Skip to content

NO-JIRA: refactor(jupyter/*/Dockerfile*): wrap multiple RUN commands with bash for improved readability and error handling #2655

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Nov 7, 2025
Merged

NO-JIRA: refactor(jupyter/*/Dockerfile*): wrap multiple RUN commands with bash for improved readability and error handling #2655

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
66 changes: 41 additions & 25 deletions jupyter/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.cuda
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,10 +16,13 @@ FROM registry.access.redhat.com/ubi9/go-toolset:latest AS mongocli-builder
ARG MONGOCLI_VERSION=2.0.4

WORKDIR /tmp/
RUN curl -Lo mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip https://github.com/mongodb/mongodb-cli/archive/refs/tags/mongocli/v${MONGOCLI_VERSION}.zip
RUN unzip ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip
RUN cd ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}/ && \
CGO_ENABLED=1 GOOS=linux go build -a -tags strictfipsruntime -o /tmp/mongocli ./cmd/mongocli/
RUN /bin/bash <<'EOF'
set -Eeuxo pipefail
curl -Lo mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip https://github.com/mongodb/mongodb-cli/archive/refs/tags/mongocli/v${MONGOCLI_VERSION}.zip
unzip ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip
cd ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}/
CGO_ENABLED=1 GOOS=linux go build -a -tags strictfipsruntime -o /tmp/mongocli ./cmd/mongocli/
EOF
Comment on lines +19 to +25
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Critical: Variable substitution broken in quoted heredoc.

The heredoc uses <<'EOF' (with single quotes around EOF), which prevents variable expansion. However, line 21 uses ${MONGOCLI_VERSION}, which will not be substituted—the literal string ${MONGOCLI_VERSION} will be passed to curl, causing a malformed URL and build failure.

Fix by using unquoted heredoc delimiter:

-RUN /bin/bash <<'EOF'
+RUN /bin/bash <<EOF
 set -Eeuxo pipefail
 curl -Lo mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip https://github.com/mongodb/mongodb-cli/archive/refs/tags/mongocli/v${MONGOCLI_VERSION}.zip
 unzip ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip

Note: Unquoted heredocs allow variable expansion but also allow command substitution. Verify that no user input or untrusted data is interpolated.

🏁 Script executed:

#!/bin/bash
# Search for the Dockerfile mentioned in the review
fd -t f "Dockerfile.cuda" 2>/dev/null | head -20

Length of output: 733

🏁 Script executed:

#!/bin/bash
# If found, inspect the lines around 19-25
if [ -f "jupyter/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.cuda" ]; then
  echo "=== Lines 15-30 of Dockerfile.cuda ==="
  sed -n '15,30p' "jupyter/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.cuda"
  echo ""
  echo "=== Full context of RUN block at lines 19-25 ==="
  sed -n '19,25p' "jupyter/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.cuda" | cat -A
fi

Length of output: 1010

🏁 Script executed:

#!/bin/bash
# Check git history to see if this was a recent change
if [ -f "jupyter/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.cuda" ]; then
  echo "=== Git log for Dockerfile.cuda (last 5 commits) ==="
  git log --oneline -5 -- "jupyter/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.cuda" 2>/dev/null || echo "Git not available or file not tracked"
  echo ""
  echo "=== Git diff for Dockerfile.cuda ==="
  git diff HEAD -- "jupyter/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.cuda" 2>/dev/null | head -80 || echo "No diff available"
fi

Length of output: 617

🏁 Script executed:

#!/bin/bash
# Check all heredoc blocks in the file to see the pattern
if [ -f "jupyter/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.cuda" ]; then
  echo "=== All heredoc delimiters in Dockerfile ==="
  grep -n "<<" "jupyter/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.cuda"
fi

Length of output: 196

🏁 Script executed:

#!/bin/bash
# Show the refactor commit that introduced this code
echo "=== Git show for refactor commit 45e06a70 (first 150 lines) ==="
git show 45e06a70 -- jupyter/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.cuda 2>/dev/null | head -150

Length of output: 5424

🏁 Script executed:

#!/bin/bash
# Check the file at the parent commit before refactor to see original code
echo "=== Original code before refactor (45e06a70^) ==="
git show 45e06a70^:jupyter/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.cuda 2>/dev/null | sed -n '15,30p' || echo "Cannot access parent commit"

Length of output: 579

🏁 Script executed:

#!/bin/bash
# Look for CI configuration files
find . -maxdepth 2 -type f \( -name "*.yml" -o -name "*.yaml" \) | grep -E "(github|gitlab|circleci|travis|ci)" | head -10

Length of output: 515

🏁 Script executed:

#!/bin/bash
# Check if there's a test or validation script for Dockerfiles
fd -t f "(test|validate|check).*docker" -i | head -10

Length of output: 37

🌐 Web query:

Docker RUN heredoc variable expansion quoted delimiter heredoc <<'EOF'

💡 Result:

Short answer: quoting the heredoc delimiter (e.g. <<'EOF') disables shell-style expansion inside the here‑document. In Dockerfiles that means the builder will not expand variables at parse/build time; the content is kept literal and any expansion (if any) happens later when the shell inside the image runs the script. If the delimiter is unquoted (<<EOF) the builder performs parameter/command/arithmetic expansion on the here-doc content. [1][2][3]

Example — build-time expansion (unquoted):
RUN <<EOF
echo "$FOO"
EOF
If FOO is an ARG/ENV known to the builder, it will be expanded during build and the built RUN receives the expanded text. [1]

Example — literal (quoted delimiter):
RUN <<'EOF'
echo "$FOO"
EOF
The here-doc is kept literal (no expansion by the builder); $FOO will be expanded only at runtime by the shell inside the container (if that shell does expansion). [1][2]

References:

  • Dockerfile Here-Documents and rules for expansion. [1]
  • Bash here-document semantics (quoting disables expansion). [2]
  • Docker blog intro to heredocs (examples/explanation). [3]

🌐 Web query:

Docker ARG expansion in bash heredoc single quote delimiter

💡 Result:

Short answer: quoting the heredoc delimiter (e.g. <<'EOF') prevents shell/Dockerfile-time expansion, so ARG values will not be substituted; leaving it unquoted (<<EOF) lets the shell expand $VAR (and Docker injects ARG into the environment for RUN/COPY). See examples below.

Why: heredoc quoting is a shell rule — if the delimiter is quoted, the heredoc body is taken literally (no parameter/command/arithmetic expansion). Docker passes ARGs into the build environment, but expansion inside a RUN heredoc is done by the shell that executes RUN. Quoting the delimiter disables that shell expansion (and for COPY heredocs Docker also documents that a quoted delimiter prevents build-time expansion). (stackoverflow.com)

Examples

  • expands ARG:
    ARG MY=world
    RUN cat </tmp/x
    hello $MY
    EOF
    -> here $MY is expanded by the shell to "world". (docs.docker.com)

  • does NOT expand ARG (literal $MY):
    ARG MY=world
    RUN cat <<'EOF' >/tmp/x
    hello $MY
    EOF
    -> because the delimiter is quoted, the heredoc is literal and $MY is not expanded. (stackoverflow.com)

References

If you want, tell me which form (RUN versus COPY) and whether you need expansion at build-time or runtime and I’ll give the exact Dockerfile snippet.

Citations:

Fix quoted heredoc delimiter to enable variable expansion.

