opendatahub-io · jiridanek · Nov 8, 2025 · Nov 6, 2025
diff --git a/rstudio/c9s-python-3.12/Dockerfile.cpu b/rstudio/c9s-python-3.12/Dockerfile.cpu
@@ -33,7 +33,12 @@ EOF
 
 # Install useful OS packages
 # remove skopeo, CVE-2025-4674
-RUN dnf install -y mesa-libGL && dnf clean all && rm -rf /var/cache/yum
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+dnf install -y mesa-libGL
+dnf clean all
+rm -rf /var/cache/yum
+EOF
 
 # Other apps and tools installed as default user
 USER 1001
@@ -65,51 +70,63 @@ USER 0
 ENV R_VERSION=4.5.1
 
 # Install R
-RUN dnf install -y 'dnf-command(config-manager)' && \
-    dnf config-manager --set-enabled crb && \
-    dnf install -y https://download.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
-    INSTALL_PKGS="R-core R-core-devel R-java R-Rcpp R-highlight \
-    R-littler R-littler-examples openssl-libs compat-openssl11" && \
-    dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
-    echo 'options(repos = c(CRAN = "https://cran.rstudio.com/"), download.file.method = "libcurl")' >> /usr/lib64/R/etc/Rprofile.site && \
-    (umask 002;touch /usr/lib64/R/etc/Renviron.site) && \
-    dnf -y clean all --enablerepo='*'
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+dnf install -y 'dnf-command(config-manager)'
+dnf config-manager --set-enabled crb
+dnf install -y https://download.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
+INSTALL_PKGS="R-core R-core-devel R-java R-Rcpp R-highlight \
+R-littler R-littler-examples openssl-libs compat-openssl11"
+dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS
+echo 'options(repos = c(CRAN = "https://cran.rstudio.com/"), download.file.method = "libcurl")' >> /usr/lib64/R/etc/Rprofile.site
+(umask 002;touch /usr/lib64/R/etc/Renviron.site)
+dnf -y clean all --enablerepo='*'
+EOF
 
 # set R library to default (used in install.r from littler)
 ENV LIBLOC=/usr/lib64/R/library
 ENV R_LIBS_USER=/opt/app-root/bin/Rpackages/4.5
 
-RUN chmod -R a+w ${LIBLOC} && \
-    # create User R Library path
-    mkdir -p ${R_LIBS_USER} && \
-    chmod -R a+w ${R_LIBS_USER}
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+chmod -R a+w ${LIBLOC}
+# create User R Library path
+mkdir -p ${R_LIBS_USER}
+chmod -R a+w ${R_LIBS_USER}
+EOF
 
 WORKDIR /tmp/
 COPY /rstudio/utils /tmp/utils
 
 # Install RStudio
 ARG RSTUDIO_RPM=rstudio-server-rhel-2025.09.0-387-x86_64.rpm
-RUN wget --progress=dot:giga https://download2.rstudio.org/server/rhel9/x86_64/${RSTUDIO_RPM} && \
-    dnf install -y ${RSTUDIO_RPM} && \
-    rm ${RSTUDIO_RPM} && \
-    dnf -y clean all  --enablerepo='*' && \
-    # Specific RStudio config and fixes
-    chmod 1777 /var/run/rstudio-server && \
-    mkdir -p /usr/share/doc/R && \
-    # package installation
-    # install necessary texlive-framed package to make Knit R markup to PDF rendering possible
-    dnf install -y libgit2-devel.x86_64 libcurl-devel harfbuzz-devel.x86_64 fribidi-devel.x86_64 cmake "flexiblas-*" texlive-framed && \
-    dnf clean all && \
-    rm -rf /var/cache/yum && \
-    (cd /tmp/utils && ./cve_remediation.sh)
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+wget --progress=dot:giga https://download2.rstudio.org/server/rhel9/x86_64/${RSTUDIO_RPM}
+dnf install -y ${RSTUDIO_RPM}
+rm ${RSTUDIO_RPM}
+dnf -y clean all  --enablerepo='*'
+# Specific RStudio config and fixes
+chmod 1777 /var/run/rstudio-server
+mkdir -p /usr/share/doc/R
+# package installation
+# install necessary texlive-framed package to make Knit R markup to PDF rendering possible
+dnf install -y libgit2-devel.x86_64 libcurl-devel harfbuzz-devel.x86_64 fribidi-devel.x86_64 cmake "flexiblas-*" texlive-framed
+dnf clean all
+rm -rf /var/cache/yum
+(cd /tmp/utils && ./cve_remediation.sh)
+EOF
 
 COPY ${RSTUDIO_SOURCE_CODE}/rsession.conf /etc/rstudio/rsession.conf
 
 # Install R packages
 # https://cran.r-project.org/web/packages
 COPY ${RSTUDIO_SOURCE_CODE}/install_packages.R ./
-RUN R -f ./install_packages.R && \
-    rm ./install_packages.R
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+R -f ./install_packages.R
+rm ./install_packages.R
+EOF
 
