use dockerfile.konflux with ubi image with sha

Author: alexxfan

.tekton/odh-workbench-rstudio-minimal-cpu-py312-rhel9-poc-push.yaml

@@ -25,7 +25,7 @@ spec:
   - name: output-image
     value: quay.io/redhat-user-workloads/rhoai-tenant/odh-workbench-rstudio-minimal-cpu-py312-rhel9-poc:{{revision}}
   - name: dockerfile
-    value: rstudio/rhel9-python-3.12/Dockerfile.cpu
+    value: rstudio/rhel9-python-3.12/Dockerfile.cpu.konflux
   - name: path-context
     value: .
   pipelineSpec:

.tekton/odh-workbench-rstudio-minimal-cuda-py312-rhel9-poc-push.yaml

@@ -25,7 +25,7 @@ spec:
   - name: output-image
     value: quay.io/redhat-user-workloads/rhoai-tenant/odh-workbench-rstudio-minimal-cuda-py312-rhel9-poc:{{revision}}
   - name: dockerfile
-    value: rstudio/rhel9-python-3.12/Dockerfile.cuda
+    value: rstudio/rhel9-python-3.12/Dockerfile.cuda.konflux
   - name: path-context
     value: .
   pipelineSpec:

rstudio/rhel9-python-3.12/Dockerfile.cpu.konflux

@@ -0,0 +1,279 @@
+ARG TARGETARCH
+
+#########################
+# configuration args    #
+#########################
+ARG BASE_IMAGE
+
+# External image alias for UBI repository configuration
+FROM registry.access.redhat.com/ubi9/ubi@sha256:bbac76ac0310eefd6298ed3ab3c1710e1c842f1f778800de0f49e660b402bdc5 AS ubi-repos
+
+####################
+# cpu-base         #
+####################
+FROM ${BASE_IMAGE} AS cpu-base
+
+WORKDIR /opt/app-root/bin
+
+# OS Packages needs to be installed as root
+USER root
+
+# Inject the official UBI 9 repository configuration into the AIPCC base image.
+# The Quay-based AIPCC image is "repo-less" by default (https://gitlab.com/redhat/rhel-ai/core/base-images/app#repositories), so dnf cannot upgrade or install packages.
+# By copying ubi.repo from the public UBI 9 image, we enable package management for upgrades and installations.
+COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
+COPY --from=ubi-repos /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+
+# upgrade first to avoid fixable vulnerabilities begin
+# Problem: The operation would result in removing the following protected packages: systemd
+#  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
+# Solution: --best --skip-broken does not work either, so use --nobest
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0
+dnf clean all -y
+EOF
+
+# upgrade first to avoid fixable vulnerabilities end
+
+# Install useful OS packages
+# remove skopeo, CVE-2025-4674
+RUN dnf install -y perl mesa-libGL && dnf clean all && rm -rf /var/cache/yum
+
+# Other apps and tools installed as default user
+USER 1001
+
+# Install micropipenv and uv to deploy packages from requirements.txt begin
+RUN pip install --no-cache-dir --extra-index-url https://pypi.org/simple -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
+# Install micropipenv and uv to deploy packages from requirements.txt end
+
+WORKDIR /opt/app-root/src
+
+#####################
+# cpu-rstudio       #
+#####################
+FROM cpu-base AS cpu-rstudio
+
+ARG RSTUDIO_SOURCE_CODE=rstudio/rhel9-python-3.12
+ARG TARGETARCH
+
+WORKDIR /opt/app-root/bin
+
+# TODO THIS SHOULD BE REMOVED
+# Access the client's secret for the subscription manager from the environment variable
+ARG SECRET_DIR=/opt/app-root/src/.sec
+ARG SERVERURL_DEFAULT=""
+ARG BASEURL_DEFAULT=""
+# TILL HERE
+
+LABEL name="odh-notebook-rstudio-server-rhel9-python-3.12" \
+      summary="RStudio Server image with python 3.12 based on Red Hat Enterprise Linux 9" \
+      description="RStudio Server image with python 3.12 based on Red Hat Enterprise Linux 9" \
+      io.k8s.display-name="RStudio Server image with python 3.12 based on Red Hat Enterprise Linux 9" \
+      io.k8s.description="RStudio Server image with python 3.12 based on Red Hat Enterprise Linux 9" \
+      authoritative-source-url="https://github.com/opendatahub-io/notebooks" \
+      io.openshift.build.commit.ref="main" \
