RHAIENG-987: remove skopeo and OpenShift client installation from RStudio Dockerfiles to address CVE-2025-4674

jiridanek · jiridanek · commit 35924c8c23ff · 2025-09-12T10:17:30.000+02:00
diff --git a/rstudio/c9s-python-3.11/Dockerfile.cpu b/rstudio/c9s-python-3.11/Dockerfile.cpu
@@ -23,18 +23,12 @@ RUN dnf -y upgrade --refresh --best --nodocs --noplugins --setopt=install_weak_d
 # upgrade first to avoid fixable vulnerabilities end
 
 # Install useful OS packages
-RUN dnf install -y mesa-libGL skopeo && dnf clean all && rm -rf /var/cache/yum
+# remove skopeo, CVE-2025-4674
+RUN dnf install -y mesa-libGL && dnf clean all && rm -rf /var/cache/yum
 
 # Other apps and tools installed as default user
 USER 1001
 
-# Install the oc client begin
-RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
-        -o /tmp/openshift-client-linux.tar.gz && \
-    tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \
-    rm -f /tmp/openshift-client-linux.tar.gz
-# Install the oc client end
-
 WORKDIR /opt/app-root/src
 
 #####################
diff --git a/rstudio/c9s-python-3.11/Dockerfile.cuda b/rstudio/c9s-python-3.11/Dockerfile.cuda
@@ -25,18 +25,12 @@ RUN dnf -y upgrade --refresh --best --nodocs --noplugins --setopt=install_weak_d
 # upgrade first to avoid fixable vulnerabilities end
 
 # Install useful OS packages
-RUN dnf install -y mesa-libGL skopeo && dnf clean all && rm -rf /var/cache/yum
+# remove skopeo, CVE-2025-4674
+RUN dnf install -y mesa-libGL && dnf clean all && rm -rf /var/cache/yum
 
 # Other apps and tools installed as default user
 USER 1001
 
-# Install the oc client begin
-RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
-        -o /tmp/openshift-client-linux.tar.gz && \
-    tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \
-    rm -f /tmp/openshift-client-linux.tar.gz
-# Install the oc client end
-
 WORKDIR /opt/app-root/src
 
 #####################
diff --git a/rstudio/rhel9-python-3.11/Dockerfile.cpu b/rstudio/rhel9-python-3.11/Dockerfile.cpu
@@ -18,18 +18,12 @@ RUN dnf -y upgrade --refresh --best --nodocs --noplugins --setopt=install_weak_d
 # upgrade first to avoid fixable vulnerabilities end
 
 # Install useful OS packages
-RUN dnf install -y mesa-libGL skopeo && dnf clean all && rm -rf /var/cache/yum
+# remove skopeo, CVE-2025-4674
+RUN dnf install -y mesa-libGL && dnf clean all && rm -rf /var/cache/yum
 
 # Other apps and tools installed as default user
 USER 1001
 
-# Install the oc client begin
-RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
-        -o /tmp/openshift-client-linux.tar.gz && \
-    tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \
-    rm -f /tmp/openshift-client-linux.tar.gz
-# Install the oc client end
-
 WORKDIR /opt/app-root/src
 
 #####################
diff --git a/rstudio/rhel9-python-3.11/Dockerfile.cuda b/rstudio/rhel9-python-3.11/Dockerfile.cuda
@@ -20,18 +20,12 @@ RUN dnf -y upgrade --refresh --best --nodocs --noplugins --setopt=install_weak_d
 # upgrade first to avoid fixable vulnerabilities end
 
 # Install useful OS packages
-RUN dnf install -y mesa-libGL skopeo && dnf clean all && rm -rf /var/cache/yum
+# remove skopeo, CVE-2025-4674
+RUN dnf install -y mesa-libGL && dnf clean all && rm -rf /var/cache/yum
 
 # Other apps and tools installed as default user
 USER 1001
 
-# Install the oc client begin
-RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
-        -o /tmp/openshift-client-linux.tar.gz && \
-    tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \
-    rm -f /tmp/openshift-client-linux.tar.gz
-# Install the oc client end
-
 WORKDIR /opt/app-root/src
 
 ################
diff --git a/scripts/dockerfile_fragments.py b/scripts/dockerfile_fragments.py
@@ -36,16 +36,17 @@ def main():
             prefix="Install micropipenv and uv to deploy packages from requirements.txt",
         )
 
-        blockinfile(
-            dockerfile,
-            textwrap.dedent(r"""
-            RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
-                    -o /tmp/openshift-client-linux.tar.gz && \
-                tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \
-                rm -f /tmp/openshift-client-linux.tar.gz
-            """),
-            prefix="Install the oc client",
-        )
+        if not is_rstudio(dockerfile):
+            blockinfile(
+                dockerfile,
+                textwrap.dedent(r"""
+                RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
+                        -o /tmp/openshift-client-linux.tar.gz && \
+                    tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \
+                    rm -f /tmp/openshift-client-linux.tar.gz
+                """),
+                prefix="Install the oc client",
+            )
 
         if is_jupyter(dockerfile):
             blockinfile(
@@ -106,6 +107,10 @@ def is_jupyter(filename: pathlib.Path) -> bool:
     return filename.is_relative_to(ROOT_DIR / "jupyter")
 
 
+def is_rstudio(filename: pathlib.Path) -> bool:
+    return filename.is_relative_to(ROOT_DIR / "rstudio")
+
+
 if __name__ == "__main__":
     main()
 
diff --git a/tests/containers/base_image_test.py b/tests/containers/base_image_test.py
@@ -128,6 +128,8 @@ def check_elf_file():
         self._run_test(image=image, test_fn=test_fn)
 
     def test_oc_command_runs(self, image: str):
+        if utils.is_rstudio_image(image):
+            pytest.skip("oc command is not preinstalled in RStudio images.")
         def test_fn(container: testcontainers.core.container.DockerContainer):
             ecode, output = container.exec(["/bin/sh", "-c", "oc version"])
 
@@ -137,6 +139,8 @@ def test_fn(container: testcontainers.core.container.DockerContainer):
         self._run_test(image=image, test_fn=test_fn)
 
     def test_skopeo_command_runs(self, image: str):
+        if utils.is_rstudio_image(image):
+            pytest.skip("skopeo command is not preinstalled in RStudio images.")
         def test_fn(container: testcontainers.core.container.DockerContainer):
             ecode, output = container.exec(["/bin/sh", "-c", "skopeo --version"])
 
@@ -164,6 +168,8 @@ def test_oc_command_runs_fake_fips(self, image: str, subtests: pytest_subtests.S
         """Establishes a best-effort fake FIPS environment and attempts to execute `oc` binary in it.
 
         Related issue: RHOAIENG-4350 In workbench the oc CLI tool cannot be used on FIPS enabled cluster"""
+        if utils.is_rstudio_image(image):
+            pytest.skip("oc command is not preinstalled in RStudio images.")
         with tempfile.TemporaryDirectory() as tmp_crypto:
             # Ubuntu does not even have /proc/sys/crypto directory, unless FIPS is activated and machine
             #  is rebooted, see https://ubuntu.com/security/certifications/docs/fips-enablement