 ENV APP_ROOT=/opt/app-root
 
@@ -125,12 +142,15 @@ ENV NGINX_VERSION=1.24 \
     NGINX_PERL_MODULE_PATH=${APP_ROOT}/etc/perl
 
 # Modules does not exist
-RUN dnf -y module enable nginx:$NGINX_VERSION && \
-    INSTALL_PKGS="nss_wrapper bind-utils gettext hostname nginx nginx-mod-stream nginx-mod-http-perl httpd" && \
-    dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
-    rpm -V $INSTALL_PKGS && \
-    nginx -v 2>&1 | grep -qe "nginx/$NGINX_VERSION\." && echo "Found VERSION $NGINX_VERSION" && \
-    dnf -y clean all --enablerepo='*'
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+dnf -y module enable nginx:$NGINX_VERSION
+INSTALL_PKGS="nss_wrapper bind-utils gettext hostname nginx nginx-mod-stream nginx-mod-http-perl httpd"
+dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS
+rpm -V $INSTALL_PKGS
+nginx -v 2>&1 | grep -qe "nginx/$NGINX_VERSION\." && echo "Found VERSION $NGINX_VERSION"
+dnf -y clean all --enablerepo='*'
+EOF
 
 # Configure httpd for CGI processing
 COPY --chown=1001:0 ${RSTUDIO_SOURCE_CODE}/httpd/httpd.conf /etc/httpd/conf/httpd.conf
@@ -155,30 +175,33 @@ COPY ${RSTUDIO_SOURCE_CODE}/nginx/api/ /opt/app-root/api/
 # UID=1001 && GID=0
 # UID=<any>&& GID=0
 # UID=1001 && GID=<any>
-RUN sed -i -f ${NGINX_APP_ROOT}/nginxconf.sed ${NGINX_CONF_PATH} && \
-    mkdir -p ${NGINX_APP_ROOT}/etc/nginx.d/ && \
-    mkdir -p ${NGINX_APP_ROOT}/etc/nginx.default.d/ && \
-    mkdir -p ${NGINX_APP_ROOT}/api/ && \
-    mkdir -p ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \
-    mkdir -p ${NGINX_LOG_PATH} && \
-    mkdir -p ${NGINX_PERL_MODULE_PATH} && \
-    # Create httpd directories and set permissions
-    mkdir -p /var/log/httpd /var/run/httpd /etc/httpd/logs && \
-    chown -R 1001:0 ${NGINX_CONF_PATH} && \
-    chown -R 1001:0 ${NGINX_APP_ROOT}/etc && \
-    chown -R 1001:0 ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \
-    chown -R 1001:0 /var/lib/nginx /var/log/nginx /run && \
-    chown -R 1001:0 /var/log/httpd /var/run/httpd /etc/httpd/logs && \
-    chmod    ug+rw  ${NGINX_CONF_PATH} && \
-    chmod -R ug+rwX ${NGINX_APP_ROOT}/etc && \
-    chmod -R ug+rwX ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \
-    chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run && \
-    chmod -R ug+rwX /var/log/httpd /var/run/httpd /etc/httpd/logs && \
-    # Make CGI scripts executable and set proper ownership
-    chmod +x /opt/app-root/api/kernels/access.cgi && \
-    chmod +x /opt/app-root/api/probe.cgi && \
-    chown -R 1001:0 /opt/app-root/api && \
-    rpm-file-permissions
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+sed -i -f ${NGINX_APP_ROOT}/nginxconf.sed ${NGINX_CONF_PATH}
+mkdir -p ${NGINX_APP_ROOT}/etc/nginx.d/
+mkdir -p ${NGINX_APP_ROOT}/etc/nginx.default.d/
+mkdir -p ${NGINX_APP_ROOT}/api/
+mkdir -p ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start
+mkdir -p ${NGINX_LOG_PATH}
+mkdir -p ${NGINX_PERL_MODULE_PATH}
+# Create httpd directories and set permissions
+mkdir -p /var/log/httpd /var/run/httpd /etc/httpd/logs
+chown -R 1001:0 ${NGINX_CONF_PATH}
+chown -R 1001:0 ${NGINX_APP_ROOT}/etc
+chown -R 1001:0 ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start
+chown -R 1001:0 /var/lib/nginx /var/log/nginx /run
+chown -R 1001:0 /var/log/httpd /var/run/httpd /etc/httpd/logs
+chmod    ug+rw  ${NGINX_CONF_PATH}
+chmod -R ug+rwX ${NGINX_APP_ROOT}/etc
+chmod -R ug+rwX ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start
+chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run
+chmod -R ug+rwX /var/log/httpd /var/run/httpd /etc/httpd/logs
+# Make CGI scripts executable and set proper ownership
+chmod +x /opt/app-root/api/kernels/access.cgi
+chmod +x /opt/app-root/api/probe.cgi
+chown -R 1001:0 /opt/app-root/api
+rpm-file-permissions
+EOF
 
 # Launcher
 WORKDIR /opt/app-root/bin
@@ -190,13 +213,16 @@ USER 1001
 
 COPY ${RSTUDIO_SOURCE_CODE}/pylock.toml ./
 
-RUN echo "Installing softwares and packages" && \
-    # This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`,
-    #  we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
-    uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml && \
-    # Fix permissions to support pip in Openshift environments \
-    chmod -R g+w /opt/app-root/lib/python3.12/site-packages && \
-    fix-permissions /opt/app-root -P
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+echo "Installing softwares and packages"
+# This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`,
+#  we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
+uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml
+# Fix permissions to support pip in Openshift environments
+chmod -R g+w /opt/app-root/lib/python3.12/site-packages
+fix-permissions /opt/app-root -P
+EOF
 
 WORKDIR /opt/app-root/src