Quoting the heredoc delimiter (e.g., <<'EOF') disables variable expansion in Docker, so ${MONGOCLI_VERSION} will be passed as a literal string and the URL will be malformed. Change to unquoted delimiter:

-RUN /bin/bash <<'EOF'
+RUN /bin/bash <<EOF
 set -Eeuxo pipefail
 curl -Lo mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip https://github.com/mongodb/mongodb-cli/archive/refs/tags/mongocli/v${MONGOCLI_VERSION}.zip
 unzip ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip
 cd ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}/
 CGO_ENABLED=1 GOOS=linux go build -a -tags strictfipsruntime -o /tmp/mongocli ./cmd/mongocli/
 EOF

Note: Unquoted heredocs allow variable expansion but also command substitution. Verify that no untrusted user input is interpolated.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
RUN /bin/bash <<'EOF'
set -Eeuxo pipefail
curl -Lo mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip https://github.com/mongodb/mongodb-cli/archive/refs/tags/mongocli/v${MONGOCLI_VERSION}.zip
unzip ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip
cd ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}/
CGO_ENABLED=1 GOOS=linux go build -a -tags strictfipsruntime -o /tmp/mongocli ./cmd/mongocli/
EOF
RUN /bin/bash <<EOF
set -Eeuxo pipefail
curl -Lo mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip https://github.com/mongodb/mongodb-cli/archive/refs/tags/mongocli/v${MONGOCLI_VERSION}.zip
unzip ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip
cd ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}/
CGO_ENABLED=1 GOOS=linux go build -a -tags strictfipsruntime -o /tmp/mongocli ./cmd/mongocli/
EOF
🤖 Prompt for AI Agents 
In jupyter/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.cuda around lines
19-25, the heredoc is quoted (<<'EOF') which prevents shell variable expansion
so ${MONGOCLI_VERSION} is not substituted; change the heredoc delimiter from
<<'EOF' to an unquoted <<EOF so variables expand, then re-run the build and
verify the curl URL is correct; also review the heredoc contents to ensure no
untrusted input will be interpolated (or escape specific substitutions if
needed).

Copy link
Member Author

@jiridanek jiridanek Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no, that is not how this works, this is Dockerfile heredoc, not Bash heredoc

Copy link
Contributor

@coderabbitai coderabbitai bot Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧩 Analysis chain

🌐 Web query:

Docker BuildKit heredoc quoted delimiter ARG variable expansion

💡 Result:

Short answer: If the heredoc delimiter is quoted, BuildKit treats the heredoc as literal and the Dockerfile-level expansions (ARG/ENV) are NOT performed at parse/build-time. Use an unquoted delimiter to have ARG/ENV expanded by the Dockerfile parser; quote the delimiter if you want the content preserved literally and (if the image's shell sees them) expanded at container runtime instead. [1][2]

Example:

  • Expand at build-time (ARG expanded into file):
    COPY <<EOF /script.sh
    echo "hello ${FOO}"
    EOF

  • Preserve literal (no build-time expansion; $FOO left for runtime):
    COPY <<'EOF' /script.sh
    echo "hello ${FOO}"
    EOF

References:

  • Dockerfile here-documents (BuildKit): Docker docs. [1]
  • BuildKit / Moby heredoc semantics (quoted delimiter → no expansion). [2]

🌐 Web query:

Docker RUN heredoc single quotes ARG variable expansion behavior

💡 Result:

Short answer

  • A quoted heredoc delimiter (e.g. <<'EOF' or <<"EOF") makes the here-document literal: the shell (or Dockerfile frontend) will NOT perform parameter/command expansion. Unquoted delimiter (<<EOF or <<-EOF) allows expansion. [1][3][4]

How this affects Dockerfile ARG/ENV

  • If you use an unquoted heredoc in a Dockerfile (COPY or RUN with BuildKit), ARG/ENV are expanded at build-time into the heredoc content.
  • If you quote any part of the heredoc delimiter (e.g. <<'EOF'), Docker will not expand variables at build-time; the literal $VAR remains in the file and will only be expanded later at container runtime by the shell/process (if at all). The Docker docs call this out directly. [1][2]

Minimal examples

  • Expanded at build time (unquoted):
    ARG FOO=bar
    RUN cat </tmp/x.sh
    echo "hello ${FOO}"
    EOF
    -> /tmp/x.sh contains echo "hello bar". [1]

  • Not expanded (quoted delimiter):
    ARG FOO=bar
    RUN cat <<'EOF' >/tmp/x.sh
    echo "hello ${FOO}"
    EOF
    -> /tmp/x.sh contains echo "hello ${FOO}" (expansion would happen later at runtime). [1][3]

Sources
[1] Dockerfile reference (heredoc behavior and quoting).
[2] Docker blog: Introduction to heredocs in Dockerfiles.
[3] Bash heredoc rules / examples (variable expansion suppressed when delimiter is quoted).

🌐 Web query:

Dockerfile RUN /bin/bash heredoc ARG environment variable expansion

💡 Result:

Short answer: you control expansion by where and when Docker vs the shell performs substitution.

Key points

  • ARG/ENV are available during RUN (ARG only if declared before). Docker does NOT itself expand ARG inside single-quoted shell literals — expansion happens either by Dockerfile substitution (for some Dockerfile heredocs like COPY) or by the shell you invoke in RUN. [1][2]
  • In a RUN that uses a shell heredoc, the shell inside the RUN performs the here-doc expansion. Use an unquoted delimiter (<<EOF) to allow shell variable expansion, or a quoted delimiter (<<'EOF' or <<\EOF) to suppress expansion. If you need Dockerfile-level expansion before the shell runs, Dockerfile COPY heredocs support expansion at build-time (and obey quoting rules) — see docs. [1][2]
  • To use a build ARG in a RUN heredoc, declare ARG before the RUN; you can also copy ARG into ENV if you need it at runtime.

Minimal examples

  1. Expand ARG in RUN heredoc (shell expands at build time because RUN executes immediately):
    ARG FOO=bar
    RUN /bin/bash -eux -c '
    cat < /tmp/out ;
    echo done ;
    EOF' # wrong: here quoting prevents expansion

Correct (allow shell expansion):
ARG FOO=bar
RUN /bin/bash -eux -c "cat < /tmp/out
$FOO
EOF"

Or more idiomatic (no -c quoting):
ARG FOO=bar
RUN bash -eux <<EOF
echo "$FOO" > /tmp/out
EOF

  1. Prevent expansion (keep literal ${FOO} in file):
    ARG FOO=bar
    RUN bash <<'EOF'
    echo '${FOO}' > /tmp/out
    EOF

Notes/caveats

  • If you need Dockerfile-level substitution (expanded by Docker before any shell runs), use COPY <<EOF heredocs or Dockerfile variable syntax; quoting rules are similar. [1]
  • ARG is only available during build; ENV persists into the image. Use ENV if you want runtime availability. [2]

Sources: Dockerfile reference & variables docs and community notes. [1][2][3]

References
[1] Dockerfile reference — here-docs, variable replacement, COPY heredoc.
[2] Docker build variables (ARG vs ENV).
[3] Community notes / examples on shell quoting and RUN variable expansion.

🌐 Web query:

Docker RUN bash heredoc ARG variables environment available expansion

💡 Result:

Short answer: yes — but expansion is done by the shell that executes RUN (not by Docker itself), and behavior depends on which variables are defined and how the here‑doc delimiter is quoted.