+      io.openshift.build.source-location="https://github.com/opendatahub-io/notebooks/tree/main/rstudio/rhel9-python-3.12" \
+      io.openshift.build.image="quay.io/opendatahub/workbench-images:rstudio-rhel9-python-3.12"
+
+USER 0
+
+# TODO THIS SHOULD BE REMOVED in favor of: https://issues.redhat.com/browse/RHOAIENG-32541
+# uncomment the below line if you fall on this error: subscription-manager is disabled when running inside a container. Please refer to your host system for subscription management.
+#RUN sed -i 's/\(def in_container():\)/\1\n    return False/g' /usr/lib64/python*/*-packages/rhsm/config.py
+
+# If necessary, run the subscription manager command using the provided credentials. Only include --serverurl and --baseurl if they are provided
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+if [ -d "${SECRET_DIR}" ]; then
+    SERVERURL=$(cat ${SECRET_DIR}/SERVERURL 2>/dev/null || echo ${SERVERURL_DEFAULT})
+    BASEURL=$(cat ${SECRET_DIR}/BASEURL 2>/dev/null || echo ${BASEURL_DEFAULT})
+    USERNAME=$(cat ${SECRET_DIR}/USERNAME)
+    PASSWORD=$(cat ${SECRET_DIR}/PASSWORD)
+    subscription-manager register \
+    ${SERVERURL:+--serverurl=$SERVERURL} \
+    ${BASEURL:+--baseurl=$BASEURL} \
+    --username=$USERNAME \
+    --password=$PASSWORD \
+    --force \
+    --auto-attach
+fi
+EOF
+
+# TILL HERE
+
+ENV R_VERSION=4.5.1
+
+# Install R
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+dnf install -y dnf-plugins-core
+if command -v subscription-manager &> /dev/null; then
+  subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms
+else
+  dnf config-manager --set-enabled crb
+fi
+dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
+INSTALL_PKGS="R-core R-core-devel R-java R-Rcpp R-highlight \
+R-littler R-littler-examples openssl-libs compat-openssl11"
+dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS
+echo 'options(repos = c(CRAN = "https://cran.rstudio.com/"), download.file.method = "libcurl")' >> /usr/lib64/R/etc/Rprofile.site
+(umask 002;touch /usr/lib64/R/etc/Renviron.site)
+dnf -y clean all --enablerepo='*'
+EOF
+
+# set R library to default (used in install.r from littler)
+ENV LIBLOC=/usr/lib64/R/library
+ENV R_LIBS_USER=/opt/app-root/bin/Rpackages/4.5
+
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+chmod -R a+w ${LIBLOC}
+# create User R Library path
+mkdir -p ${R_LIBS_USER}
+chmod -R a+w ${R_LIBS_USER}
+EOF
+
+WORKDIR /tmp/
+COPY /rstudio/utils /tmp/utils
+
+# Install RStudio
+ARG RSTUDIO_RPM=rstudio-server-rhel-2025.09.0-387-x86_64.rpm
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+wget --progress=dot:giga https://download2.rstudio.org/server/rhel9/x86_64/${RSTUDIO_RPM}
+dnf install -y ${RSTUDIO_RPM}
+rm ${RSTUDIO_RPM}
+dnf -y clean all  --enablerepo='*'
+# Specific RStudio config and fixes
+chmod 1777 /var/run/rstudio-server
+mkdir -p /usr/share/doc/R
+# package installation
+# install necessary texlive-framed package to make Knit R markup to PDF rendering possible
+dnf install -y libgit2-devel.x86_64 libcurl-devel harfbuzz-devel.x86_64 fribidi-devel.x86_64 cmake "flexiblas-*" texlive-framed
+dnf clean all
+rm -rf /var/cache/yum
+(cd /tmp/utils && ./cve_remediation.sh)
+EOF
+
+COPY ${RSTUDIO_SOURCE_CODE}/rsession.conf /etc/rstudio/rsession.conf
+
+# # Install R packages
+# # https://cran.r-project.org/web/packages
+# COPY ${RSTUDIO_SOURCE_CODE}/install_packages.R ./
+# RUN /bin/bash <<'EOF'
+# set -Eeuxo pipefail
+# R -f ./install_packages.R
+# rm ./install_packages.R
+# EOF
+
+ENV APP_ROOT=/opt/app-root
+
+# Install NGINX to proxy RStudio and pass probes check
+ENV NGINX_VERSION=1.24 \
+    NGINX_SHORT_VER=124 \
+    NGINX_CONFIGURATION_PATH=${APP_ROOT}/etc/nginx.d \
+    NGINX_CONF_PATH=/etc/nginx/nginx.conf \
+    NGINX_DEFAULT_CONF_PATH=${APP_ROOT}/etc/nginx.default.d \
+    NGINX_CONTAINER_SCRIPTS_PATH=/usr/share/container-scripts/nginx \
+    NGINX_APP_ROOT=${APP_ROOT} \
+    NGINX_LOG_PATH=/var/log/nginx \
