- Админка: настройка pull-реестра (Hub / Harbor / Nexus) в БД, шифрование секретов;

обновлён /admin/config и API для os_registry.
- Molecule/раннер: env из конфигурации, ensure roleforge-os (ensure_roleforge_os.yml),
  os_registry_pull и доработки executors / runner / create.yml.
- /admin/os-images: выбор реестра, buildx (в т.ч. split amd64+arm64 + imagetools),
  опция --no-cache, стрим логов; domain.py: план команд build, ретраи push.
- UI: брендинг (app_name, app_tagline) из app_config через get_ui_branding_context;
  base.xhtml, role-create / role-view, core.js, pages-main, стили.
- Dockerfiles: требование Python ≥3.9 (assert), доработки alt9/astra/debian9/ubuntu20
  и др.; новые Dockerfile.arm64 для centos7/centos8.
- Конфиг: .env.example, config.py, pyproject.toml.

dockerfiles/alma/Dockerfile

@@ -25,6 +25,8 @@ RUN dnf install -y \
 # Создаем symlink для python3 -> python3.9
 RUN ln -sf /usr/bin/python3.9 /usr/bin/python3
 
+RUN python3 -c "import sys; assert sys.version_info[:2] >= (3, 9), sys.version"
+
 # Устанавливаем yq
 # RUN wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_arm64 \
 #     && chmod +x /usr/local/bin/yq

dockerfiles/alt10/Dockerfile

@@ -21,8 +21,7 @@ RUN apt-get install -y \
     sudo \
     && apt-get clean
 
-# Устанавливаем pip для Python 3.9 (в p10 python3 может быть < 3.10)
-RUN curl -sS https://bootstrap.pypa.io/pip/3.9/get-pip.py | python3
+RUN python3 -c "import sys; assert sys.version_info[:2] >= (3, 9), sys.version"
 
 # Устанавливаем yq
 # RUN wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_arm64 \

dockerfiles/alt9/Dockerfile

@@ -20,16 +20,37 @@ RUN set -eux; \
         curl \
         wget \
         nano \
-        python3 \
-        sudo && break; \
+        sudo \
+        gcc \
+        gcc-c++ \
+        make \
+        zlib-devel \
+        openssl-devel \
+        libffi-devel \
+        sqlite-devel \
+        ca-certificates \
+        tar \
+        gzip \
+        && break; \
       echo "apt install attempt ${attempt} failed, retrying in 8s..."; \
       apt-get clean; rm -rf /var/lib/apt/lists/*; \
       sleep 8; \
     done; \
     apt-get clean; rm -rf /var/lib/apt/lists/*
 
-# Устанавливаем pip для Python 3.7
-RUN curl -sS https://bootstrap.pypa.io/pip/3.7/get-pip.py | python3
+# Ansible 2.14+ требует Python 3.9+ на цели — на ALT p9 базовый python3 может быть 3.7.
+# curl/ca-certificates ставятся в предыдущем RUN; здесь не вызываем apt-get — после rm -rf /var/lib/apt/lists/*
+# слой apt «пустой» и apt-get update падает (нет /var/lib/apt/lists/partial).
+RUN curl -fsSL -o /tmp/Python-3.11.9.tgz https://www.python.org/ftp/python/3.11.9/Python-3.11.9.tgz \
+    && tar xzf /tmp/Python-3.11.9.tgz -C /tmp \
+    && rm -f /tmp/Python-3.11.9.tgz \
+    && cd /tmp/Python-3.11.9 \
+    && ./configure --prefix=/usr/local --with-ensurepip=install \
+    && make -j "$(nproc)" \
+    && make install \
+    && update-alternatives --install /usr/bin/python3 python3 /usr/local/bin/python3.11 1 \
+    && python3 -m pip install --upgrade pip setuptools wheel \
+    && python3 -c "import sys; assert sys.version_info[:2] >= (3, 9), sys.version"
 
 # Устанавливаем yq
 # RUN wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_arm64 \

dockerfiles/astra-linux/Dockerfile

@@ -22,8 +22,22 @@ RUN apt-get install -y \
     python3 \
     python3-pip \
     sudo \
+    build-essential \
+    zlib1g-dev \
+    libssl-dev \
+    libffi-dev \
+    libsqlite3-dev \
     && apt-get clean
 