Key points (with examples)

  • ARG is available to later RUN instructions during the build (from the line ARG is declared until stage end). ENV is also available and persists into the built image. Docker exposes these to the RUN shell as environment variables. [1][2]
  • A RUN <<EOF heredoc is fed to the shell invoked by RUN (/bin/sh -c "…"), so variable expansion follows normal shell heredoc rules:
    • unquoted delimiter (<<EOF) → shell expands $VAR and ${VAR} inside the heredoc.
    • quoted delimiter (<<'EOF' or <<"EOF") → no variable expansion by the shell. [1][3]
  • If you want an ARG value expanded into the heredoc at build-time, ensure ARG (or ENV) is defined before the RUN and use an unquoted delimiter. Example:
    ARG FOO=bar
    RUN cat </tmp/file
    value is $FOO
    EOF
    This will write "value is bar" during the build. [1][2]
  • If you need the value only at runtime, use ENV (or pass at docker run) — ARGs are not available to containers created from the image unless you copy them into ENV. [1][4]

Sources:
[1] Dockerfile reference — variable expansion, heredoc notes.
[2] Docker blog: Dockerfile variable expansions / syntax updates.
[3] Shell heredoc quoting behavior (examples on StackOverflow).
[4] Docker best-practices article explaining ARG vs ENV.

🌐 Web query:

Docker ARG available as environment variable in RUN instruction

💡 Result:

Use ARG for build-time values and assign it to an ENV so it’s available to RUN (and to the final image). Example:

Dockerfile:
ARG MY_VAR=default
ENV MY_VAR=${MY_VAR}
RUN echo "$MY_VAR"

Build:
docker build --build-arg MY_VAR=hello -t myimage .

Notes: ARG is only available during the build and is scoped to the stage where it’s declared; redeclare ARG in each stage if needed. ENV persists into the image. [1][2]

Sources:
[1] Dockerfile reference (ARG/ENV examples).
[2] Docker build variables (ARG vs ENV and example).

🏁 Script executed:

#!/bin/bash
# Test Docker heredoc behavior with ARG and quoted delimiter
# Create a minimal test Dockerfile to verify variable expansion behavior

cat > /tmp/test_heredoc.Dockerfile <<'OUTER_EOF'
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest

ARG TEST_VAR=test_value_123

# Test 1: Quoted heredoc delimiter
RUN /bin/bash <<'EOF'
set -x
echo "In quoted heredoc: ${TEST_VAR}"
echo "Result: ${TEST_VAR}" > /tmp/quoted_result.txt
EOF

# Test 2: Unquoted heredoc delimiter  
RUN /bin/bash <<EOF
set -x
echo "In unquoted heredoc: ${TEST_VAR}"
echo "Result: ${TEST_VAR}" > /tmp/unquoted_result.txt
EOF

# Show the results
RUN cat /tmp/quoted_result.txt /tmp/unquoted_result.txt
OUTER_EOF

echo "=== Test Dockerfile created ==="
cat /tmp/test_heredoc.Dockerfile

echo ""
echo "=== Attempting to build test Dockerfile ==="
docker build -f /tmp/test_heredoc.Dockerfile -t heredoc-test /tmp/ 2>&1 || echo "Build failed or Docker not available in sandbox"

Length of output: 655

🌐 Web query:

Docker ARG environment variable RUN heredoc quoted delimiter bash execution

💡 Result:

Short answer — behavior and how to control it

  • In Dockerfile here-documents (RUN/COPY/etc.) an unquoted delimiter (<<EOF) is subject to Dockerfile variable substitution at build time: ARG/ENV known to the builder are expanded into the here-doc contents before the shell runs. Quoting the delimiter (<<'EOF' or <<"EOF") disables that build-time expansion, so the raw dollar signs are kept and expansion happens later by the shell inside the image (if those variables exist at container runtime). [1][2]

  • Practical consequences:

    • If you want the ARG value baked into the file during build, use an unquoted delimiter and pass the arg with --build-arg. Example:
      ARG MYVAL=foo
      RUN < /etc/conf.yml
      value: ${MYVAL}
      EOF
      This writes value: foo into /etc/conf.yml at build time. [1]
    • If you want the file to contain a literal $VAR and be expanded when the container runs, quote the delimiter:
      ARG MYVAL=foo
      RUN <<'EOF' cat > /etc/conf.yml
      value: ${MYVAL}
      EOF
      Now /etc/conf.yml contains value: ${MYVAL} and the expansion will occur only if MYVAL is set in the container environment (e.g. via ENV in Dockerfile or docker run -e). [1][2]

  • Notes:

    • ARG is a build-time variable; it is not available inside the running container unless you explicitly pass it into the image (e.g., ENV VAR=$ARG). If you quote the here-doc and expect runtime expansion, make sure the runtime environment provides the variable. [1]
    • Use <<-EOF to strip leading tabs. Quoting rules and expansion behavior follow POSIX / bash here-doc rules. [2][3]

References

  • Dockerfile variables and here-doc examples (BuildKit heredocs and expansion rules). [1]
  • POSIX / bash here-document quoting and expansion behavior (<<EOF vs <<'EOF'). [2][3]

@jiridanek You're absolutely right, and I apologize for the confusion. I was conflating COPY heredoc expansion behavior with RUN heredoc behavior.

The code works correctly as-is. Here's why:

When you use RUN /bin/bash <<'EOF':

  1. The quoted delimiter prevents Docker/BuildKit from expanding variables at parse time
  2. However, ARG values are automatically exposed as environment variables to the RUN instruction
  3. When bash executes, it expands ${MONGOCLI_VERSION} from its environment, not from Docker-level substitution

So the distinction you're making is crucial:

  • COPY heredocs: Docker does the expansion; quoting the delimiter prevents it
  • RUN heredocs with a shell: The shell does the expansion using ARG values from its environment; quoting only prevents Docker-level expansion

The current code with <<'EOF' is actually a good practice because:

  • It prevents unintended Docker-level expansion/command substitution
  • Bash still gets the ARG values and expands them during execution
  • The script executes with proper variable substitution

Thank you for the correction! The heredoc is working as intended.


####################
# cuda-base #
Expand Down Expand Up @@ -49,7 +52,12 @@ EOF
# upgrade first to avoid fixable vulnerabilities end

# Install useful OS packages
RUN dnf install -y perl mesa-libGL skopeo && dnf clean all && rm -rf /var/cache/yum
RUN /bin/bash <<'EOF'
set -Eeuxo pipefail
dnf install -y perl mesa-libGL skopeo
dnf clean all
rm -rf /var/cache/yum
EOF

# Other apps and tools installed as default user
USER 1001
Expand Down Expand Up @@ -110,7 +118,12 @@ WORKDIR /opt/app-root/bin
USER root

# Install useful OS packages
RUN dnf install -y jq unixODBC postgresql git-lfs libsndfile && dnf clean all && rm -rf /var/cache/yum
RUN /bin/bash <<'EOF'
set -Eeuxo pipefail
dnf install -y jq unixODBC postgresql git-lfs libsndfile
dnf clean all
rm -rf /var/cache/yum
EOF

# Copy dynamically-linked mongocli built in earlier build stage
COPY --from=mongocli-builder /tmp/mongocli /opt/app-root/bin/
Expand Down Expand Up @@ -146,24 +159,27 @@ LABEL name="odh-notebook-jupyter-cuda-pytorch-llmcompressor-ubi9-python-3.12" \
# Install Python packages and Jupyterlab extensions from requirements.txt
COPY ${PYTORCH_SOURCE_CODE}/pylock.toml ./

