From 3bdff2f6f10cc0e659d0cd3326f6c3608a2405af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Thu, 6 Nov 2025 10:10:42 +0100
Subject: [PATCH 1/5] NO-JIRA: refactor(Dockerfile.cpu): wrap multiple RUN commands with bash for improved readability and error handling
---
 codeserver/ubi9-python-3.12/Dockerfile.cpu | 189 ++++++++++++---------
 1 file changed, 111 insertions(+), 78 deletions(-)
diff --git a/codeserver/ubi9-python-3.12/Dockerfile.cpu b/codeserver/ubi9-python-3.12/Dockerfile.cpu
index b8b6d00d3e..f89877bd2e 100644
--- a/codeserver/ubi9-python-3.12/Dockerfile.cpu
+++ b/codeserver/ubi9-python-3.12/Dockerfile.cpu
@@ -55,13 +55,15 @@ COPY ${CODESERVER_SOURCE_CODE}/devel_env_setup.sh ./ # Important: Since HOME & USER for the python-312 has been changed, # we need to ensure the same cache directory is mounted in # the final stage with the necessary permissions to consume from cache -RUN --mount=type=cache,target=/root/.cache/uv \ - pip install --no-cache-dir uv && \ - # the devel script is ppc64le and s390x specific - sets up build-time dependencies - source ./devel_env_setup.sh && \ - # This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`, - # we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common. - UV_LINK_MODE=copy uv pip install --strict --no-deps --refresh --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml +RUN --mount=type=cache,target=/root/.cache/uv /bin/bash <<'EOF' +set -Eeuxo pipefail +pip install --no-cache-dir uv +# the devel script is ppc64le and s390x specific - sets up build-time dependencies +source ./devel_env_setup.sh +# This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`, +# we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common. +UV_LINK_MODE=copy uv pip install --strict --no-deps --refresh --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml +EOF # dummy file to make image build wait for this stage RUN touch /tmp/control 
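Review bot: `pip install --no-cache-dir uv` in this builder step installs whatever uv release is current at build time, while a later `RUN` in the same file pins `uv==0.8.12`; pinning here too (`pip install --no-cache-dir "uv==0.8.12"`) keeps the tool that resolves and hash-checks `pylock.toml` reproducible. Separately, `source ./devel_env_setup.sh` now executes with `set -Eeuxo pipefail` in effect, so the sourced script inherits `-u` and `-x`: an unset-variable reference inside it aborts the build and every command it runs is traced into the build log. devel_env_setup.sh is not part of this patch, so whether it is `-u` clean and keeps secrets out of its command lines should be confirmed.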
@@ -85,19 +87,28 @@ COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # Problem: The operation would result in removing the following protected packages: systemd # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages) # Solution: --best --skip-broken does not work either, so use --nobest -RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \ - && dnf clean all -y +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 +dnf clean all -y +EOF # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages -RUN dnf install -y tar perl mesa-libGL skopeo && dnf clean all && rm -rf /var/cache/dnf +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf install -y tar perl mesa-libGL skopeo +dnf clean all +rm -rf /var/cache/dnf +EOF # (ARCH-ppc64le): since wheels are compiled from source, we need shared libs available at runtime -RUN --mount=type=cache,from=whl-cache,source=/root/OpenBLAS,target=/OpenBlas,rw \ - bash -c ' \ - if [[ $(uname -m) == "ppc64le" ]]; then \ - PREFIX=/usr/ make install -C /OpenBlas; \ - fi ' +RUN --mount=type=cache,from=whl-cache,source=/root/OpenBLAS,target=/OpenBlas,rw /bin/bash <<'EOF' +set -Eeuxo pipefail +if [[ $(uname -m) == "ppc64le" ]]; then + PREFIX=/usr/ make install -C /OpenBlas +fi +EOF # Other apps and tools installed as default user USER 1001 
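Review bot: `dnf -y upgrade ... --nobest --skip-broken` still exits 0 when it skips an update it cannot resolve, so the new `set -e` does not turn a skipped security fix into a build failure, although the trailing comment says this step exists to avoid fixable vulnerabilities. Suggest saying so next to the command, e.g. `# NOTE: --nobest/--skip-broken can silently leave packages un-upgraded; a clean exit is not proof the image is patched, rely on the image scan`. The same block is repeated in the jupyter Dockerfiles changed in PATCH 4/5 (datascience, minimal, pytorch, pytorch+llmcompressor, rocm, tensorflow), presumably generated from scripts/dockerfile_fragments.py, so the comment belongs in that shared fragment.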
@@ -107,10 +118,13 @@ RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12" # Install micropipenv and uv to deploy packages from requirements.txt end # Install the oc client begin -RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ - -o /tmp/openshift-client-linux.tar.gz && \ - tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \ - rm -f /tmp/openshift-client-linux.tar.gz +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ + -o /tmp/openshift-client-linux.tar.gz +tar -xzvf /tmp/openshift-client-linux.tar.gz oc +rm -f /tmp/openshift-client-linux.tar.gz +EOF # Install the oc client end #################### 
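Review bot: The `oc` tarball is fetched from the moving `stable` channel and unpacked with no integrity check, and `curl -L` without `--fail` exits 0 on an HTTP error page, so `set -e` only trips later at `tar`. Adding `--fail` and checking a digest before extraction closes both gaps: `curl --fail --location -o /tmp/openshift-client-linux.tar.gz "<URL>"` followed by `echo "<EXPECTED_SHA256>  /tmp/openshift-client-linux.tar.gz" | sha256sum --check -`, where `<EXPECTED_SHA256>` is a placeholder for a digest pinned per architecture (which in turn means pinning a client version instead of `stable`). The same block is duplicated in the jupyter Dockerfiles changed in PATCH 4/5, so the fix should be made once in the shared fragment.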
@@ -157,21 +171,28 @@ COPY --from=rpm-base /tmp/control /dev/null # Install code-server # Note: Use cache mounts, bind mounts fail on konflux # https://redhat-internal.slack.com/archives/C04PZ7H0VA8/p1755628065772589?thread_ts=1755597929.335999&cid=C04PZ7H0VA8 -RUN --mount=type=cache,from=rpm-base,source=/tmp/,target=/code-server-rpm/,rw \ - # EXPLANATION: dnf installation produces an "unsigned rpm" error from Konflux (Conforma) - # since we're building rpm from source, we will simply unpack it over / - # dnf install -y "/code-server-rpm/code-server-${CODESERVER_VERSION/v/}-${TARGETARCH}.rpm" - # dnf -y clean all --enablerepo='*' - dnf install -y cpio && dnf -y clean all && \ - cd / && rpm2cpio "/code-server-rpm/code-server-${CODESERVER_VERSION/v/}-${TARGETARCH}.rpm" | cpio -idmv +RUN --mount=type=cache,from=rpm-base,source=/tmp/,target=/code-server-rpm/,rw /bin/bash <<'EOF' +set -Eeuxo pipefail +# EXPLANATION: dnf installation produces an "unsigned rpm" error from Konflux (Conforma) +# since we're building rpm from source, we will simply unpack it over / +# dnf install -y "/code-server-rpm/code-server-${CODESERVER_VERSION/v/}-${TARGETARCH}.rpm" +# dnf -y clean all --enablerepo='*' +dnf install -y cpio +dnf -y clean all +cd / +rpm2cpio "/code-server-rpm/code-server-${CODESERVER_VERSION/v/}-${TARGETARCH}.rpm" | cpio -idmv +EOF COPY --chown=1001:0 ${CODESERVER_SOURCE_CODE}/utils utils/ # Create and intall the extensions though build-time on a temporary directory. Later this directory will copied on the `/opt/app-root/src/.local/share/code-server/extensions` via run-code-server.sh file when it starts up. 
# https://coder.com/docs/code-server/FAQ#how-do-i-install-an-extension -RUN mkdir -p /opt/app-root/extensions-temp && \ - code-server --install-extension /opt/app-root/bin/utils/ms-python.python-2025.14.0.vsix --extensions-dir /opt/app-root/extensions-temp && \ - code-server --install-extension /opt/app-root/bin/utils/ms-toolsai.jupyter-2025.8.0.vsix --extensions-dir /opt/app-root/extensions-temp +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +mkdir -p /opt/app-root/extensions-temp +code-server --install-extension /opt/app-root/bin/utils/ms-python.python-2025.14.0.vsix --extensions-dir /opt/app-root/extensions-temp +code-server --install-extension /opt/app-root/bin/utils/ms-toolsai.jupyter-2025.8.0.vsix --extensions-dir /opt/app-root/extensions-temp +EOF # Install NGINX to proxy code-server and pass probes check ENV APP_ROOT=/opt/app-root @@ -188,10 +209,13 @@ ENV NGINX_CONFIGURATION_PATH=${APP_ROOT}/etc/nginx.d \ NGINX_PERL_MODULE_PATH=${APP_ROOT}/etc/perl # Modules does not exist -RUN INSTALL_PKGS="bind-utils nginx nginx-mod-stream nginx-mod-http-perl httpd" && \ - dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \ - rpm -V $INSTALL_PKGS && \ - dnf -y clean all --enablerepo='*' +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +INSTALL_PKGS="bind-utils nginx nginx-mod-stream nginx-mod-http-perl httpd" +dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS +rpm -V $INSTALL_PKGS +dnf -y clean all --enablerepo='*' +EOF # Configure httpd for CGI processing COPY --chown=1001:0 ${CODESERVER_SOURCE_CODE}/httpd/httpd.conf /etc/httpd/conf/httpd.conf 
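Review bot: `rpm2cpio ... | cpio -idmv` in the code-server hunk writes the package's files over `/` without registering them in the RPM database, so `rpm -V`, `dnf upgrade` and RPM-based image scanners will not account for code-server. The existing EXPLANATION comment covers why `dnf install` is avoided but not that consequence; suggest appending `# NOTE: files unpacked this way are not tracked by rpm/dnf; code-server needs its own SBOM/scan entry`. The rpm is also read from a `type=cache` mount rather than an image layer, so what gets unpacked is whatever that cache holds at build time; the rpm-base stage is outside this hunk, so whether it could publish a digest to check here is not confirmed.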
@@ -216,34 +240,37 @@ COPY ${CODESERVER_SOURCE_CODE}/nginx/api/ /opt/app-root/api/ # UID=1001 && GID=0 # UID=&& GID=0 # UID=1001 && GID= -RUN sed -i -f ${NGINX_APP_ROOT}/nginxconf.sed ${NGINX_CONF_PATH} && \ - mkdir -p ${NGINX_APP_ROOT}/etc/nginx.d/ && \ - mkdir -p ${NGINX_APP_ROOT}/etc/nginx.default.d/ && \ - mkdir -p ${NGINX_APP_ROOT}/api/ && \ - mkdir -p ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \ - mkdir -p ${NGINX_LOG_PATH} && \ - mkdir -p ${NGINX_PERL_MODULE_PATH} && \ - # Create httpd directories and set permissions - mkdir -p /var/log/httpd /var/run/httpd /etc/httpd/logs && \ - chown -R 1001:0 ${NGINX_CONF_PATH} && \ - chown -R 1001:0 ${NGINX_APP_ROOT}/etc && \ - chown -R 1001:0 ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \ - chown -R 1001:0 /var/lib/nginx /var/log/nginx /run && \ - chown -R 1001:0 /var/log/httpd /var/run/httpd /etc/httpd/logs && \ - chmod ug+rw ${NGINX_CONF_PATH} && \ - chmod -R ug+rwX ${NGINX_APP_ROOT}/etc && \ - chmod -R ug+rwX ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \ - chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run && \ - chmod -R ug+rwX /var/log/httpd /var/run/httpd /etc/httpd/logs && \ - # Make CGI script executable - chmod +x /opt/app-root/api/kernels/access.cgi && \ - rpm-file-permissions && \ - # Ensure the temporary directory and target directory have the correct permissions - mkdir -p /opt/app-root/src/.local/share/code-server/extensions && \ - mkdir -p /opt/app-root/src/.local/share/code-server/coder-logs && \ - chown -R 1001:0 /opt/app-root/src/.local/share/code-server && \ - chown -R 1001:0 /opt/app-root/extensions-temp && \ - chown -R 1001:0 /opt/app-root/src/.config/code-server +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +sed -i -f ${NGINX_APP_ROOT}/nginxconf.sed ${NGINX_CONF_PATH} +mkdir -p ${NGINX_APP_ROOT}/etc/nginx.d/ +mkdir -p ${NGINX_APP_ROOT}/etc/nginx.default.d/ +mkdir -p ${NGINX_APP_ROOT}/api/ +mkdir -p ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start +mkdir -p ${NGINX_LOG_PATH} +mkdir -p 
${NGINX_PERL_MODULE_PATH} +# Create httpd directories and set permissions +mkdir -p /var/log/httpd /var/run/httpd /etc/httpd/logs +chown -R 1001:0 ${NGINX_CONF_PATH} +chown -R 1001:0 ${NGINX_APP_ROOT}/etc +chown -R 1001:0 ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start +chown -R 1001:0 /var/lib/nginx /var/log/nginx /run +chown -R 1001:0 /var/log/httpd /var/run/httpd /etc/httpd/logs +chmod ug+rw ${NGINX_CONF_PATH} +chmod -R ug+rwX ${NGINX_APP_ROOT}/etc +chmod -R ug+rwX ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start +chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run +chmod -R ug+rwX /var/log/httpd /var/run/httpd /etc/httpd/logs +# Make CGI script executable +chmod +x /opt/app-root/api/kernels/access.cgi +rpm-file-permissions +# Ensure the temporary directory and target directory have the correct permissions +mkdir -p /opt/app-root/src/.local/share/code-server/extensions +mkdir -p /opt/app-root/src/.local/share/code-server/coder-logs +chown -R 1001:0 /opt/app-root/src/.local/share/code-server +chown -R 1001:0 /opt/app-root/extensions-temp +chown -R 1001:0 /opt/app-root/src/.config/code-server +EOF # Launcher COPY --chown=1001:0 ${CODESERVER_SOURCE_CODE}/run-code-server.sh ${CODESERVER_SOURCE_CODE}/run-nginx.sh ./ 
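Review bot: The recursive `chown -R 1001:0` and `chmod -R ug+rwX` lines act on unquoted `${NGINX_APP_ROOT}`, `${NGINX_CONF_PATH}` and `${NGINX_CONTAINER_SCRIPTS_PATH}` expansions, presumably as root since `chown` needs it; `set -u` now stops the script when one of them is unset, but a variable set to an empty string still turns `${NGINX_APP_ROOT}/etc` into `/etc`. Quoting with the `:?` form closes that case, e.g. `chown -R 1001:0 "${NGINX_APP_ROOT:?}/etc"` and `chmod -R ug+rwX "${NGINX_APP_ROOT:?}/etc"`. The ENV block defining these variables is only partly visible in the preceding hunk, so whether an empty value can actually occur is not confirmed.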
@@ -261,28 +288,34 @@ COPY --from=whl-cache /tmp/control /dev/null # Install packages and cleanup # (ARCH-ppc64le): install packages (eg. pyarrow) that need to be built from source repository on ppc64le RUN --mount=type=cache,target=/root/.cache/uv \ - --mount=type=cache,from=whl-cache,source=/wheelsdir/,target=/wheelsdir/,rw \ - bash -c ' \ - if [[ $(uname -m) == "ppc64le" ]] || [[ $(uname -m) == "s390x" ]]; then \ - uv pip install /wheelsdir/*.whl; \ - fi ' + --mount=type=cache,from=whl-cache,source=/wheelsdir/,target=/wheelsdir/,rw /bin/bash <<'EOF' +set -Eeuxo pipefail +if [[ $(uname -m) == "ppc64le" ]] || [[ $(uname -m) == "s390x" ]]; then + uv pip install /wheelsdir/*.whl +fi +EOF # install packages as USER 0 (this will allow us to consume uv cache) -RUN --mount=type=cache,target=/root/.cache/uv \ - echo "Installing softwares and packages" && \ - # we can ensure wheels are consumed from the cache only by restricting internet access for uv install with '--offline' flag - # TODO(jdanek): seen some builds fail on GitHub Actions with --offline and see no need to limit ourselves to the cache, will remove this - UV_LINK_MODE=copy uv pip install --cache-dir /root/.cache/uv --requirements=./pylock.toml && \ - # Note: debugpy wheel availabe on pypi (in uv cache) is none-any but bundles amd64.so files - # Build debugpy from source instead - UV_LINK_MODE=copy uv pip install --no-cache git+https://github.com/microsoft/debugpy.git@v$(grep -A1 '\"debugpy\"' ./pylock.toml | grep -Eo '\b[0-9\.]+\b') && \ - # change ownership to default user (all packages were installed as root and has root:root ownership \ - chown -R 1001:0 /opt/app-root +RUN --mount=type=cache,target=/root/.cache/uv /bin/bash <<'EOF' +set -Eeuxo pipefail +echo "Installing softwares and packages" +# we can ensure wheels are consumed from the cache only by restricting internet access for uv install with '--offline' flag +# TODO(jdanek): seen some builds fail on GitHub Actions with --offline and see no need to 
limit ourselves to the cache, will remove this +UV_LINK_MODE=copy uv pip install --cache-dir /root/.cache/uv --requirements=./pylock.toml +# Note: debugpy wheel availabe on pypi (in uv cache) is none-any but bundles amd64.so files +# Build debugpy from source instead +UV_LINK_MODE=copy uv pip install --no-cache git+https://github.com/microsoft/debugpy.git@v$(grep -A1 '\"debugpy\"' ./pylock.toml | grep -Eo '\b[0-9\.]+\b') +# change ownership to default user (all packages were installed as root and has root:root ownership +chown -R 1001:0 /opt/app-root +EOF USER 1001 # Fix permissions to support pip in Openshift environments -RUN chmod -R g+w /opt/app-root/lib/python3.12/site-packages && \ - fix-permissions /opt/app-root -P +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +chmod -R g+w /opt/app-root/lib/python3.12/site-packages +fix-permissions /opt/app-root -P +EOF WORKDIR /opt/app-root/src From d493a2831887b0dba073917857a07e23d6455074 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?= Date: Thu, 6 Nov 2025 10:33:21 +0100 Subject: [PATCH 2/5] fixup hadolint --- codeserver/ubi9-python-3.12/Dockerfile.cpu | 2 ++ 1 file changed, 2 insertions(+) diff --git a/codeserver/ubi9-python-3.12/Dockerfile.cpu b/codeserver/ubi9-python-3.12/Dockerfile.cpu index f89877bd2e..1533ea4e53 100644 --- a/codeserver/ubi9-python-3.12/Dockerfile.cpu +++ b/codeserver/ubi9-python-3.12/Dockerfile.cpu @@ -92,6 +92,7 @@ set -Eeuxo pipefail dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 dnf clean all -y EOF + # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages @@ -294,6 +295,7 @@ if [[ $(uname -m) == "ppc64le" ]] || [[ $(uname -m) == "s390x" ]]; then uv pip install /wheelsdir/*.whl fi EOF + # install packages as USER 0 (this will allow us to consume uv cache) RUN --mount=type=cache,target=/root/.cache/uv /bin/bash <<'EOF' set -Eeuxo pipefail 
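Review bot: In `uv pip install --no-cache git+https://github.com/microsoft/debugpy.git@v$(grep ... | grep -Eo ...)` the command substitution sits inside an argument, so a `grep` that matches nothing does not trigger `set -e` or `pipefail`; the ref silently becomes `@v`, or splits into extra arguments if more than one token matches. Assigning first lets the new error handling apply: `DEBUGPY_VERSION=$(grep -A1 '\"debugpy\"' ./pylock.toml | grep -Eo '\b[0-9\.]+\b')` then `uv pip install --no-cache "git+https://github.com/microsoft/debugpy.git@v${DEBUGPY_VERSION}"`. A git tag is also mutable and this install is not covered by the lockfile hashes, so pinning the commit SHA that corresponds to the locked version would be stronger.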
From 02d56bbe910741afe95d10b4c3b55ac4bb2a90c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?= Date: Thu, 6 Nov 2025 10:37:44 +0100 Subject: [PATCH 3/5] fixup hadolint --- codeserver/ubi9-python-3.12/Dockerfile.cpu | 1 + 1 file changed, 1 insertion(+) diff --git a/codeserver/ubi9-python-3.12/Dockerfile.cpu b/codeserver/ubi9-python-3.12/Dockerfile.cpu index 1533ea4e53..51cc5d302b 100644 --- a/codeserver/ubi9-python-3.12/Dockerfile.cpu +++ b/codeserver/ubi9-python-3.12/Dockerfile.cpu @@ -126,6 +126,7 @@ curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/st tar -xzvf /tmp/openshift-client-linux.tar.gz oc rm -f /tmp/openshift-client-linux.tar.gz EOF + # Install the oc client end #################### From 2aed752177b3657aff36053c0ae7ce2f9e6b852a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Thu, 6 Nov 2025 10:47:55 +0100
Subject: [PATCH 4/5] fixup fragments.py
---
 .../ubi9-python-3.12/Dockerfile.cpu | 20 ++++++++----
 .../minimal/ubi9-python-3.12/Dockerfile.cpu | 21 ++++++++----
 .../minimal/ubi9-python-3.12/Dockerfile.cuda | 21 ++++++++----
 .../minimal/ubi9-python-3.12/Dockerfile.rocm | 21 ++++++++----
 .../ubi9-python-3.12/Dockerfile.cuda | 21 ++++++++----
 .../pytorch/ubi9-python-3.12/Dockerfile.cuda | 21 ++++++++----
 .../pytorch/ubi9-python-3.12/Dockerfile.rocm | 21 ++++++++----
 .../ubi9-python-3.12/Dockerfile.rocm | 21 ++++++++----
 .../ubi9-python-3.12/Dockerfile.cuda | 21 ++++++++----
 .../trustyai/ubi9-python-3.12/Dockerfile.cpu | 21 ++++++++----
 rstudio/c9s-python-3.12/Dockerfile.cpu | 8 +++--
 rstudio/c9s-python-3.12/Dockerfile.cuda | 8 +++--
 rstudio/rhel9-python-3.12/Dockerfile.cpu | 8 +++--
 rstudio/rhel9-python-3.12/Dockerfile.cuda | 8 +++--
 .../ubi9-python-3.12/Dockerfile.cpu | 20 ++++++++----
 .../minimal/ubi9-python-3.12/Dockerfile.cpu | 20 ++++++++----
 .../ubi9-python-3.12/Dockerfile.cuda | 20 ++++++++----
 .../pytorch/ubi9-python-3.12/Dockerfile.cuda | 20 ++++++++----
 .../ubi9-python-3.12/Dockerfile.rocm | 20 ++++++++----
 .../ubi9-python-3.12/Dockerfile.rocm | 20 ++++++++----
 .../ubi9-python-3.12/Dockerfile.cuda | 20 ++++++++----
 scripts/dockerfile_fragments.py | 32 +++++++++++++++----
 22 files changed, 296 insertions(+), 117 deletions(-)
diff --git a/jupyter/datascience/ubi9-python-3.12/Dockerfile.cpu b/jupyter/datascience/ubi9-python-3.12/Dockerfile.cpu
index f527392d80..ab8868f176 100644
--- a/jupyter/datascience/ubi9-python-3.12/Dockerfile.cpu
+++ b/jupyter/datascience/ubi9-python-3.12/Dockerfile.cpu
@@ -53,8 +53,12 @@ COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # Problem: The operation would result in removing the following protected packages: systemd # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages) # Solution: --best --skip-broken does not work either, so use --nobest -RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \ - && dnf clean all -y +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 +dnf clean all -y +EOF + # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages @@ -107,10 +111,14 @@ RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12" # Install micropipenv and uv to deploy packages from requirements.txt end # Install the oc client begin -RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ - -o /tmp/openshift-client-linux.tar.gz && \ - tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \ - rm -f /tmp/openshift-client-linux.tar.gz +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ + -o /tmp/openshift-client-linux.tar.gz +tar -xzvf /tmp/openshift-client-linux.tar.gz oc +rm -f /tmp/openshift-client-linux.tar.gz +EOF + # Install the oc client end ############################## diff --git a/jupyter/minimal/ubi9-python-3.12/Dockerfile.cpu b/jupyter/minimal/ubi9-python-3.12/Dockerfile.cpu index 3b0030be1c..cfc196e818 100644 --- a/jupyter/minimal/ubi9-python-3.12/Dockerfile.cpu +++ b/jupyter/minimal/ubi9-python-3.12/Dockerfile.cpu 
@@ -25,8 +25,12 @@ COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # Problem: The operation would result in removing the following protected packages: systemd # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages) # Solution: --best --skip-broken does not work either, so use --nobest -RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \ - && dnf clean all -y +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 +dnf clean all -y +EOF + # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages @@ -40,10 +44,14 @@ RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12" # Install micropipenv and uv to deploy packages from requirements.txt end # Install the oc client begin -RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ - -o /tmp/openshift-client-linux.tar.gz && \ - tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \ - rm -f /tmp/openshift-client-linux.tar.gz +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ + -o /tmp/openshift-client-linux.tar.gz +tar -xzvf /tmp/openshift-client-linux.tar.gz oc +rm -f /tmp/openshift-client-linux.tar.gz +EOF + # Install the oc client end #################### @@ -73,6 +81,7 @@ USER 0 # Dependencies for PDF export begin RUN ./utils/install_pdf_deps.sh ENV PATH="/usr/local/texlive/bin/linux:/usr/local/pandoc/bin:$PATH" + # Dependencies for PDF export end USER 1001 diff --git a/jupyter/minimal/ubi9-python-3.12/Dockerfile.cuda b/jupyter/minimal/ubi9-python-3.12/Dockerfile.cuda index aed3dd4822..d78513a88e 100644 
--- a/jupyter/minimal/ubi9-python-3.12/Dockerfile.cuda +++ b/jupyter/minimal/ubi9-python-3.12/Dockerfile.cuda @@ -27,8 +27,12 @@ COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # Problem: The operation would result in removing the following protected packages: systemd # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages) # Solution: --best --skip-broken does not work either, so use --nobest -RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \ - && dnf clean all -y +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 +dnf clean all -y +EOF + # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages @@ -42,10 +46,14 @@ RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12" # Install micropipenv and uv to deploy packages from requirements.txt end # Install the oc client begin -RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ - -o /tmp/openshift-client-linux.tar.gz && \ - tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \ - rm -f /tmp/openshift-client-linux.tar.gz +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ + -o /tmp/openshift-client-linux.tar.gz +tar -xzvf /tmp/openshift-client-linux.tar.gz oc +rm -f /tmp/openshift-client-linux.tar.gz +EOF + # Install the oc client end ######################### @@ -75,6 +83,7 @@ USER 0 # Dependencies for PDF export begin RUN ./utils/install_pdf_deps.sh ENV PATH="/usr/local/texlive/bin/linux:/usr/local/pandoc/bin:$PATH" + # Dependencies for PDF export end USER 1001 
diff --git a/jupyter/minimal/ubi9-python-3.12/Dockerfile.rocm b/jupyter/minimal/ubi9-python-3.12/Dockerfile.rocm index 00255d72d6..b02c6f7dc4 100644 --- a/jupyter/minimal/ubi9-python-3.12/Dockerfile.rocm +++ b/jupyter/minimal/ubi9-python-3.12/Dockerfile.rocm @@ -25,8 +25,12 @@ COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # Problem: The operation would result in removing the following protected packages: systemd # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages) # Solution: --best --skip-broken does not work either, so use --nobest -RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \ - && dnf clean all -y +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 +dnf clean all -y +EOF + # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages @@ -40,10 +44,14 @@ RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12" # Install micropipenv and uv to deploy packages from requirements.txt end # Install the oc client begin -RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ - -o /tmp/openshift-client-linux.tar.gz && \ - tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \ - rm -f /tmp/openshift-client-linux.tar.gz +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ + -o /tmp/openshift-client-linux.tar.gz +tar -xzvf /tmp/openshift-client-linux.tar.gz oc +rm -f /tmp/openshift-client-linux.tar.gz +EOF + # Install the oc client end ######################## 
@@ -73,6 +81,7 @@ USER 0 # Dependencies for PDF export begin RUN ./utils/install_pdf_deps.sh ENV PATH="/usr/local/texlive/bin/linux:/usr/local/pandoc/bin:$PATH" + # Dependencies for PDF export end USER 1001 diff --git a/jupyter/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.cuda b/jupyter/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.cuda index cebc26885d..696cf004b5 100644 --- a/jupyter/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.cuda +++ b/jupyter/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.cuda @@ -40,8 +40,12 @@ COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # Problem: The operation would result in removing the following protected packages: systemd # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages) # Solution: --best --skip-broken does not work either, so use --nobest -RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \ - && dnf clean all -y +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 +dnf clean all -y +EOF + # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages 
@@ -55,10 +59,14 @@ RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12" # Install micropipenv and uv to deploy packages from requirements.txt end # Install the oc client begin -RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ - -o /tmp/openshift-client-linux.tar.gz && \ - tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \ - rm -f /tmp/openshift-client-linux.tar.gz +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ + -o /tmp/openshift-client-linux.tar.gz +tar -xzvf /tmp/openshift-client-linux.tar.gz oc +rm -f /tmp/openshift-client-linux.tar.gz +EOF + # Install the oc client end ######################### @@ -80,6 +88,7 @@ USER 0 # Dependencies for PDF export begin RUN ./utils/install_pdf_deps.sh ENV PATH="/usr/local/texlive/bin/linux:/usr/local/pandoc/bin:$PATH" + # Dependencies for PDF export end USER 1001 diff --git a/jupyter/pytorch/ubi9-python-3.12/Dockerfile.cuda b/jupyter/pytorch/ubi9-python-3.12/Dockerfile.cuda index 6beb3cc6d0..e4023a7993 100644 --- a/jupyter/pytorch/ubi9-python-3.12/Dockerfile.cuda +++ b/jupyter/pytorch/ubi9-python-3.12/Dockerfile.cuda 
@@ -40,8 +40,12 @@ COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # Problem: The operation would result in removing the following protected packages: systemd # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages) # Solution: --best --skip-broken does not work either, so use --nobest -RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \ - && dnf clean all -y +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 +dnf clean all -y +EOF + # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages @@ -55,10 +59,14 @@ RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12" # Install micropipenv and uv to deploy packages from requirements.txt end # Install the oc client begin -RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ - -o /tmp/openshift-client-linux.tar.gz && \ - tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \ - rm -f /tmp/openshift-client-linux.tar.gz +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ + -o /tmp/openshift-client-linux.tar.gz +tar -xzvf /tmp/openshift-client-linux.tar.gz oc +rm -f /tmp/openshift-client-linux.tar.gz +EOF + # Install the oc client end ######################### @@ -80,6 +88,7 @@ USER 0 # Dependencies for PDF export begin RUN ./utils/install_pdf_deps.sh ENV PATH="/usr/local/texlive/bin/linux:/usr/local/pandoc/bin:$PATH" + # Dependencies for PDF export end USER 1001 diff --git a/jupyter/rocm/pytorch/ubi9-python-3.12/Dockerfile.rocm b/jupyter/rocm/pytorch/ubi9-python-3.12/Dockerfile.rocm index 7984893c0e..83c0410c96 100644 
--- a/jupyter/rocm/pytorch/ubi9-python-3.12/Dockerfile.rocm +++ b/jupyter/rocm/pytorch/ubi9-python-3.12/Dockerfile.rocm @@ -38,8 +38,12 @@ COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # Problem: The operation would result in removing the following protected packages: systemd # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages) # Solution: --best --skip-broken does not work either, so use --nobest -RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \ - && dnf clean all -y +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 +dnf clean all -y +EOF + # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages @@ -53,10 +57,14 @@ RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12" # Install micropipenv and uv to deploy packages from requirements.txt end # Install the oc client begin -RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ - -o /tmp/openshift-client-linux.tar.gz && \ - tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \ - rm -f /tmp/openshift-client-linux.tar.gz +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ + -o /tmp/openshift-client-linux.tar.gz +tar -xzvf /tmp/openshift-client-linux.tar.gz oc +rm -f /tmp/openshift-client-linux.tar.gz +EOF + # Install the oc client end ######################## @@ -78,6 +86,7 @@ USER 0 # Dependencies for PDF export begin RUN ./utils/install_pdf_deps.sh ENV PATH="/usr/local/texlive/bin/linux:/usr/local/pandoc/bin:$PATH" + # Dependencies for PDF export end USER 1001 
diff --git a/jupyter/rocm/tensorflow/ubi9-python-3.12/Dockerfile.rocm b/jupyter/rocm/tensorflow/ubi9-python-3.12/Dockerfile.rocm index 8e11eff47f..066f60b86a 100644 --- a/jupyter/rocm/tensorflow/ubi9-python-3.12/Dockerfile.rocm +++ b/jupyter/rocm/tensorflow/ubi9-python-3.12/Dockerfile.rocm @@ -38,8 +38,12 @@ COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # Problem: The operation would result in removing the following protected packages: systemd # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages) # Solution: --best --skip-broken does not work either, so use --nobest -RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \ - && dnf clean all -y +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 +dnf clean all -y +EOF + # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages @@ -53,10 +57,14 @@ RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12" # Install micropipenv and uv to deploy packages from requirements.txt end # Install the oc client begin -RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ - -o /tmp/openshift-client-linux.tar.gz && \ - tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \ - rm -f /tmp/openshift-client-linux.tar.gz +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ + -o /tmp/openshift-client-linux.tar.gz +tar -xzvf /tmp/openshift-client-linux.tar.gz oc +rm -f /tmp/openshift-client-linux.tar.gz +EOF + # Install the oc client end ######################## 
@@ -76,6 +84,7 @@ USER 0 # Dependencies for PDF export begin RUN ./utils/install_pdf_deps.sh ENV PATH="/usr/local/texlive/bin/linux:/usr/local/pandoc/bin:$PATH" + # Dependencies for PDF export end USER 1001 diff --git a/jupyter/tensorflow/ubi9-python-3.12/Dockerfile.cuda b/jupyter/tensorflow/ubi9-python-3.12/Dockerfile.cuda index e8d67e0ff8..c6bc85886a 100644 --- a/jupyter/tensorflow/ubi9-python-3.12/Dockerfile.cuda +++ b/jupyter/tensorflow/ubi9-python-3.12/Dockerfile.cuda @@ -40,8 +40,12 @@ COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # Problem: The operation would result in removing the following protected packages: systemd # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages) # Solution: --best --skip-broken does not work either, so use --nobest -RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \ - && dnf clean all -y +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 +dnf clean all -y +EOF + # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages 
@@ -55,10 +59,14 @@ RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12" # Install micropipenv and uv to deploy packages from requirements.txt end # Install the oc client begin -RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ - -o /tmp/openshift-client-linux.tar.gz && \ - tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \ - rm -f /tmp/openshift-client-linux.tar.gz +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ + -o /tmp/openshift-client-linux.tar.gz +tar -xzvf /tmp/openshift-client-linux.tar.gz oc +rm -f /tmp/openshift-client-linux.tar.gz +EOF + # Install the oc client end ######################### @@ -80,6 +88,7 @@ USER 0 # Dependencies for PDF export begin RUN ./utils/install_pdf_deps.sh ENV PATH="/usr/local/texlive/bin/linux:/usr/local/pandoc/bin:$PATH" + # Dependencies for PDF export end USER 1001 diff --git a/jupyter/trustyai/ubi9-python-3.12/Dockerfile.cpu b/jupyter/trustyai/ubi9-python-3.12/Dockerfile.cpu index 734d5274d3..f4451879c7 100644 --- a/jupyter/trustyai/ubi9-python-3.12/Dockerfile.cpu +++ b/jupyter/trustyai/ubi9-python-3.12/Dockerfile.cpu 
@@ -61,8 +61,12 @@ COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # Problem: The operation would result in removing the following protected packages: systemd # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages) # Solution: --best --skip-broken does not work either, so use --nobest -RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \ - && dnf clean all -y +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 +dnf clean all -y +EOF + # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages @@ -76,10 +80,14 @@ RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12" # Install micropipenv and uv to deploy packages from requirements.txt end # Install the oc client begin -RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ - -o /tmp/openshift-client-linux.tar.gz && \ - tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \ - rm -f /tmp/openshift-client-linux.tar.gz +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ + -o /tmp/openshift-client-linux.tar.gz +tar -xzvf /tmp/openshift-client-linux.tar.gz oc +rm -f /tmp/openshift-client-linux.tar.gz +EOF + # Install the oc client end #################### @@ -100,6 +108,7 @@ USER 0 # Dependencies for PDF export begin RUN ./utils/install_pdf_deps.sh ENV PATH="/usr/local/texlive/bin/linux:/usr/local/pandoc/bin:$PATH" + # Dependencies for PDF export end USER 1001 diff --git a/rstudio/c9s-python-3.12/Dockerfile.cpu b/rstudio/c9s-python-3.12/Dockerfile.cpu index eb86a071c5..686c045f21 100644 --- a/rstudio/c9s-python-3.12/Dockerfile.cpu 
+++ b/rstudio/c9s-python-3.12/Dockerfile.cpu @@ -23,8 +23,12 @@ USER root # Problem: The operation would result in removing the following protected packages: systemd # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages) # Solution: --best --skip-broken does not work either, so use --nobest -RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \ - && dnf clean all -y +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 +dnf clean all -y +EOF + # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages diff --git a/rstudio/c9s-python-3.12/Dockerfile.cuda b/rstudio/c9s-python-3.12/Dockerfile.cuda index 94c66e8344..caeb2a4a7b 100644 --- a/rstudio/c9s-python-3.12/Dockerfile.cuda +++ b/rstudio/c9s-python-3.12/Dockerfile.cuda @@ -19,8 +19,12 @@ USER root # Problem: The operation would result in removing the following protected packages: systemd # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages) # Solution: --best --skip-broken does not work either, so use --nobest -RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \ - && dnf clean all -y +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 +dnf clean all -y +EOF + # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages diff --git a/rstudio/rhel9-python-3.12/Dockerfile.cpu b/rstudio/rhel9-python-3.12/Dockerfile.cpu index 47f16929bd..97b036ffb5 100644 --- a/rstudio/rhel9-python-3.12/Dockerfile.cpu +++ b/rstudio/rhel9-python-3.12/Dockerfile.cpu 
@@ -27,8 +27,12 @@ COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # Problem: The operation would result in removing the following protected packages: systemd # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages) # Solution: --best --skip-broken does not work either, so use --nobest -RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \ - && dnf clean all -y +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 +dnf clean all -y +EOF + # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages diff --git a/rstudio/rhel9-python-3.12/Dockerfile.cuda b/rstudio/rhel9-python-3.12/Dockerfile.cuda index 6e6c73c9ce..e37158f26e 100644 --- a/rstudio/rhel9-python-3.12/Dockerfile.cuda +++ b/rstudio/rhel9-python-3.12/Dockerfile.cuda @@ -27,8 +27,12 @@ COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # Problem: The operation would result in removing the following protected packages: systemd # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages) # Solution: --best --skip-broken does not work either, so use --nobest -RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \ - && dnf clean all -y +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 +dnf clean all -y +EOF + # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages diff --git a/runtimes/datascience/ubi9-python-3.12/Dockerfile.cpu b/runtimes/datascience/ubi9-python-3.12/Dockerfile.cpu index d651d151b3..30910d3d6d 100644 
--- a/runtimes/datascience/ubi9-python-3.12/Dockerfile.cpu +++ b/runtimes/datascience/ubi9-python-3.12/Dockerfile.cpu @@ -29,8 +29,12 @@ ARG TARGETARCH # Problem: The operation would result in removing the following protected packages: systemd # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages) # Solution: --best --skip-broken does not work either, so use --nobest -RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \ - && dnf clean all -y +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 +dnf clean all -y +EOF + # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages @@ -103,10 +107,14 @@ RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12" # Install micropipenv and uv to deploy packages from requirements.txt end # Install the oc client begin -RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ - -o /tmp/openshift-client-linux.tar.gz && \ - tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \ - rm -f /tmp/openshift-client-linux.tar.gz +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ + -o /tmp/openshift-client-linux.tar.gz +tar -xzvf /tmp/openshift-client-linux.tar.gz oc +rm -f /tmp/openshift-client-linux.tar.gz +EOF + # Install the oc client end ############################## diff --git a/runtimes/minimal/ubi9-python-3.12/Dockerfile.cpu b/runtimes/minimal/ubi9-python-3.12/Dockerfile.cpu index 05b9383fc8..d1416b47ac 100644 --- a/runtimes/minimal/ubi9-python-3.12/Dockerfile.cpu +++ b/runtimes/minimal/ubi9-python-3.12/Dockerfile.cpu 
@@ -25,8 +25,12 @@ COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # Problem: The operation would result in removing the following protected packages: systemd # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages) # Solution: --best --skip-broken does not work either, so use --nobest -RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \ - && dnf clean all -y +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 +dnf clean all -y +EOF + # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages @@ -47,10 +51,14 @@ RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12" # Install micropipenv and uv to deploy packages from requirements.txt end # Install the oc client begin -RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ - -o /tmp/openshift-client-linux.tar.gz && \ - tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \ - rm -f /tmp/openshift-client-linux.tar.gz +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ + -o /tmp/openshift-client-linux.tar.gz +tar -xzvf /tmp/openshift-client-linux.tar.gz oc +rm -f /tmp/openshift-client-linux.tar.gz +EOF + # Install the oc client end #################### diff --git a/runtimes/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.cuda b/runtimes/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.cuda index f437345d2a..ecda8b70e3 100644 --- a/runtimes/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.cuda +++ b/runtimes/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.cuda 
@@ -27,8 +27,12 @@ COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # Problem: The operation would result in removing the following protected packages: systemd # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages) # Solution: --best --skip-broken does not work either, so use --nobest -RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \ - && dnf clean all -y +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 +dnf clean all -y +EOF + # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages @@ -42,10 +46,14 @@ RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12" # Install micropipenv and uv to deploy packages from requirements.txt end # Install the oc client begin -RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ - -o /tmp/openshift-client-linux.tar.gz && \ - tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \ - rm -f /tmp/openshift-client-linux.tar.gz +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ + -o /tmp/openshift-client-linux.tar.gz +tar -xzvf /tmp/openshift-client-linux.tar.gz oc +rm -f /tmp/openshift-client-linux.tar.gz +EOF + # Install the oc client end ######################### diff --git a/runtimes/pytorch/ubi9-python-3.12/Dockerfile.cuda b/runtimes/pytorch/ubi9-python-3.12/Dockerfile.cuda index 457d168a1d..17dc8d6faf 100644 --- a/runtimes/pytorch/ubi9-python-3.12/Dockerfile.cuda +++ b/runtimes/pytorch/ubi9-python-3.12/Dockerfile.cuda 
@@ -27,8 +27,12 @@ COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # Problem: The operation would result in removing the following protected packages: systemd # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages) # Solution: --best --skip-broken does not work either, so use --nobest -RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \ - && dnf clean all -y +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 +dnf clean all -y +EOF + # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages @@ -42,10 +46,14 @@ RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12" # Install micropipenv and uv to deploy packages from requirements.txt end # Install the oc client begin -RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ - -o /tmp/openshift-client-linux.tar.gz && \ - tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \ - rm -f /tmp/openshift-client-linux.tar.gz +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ + -o /tmp/openshift-client-linux.tar.gz +tar -xzvf /tmp/openshift-client-linux.tar.gz oc +rm -f /tmp/openshift-client-linux.tar.gz +EOF + # Install the oc client end ######################### diff --git a/runtimes/rocm-pytorch/ubi9-python-3.12/Dockerfile.rocm b/runtimes/rocm-pytorch/ubi9-python-3.12/Dockerfile.rocm index ccc03acf56..781688d9fa 100644 --- a/runtimes/rocm-pytorch/ubi9-python-3.12/Dockerfile.rocm +++ b/runtimes/rocm-pytorch/ubi9-python-3.12/Dockerfile.rocm 
@@ -25,8 +25,12 @@ COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # Problem: The operation would result in removing the following protected packages: systemd # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages) # Solution: --best --skip-broken does not work either, so use --nobest -RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \ - && dnf clean all -y +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 +dnf clean all -y +EOF + # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages @@ -40,10 +44,14 @@ RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12" # Install micropipenv and uv to deploy packages from requirements.txt end # Install the oc client begin -RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ - -o /tmp/openshift-client-linux.tar.gz && \ - tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \ - rm -f /tmp/openshift-client-linux.tar.gz +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ + -o /tmp/openshift-client-linux.tar.gz +tar -xzvf /tmp/openshift-client-linux.tar.gz oc +rm -f /tmp/openshift-client-linux.tar.gz +EOF + # Install the oc client end ######################## diff --git a/runtimes/rocm-tensorflow/ubi9-python-3.12/Dockerfile.rocm b/runtimes/rocm-tensorflow/ubi9-python-3.12/Dockerfile.rocm index 916dfe7d7b..4547435b72 100644 --- a/runtimes/rocm-tensorflow/ubi9-python-3.12/Dockerfile.rocm +++ b/runtimes/rocm-tensorflow/ubi9-python-3.12/Dockerfile.rocm 
@@ -25,8 +25,12 @@ COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # Problem: The operation would result in removing the following protected packages: systemd # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages) # Solution: --best --skip-broken does not work either, so use --nobest -RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \ - && dnf clean all -y +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 +dnf clean all -y +EOF + # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages @@ -40,10 +44,14 @@ RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12" # Install micropipenv and uv to deploy packages from requirements.txt end # Install the oc client begin -RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ - -o /tmp/openshift-client-linux.tar.gz && \ - tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \ - rm -f /tmp/openshift-client-linux.tar.gz +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ + -o /tmp/openshift-client-linux.tar.gz +tar -xzvf /tmp/openshift-client-linux.tar.gz oc +rm -f /tmp/openshift-client-linux.tar.gz +EOF + # Install the oc client end ########################### diff --git a/runtimes/tensorflow/ubi9-python-3.12/Dockerfile.cuda b/runtimes/tensorflow/ubi9-python-3.12/Dockerfile.cuda index dbc463b84b..0160123ad7 100644 --- a/runtimes/tensorflow/ubi9-python-3.12/Dockerfile.cuda +++ b/runtimes/tensorflow/ubi9-python-3.12/Dockerfile.cuda 
@@ -29,8 +29,12 @@ COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # Problem: The operation would result in removing the following protected packages: systemd # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages) # Solution: --best --skip-broken does not work either, so use --nobest -RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \ - && dnf clean all -y +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 +dnf clean all -y +EOF + # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages @@ -44,10 +48,14 @@ RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12" # Install micropipenv and uv to deploy packages from requirements.txt end # Install the oc client begin -RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ - -o /tmp/openshift-client-linux.tar.gz && \ - tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \ - rm -f /tmp/openshift-client-linux.tar.gz +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ + -o /tmp/openshift-client-linux.tar.gz +tar -xzvf /tmp/openshift-client-linux.tar.gz oc +rm -f /tmp/openshift-client-linux.tar.gz +EOF + # Install the oc client end ############################ diff --git a/scripts/dockerfile_fragments.py b/scripts/dockerfile_fragments.py index e2b39829bb..2fd0b6aae7 100755 --- a/scripts/dockerfile_fragments.py +++ b/scripts/dockerfile_fragments.py 
@@ -27,8 +27,12 @@ def main(): # Problem: The operation would result in removing the following protected packages: systemd # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages) # Solution: --best --skip-broken does not work either, so use --nobest - RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \ - && dnf clean all -y + RUN /bin/bash <<'EOF' + set -Eeuxo pipefail + dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 + dnf clean all -y + EOF + """), prefix="upgrade first to avoid fixable vulnerabilities", ) @@ -43,10 +47,14 @@ def main(): blockinfile( dockerfile, textwrap.dedent(r""" - RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ - -o /tmp/openshift-client-linux.tar.gz && \ - tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \ - rm -f /tmp/openshift-client-linux.tar.gz + RUN /bin/bash <<'EOF' + set -Eeuxo pipefail + curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \ + -o /tmp/openshift-client-linux.tar.gz + tar -xzvf /tmp/openshift-client-linux.tar.gz oc + rm -f /tmp/openshift-client-linux.tar.gz + EOF + """), prefix="Install the oc client", ) 
@@ -91,7 +99,10 @@ def blockinfile(filename: str | os.PathLike, contents: str, prefix: str | None = lines = original_lines[:] # NOTE: textwrap.dedent() with raw strings leaves leading and trailing newline - new_contents = contents.strip("\n").splitlines(keepends=True) + # we want to preserve the trailing one because HEREDOC has to have an empty trailing line for hadolint + new_contents = contents.lstrip("\n").splitlines(keepends=True) + if new_contents[-1] == "\n": + new_contents = new_contents[:-1] if begin == end == -1: # add at the end if no markers found lines.append(f"\n{begin_marker}\n") @@ -126,6 +137,13 @@ def test_adding_new_block(self, fs: FakeFilesystem): assert fs.get_object("/config.txt").contents == "hello\nworld\n# begin\nkey=value\n# end\n" + def test_lastnewline_removal(self, fs: FakeFilesystem): + fs.create_file("/config.txt", contents="hello\nworld") + + blockinfile("/config.txt", "key=value\n\n") + + assert fs.get_object("/config.txt").contents == "hello\nworld\n# begin\nkey=value\n\n# end\n" + def test_updating_value_in_block(self, fs: FakeFilesystem): fs.create_file("/config.txt", contents="hello\nworld\n# begin\nkey=value1\n# end\n") From 35f1815c41f9cef197798111a5119fde14f3b4e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?= Date: Thu, 6 Nov 2025 11:40:56 +0100 Subject: [PATCH 5/5] Update scripts/dockerfile_fragments.py Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> --- scripts/dockerfile_fragments.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/dockerfile_fragments.py b/scripts/dockerfile_fragments.py index 2fd0b6aae7..868d9fa383 100755 --- a/scripts/dockerfile_fragments.py +++ b/scripts/dockerfile_fragments.py 
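Review bot: Replacing `strip("\n")` with `lstrip("\n")` changes the output for every fragment, not only the heredoc ones: content ending in a single newline now keeps it, which is presumably why the untouched "Dependencies for PDF export" blocks in this patch gain a blank line before their end marker. If that is intended, the comment should say so, because "preserve the trailing one" reads oddly next to code that drops the last `"\n"` element. I would word it as `# keep one trailing newline so the block ends with a blank line before the end marker (hadolint wants one after a heredoc); a second, empty line is dropped`. The rest of `blockinfile` lies outside this hunk, so the mechanism is inferred from the test expectations and should be confirmed against the marker-writing code.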
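Review bot: `test_lastnewline_removal` is named for a removal, but its assertion checks that a blank line survives before `# end`, so the name will mislead whoever reads a failure; `test_trailing_blank_line_kept` would match what is asserted. The case whose behaviour changed for existing fragments, content ending in exactly one newline, is not covered. A sibling test calling `blockinfile("/config.txt", "key=value\n")` would pin it, with the expected string taken from what the function is meant to produce there.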
@@ -101,7 +101,7 @@ def blockinfile(filename: str | os.PathLike, contents: str, prefix: str | None = # NOTE: textwrap.dedent() with raw strings leaves leading and trailing newline # we want to preserve the trailing one because HEREDOC has to have an empty trailing line for hadolint new_contents = contents.lstrip("\n").splitlines(keepends=True) - if new_contents[-1] == "\n": + if new_contents and new_contents[-1] == "\n": new_contents = new_contents[:-1] if begin == end == -1: # add at the end if no markers found
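Review bot: The added `new_contents and` guard has no regression test, so the empty-contents path it protects is still unexercised. A test that calls `blockinfile("/config.txt", "")` and asserts the resulting file would pin it; the expected output depends on the rest of `blockinfile`, which lies outside this hunk. It is also worth deciding whether an empty block is a valid request or should raise, since after the guard the function presumably writes the two markers with nothing between them.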