From 89f1f7de0a2d73ae650086756c01e350cd509e0f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 12 Nov 2025 11:59:30 +0100
Subject: [PATCH 1/9] `#poke` placeholder

---
 jupyter/minimal/ubi9-python-3.12/Dockerfile.cpu | 2 ++
 jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.cpu | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/jupyter/minimal/ubi9-python-3.12/Dockerfile.cpu b/jupyter/minimal/ubi9-python-3.12/Dockerfile.cpu
index bc6ea645ea..a75f9b5609 100644
--- a/jupyter/minimal/ubi9-python-3.12/Dockerfile.cpu
+++ b/jupyter/minimal/ubi9-python-3.12/Dockerfile.cpu
@@ -1,3 +1,5 @@
+#poke
+
 #########################
 # configuration args #
 #########################
diff --git a/jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.cpu b/jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.cpu
index 9c3871fa36..b8a1f55e8e 100644
--- a/jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.cpu
+++ b/jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.cpu
@@ -1,3 +1,5 @@
+#poke
+
 #########################
 # configuration args #
 #########################
From 7a26a34b9e258fa47afaf6ea875a3485961c2876 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 12 Nov 2025 12:02:17 +0100
Subject: [PATCH 2/9] RHAIENG-948: update subscription value to "true" in build-notebooks-pr-aipcc workflow

https://issues.redhat.com/browse/RHAIENG-948
---
 .github/workflows/build-notebooks-pr-aipcc.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build-notebooks-pr-aipcc.yaml b/.github/workflows/build-notebooks-pr-aipcc.yaml
index f718bb67a7..ac62fa09df 100644
--- a/.github/workflows/build-notebooks-pr-aipcc.yaml
+++ b/.github/workflows/build-notebooks-pr-aipcc.yaml
@@ -89,5 +89,6 @@ jobs:
 python: "${{ matrix.python }}"
 github: "${{ toJSON(github) }}"
 platform: "${{ matrix.platform }}"
- subscription: "${{ matrix.subscription }}"
+ # AIPCC base images are RHEL-based, subscription is good for them
+ subscription: "true"
 secrets: inherit
From f2f5d54a2327f84ada16aeabad275616797db2a7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 12 Nov 2025 12:08:02 +0100
Subject: [PATCH 3/9] NO-JIRA: add `workflow_dispatch` trigger to build-notebooks workflows that lacked it

This is very nice for being able to test `pull_request_target` builds without having to push, and then raise PR against the branch.
---
 .github/workflows/build-notebooks-pr-aipcc.yaml | 1 +
 .github/workflows/build-notebooks-pr-rhel.yaml | 1 +
 2 files changed, 2 insertions(+)
diff --git a/.github/workflows/build-notebooks-pr-aipcc.yaml b/.github/workflows/build-notebooks-pr-aipcc.yaml
index ac62fa09df..ab576c4aba 100644
--- a/.github/workflows/build-notebooks-pr-aipcc.yaml
+++ b/.github/workflows/build-notebooks-pr-aipcc.yaml
@@ -1,6 +1,7 @@
 ---
 "name": "Build Notebooks (pr, AIPCC bases)"
 "on":
+ "workflow_dispatch":
 "pull_request_target":
 "paths-ignore":
 # Don't build images if the only thing that changed is image digests in manifests
diff --git a/.github/workflows/build-notebooks-pr-rhel.yaml b/.github/workflows/build-notebooks-pr-rhel.yaml
index 2ed351d224..8802153d03 100644
--- a/.github/workflows/build-notebooks-pr-rhel.yaml
+++ b/.github/workflows/build-notebooks-pr-rhel.yaml
@@ -1,6 +1,7 @@
 ---
 "name": "Build Notebooks (pr, RHEL images)"
 "on":
+ "workflow_dispatch":
 "pull_request_target":
 "paths-ignore":
 # Don't build images if the only thing that changed is image digests in manifests
From c2f05fab62d4ab3cdacb178871cf830c71dbd2e3 Mon Sep 17 00:00:00 2001
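Review bot: The hard-coded `subscription: "true"` in the first hunk sits in a workflow triggered by `pull_request_target` and called with `secrets: inherit`, so every pull-request build now takes the subscription path regardless of the matrix entry. What the called workflow does with this input is outside the hunk; if it makes entitlement or activation-key material available to the image build, that material is exposed to Dockerfile content taken from the pull request, so the job should be gated (approval, label or trusted-author check) before the build step runs. The added comment would serve a maintainer better if it recorded that precondition, for example `# AIPCC bases are RHEL-based and need entitled repos; PR builds are gated by <gate> before secrets are used`.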
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 12 Nov 2025 12:15:04 +0100
Subject: [PATCH 4/9] NO-JIRA: update subscription handling in build-notebooks workflows for AIPCC base images

---
 .github/workflows/build-notebooks-pr-aipcc.yaml | 2 +-
 .github/workflows/build-notebooks-push.yaml | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build-notebooks-pr-aipcc.yaml b/.github/workflows/build-notebooks-pr-aipcc.yaml
index ab576c4aba..8d000ebfe7 100644
--- a/.github/workflows/build-notebooks-pr-aipcc.yaml
+++ b/.github/workflows/build-notebooks-pr-aipcc.yaml
@@ -90,6 +90,6 @@ jobs:
 python: "${{ matrix.python }}"
 github: "${{ toJSON(github) }}"
 platform: "${{ matrix.platform }}"
- # AIPCC base images are RHEL-based, subscription is good for them
+ # rhds/notebooks builds from AIPCC base images that are RHEL-based
 subscription: "true"
 secrets: inherit
diff --git a/.github/workflows/build-notebooks-push.yaml b/.github/workflows/build-notebooks-push.yaml
index c3c712c79c..25e60c43c3 100644
--- a/.github/workflows/build-notebooks-push.yaml
+++ b/.github/workflows/build-notebooks-push.yaml
@@ -53,5 +53,6 @@ jobs:
 python: "${{ matrix.python }}"
 github: "${{ toJSON(github) }}"
 platform: "${{ matrix.platform }}"
- subscription: "${{ matrix.subscription }}"
+ # rhds/notebooks builds from AIPCC base images that are RHEL-based
+ subscription: "${{ matrix.subscription || (github.repository == 'red-hat-data-services/notebooks') }}"
 secrets: inherit
From 7a73cf3e511f608bc0c8b761cf35d007aa4eb44c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 12 Nov 2025 12:17:10 +0100
Subject: [PATCH 5/9] Revert "NO-JIRA: add `workflow_dispatch` trigger to build-notebooks workflows that lacked it"

This reverts commit f2f5d54a2327f84ada16aeabad275616797db2a7.
---
 .github/workflows/build-notebooks-pr-aipcc.yaml | 1 -
 .github/workflows/build-notebooks-pr-rhel.yaml | 1 -
 2 files changed, 2 deletions(-)
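Review bot: In the `build-notebooks-push.yaml` hunk, `matrix.subscription || (github.repository == 'red-hat-data-services/notebooks')` cannot tell an unset matrix value from an explicit `false`, so in that repository a matrix entry that deliberately switches subscription off is overridden to true. If forcing it on for every image there is intended, the comment should say so and name the repository as the expression does, for example `# red-hat-data-services/notebooks always builds with subscription, overriding matrix.subscription`. The declared type of the `subscription` input is outside the hunk, so it is worth confirming that the called workflow accepts the value this expression renders.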
diff --git a/.github/workflows/build-notebooks-pr-aipcc.yaml b/.github/workflows/build-notebooks-pr-aipcc.yaml
index 8d000ebfe7..9c3d885231 100644
--- a/.github/workflows/build-notebooks-pr-aipcc.yaml
+++ b/.github/workflows/build-notebooks-pr-aipcc.yaml
@@ -1,7 +1,6 @@
 ---
 "name": "Build Notebooks (pr, AIPCC bases)"
 "on":
- "workflow_dispatch":
 "pull_request_target":
 "paths-ignore":
 # Don't build images if the only thing that changed is image digests in manifests
diff --git a/.github/workflows/build-notebooks-pr-rhel.yaml b/.github/workflows/build-notebooks-pr-rhel.yaml
index 8802153d03..2ed351d224 100644
--- a/.github/workflows/build-notebooks-pr-rhel.yaml
+++ b/.github/workflows/build-notebooks-pr-rhel.yaml
@@ -1,7 +1,6 @@
 ---
 "name": "Build Notebooks (pr, RHEL images)"
 "on":
- "workflow_dispatch":
 "pull_request_target":
 "paths-ignore":
 # Don't build images if the only thing that changed is image digests in manifests
From 6774e04f09dc3ecccd450c397c5a528f4da1631a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 12 Nov 2025 12:31:34 +0100
Subject: [PATCH 6/9] RHOAIENG-38630: update RHEL base images and architectures for rstudio configurations

https://issues.redhat.com/browse/RHOAIENG-38630 Go to https://console.redhat.com/insights/connector/activation-keys * Red Hat Enterprise Linux 9 for ARM 64 - AppStream - Extended Update Support (RPMs) (`rhel-9-for-aarch64-appstream-eus-rpms`) Then at a minimum https://konflux.pages.redhat.com/docs/users/building/activation-keys-subscription.html#automatic-registration sudo subscription-manger refresh
```
[2/3] STEP 6/10: RUN /bin/bash <<'EOF' (set -Eeuxo pipefail...) + dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 Red Hat Enterprise Linux 9 for x86_64 - AppStre 6.5 kB/s | 473 B 00:00 Errors during downloading metadata for repository 'rhel-9-for-x86_64-appstream-eus-rpms': - Status code: 403 for https://cdn.redhat.com/content/eus/rhel9/9.6/x86_64/appstream/os/repodata/repomd.xml (IP: 23.60.144.251) Error: Failed to download metadata for repo 'rhel-9-for-x86_64-appstream-eus-rpms': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried Error: building at STEP "RUN /bin/bash <<'EOF'": while running runtime: exit status 1
```
---
 rstudio/rhel9-python-3.12/build-args/cpu.conf | 7 ++++---
 rstudio/rhel9-python-3.12/build-args/cuda.conf | 5 +++--
 2 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/rstudio/rhel9-python-3.12/build-args/cpu.conf b/rstudio/rhel9-python-3.12/build-args/cpu.conf
index 2dec27f449..4af0b8d1a9 100644
--- a/rstudio/rhel9-python-3.12/build-args/cpu.conf
+++ b/rstudio/rhel9-python-3.12/build-args/cpu.conf
@@ -1,3 +1,4 @@
-# Base Image : CentOS Stream 9 with Python 3.12
-# Architectures: linux/arm64, linux/x86_64
-BASE_IMAGE=quay.io/opendatahub/odh-base-image-cpu-py312-c9s:latest
+# Base Image : RHEL 9.6 with Python 3.12
+# Architectures: linux/arm64, linux/ppc64le, linux/x86_64, linux/s360x
+# Source : https://quay.io/repository/aipcc/base-images/cpu
+BASE_IMAGE=quay.io/aipcc/base-images/cpu:3.1-1762903336
diff --git a/rstudio/rhel9-python-3.12/build-args/cuda.conf b/rstudio/rhel9-python-3.12/build-args/cuda.conf
index d6c3287261..065bc1be6a 100644
--- a/rstudio/rhel9-python-3.12/build-args/cuda.conf
+++ b/rstudio/rhel9-python-3.12/build-args/cuda.conf
@@ -1,4 +1,5 @@
-# Base Image : CentOS Stream 9 with Python 3.12
+# Base Image : RHEL 9.6 with Python 3.12
 # CUDA Version : 12.8.1
 # Architectures: linux/arm64, linux/x86_64
-BASE_IMAGE=quay.io/opendatahub/odh-base-image-cuda-py312-c9s:v12.8
+# Source : https://quay.io/repository/aipcc/base-images/cuda
+BASE_IMAGE=quay.io/aipcc/base-images/cuda:3.1-1762903318
From 2dccd4530e44a94330b488e4524a20f07a0de2b4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 12 Nov 2025 12:45:44 +0100
Subject: [PATCH 7/9] RHAIENG-948: add `subscription-manager refresh` to improve subscription handling in rhel9-python-3.12 Dockerfile

---
 rstudio/rhel9-python-3.12/Dockerfile.cpu | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/rstudio/rhel9-python-3.12/Dockerfile.cpu b/rstudio/rhel9-python-3.12/Dockerfile.cpu
index 48a3c33742..481cb2403b 100644
--- a/rstudio/rhel9-python-3.12/Dockerfile.cpu
+++ b/rstudio/rhel9-python-3.12/Dockerfile.cpu
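Review bot: `BASE_IMAGE=quay.io/aipcc/base-images/cpu:3.1-1762903336` in cpu.conf, and the matching `cuda:3.1-1762903318` line in the cuda.conf hunk, pin the base image by tag only; a tag can be re-pointed in the registry, so a changed base would enter the build unnoticed. Provided the build tooling passes the value through to `FROM` unchanged, appending the digest keeps the readable tag and fixes the content: `BASE_IMAGE=quay.io/aipcc/base-images/cpu:3.1-1762903336@sha256:<digest of the reviewed image>`. The new architectures comment in cpu.conf also reads `linux/s360x`, presumably meant as `linux/s390x`.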
@@ -24,6 +24,13 @@ USER root
 COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
 COPY --from=ubi-repos /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+if command -v subscription-manager &> /dev/null; then
+ subscription-manager refresh
+fi
+EOF
+
 # upgrade first to avoid fixable vulnerabilities begin
 # Problem: The operation would result in removing the following protected packages: systemd
 # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
From 71d0fbb855df6acebb0f3274d866836da87fc84b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 12 Nov 2025 13:09:12 +0100
Subject: [PATCH 8/9] RHAIENG-XXXXX: add npm installation to support cve_remediation in rhel9-python-3.12 Dockerfiles

```
+ ./cve_remediation.sh ++ uname -m + rm /usr/lib/rstudio-server/bin/quarto/bin/tools/x86_64/esbuild + npm ci ./cve_remediation.sh: line 7: npm: command not found
```
---
 rstudio/rhel9-python-3.12/Dockerfile.cpu | 2 ++
 rstudio/rhel9-python-3.12/Dockerfile.cuda | 2 ++
 2 files changed, 4 insertions(+)
diff --git a/rstudio/rhel9-python-3.12/Dockerfile.cpu b/rstudio/rhel9-python-3.12/Dockerfile.cpu
index 481cb2403b..91c872e7c0 100644
--- a/rstudio/rhel9-python-3.12/Dockerfile.cpu
+++ b/rstudio/rhel9-python-3.12/Dockerfile.cpu
@@ -158,6 +158,8 @@ mkdir -p /usr/share/doc/R
 # package installation
 # install necessary texlive-framed package to make Knit R markup to PDF rendering possible
 dnf install -y libgit2-devel.x86_64 libcurl-devel harfbuzz-devel.x86_64 fribidi-devel.x86_64 cmake "flexiblas-*" texlive-framed
+# install npm to run cve_remediation script
+dnf install -y npm
 dnf clean all
 rm -rf /var/cache/yum
 (cd /tmp/utils && ./cve_remediation.sh)
diff --git a/rstudio/rhel9-python-3.12/Dockerfile.cuda b/rstudio/rhel9-python-3.12/Dockerfile.cuda
index fcd672931e..f97424b352 100644
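Review bot: `dnf install -y npm` in the `@@ -158,6 +158,8 @@` hunk adds npm and its Node.js runtime to the final image only so that `cve_remediation.sh` can run `npm ci` once, which leaves an extra package manager and runtime in the shipped image for scanners and patching to track. If nothing after the script needs it (the rest of the heredoc is outside the hunk), remove it again in the same layer by adding `dnf remove -y npm && dnf clean all` after `(cd /tmp/utils && ./cve_remediation.sh)`, or run the remediation in a builder stage. The same two lines are added to Dockerfile.cuda in the following hunk.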
--- a/rstudio/rhel9-python-3.12/Dockerfile.cuda
+++ b/rstudio/rhel9-python-3.12/Dockerfile.cuda
@@ -165,6 +165,8 @@ mkdir -p /usr/share/doc/R
 # package installation
 # install necessary texlive-framed package to make Knit R markup to PDF rendering possible
 dnf install -y libgit2-devel.x86_64 libcurl-devel harfbuzz-devel.x86_64 fribidi-devel.x86_64 cmake "flexiblas-*" texlive-framed
+# install npm to run cve_remediation script
+dnf install -y npm
 dnf clean all
 rm -rf /var/cache/yum
 (cd /tmp/utils && ./cve_remediation.sh)
From b871eb7de4e973b37b7e61c38a986abf7808ea35 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jiri=20Dan=C4=9Bk?=
Date: Wed, 12 Nov 2025 13:15:44 +0100
Subject: [PATCH 9/9] RHAIENG-XXXXX: improve subscription handling in rhel9-python-3.12 Dockerfiles with conditional refresh logic

---
 rstudio/rhel9-python-3.12/Dockerfile.cpu | 2 +-
 rstudio/rhel9-python-3.12/Dockerfile.cuda | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/rstudio/rhel9-python-3.12/Dockerfile.cpu b/rstudio/rhel9-python-3.12/Dockerfile.cpu
index 91c872e7c0..dd57a7b6a1 100644
--- a/rstudio/rhel9-python-3.12/Dockerfile.cpu
+++ b/rstudio/rhel9-python-3.12/Dockerfile.cpu
@@ -27,7 +27,7 @@ COPY --from=ubi-repos /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release /etc/pki/rpm-g
 RUN /bin/bash <<'EOF'
 set -Eeuxo pipefail
 if command -v subscription-manager &> /dev/null; then
- subscription-manager refresh
+ subscription-manager identity &>/dev/null && subscription-manager refresh || echo "Not registered, skipping refresh."
 fi
 EOF
 
diff --git a/rstudio/rhel9-python-3.12/Dockerfile.cuda b/rstudio/rhel9-python-3.12/Dockerfile.cuda
index f97424b352..92c02bb69b 100644
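Review bot: In the `@@ -27,7 +27,7 @@` hunk the `A && B || C` chain also runs the `echo` when `subscription-manager identity` succeeds but `subscription-manager refresh` fails, so a real refresh failure is logged as "Not registered, skipping refresh." and the step passes despite `set -e`. The failure would then presumably surface later as a repository 403 during the upgrade, like the log quoted in patch 6, with nothing pointing back to the refresh. An explicit branch keeps the two cases apart: `if subscription-manager identity &>/dev/null; then subscription-manager refresh; else echo "Not registered, skipping refresh."; fi`. The same line is added to Dockerfile.cuda in the next hunk.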
@@ -24,6 +24,13 @@ USER root
 COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
 COPY --from=ubi-repos /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
 
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+if command -v subscription-manager &> /dev/null; then
+ subscription-manager identity &>/dev/null && subscription-manager refresh || echo "Not registered, skipping refresh."
+fi
+EOF
+
 # upgrade first to avoid fixable vulnerabilities begin
 # Problem: The operation would result in removing the following protected packages: systemd
 # (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)