RUN echo "Installing softwares and packages" && \
# This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`,
# we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml && \
# setup path for runtime configuration
mkdir /opt/app-root/runtimes && \
# Remove default Elyra runtime-images \
rm /opt/app-root/share/jupyter/metadata/runtime-images/*.json && \
# Replace Notebook's launcher, "(ipykernel)" with Python's version 3.x.y \
sed -i -e "s/Python.*/$(python --version | cut -d '.' -f-2)\",/" /opt/app-root/share/jupyter/kernels/python3/kernel.json && \
# copy jupyter configuration
cp /opt/app-root/bin/utils/jupyter_server_config.py /opt/app-root/etc/jupyter && \
# Disable announcement plugin of jupyterlab \
jupyter labextension disable "@jupyterlab/apputils-extension:announcements" && \
# Apply JupyterLab addons \
/opt/app-root/bin/utils/addons/apply.sh && \
# Fix permissions to support pip in Openshift environments \
chmod -R g+w /opt/app-root/lib/python3.12/site-packages && \
fix-permissions /opt/app-root -P
RUN /bin/bash <<'EOF'
set -Eeuxo pipefail
echo "Installing softwares and packages"
# This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`,
# we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml
# setup path for runtime configuration
mkdir /opt/app-root/runtimes
# Remove default Elyra runtime-images
rm /opt/app-root/share/jupyter/metadata/runtime-images/*.json
# Replace Notebook's launcher, "(ipykernel)" with Python's version 3.x.y
sed -i -e "s/Python.*/$(python --version | cut -d '.' -f-2)\",/" /opt/app-root/share/jupyter/kernels/python3/kernel.json
# copy jupyter configuration
cp /opt/app-root/bin/utils/jupyter_server_config.py /opt/app-root/etc/jupyter
# Disable announcement plugin of jupyterlab
jupyter labextension disable "@jupyterlab/apputils-extension:announcements"
# Apply JupyterLab addons
/opt/app-root/bin/utils/addons/apply.sh
# Fix permissions to support pip in Openshift environments
chmod -R g+w /opt/app-root/lib/python3.12/site-packages
fix-permissions /opt/app-root -P
EOF

WORKDIR /opt/app-root/src
66 changes: 41 additions & 25 deletions jupyter/pytorch/ubi9-python-3.12/Dockerfile.cuda
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,10 +16,13 @@ FROM registry.access.redhat.com/ubi9/go-toolset:latest AS mongocli-builder
ARG MONGOCLI_VERSION=2.0.4

WORKDIR /tmp/
RUN curl -Lo mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip https://github.com/mongodb/mongodb-cli/archive/refs/tags/mongocli/v${MONGOCLI_VERSION}.zip
RUN unzip ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip
RUN cd ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}/ && \
CGO_ENABLED=1 GOOS=linux go build -a -tags strictfipsruntime -o /tmp/mongocli ./cmd/mongocli/
RUN /bin/bash <<'EOF'
set -Eeuxo pipefail
curl -Lo mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip https://github.com/mongodb/mongodb-cli/archive/refs/tags/mongocli/v${MONGOCLI_VERSION}.zip
unzip ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip
cd ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}/
CGO_ENABLED=1 GOOS=linux go build -a -tags strictfipsruntime -o /tmp/mongocli ./cmd/mongocli/
EOF
Comment on lines +19 to +25
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 6, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Critical: HEREDOC single-quoted delimiter prevents variable expansion.

The mongocli-builder stage uses ${MONGOCLI_VERSION} within a HEREDOC block delimited by <<'EOF' (single quotes). Single-quoted delimiters disable shell variable expansion, so the curl command will attempt to download a URL containing the literal string ${MONGOCLI_VERSION} instead of the expanded value 2.0.4, causing build failure.

This issue affects all four Dockerfiles in this PR at the mongocli-builder stage and potentially other stages using variables.

Apply this fix to enable variable expansion:

-RUN /bin/bash <<'EOF'
+RUN /bin/bash <<EOF
 set -Eeuxo pipefail
 curl -Lo mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip https://github.com/mongodb/mongodb-cli/archive/refs/tags/mongocli/v${MONGOCLI_VERSION}.zip
 unzip ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip
 cd ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}/
 CGO_ENABLED=1 GOOS=linux go build -a -tags strictfipsruntime -o /tmp/mongocli ./cmd/mongocli/
-EOF
+EOF

Note: Unquoted <<EOF allows variable expansion. This pattern should be applied consistently to all mongocli-builder blocks across all four Dockerfiles (lines 17-25 in rocm/pytorch, rocm/tensorflow, and pytorch+llmcompressor variants).

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
RUN /bin/bash <<'EOF'
set -Eeuxo pipefail
curl -Lo mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip https://github.com/mongodb/mongodb-cli/archive/refs/tags/mongocli/v${MONGOCLI_VERSION}.zip
unzip ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip
cd ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}/
CGO_ENABLED=1 GOOS=linux go build -a -tags strictfipsruntime -o /tmp/mongocli ./cmd/mongocli/
EOF
RUN /bin/bash <<EOF
set -Eeuxo pipefail
curl -Lo mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip https://github.com/mongodb/mongodb-cli/archive/refs/tags/mongocli/v${MONGOCLI_VERSION}.zip
unzip ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip
cd ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}/
CGO_ENABLED=1 GOOS=linux go build -a -tags strictfipsruntime -o /tmp/mongocli ./cmd/mongocli/
EOF
🤖 Prompt for AI Agents 
In jupyter/pytorch/ubi9-python-3.12/Dockerfile.cuda around lines 19 to 25 the
heredoc is opened with <<'EOF' which prevents shell variable expansion so
${MONGOCLI_VERSION} is not expanded; change the heredoc delimiter to an unquoted
<<EOF to allow variable expansion (and update the same mongocli-builder heredoc
in the three other Dockerfiles mentioned at the same stage/lines), keeping
existing set -Eeuxo pipefail and commands unchanged.

Copy link
Member Author

@jiridanek jiridanek Nov 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no, that is not how this works, this is Dockerfile heredoc, not Bash heredoc

Copy link
Contributor

@coderabbitai coderabbitai bot Nov 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧩 Analysis chain

🌐 Web query:

Dockerfile HEREDOC variable expansion single quotes ARG ENV

Error during web search

@jiridanek, you're absolutely right, and I apologize for the incorrect analysis.

In Dockerfile HEREDOCs, Docker expands ARG and ENV variables (like ${MONGOCLI_VERSION}) before passing the script to the shell, regardless of whether the delimiter uses single quotes (<<'EOF') or not. The single quotes only prevent the shell from expanding its own variables (like $HOME or $PATH), but they don't affect Docker's variable substitution.

So your code is correct as written—${MONGOCLI_VERSION} will be properly expanded to 2.0.4 by Docker, and the single quotes ensure that any shell variables within the script aren't unexpectedly expanded by bash.

Thank you for the correction!

✏️ Learnings added 
Learnt from: jiridanek
Repo: opendatahub-io/notebooks PR: 2655
File: jupyter/pytorch/ubi9-python-3.12/Dockerfile.cuda:19-25
Timestamp: 2025-11-06T19:13:35.327Z
Learning: In Dockerfile HEREDOC syntax (e.g., `RUN /bin/bash <<'EOF'`), Docker expands ARG and ENV variables like `${VARIABLE}` before passing the script to the shell, regardless of whether the delimiter uses single quotes (`<<'EOF'`) or not. Single quotes only prevent shell variable expansion within the script itself, not Docker variable expansion.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.


