100m ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:secure-latest /bin/bash -c "cd /tmp && python -c \"import pulp; prob = pulp.LpProblem('test', pulp.LpMaximize); x = pulp.LpVariable('x', 0, 10); prob += x; prob.solve(pulp.PULP_CBC_CMD(msg=0)); print('OK: PuLP and CBC solver available')\"" || echo "PuLP test failed"
         
         # 测试科学计算包
         echo "Testing scientific packages:"
@@ -471,7 +491,7 @@ jobs:
         echo "**Features:**" >> $GITHUB_STEP_SUMMARY
         echo "- ✅ Secure Python 3.12 environment" >> $GITHUB_STEP_SUMMARY
         echo "- ✅ UV package manager" >> $GITHUB_STEP_SUMMARY
-        echo "- ✅ Optimization solvers: Gurobi, OR-Tools, PuLP" >> $GITHUB_STEP_SUMMARY
+        echo "- ✅ Optimization solvers: Gurobi, CPLEX, OR-Tools, PuLP" >> $GITHUB_STEP_SUMMARY
         echo "- ✅ Scientific computing packages" >> $GITHUB_STEP_SUMMARY
         echo "- ✅ Non-root user execution" >> $GITHUB_STEP_SUMMARY
         echo "- ✅ Resource limits and security restrictions" >> $GITHUB_STEP_SUMMARY
diff --git a/README.md b/README.md
@@ -9,6 +9,7 @@ A secure, production-ready Docker environment for Python development with UV pac
 - **UV Package Manager**: Fast Python package and dependency manager
 - **Optimization Solvers Pre-installed**:
   - **Gurobi**: Commercial optimization solver (12.0.3) - requires license
+  - **CPLEX**: IBM ILOG CPLEX Optimization Studio (22.1.2) - requires license
   - **OR-Tools**: Google's open-source suite (GLOP, CBC, SCIP, CP-SAT) - no license required
 - **Non-root User**: Runs as non-privileged user for security
 - **Resource Limits**: Built-in CPU and memory limits
@@ -79,6 +80,22 @@ docker run --rm \
   ghcr.io/reaslab/docker-python-runner:secure-latest python optimization.py
 ```
 
+### With CPLEX Optimization
+
+```bash
+# Run CPLEX optimization code
+# CPLEX is pre-installed at /opt/ibm/ILOG/CPLEX_Studio221
+docker run --rm -v $(pwd):/app \
+  ghcr.io/reaslab/docker-python-runner:secure-latest python -c "
+import cplex
+print(f'CPLEX Version: {cplex.__version__}')
+# ... your optimization code ...
+"
+
+# Verify CPLEX installation
+docker run --rm ghcr.io/reaslab/docker-python-runner:secure-latest /verify-cplex.sh
+```
+
 ### With OR-Tools Optimization
 
 ```bash
@@ -129,6 +146,7 @@ docker run --rm ghcr.io/reaslab/docker-python-runner:secure-latest /verify-ortoo
 - **Visualization**: seaborn
 - **Optimization**: 
   - **gurobipy** (Gurobi 12.0.3) - Pre-installed, requires license
+  - **cplex** (IBM CPLEX 22.1.2) - Pre-installed, requires license
   - **ortools** (Google OR-Tools) - Pre-installed, no license required ✨
 - **Build Tools**: cython
 - **Package Manager**: uv
@@ -221,6 +239,9 @@ docker run --rm ghcr.io/reaslab/docker-python-runner:secure-latest uv --version
 # Test Gurobi (requires license)
 docker run --rm -v /path/to/gurobi.lic:/app/gurobi.lic:ro ghcr.io/reaslab/docker-python-runner:secure-latest python -c "import gurobipy; print('Gurobi available')"
 
+# Test CPLEX (verify installation)
+docker run --rm ghcr.io/reaslab/docker-python-runner:secure-latest /verify-cplex.sh
+
 # Test OR-Tools (pre-installed, verify)
 docker run --rm ghcr.io/reaslab/docker-python-runner:secure-latest /verify-ortools.sh
 
diff --git a/build.sh b/build.sh
@@ -148,8 +148,9 @@ echo "📋 Secure Image Configuration:"
 echo "   - Python Version: 3.12 (restricted environment)"
 echo "   - Security: Dangerous modules blocked (os, subprocess, sys, etc.)"
 echo "   - Resource Limits: 1GB memory, CPU share limits"
-echo "   - Safe Packages: pip, setuptools, wheel, cython, numpy, scipy, pandas, matplotlib, scikit-learn, yfinance, seaborn"
+echo "   - Safe Packages: pip, setuptools, wheel, cython, numpy, scipy, pandas, matplotlib, scikit-learn, seaborn, gurobipy, cplex, ortools, pulp"
 echo "   - Gurobi: 12.0.3 (via nixpkgs)"
+echo "   - CPLEX: 22.1.2 (from installer)"
 echo "   - Container: Read-only root filesystem, non-root user (1000:1000)"
 echo "   - Network: Restricted (disabled by default)"
 echo "   - Tools: Minimal set (bash, coreutils, curl, tar, gzip)"
diff --git a/docker.nix b/docker.nix
diff --git a/pkgs/cplex/cos_installer_preview-22.1.2.R4-M0N96ML-linux-x86-64.bin b/pkgs/cplex/cos_installer_preview-22.1.2.R4-M0N96ML-linux-x86-64.bin

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+pkgs/cplex/*.bin filter=lfs diff=lfs merge=lfs -text`