+    NGINX_PERL_MODULE_PATH=${APP_ROOT}/etc/perl
+
+# Modules does not exist
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+dnf -y module enable nginx:$NGINX_VERSION
+INSTALL_PKGS="nss_wrapper bind-utils gettext hostname nginx nginx-mod-stream nginx-mod-http-perl httpd"
+dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS
+rpm -V $INSTALL_PKGS
+nginx -v 2>&1 | grep -qe "nginx/$NGINX_VERSION\." && echo "Found VERSION $NGINX_VERSION"
+dnf -y clean all --enablerepo='*'
+EOF
+
+# Configure httpd for CGI processing
+COPY --chown=1001:0 ${RSTUDIO_SOURCE_CODE}/httpd/httpd.conf /etc/httpd/conf/httpd.conf
+COPY --chown=1001:0 ${RSTUDIO_SOURCE_CODE}/httpd/rstudio-cgi.conf /etc/httpd/conf.d/rstudio-cgi.conf
+
+# Copy extra files to the image.
+COPY --chown=1001:0 ${RSTUDIO_SOURCE_CODE}/nginx/root/ /
+
+# Configure nginx
+COPY ${RSTUDIO_SOURCE_CODE}/nginx/serverconf/ /opt/app-root/etc/nginx.default.d/
+COPY ${RSTUDIO_SOURCE_CODE}/nginx/httpconf/ /opt/app-root/etc/nginx.d/
+COPY ${RSTUDIO_SOURCE_CODE}/nginx/api/ /opt/app-root/api/
+
+# Changing ownership and user rights to support following use-cases:
+# 1) running container on OpenShift, whose default security model
+#    is to run the container under random UID, but GID=0
+# 2) for working root-less container with UID=1001, which does not have
+#    to have GID=0
+# 3) for default use-case, that is running container directly on operating system,
+#    with default UID and GID (1001:0)
+# Supported combinations of UID:GID are thus following:
+# UID=1001 && GID=0
+# UID=<any>&& GID=0
+# UID=1001 && GID=<any>
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+sed -i -f ${NGINX_APP_ROOT}/nginxconf.sed ${NGINX_CONF_PATH}
+mkdir -p ${NGINX_APP_ROOT}/etc/nginx.d/
+mkdir -p ${NGINX_APP_ROOT}/etc/nginx.default.d/
+mkdir -p ${NGINX_APP_ROOT}/api/
+mkdir -p ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start
+mkdir -p ${NGINX_LOG_PATH}
+mkdir -p ${NGINX_PERL_MODULE_PATH}
+# Create httpd directories and set permissions
+mkdir -p /var/log/httpd /var/run/httpd /etc/httpd/logs
+chown -R 1001:0 ${NGINX_CONF_PATH}
+chown -R 1001:0 ${NGINX_APP_ROOT}/etc
+chown -R 1001:0 ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start
+chown -R 1001:0 /var/lib/nginx /var/log/nginx /run
+chown -R 1001:0 /var/log/httpd /var/run/httpd /etc/httpd/logs
+chmod    ug+rw  ${NGINX_CONF_PATH}
+chmod -R ug+rwX ${NGINX_APP_ROOT}/etc
+chmod -R ug+rwX ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start
+chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run
+chmod -R ug+rwX /var/log/httpd /var/run/httpd /etc/httpd/logs
+# Make CGI scripts executable and set proper ownership
+chmod +x /opt/app-root/api/kernels/access.cgi
+chmod +x /opt/app-root/api/probe.cgi
+chown -R 1001:0 /opt/app-root/api
+rpm-file-permissions
+EOF
+
+# Launcher
+WORKDIR /opt/app-root/bin
+
+COPY ${RSTUDIO_SOURCE_CODE}/utils utils/
+COPY ${RSTUDIO_SOURCE_CODE}/run-rstudio.sh ${RSTUDIO_SOURCE_CODE}/setup_rstudio.py ${RSTUDIO_SOURCE_CODE}/rsession.sh ${RSTUDIO_SOURCE_CODE}/run-nginx.sh ./
+
+# TODO THIS SHOULD BE REMOVED in favor of: https://issues.redhat.com/browse/RHOAIENG-32541
+# Unregister the system
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+if [ -d "${SECRET_DIR}" ]; then
+    subscription-manager remove --all && subscription-manager unregister && subscription-manager clean
+fi
+EOF
+
+# TILL HERE
+
+USER 1001
+
+COPY ${RSTUDIO_SOURCE_CODE}/pylock.toml ./
+
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+echo "Installing softwares and packages"
+# This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`,
+#  we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
+uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml
+# Fix permissions to support pip in Openshift environments
+chmod -R g+w /opt/app-root/lib/python3.12/site-packages
+fix-permissions /opt/app-root -P
+EOF
+
+WORKDIR /opt/app-root/src
+
+CMD ["/opt/app-root/bin/run-rstudio.sh"]