####################
# cuda-base #
Expand Down Expand Up @@ -49,7 +52,12 @@ EOF
# upgrade first to avoid fixable vulnerabilities end

# Install useful OS packages
RUN dnf install -y perl mesa-libGL skopeo && dnf clean all && rm -rf /var/cache/yum
RUN /bin/bash <<'EOF'
set -Eeuxo pipefail
dnf install -y perl mesa-libGL skopeo
dnf clean all
rm -rf /var/cache/yum
EOF

# Other apps and tools installed as default user
USER 1001
Expand Down Expand Up @@ -110,7 +118,12 @@ WORKDIR /opt/app-root/bin
USER root

# Install useful OS packages
RUN dnf install -y jq unixODBC postgresql git-lfs libsndfile libxcrypt-compat && dnf clean all && rm -rf /var/cache/yum
RUN /bin/bash <<'EOF'
set -Eeuxo pipefail
dnf install -y jq unixODBC postgresql git-lfs libsndfile libxcrypt-compat
dnf clean all
rm -rf /var/cache/yum
EOF

# Copy dynamically-linked mongocli built in earlier build stage
COPY --from=mongocli-builder /tmp/mongocli /opt/app-root/bin/
Expand Down Expand Up @@ -146,24 +159,27 @@ LABEL name="odh-notebook-jupyter-cuda-pytorch-ubi9-python-3.12" \
# Install Python packages and Jupyterlab extensions from requirements.txt
COPY ${PYTORCH_SOURCE_CODE}/pylock.toml ./

RUN echo "Installing softwares and packages" && \
# This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`,
# we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml && \
# setup path for runtime configuration
mkdir /opt/app-root/runtimes && \
# Remove default Elyra runtime-images \
rm /opt/app-root/share/jupyter/metadata/runtime-images/*.json && \
# Replace Notebook's launcher, "(ipykernel)" with Python's version 3.x.y \
sed -i -e "s/Python.*/$(python --version | cut -d '.' -f-2)\",/" /opt/app-root/share/jupyter/kernels/python3/kernel.json && \
# copy jupyter configuration
cp /opt/app-root/bin/utils/jupyter_server_config.py /opt/app-root/etc/jupyter && \
# Disable announcement plugin of jupyterlab \
jupyter labextension disable "@jupyterlab/apputils-extension:announcements" && \
# Apply JupyterLab addons \
/opt/app-root/bin/utils/addons/apply.sh && \
# Fix permissions to support pip in Openshift environments \
chmod -R g+w /opt/app-root/lib/python3.12/site-packages && \
fix-permissions /opt/app-root -P
RUN /bin/bash <<'EOF'
set -Eeuxo pipefail
echo "Installing softwares and packages"
# This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`,
# we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml
# setup path for runtime configuration
mkdir /opt/app-root/runtimes
# Remove default Elyra runtime-images
rm /opt/app-root/share/jupyter/metadata/runtime-images/*.json
# Replace Notebook's launcher, "(ipykernel)" with Python's version 3.x.y
sed -i -e "s/Python.*/$(python --version | cut -d '.' -f-2)\",/" /opt/app-root/share/jupyter/kernels/python3/kernel.json
# copy jupyter configuration
cp /opt/app-root/bin/utils/jupyter_server_config.py /opt/app-root/etc/jupyter
# Disable announcement plugin of jupyterlab
jupyter labextension disable "@jupyterlab/apputils-extension:announcements"
# Apply JupyterLab addons
/opt/app-root/bin/utils/addons/apply.sh
# Fix permissions to support pip in Openshift environments
chmod -R g+w /opt/app-root/lib/python3.12/site-packages
fix-permissions /opt/app-root -P
EOF
Comment on lines +162 to +183
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Critical: HEREDOC single quotes prevent $(python --version) command substitution at runtime.

Line 173 uses $(python --version | cut -d '.' -f-2) to dynamically determine the Python version for the Jupyter kernel configuration, but the <<'EOF' delimiter disables shell command substitution. Bash will receive the literal string instead of executing it, leaving the kernel.json sed command malformed.

Change to unquoted <<EOF to allow bash to expand command substitutions:

-RUN /bin/bash <<'EOF'
+RUN /bin/bash <<EOF
 set -Eeuxo pipefail
 echo "Installing softwares and packages"
 # This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`,
 #  we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
 uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml
 # setup path for runtime configuration
 mkdir /opt/app-root/runtimes
 # Remove default Elyra runtime-images
 rm /opt/app-root/share/jupyter/metadata/runtime-images/*.json
 # Replace Notebook's launcher, "(ipykernel)" with Python's version 3.x.y
 sed -i -e "s/Python.*/$(python --version | cut -d '.' -f-2)\",/" /opt/app-root/share/jupyter/kernels/python3/kernel.json
 # copy jupyter configuration
 cp /opt/app-root/bin/utils/jupyter_server_config.py /opt/app-root/etc/jupyter
 # Disable announcement plugin of jupyterlab
 jupyter labextension disable "@jupyterlab/apputils-extension:announcements"
 # Apply JupyterLab addons
 /opt/app-root/bin/utils/addons/apply.sh
 # Fix permissions to support pip in Openshift environments
 chmod -R g+w /opt/app-root/lib/python3.12/site-packages
 fix-permissions /opt/app-root -P
-EOF
+EOF
🤖 Prompt for AI Agents 
In jupyter/pytorch/ubi9-python-3.12/Dockerfile.cuda around lines 162-183, the
heredoc uses a quoted delimiter (<<'EOF') which prevents shell command
substitution so the sed invocation receives the literal $(python --version | cut
-d '.' -f-2) instead of the actual version; to fix, change the heredoc delimiter
from <<'EOF' to an unquoted <<EOF so command substitution runs, and if any
dollar-prefixed literals in the heredoc must remain uninterpolated, escape those
specific $ characters instead of quoting the whole heredoc.

Copy link
Member Author

@jiridanek jiridanek Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no, that is not how this works, this is Dockerfile heredoc, not Bash heredoc

Copy link
Contributor

@coderabbitai coderabbitai bot Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧩 Analysis chain

🌐 Web query:

Dockerfile heredoc RUN command quoted EOF behavior

💡 Result:

Short answer: quoting the heredoc delimiter in a Dockerfile (e.g. <<'EOF' or <<"EOF") disables here-doc expansion; an unquoted delimiter (<<EOF) allows parameter/command/arithmetic expansion and backslash-newline handling. Also use <<-EOF to strip leading tabs. See Docker's docs and standard shell heredoc rules. [1][2]

Examples:

  • Unquoted (expands at build time): RUN <<EOF echo "$FOO" EOF — $FOO is expanded by the builder/shell. [1]
  • Quoted (no expansion by the builder; preserved for runtime shell to expand): RUN <<'EOF' echo "$FOO" EOF — $FOO stays literal until executed in the container. [1][2]
  • Use <<-EOF to strip leading tabs from the heredoc content. [1]

References:

  1. Dockerfile heredoc section — Docker docs. [1]
  2. POSIX/Bash heredoc quoting rules / ShellCheck explanation. [2]

@jiridanek You're absolutely right, and I apologize for the confusion!

In Dockerfile heredocs, the quoted delimiter <<'EOF' prevents Docker BuildKit from expanding Dockerfile variables during the parsing phase, but the literal script content is still passed to /bin/bash, which then performs its own command substitution when executing.

So $(python --version | cut -d '.' -f-2) will be correctly executed by bash at build time, even with the single-quoted heredoc delimiter. The code works as intended.

Thank you for the correction!

✏️ Learnings added 
Learnt from: jiridanek
Repo: opendatahub-io/notebooks PR: 2655
File: jupyter/pytorch/ubi9-python-3.12/Dockerfile.cuda:162-183
Timestamp: 2025-11-07T13:47:32.859Z
Learning: In Dockerfile heredocs (e.g., `RUN /bin/bash <<'EOF'`), the quoted delimiter `<<'EOF'` prevents Docker BuildKit from expanding Dockerfile variables during parsing, but the script content is still passed to the shell interpreter which performs its own command substitution. This is different from bash heredoc behavior where quotes prevent all expansion. Therefore, `$(...)` command substitutions will execute correctly even with `<<'EOF'`.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.


