diff --git a/rstudio/c9s-python-3.12/Dockerfile.cpu b/rstudio/c9s-python-3.12/Dockerfile.cpu index 686c045f2..53876ffc0 100644 --- a/rstudio/c9s-python-3.12/Dockerfile.cpu +++ b/rstudio/c9s-python-3.12/Dockerfile.cpu @@ -33,7 +33,12 @@ EOF # Install useful OS packages # remove skopeo, CVE-2025-4674 -RUN dnf install -y mesa-libGL && dnf clean all && rm -rf /var/cache/yum +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf install -y mesa-libGL +dnf clean all +rm -rf /var/cache/yum +EOF # Other apps and tools installed as default user USER 1001 
@@ -65,51 +70,63 @@ USER 0 ENV R_VERSION=4.5.1 # Install R -RUN dnf install -y 'dnf-command(config-manager)' && \ - dnf config-manager --set-enabled crb && \ - dnf install -y https://download.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \ - INSTALL_PKGS="R-core R-core-devel R-java R-Rcpp R-highlight \ - R-littler R-littler-examples openssl-libs compat-openssl11" && \ - dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \ - echo 'options(repos = c(CRAN = "https://cran.rstudio.com/"), download.file.method = "libcurl")' >> /usr/lib64/R/etc/Rprofile.site && \ - (umask 002;touch /usr/lib64/R/etc/Renviron.site) && \ - dnf -y clean all --enablerepo='*' +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf install -y 'dnf-command(config-manager)' +dnf config-manager --set-enabled crb +dnf install -y https://download.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm +INSTALL_PKGS="R-core R-core-devel R-java R-Rcpp R-highlight \ +R-littler R-littler-examples openssl-libs compat-openssl11" +dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS +echo 'options(repos = c(CRAN = "https://cran.rstudio.com/"), download.file.method = "libcurl")' >> /usr/lib64/R/etc/Rprofile.site +(umask 002;touch /usr/lib64/R/etc/Renviron.site) +dnf -y clean all --enablerepo='*' +EOF # set R library to default (used in install.r from littler) ENV LIBLOC=/usr/lib64/R/library ENV R_LIBS_USER=/opt/app-root/bin/Rpackages/4.5 -RUN chmod -R a+w ${LIBLOC} && \ - # create User R Library path - mkdir -p ${R_LIBS_USER} && \ - chmod -R a+w ${R_LIBS_USER} +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +chmod -R a+w ${LIBLOC} +# create User R Library path +mkdir -p ${R_LIBS_USER} +chmod -R a+w ${R_LIBS_USER} +EOF WORKDIR /tmp/ COPY /rstudio/utils /tmp/utils # Install RStudio ARG RSTUDIO_RPM=rstudio-server-rhel-2025.09.0-387-x86_64.rpm -RUN wget --progress=dot:giga https://download2.rstudio.org/server/rhel9/x86_64/${RSTUDIO_RPM} && \ - dnf install -y ${RSTUDIO_RPM} && \ - rm ${RSTUDIO_RPM} 
&& \ - dnf -y clean all --enablerepo='*' && \ - # Specific RStudio config and fixes - chmod 1777 /var/run/rstudio-server && \ - mkdir -p /usr/share/doc/R && \ - # package installation - # install necessary texlive-framed package to make Knit R markup to PDF rendering possible - dnf install -y libgit2-devel.x86_64 libcurl-devel harfbuzz-devel.x86_64 fribidi-devel.x86_64 cmake "flexiblas-*" texlive-framed && \ - dnf clean all && \ - rm -rf /var/cache/yum && \ - (cd /tmp/utils && ./cve_remediation.sh) +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +wget --progress=dot:giga https://download2.rstudio.org/server/rhel9/x86_64/${RSTUDIO_RPM} +dnf install -y ${RSTUDIO_RPM} +rm ${RSTUDIO_RPM} +dnf -y clean all --enablerepo='*' +# Specific RStudio config and fixes +chmod 1777 /var/run/rstudio-server +mkdir -p /usr/share/doc/R +# package installation +# install necessary texlive-framed package to make Knit R markup to PDF rendering possible +dnf install -y libgit2-devel.x86_64 libcurl-devel harfbuzz-devel.x86_64 fribidi-devel.x86_64 cmake "flexiblas-*" texlive-framed +dnf clean all +rm -rf /var/cache/yum +(cd /tmp/utils && ./cve_remediation.sh) +EOF COPY ${RSTUDIO_SOURCE_CODE}/rsession.conf /etc/rstudio/rsession.conf # Install R packages # https://cran.r-project.org/web/packages COPY ${RSTUDIO_SOURCE_CODE}/install_packages.R ./ -RUN R -f ./install_packages.R && \ - rm ./install_packages.R +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +R -f ./install_packages.R +rm ./install_packages.R +EOF ENV APP_ROOT=/opt/app-root 
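Review bot: The RStudio Server RPM in the `# Install RStudio` RUN is fetched with `wget` and handed straight to `dnf install -y ${RSTUDIO_RPM}` with no integrity check, and by default dnf does not GPG-check local package files (`localpkg_gpgcheck` is off). TLS protects the transfer but not a replaced artifact on the download host. Pin a digest next to the pinned version, for example a new `ARG RSTUDIO_RPM_SHA256=<sha256 of the pinned RPM>`, and after the `wget` line add `echo "${RSTUDIO_RPM_SHA256}  ${RSTUDIO_RPM}" | sha256sum -c -`. The same block appears in the c9s Dockerfile.cuda hunk and in both rhel9 Dockerfiles.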
@@ -125,12 +142,15 @@ ENV NGINX_VERSION=1.24 \ NGINX_PERL_MODULE_PATH=${APP_ROOT}/etc/perl # Modules does not exist -RUN dnf -y module enable nginx:$NGINX_VERSION && \ - INSTALL_PKGS="nss_wrapper bind-utils gettext hostname nginx nginx-mod-stream nginx-mod-http-perl httpd" && \ - dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \ - rpm -V $INSTALL_PKGS && \ - nginx -v 2>&1 | grep -qe "nginx/$NGINX_VERSION\." && echo "Found VERSION $NGINX_VERSION" && \ - dnf -y clean all --enablerepo='*' +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y module enable nginx:$NGINX_VERSION +INSTALL_PKGS="nss_wrapper bind-utils gettext hostname nginx nginx-mod-stream nginx-mod-http-perl httpd" +dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS +rpm -V $INSTALL_PKGS +nginx -v 2>&1 | grep -qe "nginx/$NGINX_VERSION\." && echo "Found VERSION $NGINX_VERSION" +dnf -y clean all --enablerepo='*' +EOF # Configure httpd for CGI processing COPY --chown=1001:0 ${RSTUDIO_SOURCE_CODE}/httpd/httpd.conf /etc/httpd/conf/httpd.conf 
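Review bot: The nginx version check no longer fails the build. In `nginx -v 2>&1 | grep -qe "nginx/$NGINX_VERSION\." && echo "Found VERSION $NGINX_VERSION"` the pipeline sits on the left of `&&`, where `set -e` is ignored, so on a mismatch the script continues to `dnf -y clean all` and the RUN succeeds. In the old `&& \` chain a failed grep aborted the step. Put the check on its own line, `nginx -v 2>&1 | grep -qe "nginx/$NGINX_VERSION\."` followed by `echo "Found VERSION $NGINX_VERSION"`, as the c9s Dockerfile.cuda hunk in this commit already does. The rhel9 Dockerfile.cpu and Dockerfile.cuda hunks carry the same line.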
@@ -155,30 +175,33 @@ COPY ${RSTUDIO_SOURCE_CODE}/nginx/api/ /opt/app-root/api/ # UID=1001 && GID=0 # UID=&& GID=0 # UID=1001 && GID= -RUN sed -i -f ${NGINX_APP_ROOT}/nginxconf.sed ${NGINX_CONF_PATH} && \ - mkdir -p ${NGINX_APP_ROOT}/etc/nginx.d/ && \ - mkdir -p ${NGINX_APP_ROOT}/etc/nginx.default.d/ && \ - mkdir -p ${NGINX_APP_ROOT}/api/ && \ - mkdir -p ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \ - mkdir -p ${NGINX_LOG_PATH} && \ - mkdir -p ${NGINX_PERL_MODULE_PATH} && \ - # Create httpd directories and set permissions - mkdir -p /var/log/httpd /var/run/httpd /etc/httpd/logs && \ - chown -R 1001:0 ${NGINX_CONF_PATH} && \ - chown -R 1001:0 ${NGINX_APP_ROOT}/etc && \ - chown -R 1001:0 ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \ - chown -R 1001:0 /var/lib/nginx /var/log/nginx /run && \ - chown -R 1001:0 /var/log/httpd /var/run/httpd /etc/httpd/logs && \ - chmod ug+rw ${NGINX_CONF_PATH} && \ - chmod -R ug+rwX ${NGINX_APP_ROOT}/etc && \ - chmod -R ug+rwX ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \ - chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run && \ - chmod -R ug+rwX /var/log/httpd /var/run/httpd /etc/httpd/logs && \ - # Make CGI scripts executable and set proper ownership - chmod +x /opt/app-root/api/kernels/access.cgi && \ - chmod +x /opt/app-root/api/probe.cgi && \ - chown -R 1001:0 /opt/app-root/api && \ - rpm-file-permissions +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +sed -i -f ${NGINX_APP_ROOT}/nginxconf.sed ${NGINX_CONF_PATH} +mkdir -p ${NGINX_APP_ROOT}/etc/nginx.d/ +mkdir -p ${NGINX_APP_ROOT}/etc/nginx.default.d/ +mkdir -p ${NGINX_APP_ROOT}/api/ +mkdir -p ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start +mkdir -p ${NGINX_LOG_PATH} +mkdir -p ${NGINX_PERL_MODULE_PATH} +# Create httpd directories and set permissions +mkdir -p /var/log/httpd /var/run/httpd /etc/httpd/logs +chown -R 1001:0 ${NGINX_CONF_PATH} +chown -R 1001:0 ${NGINX_APP_ROOT}/etc +chown -R 1001:0 ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start +chown -R 1001:0 /var/lib/nginx 
/var/log/nginx /run +chown -R 1001:0 /var/log/httpd /var/run/httpd /etc/httpd/logs +chmod ug+rw ${NGINX_CONF_PATH} +chmod -R ug+rwX ${NGINX_APP_ROOT}/etc +chmod -R ug+rwX ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start +chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run +chmod -R ug+rwX /var/log/httpd /var/run/httpd /etc/httpd/logs +# Make CGI scripts executable and set proper ownership +chmod +x /opt/app-root/api/kernels/access.cgi +chmod +x /opt/app-root/api/probe.cgi +chown -R 1001:0 /opt/app-root/api +rpm-file-permissions +EOF # Launcher WORKDIR /opt/app-root/bin @@ -190,13 +213,16 @@ USER 1001 COPY ${RSTUDIO_SOURCE_CODE}/pylock.toml ./ -RUN echo "Installing softwares and packages" && \ - # This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`, - # we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common. - uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml && \ - # Fix permissions to support pip in Openshift environments \ - chmod -R g+w /opt/app-root/lib/python3.12/site-packages && \ - fix-permissions /opt/app-root -P +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +echo "Installing softwares and packages" +# This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`, +# we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common. +uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml +# Fix permissions to support pip in Openshift environments +chmod -R g+w /opt/app-root/lib/python3.12/site-packages +fix-permissions /opt/app-root -P +EOF WORKDIR /opt/app-root/src 
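Review bot: The recursive `chown -R 1001:0` and `chmod -R ug+rwX` lines expand `${NGINX_APP_ROOT}`, `${NGINX_CONF_PATH}` and `${NGINX_CONTAINER_SCRIPTS_PATH}` unquoted, and `set -u` only catches an unset variable, not an empty one. With an empty `NGINX_APP_ROOT`, `chown -R 1001:0 ${NGINX_APP_ROOT}/etc` would act on `/etc`. Most of the ENV definitions are outside this hunk, so this is a guard rather than a known bug. Writing `chown -R 1001:0 "${NGINX_APP_ROOT:?}/etc"`, and likewise for the other paths, makes the step abort instead. The same block is repeated in the other three Dockerfiles.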
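Review bot: The comment above `uv pip install` explains why `--require-hashes` is not used but not what that leaves unchecked. `--verify-hashes` validates only the entries that carry a hash, so a `pylock.toml` entry without one is installed unverified. I would extend the comment with `# NOTE: --verify-hashes checks only entries that have a hash; every pylock.toml entry must keep one.` It is also worth confirming whether `--index-strategy=unsafe-best-match` is still needed when installing from a lock file with `--no-deps`. If more than one index is configured, it allows a package name to be satisfied from any of them. The same RUN is repeated in the other Dockerfiles.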
diff --git a/rstudio/c9s-python-3.12/Dockerfile.cuda b/rstudio/c9s-python-3.12/Dockerfile.cuda
index caeb2a4a7..5f2e74a15 100644
--- a/rstudio/c9s-python-3.12/Dockerfile.cuda
+++ b/rstudio/c9s-python-3.12/Dockerfile.cuda
@@ -65,51 +65,63 @@ USER 0 ENV R_VERSION=4.5.1 # Install R -RUN dnf install -y 'dnf-command(config-manager)' && \ - dnf config-manager --set-enabled crb && \ - dnf install -y https://download.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \ - INSTALL_PKGS="R-core R-core-devel R-java R-Rcpp R-highlight \ - R-littler R-littler-examples openssl-libs compat-openssl11" && \ - dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \ - echo 'options(repos = c(CRAN = "https://cran.rstudio.com/"), download.file.method = "libcurl")' >> /usr/lib64/R/etc/Rprofile.site && \ - (umask 002;touch /usr/lib64/R/etc/Renviron.site) && \ - dnf -y clean all --enablerepo='*' +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf install -y 'dnf-command(config-manager)' +dnf config-manager --set-enabled crb +dnf install -y https://download.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm +INSTALL_PKGS="R-core R-core-devel R-java R-Rcpp R-highlight \ +R-littler R-littler-examples openssl-libs compat-openssl11" +dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS +echo 'options(repos = c(CRAN = "https://cran.rstudio.com/"), download.file.method = "libcurl")' >> /usr/lib64/R/etc/Rprofile.site +(umask 002;touch /usr/lib64/R/etc/Renviron.site) +dnf -y clean all --enablerepo='*' +EOF # set R library to default (used in install.r from littler) ENV LIBLOC=/usr/lib64/R/library ENV R_LIBS_USER=/opt/app-root/bin/Rpackages/4.5 -RUN chmod -R a+w ${LIBLOC} && \ - # create User R Library path - mkdir -p ${R_LIBS_USER} && \ - chmod -R a+w ${R_LIBS_USER} +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +chmod -R a+w ${LIBLOC} +# create User R Library path +mkdir -p ${R_LIBS_USER} +chmod -R a+w ${R_LIBS_USER} +EOF WORKDIR /tmp/ COPY /rstudio/utils /tmp/utils # Install RStudio ARG RSTUDIO_RPM=rstudio-server-rhel-2025.09.0-387-x86_64.rpm -RUN wget --progress=dot:giga https://download2.rstudio.org/server/rhel9/x86_64/${RSTUDIO_RPM} && \ - dnf install -y ${RSTUDIO_RPM} && \ - rm ${RSTUDIO_RPM} 
&& \ - dnf -y clean all --enablerepo='*' && \ - # Specific RStudio config and fixes - chmod 1777 /var/run/rstudio-server && \ - mkdir -p /usr/share/doc/R && \ - # package installation - # install necessary texlive-framed package to make Knit R markup to PDF rendering possible - dnf install -y libgit2-devel.x86_64 libcurl-devel harfbuzz-devel.x86_64 fribidi-devel.x86_64 cmake "flexiblas-*" texlive-framed && \ - dnf clean all && \ - rm -rf /var/cache/yum && \ - (cd /tmp/utils && ./cve_remediation.sh) +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +wget --progress=dot:giga https://download2.rstudio.org/server/rhel9/x86_64/${RSTUDIO_RPM} +dnf install -y ${RSTUDIO_RPM} +rm ${RSTUDIO_RPM} +dnf -y clean all --enablerepo='*' +# Specific RStudio config and fixes +chmod 1777 /var/run/rstudio-server +mkdir -p /usr/share/doc/R +# package installation +# install necessary texlive-framed package to make Knit R markup to PDF rendering possible +dnf install -y libgit2-devel.x86_64 libcurl-devel harfbuzz-devel.x86_64 fribidi-devel.x86_64 cmake "flexiblas-*" texlive-framed +dnf clean all +rm -rf /var/cache/yum +(cd /tmp/utils && ./cve_remediation.sh) +EOF COPY ${RSTUDIO_SOURCE_CODE}/rsession.conf /etc/rstudio/rsession.conf # Install R packages # https://cran.r-project.org/web/packages COPY ${RSTUDIO_SOURCE_CODE}/install_packages.R ./ -RUN R -f ./install_packages.R && \ - rm ./install_packages.R +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +R -f ./install_packages.R +rm ./install_packages.R +EOF ENV APP_ROOT=/opt/app-root 
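Review bot: `chmod -R a+w ${LIBLOC}` and `chmod -R a+w ${R_LIBS_USER}` make the system R library (`/usr/lib64/R/library`) and the user library writable by every UID in the container, so any process can replace packages that later R sessions load. Elsewhere in this file access is granted through UID 1001 and group 0 (`chown -R 1001:0`, `chmod -R g+w`), which suggests group write is enough here too: `chgrp -R 0 "${LIBLOC}"` followed by `chmod -R g+w "${LIBLOC}"`, and the same pair for `${R_LIBS_USER}`. That needs a check that package installation from RStudio still works under the runtime UID. The same lines appear in the other three Dockerfiles.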
@@ -125,12 +137,16 @@ ENV NGINX_VERSION=1.24 \ NGINX_PERL_MODULE_PATH=${APP_ROOT}/etc/perl # Modules does not exist -RUN dnf -y module enable nginx:$NGINX_VERSION && \ - INSTALL_PKGS="nss_wrapper bind-utils gettext hostname nginx nginx-mod-stream nginx-mod-http-perl httpd" && \ - dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \ - rpm -V $INSTALL_PKGS && \ - nginx -v 2>&1 | grep -qe "nginx/$NGINX_VERSION\." && echo "Found VERSION $NGINX_VERSION" && \ - dnf -y clean all --enablerepo='*' +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y module enable nginx:$NGINX_VERSION +INSTALL_PKGS="nss_wrapper bind-utils gettext hostname nginx nginx-mod-stream nginx-mod-http-perl httpd" +dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS +rpm -V $INSTALL_PKGS +nginx -v 2>&1 | grep -qe "nginx/$NGINX_VERSION\." +echo "Found VERSION $NGINX_VERSION" +dnf -y clean all --enablerepo='*' +EOF # Configure httpd for CGI processing COPY --chown=1001:0 ${RSTUDIO_SOURCE_CODE}/httpd/httpd.conf /etc/httpd/conf/httpd.conf 
@@ -155,30 +171,33 @@ COPY ${RSTUDIO_SOURCE_CODE}/nginx/api/ /opt/app-root/api/ # UID=1001 && GID=0 # UID=&& GID=0 # UID=1001 && GID= -RUN sed -i -f ${NGINX_APP_ROOT}/nginxconf.sed ${NGINX_CONF_PATH} && \ - mkdir -p ${NGINX_APP_ROOT}/etc/nginx.d/ && \ - mkdir -p ${NGINX_APP_ROOT}/etc/nginx.default.d/ && \ - mkdir -p ${NGINX_APP_ROOT}/api/ && \ - mkdir -p ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \ - mkdir -p ${NGINX_LOG_PATH} && \ - mkdir -p ${NGINX_PERL_MODULE_PATH} && \ - # Create httpd directories and set permissions - mkdir -p /var/log/httpd /var/run/httpd /etc/httpd/logs && \ - chown -R 1001:0 ${NGINX_CONF_PATH} && \ - chown -R 1001:0 ${NGINX_APP_ROOT}/etc && \ - chown -R 1001:0 ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \ - chown -R 1001:0 /var/lib/nginx /var/log/nginx /run && \ - chown -R 1001:0 /var/log/httpd /var/run/httpd /etc/httpd/logs && \ - chmod ug+rw ${NGINX_CONF_PATH} && \ - chmod -R ug+rwX ${NGINX_APP_ROOT}/etc && \ - chmod -R ug+rwX ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \ - chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run && \ - chmod -R ug+rwX /var/log/httpd /var/run/httpd /etc/httpd/logs && \ - # Make CGI scripts executable and set proper ownership - chmod +x /opt/app-root/api/kernels/access.cgi && \ - chmod +x /opt/app-root/api/probe.cgi && \ - chown -R 1001:0 /opt/app-root/api && \ - rpm-file-permissions +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +sed -i -f ${NGINX_APP_ROOT}/nginxconf.sed ${NGINX_CONF_PATH} +mkdir -p ${NGINX_APP_ROOT}/etc/nginx.d/ +mkdir -p ${NGINX_APP_ROOT}/etc/nginx.default.d/ +mkdir -p ${NGINX_APP_ROOT}/api/ +mkdir -p ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start +mkdir -p ${NGINX_LOG_PATH} +mkdir -p ${NGINX_PERL_MODULE_PATH} +# Create httpd directories and set permissions +mkdir -p /var/log/httpd /var/run/httpd /etc/httpd/logs +chown -R 1001:0 ${NGINX_CONF_PATH} +chown -R 1001:0 ${NGINX_APP_ROOT}/etc +chown -R 1001:0 ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start +chown -R 1001:0 /var/lib/nginx 
/var/log/nginx /run +chown -R 1001:0 /var/log/httpd /var/run/httpd /etc/httpd/logs +chmod ug+rw ${NGINX_CONF_PATH} +chmod -R ug+rwX ${NGINX_APP_ROOT}/etc +chmod -R ug+rwX ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start +chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run +chmod -R ug+rwX /var/log/httpd /var/run/httpd /etc/httpd/logs +# Make CGI scripts executable and set proper ownership +chmod +x /opt/app-root/api/kernels/access.cgi +chmod +x /opt/app-root/api/probe.cgi +chown -R 1001:0 /opt/app-root/api +rpm-file-permissions +EOF # Launcher WORKDIR /opt/app-root/bin @@ -190,13 +209,16 @@ USER 1001 COPY ${RSTUDIO_SOURCE_CODE}/pylock.toml ./ -RUN echo "Installing softwares and packages" && \ - # This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`, - # we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common. - uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml && \ - # Fix permissions to support pip in Openshift environments \ - chmod -R g+w /opt/app-root/lib/python3.12/site-packages && \ - fix-permissions /opt/app-root -P +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +echo "Installing softwares and packages" +# This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`, +# we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common. +uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml +# Fix permissions to support pip in Openshift environments +chmod -R g+w /opt/app-root/lib/python3.12/site-packages +fix-permissions /opt/app-root -P +EOF WORKDIR /opt/app-root/src 
diff --git a/rstudio/rhel9-python-3.12/Dockerfile.cpu b/rstudio/rhel9-python-3.12/Dockerfile.cpu
index 97b036ffb..90e8802f0 100644
--- a/rstudio/rhel9-python-3.12/Dockerfile.cpu
+++ b/rstudio/rhel9-python-3.12/Dockerfile.cpu
@@ -82,69 +82,85 @@ USER 0 #RUN sed -i 's/\(def in_container():\)/\1\n return False/g' /usr/lib64/python*/*-packages/rhsm/config.py # If necessary, run the subscription manager command using the provided credentials. Only include --serverurl and --baseurl if they are provided -RUN if [ -d "${SECRET_DIR}" ]; then \ - SERVERURL=$(cat ${SECRET_DIR}/SERVERURL 2>/dev/null || echo ${SERVERURL_DEFAULT}) && \ - BASEURL=$(cat ${SECRET_DIR}/BASEURL 2>/dev/null || echo ${BASEURL_DEFAULT}) && \ - USERNAME=$(cat ${SECRET_DIR}/USERNAME) && \ - PASSWORD=$(cat ${SECRET_DIR}/PASSWORD) && \ +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +if [ -d "${SECRET_DIR}" ]; then + SERVERURL=$(cat ${SECRET_DIR}/SERVERURL 2>/dev/null || echo ${SERVERURL_DEFAULT}) + BASEURL=$(cat ${SECRET_DIR}/BASEURL 2>/dev/null || echo ${BASEURL_DEFAULT}) + USERNAME=$(cat ${SECRET_DIR}/USERNAME) + PASSWORD=$(cat ${SECRET_DIR}/PASSWORD) subscription-manager register \ ${SERVERURL:+--serverurl=$SERVERURL} \ ${BASEURL:+--baseurl=$BASEURL} \ --username=$USERNAME \ --password=$PASSWORD \ --force \ - --auto-attach; \ - fi + --auto-attach +fi +EOF + # TILL HERE ENV R_VERSION=4.5.1 # Install R -RUN dnf install -y dnf-plugins-core && \ - subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms && \ - dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \ - INSTALL_PKGS="R-core R-core-devel R-java R-Rcpp R-highlight \ - R-littler R-littler-examples openssl-libs compat-openssl11" && \ - dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \ - echo 'options(repos = c(CRAN = "https://cran.rstudio.com/"), download.file.method = "libcurl")' >> /usr/lib64/R/etc/Rprofile.site && \ - (umask 002;touch /usr/lib64/R/etc/Renviron.site) && \ - dnf -y clean all --enablerepo='*' +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf install -y dnf-plugins-core +subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms +dnf install -y 
https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm +INSTALL_PKGS="R-core R-core-devel R-java R-Rcpp R-highlight \ +R-littler R-littler-examples openssl-libs compat-openssl11" +dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS +echo 'options(repos = c(CRAN = "https://cran.rstudio.com/"), download.file.method = "libcurl")' >> /usr/lib64/R/etc/Rprofile.site +(umask 002;touch /usr/lib64/R/etc/Renviron.site) +dnf -y clean all --enablerepo='*' +EOF # set R library to default (used in install.r from littler) ENV LIBLOC=/usr/lib64/R/library ENV R_LIBS_USER=/opt/app-root/bin/Rpackages/4.5 -RUN chmod -R a+w ${LIBLOC} && \ - # create User R Library path - mkdir -p ${R_LIBS_USER} && \ - chmod -R a+w ${R_LIBS_USER} +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +chmod -R a+w ${LIBLOC} +# create User R Library path +mkdir -p ${R_LIBS_USER} +chmod -R a+w ${R_LIBS_USER} +EOF WORKDIR /tmp/ COPY /rstudio/utils /tmp/utils # Install RStudio ARG RSTUDIO_RPM=rstudio-server-rhel-2025.09.0-387-x86_64.rpm -RUN wget --progress=dot:giga https://download2.rstudio.org/server/rhel9/x86_64/${RSTUDIO_RPM} && \ - dnf install -y ${RSTUDIO_RPM} && \ - rm ${RSTUDIO_RPM} && \ - dnf -y clean all --enablerepo='*' && \ - # Specific RStudio config and fixes - chmod 1777 /var/run/rstudio-server && \ - mkdir -p /usr/share/doc/R && \ - # package installation - # install necessary texlive-framed package to make Knit R markup to PDF rendering possible - dnf install -y libgit2-devel.x86_64 libcurl-devel harfbuzz-devel.x86_64 fribidi-devel.x86_64 cmake "flexiblas-*" texlive-framed && \ - dnf clean all && \ - rm -rf /var/cache/yum && \ - (cd /tmp/utils && ./cve_remediation.sh) +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +wget --progress=dot:giga https://download2.rstudio.org/server/rhel9/x86_64/${RSTUDIO_RPM} +dnf install -y ${RSTUDIO_RPM} +rm ${RSTUDIO_RPM} +dnf -y clean all --enablerepo='*' +# Specific RStudio config and fixes +chmod 1777 /var/run/rstudio-server +mkdir -p /usr/share/doc/R +# 
package installation +# install necessary texlive-framed package to make Knit R markup to PDF rendering possible +dnf install -y libgit2-devel.x86_64 libcurl-devel harfbuzz-devel.x86_64 fribidi-devel.x86_64 cmake "flexiblas-*" texlive-framed +dnf clean all +rm -rf /var/cache/yum +(cd /tmp/utils && ./cve_remediation.sh) +EOF COPY ${RSTUDIO_SOURCE_CODE}/rsession.conf /etc/rstudio/rsession.conf # Install R packages # https://cran.r-project.org/web/packages COPY ${RSTUDIO_SOURCE_CODE}/install_packages.R ./ -RUN R -f ./install_packages.R && \ - rm ./install_packages.R +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +R -f ./install_packages.R +rm ./install_packages.R +EOF ENV APP_ROOT=/opt/app-root @@ -160,12 +176,15 @@ ENV NGINX_VERSION=1.24 \ NGINX_PERL_MODULE_PATH=${APP_ROOT}/etc/perl # Modules does not exist -RUN dnf -y module enable nginx:$NGINX_VERSION && \ - INSTALL_PKGS="nss_wrapper bind-utils gettext hostname nginx nginx-mod-stream nginx-mod-http-perl httpd" && \ - dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \ - rpm -V $INSTALL_PKGS && \ - nginx -v 2>&1 | grep -qe "nginx/$NGINX_VERSION\." && echo "Found VERSION $NGINX_VERSION" && \ - dnf -y clean all --enablerepo='*' +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y module enable nginx:$NGINX_VERSION +INSTALL_PKGS="nss_wrapper bind-utils gettext hostname nginx nginx-mod-stream nginx-mod-http-perl httpd" +dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS +rpm -V $INSTALL_PKGS +nginx -v 2>&1 | grep -qe "nginx/$NGINX_VERSION\." && echo "Found VERSION $NGINX_VERSION" +dnf -y clean all --enablerepo='*' +EOF # Configure httpd for CGI processing COPY --chown=1001:0 ${RSTUDIO_SOURCE_CODE}/httpd/httpd.conf /etc/httpd/conf/httpd.conf 
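Review bot: `set -Eeuxo pipefail` turns on xtrace in the RUN that reads `${SECRET_DIR}/USERNAME` and `${SECRET_DIR}/PASSWORD`, so the expanded `PASSWORD=...` assignment and the `subscription-manager register ... --password=...` command line are written to the build log. Drop the `x` for this block, `set -Eeuo pipefail`, or wrap the secret handling in `set +x` / `set -x`. The values are also expanded unquoted (`--password=$PASSWORD`), so a password containing whitespace or glob characters is split; `--password="$PASSWORD"` avoids that. The identical block in rhel9 Dockerfile.cuda needs the same change.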
@@ -190,30 +209,33 @@ COPY ${RSTUDIO_SOURCE_CODE}/nginx/api/ /opt/app-root/api/ # UID=1001 && GID=0 # UID=&& GID=0 # UID=1001 && GID= -RUN sed -i -f ${NGINX_APP_ROOT}/nginxconf.sed ${NGINX_CONF_PATH} && \ - mkdir -p ${NGINX_APP_ROOT}/etc/nginx.d/ && \ - mkdir -p ${NGINX_APP_ROOT}/etc/nginx.default.d/ && \ - mkdir -p ${NGINX_APP_ROOT}/api/ && \ - mkdir -p ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \ - mkdir -p ${NGINX_LOG_PATH} && \ - mkdir -p ${NGINX_PERL_MODULE_PATH} && \ - # Create httpd directories and set permissions - mkdir -p /var/log/httpd /var/run/httpd /etc/httpd/logs && \ - chown -R 1001:0 ${NGINX_CONF_PATH} && \ - chown -R 1001:0 ${NGINX_APP_ROOT}/etc && \ - chown -R 1001:0 ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \ - chown -R 1001:0 /var/lib/nginx /var/log/nginx /run && \ - chown -R 1001:0 /var/log/httpd /var/run/httpd /etc/httpd/logs && \ - chmod ug+rw ${NGINX_CONF_PATH} && \ - chmod -R ug+rwX ${NGINX_APP_ROOT}/etc && \ - chmod -R ug+rwX ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \ - chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run && \ - chmod -R ug+rwX /var/log/httpd /var/run/httpd /etc/httpd/logs && \ - # Make CGI scripts executable and set proper ownership - chmod +x /opt/app-root/api/kernels/access.cgi && \ - chmod +x /opt/app-root/api/probe.cgi && \ - chown -R 1001:0 /opt/app-root/api && \ - rpm-file-permissions +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +sed -i -f ${NGINX_APP_ROOT}/nginxconf.sed ${NGINX_CONF_PATH} +mkdir -p ${NGINX_APP_ROOT}/etc/nginx.d/ +mkdir -p ${NGINX_APP_ROOT}/etc/nginx.default.d/ +mkdir -p ${NGINX_APP_ROOT}/api/ +mkdir -p ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start +mkdir -p ${NGINX_LOG_PATH} +mkdir -p ${NGINX_PERL_MODULE_PATH} +# Create httpd directories and set permissions +mkdir -p /var/log/httpd /var/run/httpd /etc/httpd/logs +chown -R 1001:0 ${NGINX_CONF_PATH} +chown -R 1001:0 ${NGINX_APP_ROOT}/etc +chown -R 1001:0 ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start +chown -R 1001:0 /var/lib/nginx 
/var/log/nginx /run +chown -R 1001:0 /var/log/httpd /var/run/httpd /etc/httpd/logs +chmod ug+rw ${NGINX_CONF_PATH} +chmod -R ug+rwX ${NGINX_APP_ROOT}/etc +chmod -R ug+rwX ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start +chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run +chmod -R ug+rwX /var/log/httpd /var/run/httpd /etc/httpd/logs +# Make CGI scripts executable and set proper ownership +chmod +x /opt/app-root/api/kernels/access.cgi +chmod +x /opt/app-root/api/probe.cgi +chown -R 1001:0 /opt/app-root/api +rpm-file-permissions +EOF # Launcher WORKDIR /opt/app-root/bin 
@@ -223,22 +245,29 @@ COPY ${RSTUDIO_SOURCE_CODE}/run-rstudio.sh ${RSTUDIO_SOURCE_CODE}/setup_rstudio. # TODO THIS SHOULD BE REMOVED in favor of: https://issues.redhat.com/browse/RHOAIENG-32541 # Unregister the system -RUN if [ -d "${SECRET_DIR}" ]; then \ - subscription-manager remove --all && subscription-manager unregister && subscription-manager clean; \ - fi +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +if [ -d "${SECRET_DIR}" ]; then + subscription-manager remove --all && subscription-manager unregister && subscription-manager clean +fi +EOF + # TILL HERE USER 1001 COPY ${RSTUDIO_SOURCE_CODE}/pylock.toml ./ -RUN echo "Installing softwares and packages" && \ - # This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`, - # we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common. - uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml && \ - # Fix permissions to support pip in Openshift environments \ - chmod -R g+w /opt/app-root/lib/python3.12/site-packages && \ - fix-permissions /opt/app-root -P +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +echo "Installing softwares and packages" +# This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`, +# we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common. +uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml +# Fix permissions to support pip in Openshift environments +chmod -R g+w /opt/app-root/lib/python3.12/site-packages +fix-permissions /opt/app-root -P +EOF WORKDIR /opt/app-root/src 
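Review bot: With `set -u` now active, `if [ -d "${SECRET_DIR}" ]` aborts the step with an unbound-variable error when `SECRET_DIR` is not in the environment, whereas the old `sh` form treated it as empty and skipped the block. Whether it is always set depends on ARG/ENV lines outside this hunk, so this is worth confirming for builds that run without subscription secrets. `if [ -d "${SECRET_DIR:-}" ]; then` keeps the optional behaviour. The register blocks earlier in this file and in rhel9 Dockerfile.cuda use the same test, and their `${SERVERURL_DEFAULT}` and `${BASEURL_DEFAULT}` fallbacks are affected the same way.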
diff --git a/rstudio/rhel9-python-3.12/Dockerfile.cuda b/rstudio/rhel9-python-3.12/Dockerfile.cuda index e37158f26..d12083a0d 100644 --- a/rstudio/rhel9-python-3.12/Dockerfile.cuda +++ b/rstudio/rhel9-python-3.12/Dockerfile.cuda @@ -82,8 +82,11 @@ USER 0 ENV XLA_FLAGS=--xla_gpu_cuda_data_dir=/usr/local/cuda # Install CUDA toolkit 12.8 -RUN dnf -y install cuda-toolkit-12-8 && \ - dnf -y clean all --enablerepo="*" +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf -y install cuda-toolkit-12-8 +dnf -y clean all --enablerepo="*" +EOF WORKDIR /opt/app-root/src # TILL HERE 
@@ -93,69 +96,85 @@ WORKDIR /opt/app-root/src #RUN sed -i 's/\(def in_container():\)/\1\n return False/g' /usr/lib64/python*/*-packages/rhsm/config.py # If necessary, run the subscription manager command using the provided credentials. Only include --serverurl and --baseurl if they are provided -RUN if [ -d "${SECRET_DIR}" ]; then \ - SERVERURL=$(cat ${SECRET_DIR}/SERVERURL 2>/dev/null || echo ${SERVERURL_DEFAULT}) && \ - BASEURL=$(cat ${SECRET_DIR}/BASEURL 2>/dev/null || echo ${BASEURL_DEFAULT}) && \ - USERNAME=$(cat ${SECRET_DIR}/USERNAME) && \ - PASSWORD=$(cat ${SECRET_DIR}/PASSWORD) && \ +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +if [ -d "${SECRET_DIR}" ]; then + SERVERURL=$(cat ${SECRET_DIR}/SERVERURL 2>/dev/null || echo ${SERVERURL_DEFAULT}) + BASEURL=$(cat ${SECRET_DIR}/BASEURL 2>/dev/null || echo ${BASEURL_DEFAULT}) + USERNAME=$(cat ${SECRET_DIR}/USERNAME) + PASSWORD=$(cat ${SECRET_DIR}/PASSWORD) subscription-manager register \ ${SERVERURL:+--serverurl=$SERVERURL} \ ${BASEURL:+--baseurl=$BASEURL} \ --username=$USERNAME \ --password=$PASSWORD \ --force \ - --auto-attach; \ - fi + --auto-attach +fi +EOF + # TILL HERE ENV R_VERSION=4.5.1 # Install R -RUN dnf install -y dnf-plugins-core && \ - subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms && \ - dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \ - INSTALL_PKGS="R-core R-core-devel R-java R-Rcpp R-highlight \ - R-littler R-littler-examples openssl-libs compat-openssl11" && \ - dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \ - echo 'options(repos = c(CRAN = "https://cran.rstudio.com/"), download.file.method = "libcurl")' >> /usr/lib64/R/etc/Rprofile.site && \ - (umask 002;touch /usr/lib64/R/etc/Renviron.site) && \ - dnf -y clean all --enablerepo='*' +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +dnf install -y dnf-plugins-core +subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms +dnf install -y 
https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
+INSTALL_PKGS="R-core R-core-devel R-java R-Rcpp R-highlight \
+R-littler R-littler-examples openssl-libs compat-openssl11"
+dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS
+echo 'options(repos = c(CRAN = "https://cran.rstudio.com/"), download.file.method = "libcurl")' >> /usr/lib64/R/etc/Rprofile.site
+(umask 002;touch /usr/lib64/R/etc/Renviron.site)
+dnf -y clean all --enablerepo='*'
+EOF
 # set R library to default (used in install.r from littler)
 ENV LIBLOC=/usr/lib64/R/library
 ENV R_LIBS_USER=/opt/app-root/bin/Rpackages/4.5
-RUN chmod -R a+w ${LIBLOC} && \
- # create User R Library path
- mkdir -p ${R_LIBS_USER} && \
- chmod -R a+w ${R_LIBS_USER}
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+chmod -R a+w ${LIBLOC}
+# create User R Library path
+mkdir -p ${R_LIBS_USER}
+chmod -R a+w ${R_LIBS_USER}
+EOF
 WORKDIR /tmp/
 COPY /rstudio/utils /tmp/utils
 # Install RStudio
 ARG RSTUDIO_RPM=rstudio-server-rhel-2025.09.0-387-x86_64.rpm
-RUN wget --progress=dot:giga https://download2.rstudio.org/server/rhel9/x86_64/${RSTUDIO_RPM} && \
- dnf install -y ${RSTUDIO_RPM} && \
- rm ${RSTUDIO_RPM} && \
- dnf -y clean all --enablerepo='*' && \
- # Specific RStudio config and fixes
- chmod 1777 /var/run/rstudio-server && \
- mkdir -p /usr/share/doc/R && \
- # package installation
- # install necessary texlive-framed package to make Knit R markup to PDF rendering possible
- dnf install -y libgit2-devel.x86_64 libcurl-devel harfbuzz-devel.x86_64 fribidi-devel.x86_64 cmake "flexiblas-*" texlive-framed && \
- dnf clean all && \
- rm -rf /var/cache/yum && \
- (cd /tmp/utils && ./cve_remediation.sh)
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+wget --progress=dot:giga https://download2.rstudio.org/server/rhel9/x86_64/${RSTUDIO_RPM}
+dnf install -y ${RSTUDIO_RPM}
+rm ${RSTUDIO_RPM}
+dnf -y clean all --enablerepo='*'
+# Specific RStudio config and fixes
+chmod 1777 /var/run/rstudio-server
+mkdir -p /usr/share/doc/R
+# package installation
+# install necessary texlive-framed package to make Knit R markup to PDF rendering possible
+dnf install -y libgit2-devel.x86_64 libcurl-devel harfbuzz-devel.x86_64 fribidi-devel.x86_64 cmake "flexiblas-*" texlive-framed
+dnf clean all
+rm -rf /var/cache/yum
+(cd /tmp/utils && ./cve_remediation.sh)
+EOF
 COPY ${RSTUDIO_SOURCE_CODE}/rsession.conf /etc/rstudio/rsession.conf
 # Install R packages
 # https://cran.r-project.org/web/packages
 COPY ${RSTUDIO_SOURCE_CODE}/install_packages.R ./
-RUN R -f ./install_packages.R && \
- rm ./install_packages.R
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+R -f ./install_packages.R
+rm ./install_packages.R
+EOF
 ENV APP_ROOT=/opt/app-root
@@ -172,12 +191,15 @@ ENV NGINX_VERSION=1.24 \
 NGINX_PERL_MODULE_PATH=${APP_ROOT}/etc/perl
 # Modules does not exist
-RUN dnf -y module enable nginx:$NGINX_VERSION && \
- INSTALL_PKGS="nss_wrapper bind-utils gettext hostname nginx nginx-mod-stream nginx-mod-http-perl httpd" && \
- dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
- rpm -V $INSTALL_PKGS && \
- nginx -v 2>&1 | grep -qe "nginx/$NGINX_VERSION\." && echo "Found VERSION $NGINX_VERSION" && \
- dnf -y clean all --enablerepo='*'
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+dnf -y module enable nginx:$NGINX_VERSION
+INSTALL_PKGS="nss_wrapper bind-utils gettext hostname nginx nginx-mod-stream nginx-mod-http-perl httpd"
+dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS
+rpm -V $INSTALL_PKGS
+nginx -v 2>&1 | grep -qe "nginx/$NGINX_VERSION\." && echo "Found VERSION $NGINX_VERSION"
+dnf -y clean all --enablerepo='*'
+EOF
 # Configure httpd for CGI processing
 COPY --chown=1001:0 ${RSTUDIO_SOURCE_CODE}/httpd/httpd.conf /etc/httpd/conf/httpd.conf
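Review bot: The nginx version check on the `nginx -v 2>&1 | grep -qe "nginx/$NGINX_VERSION\." && echo ...` line can no longer fail the build. In the old `&&` chain a failed `grep` made the whole RUN exit non-zero, but under `set -e` a failure on the left-hand side of `&&` is exempt from errexit, so the script carries on to `dnf -y clean all` and the step succeeds with an unexpected nginx version. Put the check on a line of its own so errexit and pipefail apply to it, `nginx -v 2>&1 | grep -qe "nginx/$NGINX_VERSION\."`, followed by a separate `echo "Found VERSION $NGINX_VERSION"`.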
@@ -202,30 +224,33 @@ COPY ${RSTUDIO_SOURCE_CODE}/nginx/api/ /opt/app-root/api/
 # UID=1001 && GID=0
 # UID=&& GID=0
 # UID=1001 && GID=
-RUN sed -i -f ${NGINX_APP_ROOT}/nginxconf.sed ${NGINX_CONF_PATH} && \
- mkdir -p ${NGINX_APP_ROOT}/etc/nginx.d/ && \
- mkdir -p ${NGINX_APP_ROOT}/etc/nginx.default.d/ && \
- mkdir -p ${NGINX_APP_ROOT}/api/ && \
- mkdir -p ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \
- mkdir -p ${NGINX_LOG_PATH} && \
- mkdir -p ${NGINX_PERL_MODULE_PATH} && \
- # Create httpd directories and set permissions
- mkdir -p /var/log/httpd /var/run/httpd /etc/httpd/logs && \
- chown -R 1001:0 ${NGINX_CONF_PATH} && \
- chown -R 1001:0 ${NGINX_APP_ROOT}/etc && \
- chown -R 1001:0 ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \
- chown -R 1001:0 /var/lib/nginx /var/log/nginx /run && \
- chown -R 1001:0 /var/log/httpd /var/run/httpd /etc/httpd/logs && \
- chmod ug+rw ${NGINX_CONF_PATH} && \
- chmod -R ug+rwX ${NGINX_APP_ROOT}/etc && \
- chmod -R ug+rwX ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \
- chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run && \
- chmod -R ug+rwX /var/log/httpd /var/run/httpd /etc/httpd/logs && \
- # Make CGI scripts executable and set proper ownership
- chmod +x /opt/app-root/api/kernels/access.cgi && \
- chmod +x /opt/app-root/api/probe.cgi && \
- chown -R 1001:0 /opt/app-root/api && \
- rpm-file-permissions
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+sed -i -f ${NGINX_APP_ROOT}/nginxconf.sed ${NGINX_CONF_PATH}
+mkdir -p ${NGINX_APP_ROOT}/etc/nginx.d/
+mkdir -p ${NGINX_APP_ROOT}/etc/nginx.default.d/
+mkdir -p ${NGINX_APP_ROOT}/api/
+mkdir -p ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start
+mkdir -p ${NGINX_LOG_PATH}
+mkdir -p ${NGINX_PERL_MODULE_PATH}
+# Create httpd directories and set permissions
+mkdir -p /var/log/httpd /var/run/httpd /etc/httpd/logs
+chown -R 1001:0 ${NGINX_CONF_PATH}
+chown -R 1001:0 ${NGINX_APP_ROOT}/etc
+chown -R 1001:0 ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start
+chown -R 1001:0 /var/lib/nginx /var/log/nginx /run
+chown -R 1001:0 /var/log/httpd /var/run/httpd /etc/httpd/logs
+chmod ug+rw ${NGINX_CONF_PATH}
+chmod -R ug+rwX ${NGINX_APP_ROOT}/etc
+chmod -R ug+rwX ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start
+chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run
+chmod -R ug+rwX /var/log/httpd /var/run/httpd /etc/httpd/logs
+# Make CGI scripts executable and set proper ownership
+chmod +x /opt/app-root/api/kernels/access.cgi
+chmod +x /opt/app-root/api/probe.cgi
+chown -R 1001:0 /opt/app-root/api
+rpm-file-permissions
+EOF
 # Launcher
 WORKDIR /opt/app-root/bin
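Review bot: The recursive `chown -R 1001:0 ${NGINX_APP_ROOT}/etc` and `chmod -R ug+rwX ${NGINX_APP_ROOT}/etc` lines rely on unquoted variables, and `set -u` rejects only unset variables, not empty ones. If NGINX_APP_ROOT were set but empty (its definition is outside this hunk), both commands would recurse over the system `/etc` and hand it to UID 1001. Quoting and guarding the recursive targets closes that gap, e.g. `chown -R 1001:0 "${NGINX_APP_ROOT:?}/etc"` and `chmod -R ug+rwX "${NGINX_APP_ROOT:?}/etc"`. The same applies to the `${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start` lines.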
@@ -235,22 +260,29 @@ COPY ${RSTUDIO_SOURCE_CODE}/run-rstudio.sh ${RSTUDIO_SOURCE_CODE}/setup_rstudio.
 # TODO THIS SHOULD BE REMOVED in favor of: https://issues.redhat.com/browse/RHOAIENG-32541
 # Unregister the system
-RUN if [ -d "${SECRET_DIR}" ]; then \
- subscription-manager remove --all && subscription-manager unregister && subscription-manager clean; \
- fi
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+if [ -d "${SECRET_DIR}" ]; then
+ subscription-manager remove --all && subscription-manager unregister && subscription-manager clean
+fi
+EOF
+
 # TILL HERE
 USER 1001
 COPY ${RSTUDIO_SOURCE_CODE}/pylock.toml ./
-RUN echo "Installing softwares and packages" && \
- # This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`,
- # we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
- uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml && \
- # Fix permissions to support pip in Openshift environments \
- chmod -R g+w /opt/app-root/lib/python3.12/site-packages && \
- fix-permissions /opt/app-root -P
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+echo "Installing softwares and packages"
+# This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`,
+# we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
+uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml
+# Fix permissions to support pip in Openshift environments
+chmod -R g+w /opt/app-root/lib/python3.12/site-packages
+fix-permissions /opt/app-root -P
+EOF
 WORKDIR /opt/app-root/src
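Review bot: `if [ -d "${SECRET_DIR}" ]` now runs under `set -u`, so the unregister step aborts with an unbound-variable error whenever SECRET_DIR is not defined. The old RUN expanded it to an empty path and simply skipped the block in that case. No ARG or ENV for SECRET_DIR is visible in this hunk, so it may be declared earlier in the file. If that is not guaranteed for every build, keep the old skip behaviour with `if [ -d "${SECRET_DIR:-}" ]; then`.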