+RUN curl -fsSL https://www.python.org/ftp/python/3.11.9/Python-3.11.9.tgz | tar xz -C /tmp \
+    && cd /tmp/Python-3.11.9 \
+    && ./configure --prefix=/usr/local --with-ensurepip=install \
+    && make -j "$(nproc)" \
+    && make install \
+    && update-alternatives --install /usr/bin/python3 python3 /usr/local/bin/python3.11 2 \
+    && python3 -m pip install --upgrade pip setuptools wheel \
+    && python3 -c "import sys; assert sys.version_info[:2] >= (3, 9), sys.version"
+
 # Устанавливаем yq (автоопределение архитектуры)
 # RUN ARCH=$(dpkg --print-architecture | sed 's/amd64/amd64/; s/arm64/arm64/; s/aarch64/arm64/') && \
 #     wget -qO /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_${ARCH}" && \

dockerfiles/astra-linux/Dockerfile.arm64

@@ -37,6 +37,8 @@ RUN apt-get install -y \
     lsb-release \
     && apt-get clean
 
+RUN python3 -c "import sys; assert sys.version_info[:2] >= (3, 9), sys.version"
+
 # Устанавливаем yq (автоопределение архитектуры)
 RUN ARCH=$(dpkg --print-architecture | sed 's/amd64/amd64/; s/arm64/arm64/; s/aarch64/arm64/') && \
     wget -qO /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_${ARCH}" && \

dockerfiles/centos7/Dockerfile

@@ -12,19 +12,24 @@ RUN sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*.repo && \
 # Обновляем систему
 RUN yum update -y && yum upgrade -y
 
-# Устанавливаем systemd и необходимые пакеты
-RUN yum install -y \
+# Устанавливаем systemd и необходимые пакеты (Python 3.9+ required by modern Ansible)
+RUN yum install -y epel-release \
+    && yum install -y \
     systemd \
     systemd-sysv \
     dbus \
     curl \
     wget \
     nano \
-    python3 \
-    python3-pip \
+    python39 \
+    python39-pip \
     sudo \
     && yum clean all
 
+RUN alternatives --set python3 /usr/bin/python3.9 2>/dev/null || ln -sf /usr/bin/python3.9 /usr/bin/python3
+
+RUN python3 -c "import sys; assert sys.version_info[:2] >= (3, 9), sys.version"
+
 # Устанавливаем yq
 # RUN wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_arm64 \
 #     && chmod +x /usr/local/bin/yq

dockerfiles/centos7/Dockerfile.arm64

@@ -0,0 +1,39 @@
+# CentOS 7 ARM64 with systemd (arm64v8 official image)
+# Pair with Dockerfile in this directory: both publish as roleforge-os:centos7 (multi-arch manifest).
+
+FROM arm64v8/centos:7
+ENV container=docker
+
+RUN sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*.repo && \
+    sed -i 's|#baseurl=http://mirror.centos.org|baseurl=http://vault.centos.org|g' /etc/yum.repos.d/CentOS-*.repo
+
+RUN yum update -y && yum upgrade -y
+
+RUN yum install -y epel-release \
+    && yum install -y \
+    systemd \
+    systemd-sysv \
+    dbus \
+    curl \
+    wget \
+    nano \
+    python39 \
+    python39-pip \
+    sudo \
+    && yum clean all
+
+RUN alternatives --set python3 /usr/bin/python3.9 2>/dev/null || ln -sf /usr/bin/python3.9 /usr/bin/python3
+
+RUN python3 -c "import sys; assert sys.version_info[:2] >= (3, 9), sys.version"
+
+RUN systemctl set-default multi-user.target
+
+RUN echo "root ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers && \
+    echo "ALL ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/ansible-test
+
+RUN useradd -m -s /bin/bash ansible \
+    && echo "ansible ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+
+STOPSIGNAL SIGRTMIN+3
+VOLUME ["/sys/fs/cgroup"]
+CMD ["/sbin/init"]

dockerfiles/centos8/Dockerfile

@@ -12,7 +12,7 @@ RUN sed -i 's/mirrorlist/#mirrorlist/g' /etc/yum.repos.d/CentOS-*.repo && \
 # Обновляем систему
 RUN dnf update -y && dnf upgrade -y
 
-# Устанавливаем systemd и необходимые пакеты
+# Устанавливаем systemd и необходимые пакеты (Python 3.9+ required by modern Ansible)
 RUN dnf install -y --allowerasing \
     systemd \
     systemd-sysv \
@@ -20,11 +20,15 @@ RUN dnf install -y --allowerasing \
     curl \
     wget \
     nano \
-    python3 \
-    python3-pip \
+    python39 \
+    python39-pip \
     sudo \
     && dnf clean all
 