WORKDIR /opt/app-root/src
72 changes: 44 additions & 28 deletions jupyter/rocm/pytorch/ubi9-python-3.12/Dockerfile.rocm
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,10 +14,13 @@ FROM registry.access.redhat.com/ubi9/go-toolset:latest AS mongocli-builder
ARG MONGOCLI_VERSION=2.0.4

WORKDIR /tmp/
RUN curl -Lo mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip https://github.com/mongodb/mongodb-cli/archive/refs/tags/mongocli/v${MONGOCLI_VERSION}.zip
RUN unzip ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip
RUN cd ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}/ && \
CGO_ENABLED=1 GOOS=linux go build -a -tags strictfipsruntime -o /tmp/mongocli ./cmd/mongocli/
RUN /bin/bash <<'EOF'
set -Eeuxo pipefail
curl -Lo mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip https://github.com/mongodb/mongodb-cli/archive/refs/tags/mongocli/v${MONGOCLI_VERSION}.zip
unzip ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip
cd ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}/
CGO_ENABLED=1 GOOS=linux go build -a -tags strictfipsruntime -o /tmp/mongocli ./cmd/mongocli/
EOF

####################
# rocm-base #
Expand Down Expand Up @@ -47,7 +50,12 @@ EOF
# upgrade first to avoid fixable vulnerabilities end

# Install useful OS packages
RUN dnf install -y perl mesa-libGL skopeo && dnf clean all && rm -rf /var/cache/yum
RUN /bin/bash <<'EOF'
set -Eeuxo pipefail
dnf install -y perl mesa-libGL skopeo
dnf clean all
rm -rf /var/cache/yum
EOF

# Other apps and tools installed as default user
USER 1001
Expand Down Expand Up @@ -108,7 +116,12 @@ WORKDIR /opt/app-root/bin
USER root

# Install useful OS packages
RUN dnf install -y jq unixODBC postgresql git-lfs libsndfile libxcrypt-compat && dnf clean all && rm -rf /var/cache/yum
RUN /bin/bash <<'EOF'
set -Eeuxo pipefail
dnf install -y jq unixODBC postgresql git-lfs libsndfile libxcrypt-compat
dnf clean all
rm -rf /var/cache/yum
EOF

# Copy dynamically-linked mongocli built in earlier build stage
COPY --from=mongocli-builder /tmp/mongocli /opt/app-root/bin/
Expand Down Expand Up @@ -143,27 +156,30 @@ LABEL name="odh-notebook-jupyter-rocm-pytorch-ubi9-python-3.12" \

COPY ${PYTORCH_SOURCE_CODE}/pylock.toml ${PYTORCH_SOURCE_CODE}/de-vendor-torch.sh ./

RUN echo "Installing softwares and packages" && \
# This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`,
# we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml && \
# setup path for runtime configuration
mkdir /opt/app-root/runtimes && \
# Remove default Elyra runtime-images \
rm /opt/app-root/share/jupyter/metadata/runtime-images/*.json && \
# Replace Notebook's launcher, "(ipykernel)" with Python's version 3.x.y \
sed -i -e "s/Python.*/$(python --version | cut -d '.' -f-2)\",/" /opt/app-root/share/jupyter/kernels/python3/kernel.json && \
# copy jupyter configuration
cp /opt/app-root/bin/utils/jupyter_server_config.py /opt/app-root/etc/jupyter && \
# Disable announcement plugin of jupyterlab \
jupyter labextension disable "@jupyterlab/apputils-extension:announcements" && \
# Apply JupyterLab addons \
/opt/app-root/bin/utils/addons/apply.sh && \
# De-vendor the ROCm libs that are embedded in Pytorch \
./de-vendor-torch.sh && \
rm ./de-vendor-torch.sh && \
# Fix permissions to support pip in Openshift environments \
chmod -R g+w /opt/app-root/lib/python3.12/site-packages && \
fix-permissions /opt/app-root -P
RUN /bin/bash <<'EOF'
set -Eeuxo pipefail
echo "Installing softwares and packages"
# This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`,
# we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml
# setup path for runtime configuration
mkdir /opt/app-root/runtimes
# Remove default Elyra runtime-images
rm /opt/app-root/share/jupyter/metadata/runtime-images/*.json
# Replace Notebook's launcher, "(ipykernel)" with Python's version 3.x.y
sed -i -e "s/Python.*/$(python --version | cut -d '.' -f-2)\",/" /opt/app-root/share/jupyter/kernels/python3/kernel.json
# copy jupyter configuration
cp /opt/app-root/bin/utils/jupyter_server_config.py /opt/app-root/etc/jupyter
# Disable announcement plugin of jupyterlab
jupyter labextension disable "@jupyterlab/apputils-extension:announcements"
# Apply JupyterLab addons
/opt/app-root/bin/utils/addons/apply.sh
# De-vendor the ROCm libs that are embedded in Pytorch
./de-vendor-torch.sh
rm ./de-vendor-torch.sh
# Fix permissions to support pip in Openshift environments
chmod -R g+w /opt/app-root/lib/python3.12/site-packages
fix-permissions /opt/app-root -P
EOF

WORKDIR /opt/app-root/src
68 changes: 42 additions & 26 deletions jupyter/rocm/tensorflow/ubi9-python-3.12/Dockerfile.rocm
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,10 +14,13 @@ FROM registry.access.redhat.com/ubi9/go-toolset:latest AS mongocli-builder
ARG MONGOCLI_VERSION=2.0.4

WORKDIR /tmp/
RUN curl -Lo mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip https://github.com/mongodb/mongodb-cli/archive/refs/tags/mongocli/v${MONGOCLI_VERSION}.zip
RUN unzip ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip
RUN cd ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}/ && \
CGO_ENABLED=1 GOOS=linux go build -a -tags strictfipsruntime -o /tmp/mongocli ./cmd/mongocli/
RUN /bin/bash <<'EOF'
set -Eeuxo pipefail
curl -Lo mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip https://github.com/mongodb/mongodb-cli/archive/refs/tags/mongocli/v${MONGOCLI_VERSION}.zip
unzip ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}.zip
cd ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}/
CGO_ENABLED=1 GOOS=linux go build -a -tags strictfipsruntime -o /tmp/mongocli ./cmd/mongocli/
EOF

####################
# rocm-base #
Expand Down Expand Up @@ -47,7 +50,12 @@ EOF
# upgrade first to avoid fixable vulnerabilities end

# Install useful OS packages
RUN dnf install -y perl mesa-libGL skopeo && dnf clean all && rm -rf /var/cache/yum
RUN /bin/bash <<'EOF'
set -Eeuxo pipefail
dnf install -y perl mesa-libGL skopeo
dnf clean all
rm -rf /var/cache/yum
EOF

# Other apps and tools installed as default user
USER 1001
Expand Down Expand Up @@ -108,7 +116,12 @@ WORKDIR /opt/app-root/bin
USER root

# Install useful OS packages
RUN dnf install -y jq unixODBC postgresql git-lfs libsndfile && dnf clean all && rm -rf /var/cache/yum
RUN /bin/bash <<'EOF'
set -Eeuxo pipefail
dnf install -y jq unixODBC postgresql git-lfs libsndfile
dnf clean all
rm -rf /var/cache/yum
EOF

# Copy dynamically-linked mongocli built in earlier build stage
COPY --from=mongocli-builder /tmp/mongocli /opt/app-root/bin/
Expand Down Expand Up @@ -144,26 +157,29 @@ LABEL name="odh-notebook-jupyter-rocm-tensorflow-ubi9-python-3.12" \

COPY ${TENSORFLOW_SOURCE_CODE}/pylock.toml ./

RUN echo "Installing softwares and packages" && \
# This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`,
# we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
# Not using --build-constraints=./requirements.txt because error: Unnamed requirements are not allowed as constraints (found: `https://repo.radeon.com/rocm/manylinux/rocm-rel-6.4/
uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml && \
# setup path for runtime configuration
mkdir /opt/app-root/runtimes && \
# Remove default Elyra runtime-images \
rm /opt/app-root/share/jupyter/metadata/runtime-images/*.json && \
# Replace Notebook's launcher, "(ipykernel)" with Python's version 3.x.y \
sed -i -e "s/Python.*/$(python --version | cut -d '.' -f-2)\",/" /opt/app-root/share/jupyter/kernels/python3/kernel.json && \
# copy jupyter configuration
cp /opt/app-root/bin/utils/jupyter_server_config.py /opt/app-root/etc/jupyter && \
# Disable announcement plugin of jupyterlab \
jupyter labextension disable "@jupyterlab/apputils-extension:announcements" && \
# Apply JupyterLab addons \
/opt/app-root/bin/utils/addons/apply.sh && \
# Fix permissions to support pip in Openshift environments \
chmod -R g+w /opt/app-root/lib/python3.12/site-packages && \
fix-permissions /opt/app-root -P
RUN /bin/bash <<'EOF'
set -Eeuxo pipefail
echo "Installing softwares and packages"
# This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`,
# we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
# Not using --build-constraints=./requirements.txt because error: Unnamed requirements are not allowed as constraints (found: `https://repo.radeon.com/rocm/manylinux/rocm-rel-6.4/
uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml
# setup path for runtime configuration
mkdir /opt/app-root/runtimes
# Remove default Elyra runtime-images
rm /opt/app-root/share/jupyter/metadata/runtime-images/*.json
# Replace Notebook's launcher, "(ipykernel)" with Python's version 3.x.y
sed -i -e "s/Python.*/$(python --version | cut -d '.' -f-2)\",/" /opt/app-root/share/jupyter/kernels/python3/kernel.json
# copy jupyter configuration
cp /opt/app-root/bin/utils/jupyter_server_config.py /opt/app-root/etc/jupyter
# Disable announcement plugin of jupyterlab
jupyter labextension disable "@jupyterlab/apputils-extension:announcements"
# Apply JupyterLab addons
/opt/app-root/bin/utils/addons/apply.sh
# Fix permissions to support pip in Openshift environments
chmod -R g+w /opt/app-root/lib/python3.12/site-packages
fix-permissions /opt/app-root -P
EOF
Comment on lines +160 to +182
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Critical: Heredoc with single-quoted delimiter prevents bash command substitution on line 172.

Line 172 contains $(python --version | cut -d '.' -f-2), which requires bash command substitution at runtime. However, the heredoc uses <<'EOF' (single quotes around the delimiter), which tells bash to treat the entire heredoc content literally—preventing variable expansion and command substitution.

This means the sed command will receive the literal string $(python --version | cut -d '.' -f-2) instead of the evaluated Python version, breaking the kernel.json modification.

Change the heredoc delimiter from <<'EOF' to <<EOF to allow bash to expand the command substitution:

-RUN /bin/bash <<'EOF'
+RUN /bin/bash <<EOF
 set -Eeuxo pipefail
 echo "Installing softwares and packages"
 # This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`,
 #  we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
 # Not using --build-constraints=./requirements.txt because error: Unnamed requirements are not allowed as constraints (found: `https://repo.radeon.com/rocm/manylinux/rocm-rel-6.4/
 uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml
 # setup path for runtime configuration
 mkdir /opt/app-root/runtimes
 # Remove default Elyra runtime-images
 rm /opt/app-root/share/jupyter/metadata/runtime-images/*.json
 # Replace Notebook's launcher, "(ipykernel)" with Python's version 3.x.y
 sed -i -e "s/Python.*/$(python --version | cut -d '.' -f-2)\",/" /opt/app-root/share/jupyter/kernels/python3/kernel.json
 # copy jupyter configuration
 cp /opt/app-root/bin/utils/jupyter_server_config.py /opt/app-root/etc/jupyter
 # Disable announcement plugin of jupyterlab
 jupyter labextension disable "@jupyterlab/apputils-extension:announcements"
 # Apply JupyterLab addons
 /opt/app-root/bin/utils/addons/apply.sh
 # Fix permissions to support pip in Openshift environments
 chmod -R g+w /opt/app-root/lib/python3.12/site-packages
 fix-permissions /opt/app-root -P
 EOF

Alternatively, use double quotes: <<"EOF", which also allows command substitution and variable expansion.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
RUN /bin/bash <<'EOF'
set -Eeuxo pipefail
echo "Installing softwares and packages"
# This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`,
# we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
# Not using --build-constraints=./requirements.txt because error: Unnamed requirements are not allowed as constraints (found: `https://repo.radeon.com/rocm/manylinux/rocm-rel-6.4/
uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml
# setup path for runtime configuration
mkdir /opt/app-root/runtimes
# Remove default Elyra runtime-images
rm /opt/app-root/share/jupyter/metadata/runtime-images/*.json
# Replace Notebook's launcher, "(ipykernel)" with Python's version 3.x.y
sed -i -e "s/Python.*/$(python --version | cut -d '.' -f-2)\",/" /opt/app-root/share/jupyter/kernels/python3/kernel.json
# copy jupyter configuration
cp /opt/app-root/bin/utils/jupyter_server_config.py /opt/app-root/etc/jupyter
# Disable announcement plugin of jupyterlab
jupyter labextension disable "@jupyterlab/apputils-extension:announcements"
# Apply JupyterLab addons
/opt/app-root/bin/utils/addons/apply.sh
# Fix permissions to support pip in Openshift environments
chmod -R g+w /opt/app-root/lib/python3.12/site-packages
fix-permissions /opt/app-root -P
EOF
RUN /bin/bash <<EOF
set -Eeuxo pipefail
echo "Installing softwares and packages"
# This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`,
# we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
# Not using --build-constraints=./requirements.txt because error: Unnamed requirements are not allowed as constraints (found: `https://repo.radeon.com/rocm/manylinux/rocm-rel-6.4/
uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml
# setup path for runtime configuration
mkdir /opt/app-root/runtimes
# Remove default Elyra runtime-images
rm /opt/app-root/share/jupyter/metadata/runtime-images/*.json
# Replace Notebook's launcher, "(ipykernel)" with Python's version 3.x.y
sed -i -e "s/Python.*/$(python --version | cut -d '.' -f-2)\",/" /opt/app-root/share/jupyter/kernels/python3/kernel.json
# copy jupyter configuration
cp /opt/app-root/bin/utils/jupyter_server_config.py /opt/app-root/etc/jupyter
# Disable announcement plugin of jupyterlab
jupyter labextension disable "@jupyterlab/apputils-extension:announcements"
# Apply JupyterLab addons
/opt/app-root/bin/utils/addons/apply.sh
# Fix permissions to support pip in Openshift environments
chmod -R g+w /opt/app-root/lib/python3.12/site-packages
fix-permissions /opt/app-root -P
EOF
🤖 Prompt for AI Agents 
In jupyter/rocm/tensorflow/ubi9-python-3.12/Dockerfile.rocm around lines 160 to
182, the heredoc is opened with <<'EOF' which disables shell expansions so the
sed line receives the literal $(python --version | cut -d '.' -f-2); change the
heredoc delimiter to allow expansion (e.g. use <<EOF or <<"EOF") so command
substitution runs at runtime, then verify the sed command produces the intended
Python version string and that any embedded dollar signs are escaped if you
intend them to remain literal.