+RUN ln -sf /usr/bin/python3.9 /usr/bin/python3
+
+RUN python3 -c "import sys; assert sys.version_info[:2] >= (3, 9), sys.version"
+
 # Устанавливаем yq
 # RUN wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_arm64 \
 #     && chmod +x /usr/local/bin/yq

dockerfiles/centos8/Dockerfile.arm64

@@ -0,0 +1,35 @@
+# CentOS Stream 8 ARM64 with systemd (multi-arch base)
+# Pair with Dockerfile in this directory: both publish as roleforge-os:centos8 (multi-arch manifest).
+
+FROM quay.io/centos/centos:stream8
+ENV container=docker
+
+RUN dnf update -y && dnf upgrade -y
+
+RUN dnf install -y --allowerasing \
+    systemd \
+    systemd-sysv \
+    dbus \
+    curl \
+    wget \
+    nano \
+    python39 \
+    python39-pip \
+    sudo \
+    && dnf clean all
+
+RUN ln -sf /usr/bin/python3.9 /usr/bin/python3
+
+RUN python3 -c "import sys; assert sys.version_info[:2] >= (3, 9), sys.version"
+
+RUN systemctl set-default multi-user.target
+
+RUN echo "root ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers && \
+    echo "ALL ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/ansible-test
+
+RUN useradd -m -s /bin/bash ansible \
+    && echo "ansible ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+
+STOPSIGNAL SIGRTMIN+3
+VOLUME ["/sys/fs/cgroup"]
+CMD ["/sbin/init"]

dockerfiles/centos9/Dockerfile

@@ -21,6 +21,8 @@ RUN dnf install -y --allowerasing \
     sudo \
     && dnf clean all
 
+RUN python3 -c "import sys; assert sys.version_info[:2] >= (3, 9), sys.version"
+
 # Устанавливаем yq
 # RUN wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_arm64 \
 #     && chmod +x /usr/local/bin/yq

dockerfiles/debian10/Dockerfile

@@ -26,11 +26,16 @@ RUN apt-get install -y \
     curl \
     wget \
     nano \
-    python3 \
-    python3-pip \
     sudo \
     && apt-get clean
 
+RUN echo "deb http://archive.debian.org/debian buster-backports main" >> /etc/apt/sources.list \
+    && apt-get -o Acquire::Check-Valid-Until=false update \
+    && apt-get install -y -t buster-backports python3.9 python3.9-distutils python3-pip \
+    && update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.9 1 \
+    && python3 -m pip install --upgrade pip setuptools wheel \
+    && python3 -c "import sys; assert sys.version_info[:2] >= (3, 9), sys.version"
+
 # Устанавливаем Docker вручную для Debian
 # RUN apt-get update && apt-get install -y \
 #     ca-certificates \

dockerfiles/debian11/Dockerfile

@@ -25,6 +25,8 @@ RUN apt-get install -y \
     sudo \
     && apt-get clean
 
+RUN python3 -c "import sys; assert sys.version_info[:2] >= (3, 9), sys.version"
+
 # Устанавливаем Docker вручную для Debian
 # RUN apt-get update && apt-get install -y \
 #     ca-certificates \

dockerfiles/debian12/Dockerfile

@@ -25,6 +25,8 @@ RUN apt-get install -y \
     sudo \
     && apt-get clean
 
+RUN python3 -c "import sys; assert sys.version_info[:2] >= (3, 9), sys.version"
+
 # Устанавливаем Docker вручную для Debian
 # RUN apt-get update && apt-get install -y \
 #     ca-certificates \

dockerfiles/debian9/Dockerfile

@@ -26,11 +26,24 @@ RUN apt-get install -y \
     curl \
     wget \
     nano \
-    python3 \
-    python3-pip \
     sudo \
+    build-essential \
+    zlib1g-dev \
+    libssl-dev \
+    libffi-dev \
+    libsqlite3-dev \
     && apt-get clean
 
+# Ansible 2.14+ requires Python 3.9+ on targets — Stretch ships Python 3.5; install CPython 3.11.
+RUN curl -fsSL https://www.python.org/ftp/python/3.11.9/Python-3.11.9.tgz | tar xz -C /tmp \
+    && cd /tmp/Python-3.11.9 \
+    && ./configure --prefix=/usr/local --with-ensurepip=install \
+    && make -j "$(nproc)" \
+    && make install \
+    && update-alternatives --install /usr/bin/python3 python3 /usr/local/bin/python3.11 1 \
+    && python3 -m pip install --upgrade pip setuptools wheel \
+    && python3 -c "import sys; assert sys.version_info[:2] >= (3, 9), sys.version"
+
 # Устанавливаем Docker вручную для Debian
 # RUN apt-get update && apt-get install -y \
 #     ca-certificates \

dockerfiles/redos/Dockerfile

@@ -20,11 +20,15 @@ RUN dnf install -y \
     curl \
     wget \
     nano \
-    python3 \
-    python3-pip \
+    python39 \
+    python39-pip \
     sudo \
     && dnf clean all
 