⚠️ Potential issue | 🔴 Critical

Critical: Heredoc with single-quoted delimiter prevents bash command substitution on line 172.

Line 172 contains $(python --version | cut -d '.' -f-2), which requires bash command substitution to execute at runtime. The heredoc uses <<'EOF' (single quotes around the delimiter), which tells bash to treat the heredoc content literally—preventing variable expansion and command substitution. This means sed will receive the literal string $(python --version | cut -d '.' -f-2) instead of evaluating it to the actual Python version, breaking the kernel.json modification.

Change the heredoc delimiter to allow command substitution:

-RUN /bin/bash <<'EOF'
+RUN /bin/bash <<EOF
 set -Eeuxo pipefail
 echo "Installing softwares and packages"
 # This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`,
 #  we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
 # Not using --build-constraints=./requirements.txt because error: Unnamed requirements are not allowed as constraints (found: `https://repo.radeon.com/rocm/manylinux/rocm-rel-6.4/
 uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml
 # setup path for runtime configuration
 mkdir /opt/app-root/runtimes
 # Remove default Elyra runtime-images
 rm /opt/app-root/share/jupyter/metadata/runtime-images/*.json
 # Replace Notebook's launcher, "(ipykernel)" with Python's version 3.x.y
 sed -i -e "s/Python.*/$(python --version | cut -d '.' -f-2)\",/" /opt/app-root/share/jupyter/kernels/python3/kernel.json
 # copy jupyter configuration
 cp /opt/app-root/bin/utils/jupyter_server_config.py /opt/app-root/etc/jupyter
 # Disable announcement plugin of jupyterlab
 jupyter labextension disable "@jupyterlab/apputils-extension:announcements"
 # Apply JupyterLab addons
 /opt/app-root/bin/utils/addons/apply.sh
 # Fix permissions to support pip in Openshift environments
 chmod -R g+w /opt/app-root/lib/python3.12/site-packages
 fix-permissions /opt/app-root -P
 EOF
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
RUN /bin/bash <<'EOF'
set -Eeuxo pipefail
echo "Installing softwares and packages"
# This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`,
# we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
# Not using --build-constraints=./requirements.txt because error: Unnamed requirements are not allowed as constraints (found: `https://repo.radeon.com/rocm/manylinux/rocm-rel-6.4/
uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml
# setup path for runtime configuration
mkdir /opt/app-root/runtimes
# Remove default Elyra runtime-images
rm /opt/app-root/share/jupyter/metadata/runtime-images/*.json
# Replace Notebook's launcher, "(ipykernel)" with Python's version 3.x.y
sed -i -e "s/Python.*/$(python --version | cut -d '.' -f-2)\",/" /opt/app-root/share/jupyter/kernels/python3/kernel.json
# copy jupyter configuration
cp /opt/app-root/bin/utils/jupyter_server_config.py /opt/app-root/etc/jupyter
# Disable announcement plugin of jupyterlab
jupyter labextension disable "@jupyterlab/apputils-extension:announcements"
# Apply JupyterLab addons
/opt/app-root/bin/utils/addons/apply.sh
# Fix permissions to support pip in Openshift environments
chmod -R g+w /opt/app-root/lib/python3.12/site-packages
fix-permissions /opt/app-root -P
EOF
RUN /bin/bash <<EOF
set -Eeuxo pipefail
echo "Installing softwares and packages"
# This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`,
# we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
# Not using --build-constraints=./requirements.txt because error: Unnamed requirements are not allowed as constraints (found: `https://repo.radeon.com/rocm/manylinux/rocm-rel-6.4/
uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml
# setup path for runtime configuration
mkdir /opt/app-root/runtimes
# Remove default Elyra runtime-images
rm /opt/app-root/share/jupyter/metadata/runtime-images/*.json
# Replace Notebook's launcher, "(ipykernel)" with Python's version 3.x.y
sed -i -e "s/Python.*/$(python --version | cut -d '.' -f-2)\",/" /opt/app-root/share/jupyter/kernels/python3/kernel.json
# copy jupyter configuration
cp /opt/app-root/bin/utils/jupyter_server_config.py /opt/app-root/etc/jupyter
# Disable announcement plugin of jupyterlab
jupyter labextension disable "@jupyterlab/apputils-extension:announcements"
# Apply JupyterLab addons
/opt/app-root/bin/utils/addons/apply.sh
# Fix permissions to support pip in Openshift environments
chmod -R g+w /opt/app-root/lib/python3.12/site-packages
fix-permissions /opt/app-root -P
EOF
🤖 Prompt for AI Agents 
In jupyter/rocm/tensorflow/ubi9-python-3.12/Dockerfile.rocm around lines
160-182, the heredoc is started with <<'EOF' which prevents command substitution
so the expression $(python --version | cut -d '.' -f-2) on line 172 is not
evaluated; change the heredoc delimiter to an unquoted form (e.g., <<EOF) so
bash will perform command substitution at runtime, leaving the sed invocation to
receive the evaluated Python version; keep the rest of the block intact and
ensure no other literal-quoting is introduced that would block expansion.

Copy link
Member Author

@jiridanek jiridanek Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

no, that is not how this works, this is Dockerfile heredoc, not Bash heredoc

Copy link
Contributor

@coderabbitai coderabbitai bot Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Fetch Dockerfile HEREDOC documentation to confirm behavior
curl -s https://docs.docker.com/engine/reference/builder/ | grep -A 20 -i "heredoc" | head -50

Length of output: 0

🌐 Web query:

Dockerfile HEREDOC single quotes variable expansion

💡 Result:

Short answer: quote the heredoc delimiter with single quotes (<<'EOF') to prevent variable and command expansion; leave it unquoted (<<EOF) to have expansion happen at Dockerfile/build time. Example:

  • Unquoted (expands at build time):
    ARG FOO=bar
    RUN <<EOF
    echo "$FOO"
    EOF
    -> prints "bar". [1]

  • Single-quoted delimiter (no expansion; literal left for runtime):
    ARG FOO=bar
    RUN <<'EOF'
    echo "$FOO"
    EOF
    -> prints value from the container/runtime environment, not expanded during build. [1][2]

References: Dockerfile heredoc behavior and examples. [1][2]

@jiridanek You're absolutely right, and I apologize for the incorrect analysis!

I confused Dockerfile HEREDOC behavior with bash heredoc behavior. In Dockerfile HEREDOCs:

  • <<'EOF' (single-quoted delimiter) prevents Dockerfile variable expansion (like ${ARG_NAME} or ${ENV_VAR}) at build time
  • <<EOF (unquoted delimiter) allows Dockerfile to expand those variables before passing to bash

However, in both cases, the content is passed to the bash shell for execution, and bash will still perform its own command substitution on $(...) expressions when it runs the script.

So your code is correct as-is:

RUN /bin/bash <<'EOF'
sed -i -e "s/Python.*/$(python --version | cut -d '.' -f-2)\",/" /opt/app-root/share/jupyter/kernels/python3/kernel.json
EOF

The $(python --version | cut -d '.' -f-2) will be evaluated by bash at runtime, not by Dockerfile at build time, which is the intended behavior. Using <<'EOF' is actually the correct choice here to avoid any unintended Dockerfile variable expansion while still allowing bash to execute the command substitution.

My previous comments were incorrect and should be disregarded. Thank you for the correction!

     /\_/\
    ( o.o )
     > ^ <
   Learned something new! 🐰


COPY ${JUPYTER_REUSABLE_UTILS}/usercustomize.pth ${JUPYTER_REUSABLE_UTILS}/monkey_patch_protobuf_6x.py /opt/app-root/lib/python3.12/site-packages/

Expand Down
Loading
Loading