+RUN alternatives --set python3 /usr/bin/python3.9 2>/dev/null || ln -sf /usr/bin/python3.9 /usr/bin/python3
+
+RUN python3 -c "import sys; assert sys.version_info[:2] >= (3, 9), sys.version"
+
 # Устанавливаем yq (автоопределение архитектуры)
 # RUN ARCH=$(uname -m | sed 's/x86_64/amd64/; s/aarch64/arm64/') && \
 #     wget -qO /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_${ARCH}" && \

dockerfiles/redos/Dockerfile.arm64

@@ -34,6 +34,8 @@ RUN dnf install -y --allowerasing \
     gnupg \
     && dnf clean all
 
+RUN python3 -c "import sys; assert sys.version_info[:2] >= (3, 9), sys.version"
+
 # Устанавливаем yq (автоопределение архитектуры)
 RUN ARCH=$(uname -m | sed 's/x86_64/amd64/; s/aarch64/arm64/') && \
     wget -qO /usr/local/bin/yq "https://github.com/mikefarah/yq/releases/latest/download/yq_linux_${ARCH}" && \

dockerfiles/rocky/Dockerfile

@@ -22,9 +22,10 @@ RUN dnf install -y --allowerasing \
     sudo \
     && dnf clean all
 
-# Устанавливаем более новую версию Python через pip если нужно
 RUN python3 -m pip install --upgrade pip
 
+RUN python3 -c "import sys; assert sys.version_info[:2] >= (3, 9), sys.version"
+
 # Устанавливаем yq (автоматически определяем архитектуру)
 # RUN ARCH=$(uname -m) && \
 #     if [ "$ARCH" = "x86_64" ]; then ARCH="amd64"; elif [ "$ARCH" = "aarch64" ]; then ARCH="arm64"; fi && \

dockerfiles/ubuntu20/Dockerfile

@@ -20,11 +20,29 @@ RUN apt-get install -y \
     curl \
     wget \
     nano \
-    python3 \
-    python3-pip \
     sudo \
     && apt-get clean
 
+# Python ≥3.9 для Ansible: deadsnakes 3.11 как единственный python3 (software-properties только для add-apt, затем purge вместе с 3.8).
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends software-properties-common \
+    && add-apt-repository -y ppa:deadsnakes/ppa \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends \
+        python3.11 \
+        python3.11-venv \
+        python3.11-distutils \
+    && update-alternatives --install /usr/bin/python3 python3 /usr/bin/python3.11 1 \
+    && update-alternatives --set python3 /usr/bin/python3.11 \
+    && apt-get purge -y software-properties-common \
+    && apt-get purge -y python3.8 python3.8-minimal python3.8-venv 2>/dev/null || true \
+    && apt-get purge -y libpython3.8-stdlib libpython3.8-minimal 2>/dev/null || true \
+    && apt-get autoremove -y \
+    && curl -sS https://bootstrap.pypa.io/get-pip.py | python3 \
+    && python3 -c "import sys; assert sys.version_info[:2] >= (3, 9), sys.version" \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*
+
 # Устанавливаем Docker вручную для Ubuntu
 # RUN apt-get update && apt-get install -y \
 #     ca-certificates \

dockerfiles/ubuntu22/Dockerfile

@@ -25,6 +25,8 @@ RUN apt-get install -y \
     sudo \
     && apt-get clean
 
+RUN python3 -c "import sys; assert sys.version_info[:2] >= (3, 9), sys.version"
+
 # Устанавливаем Docker вручную для Ubuntu
 # RUN apt-get update && apt-get install -y \
 #     ca-certificates \

dockerfiles/ubuntu24/Dockerfile

@@ -25,6 +25,8 @@ RUN apt-get install -y \
     sudo \
     && apt-get clean
 
+RUN python3 -c "import sys; assert sys.version_info[:2] >= (3, 9), sys.version"
+
 # Устанавливаем Docker вручную для Ubuntu
 # RUN apt-get update && apt-get install -y \
 #     ca-certificates \