diff --git a/jupyter/datascience/ubi9-python-3.12/Dockerfile.konflux.cpu b/jupyter/datascience/ubi9-python-3.12/Dockerfile.konflux.cpu index 629fdbed6f..ff4adf36d0 100644 --- a/jupyter/datascience/ubi9-python-3.12/Dockerfile.konflux.cpu +++ b/jupyter/datascience/ubi9-python-3.12/Dockerfile.konflux.cpu @@ -3,6 +3,9 @@ ######################### ARG BASE_IMAGE +# External image alias for UBI repository configuration +FROM registry.access.redhat.com/ubi9/ubi AS ubi-repos + ###################################################### # mongocli-builder (build stage only, not published) # ###################################################### @@ -20,7 +23,7 @@ RUN arch="${TARGETARCH:-$(uname -m)}" && \ arch=$(echo "$arch" | cut -d- -f1) && \ if [ "$arch" = "s390x" ]; then \ echo "Skipping mongocli build for ${arch}, creating dummy binary"; \ - mkdir -p /tmp && echo -e '#!/bin/sh\necho "mongocli not supported on s390x"' > /tmp/mongocli && \ + mkdir -p /tmp && printf '#!/bin/sh\necho "mongocli not supported on s390x"\n' > /tmp/mongocli && \ chmod +x /tmp/mongocli; \ else \ echo "Building mongocli for ${arch}"; \ @@ -44,7 +47,7 @@ ARG TARGETARCH # Inject the official UBI 9 repository configuration into the AIPCC base image. # The Quay-based AIPCC image is "repo-less" by default (https://gitlab.com/redhat/rhel-ai/core/base-images/app#repositories), so dnf cannot upgrade or install packages. # By copying ubi.repo from the public UBI 9 image, we enable package management for upgrades and installations. -COPY --from=registry.access.redhat.com/ubi9/ubi /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo +COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # upgrade first to avoid fixable vulnerabilities begin # Problem: The operation would result in removing the following protected packages: systemd @@ -66,27 +69,35 @@ RUN --mount=type=cache,target=/var/cache/dnf \ dnf install -y $PACKAGES && \ dnf clean all && rm -rf /var/cache/yum -RUN if [ "$TARGETARCH" = "s390x" ]; then \ +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +if [ "$TARGETARCH" = "s390x" ]; then # Install Rust and set up environment - mkdir -p /opt/.cargo && \ - export HOME=/root && \ - curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs -o rustup-init.sh && \ - chmod +x rustup-init.sh && \ - CARGO_HOME=/opt/.cargo HOME=/root ./rustup-init.sh -y --no-modify-path && \ - rm -f rustup-init.sh && \ - chown -R 1001:0 /opt/.cargo && \ + mkdir -p /opt/.cargo + export HOME=/root + curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs -o rustup-init.sh + chmod +x rustup-init.sh + CARGO_HOME=/opt/.cargo HOME=/root ./rustup-init.sh -y --no-modify-path + rm -f rustup-init.sh + chown -R 1001:0 /opt/.cargo # Set environment variables - echo 'export PATH=/opt/.cargo/bin:$PATH' >> /etc/profile.d/cargo.sh && \ - echo 'export CARGO_HOME=/opt/.cargo' >> /etc/profile.d/cargo.sh && \ - echo 'export GRPC_PYTHON_BUILD_SYSTEM_OPENSSL=1' >> /etc/profile.d/cargo.sh; \ + cat > /etc/profile.d/cargo.sh <<'CARGO_EOF' +export PATH=/opt/.cargo/bin:$PATH +export CARGO_HOME=/opt/.cargo +export GRPC_PYTHON_BUILD_SYSTEM_OPENSSL=1 +CARGO_EOF fi +EOF # Set python alternatives only for s390x (not needed for other arches) -RUN if [ "$TARGETARCH" = "s390x" ]; then \ - alternatives --install /usr/bin/python python /usr/bin/python3.12 1 && \ - alternatives --install /usr/bin/python3 python3 /usr/bin/python3.12 1 && \ - python --version && python3 --version; \ +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +if [ "$TARGETARCH" = "s390x" ]; then + alternatives --install /usr/bin/python python /usr/bin/python3.12 1 + alternatives --install /usr/bin/python3 python3 /usr/bin/python3.12 1 + python --version && python3 --version fi +EOF # Other apps and tools installed as default user USER 1001 @@ -109,6 +120,7 @@ RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/oc FROM cpu-base AS pyarrow-builder ARG TARGETARCH +# hadolint ignore=DL3002 USER 0 WORKDIR /tmp/build-wheels @@ -167,8 +179,9 @@ RUN --mount=type=cache,target=/root/.cache/pip \ ####################################################### FROM cpu-base AS common-builder ARG TARGETARCH +# hadolint ignore=DL3002 USER root -RUN <<'EOF' +RUN /bin/bash <<'EOF' set -Eeuxo pipefail if [ "${TARGETARCH}" = "ppc64le" ]; then dnf install -y gcc-toolset-13 cmake ninja-build git wget unzip @@ -193,8 +206,9 @@ if [ "${TARGETARCH}" = "ppc64le" ]; then cd onnx git checkout ${ONNX_VERSION} git submodule update --init --recursive - pip install -r requirements.txt - export CMAKE_ARGS="-DPython3_EXECUTABLE=$(which python3.12)" + pip install --no-cache-dir -r requirements.txt + CMAKE_ARGS="-DPython3_EXECUTABLE=$(which python3.12)" + export CMAKE_ARGS pip wheel . -w /root/onnx_wheel else echo "Skipping ONNX build on non-Power" @@ -212,7 +226,7 @@ WORKDIR /root RUN <<'EOF' set -Eeuxo pipefail if [ "${TARGETARCH}" = "ppc64le" ]; then - wget https://github.com/OpenMathLib/OpenBLAS/releases/download/v${OPENBLAS_VERSION}/OpenBLAS-${OPENBLAS_VERSION}.zip + wget --progress=dot:giga https://github.com/OpenMathLib/OpenBLAS/releases/download/v${OPENBLAS_VERSION}/OpenBLAS-${OPENBLAS_VERSION}.zip unzip OpenBLAS-${OPENBLAS_VERSION}.zip cd OpenBLAS-${OPENBLAS_VERSION} make -j$(nproc) TARGET=POWER9 BINARY=64 USE_OPENMP=1 USE_THREAD=1 NUM_THREADS=120 DYNAMIC_ARCH=1 INTERFACE64=0 @@ -221,6 +235,7 @@ else echo "Skipping OpenBLAS build on non-Power" fi EOF + #################### # jupyter-minimal # #################### @@ -296,17 +311,17 @@ COPY --from=openblas-builder /root/OpenBLAS-${OPENBLAS_VERSION} /openblas COPY --from=onnx-builder /root/onnx_wheel/ /onnxwheels/ # Power-specific ONNX/OpenBLAS installation -RUN <<'EOF' +RUN /bin/bash <<'EOF' set -Eeuxo pipefail if [ "${TARGETARCH}" = "ppc64le" ]; then - pip install /onnxwheels/*.whl + pip install --no-cache-dir /onnxwheels/*.whl else echo "Skipping ONNX/OpenBLAS install on non-Power" fi EOF USER root -RUN <<'EOF' +RUN /bin/bash <<'EOF' set -Eeuxo pipefail if [ "${TARGETARCH}" = "ppc64le" ]; then rm -rf /onnxwheels @@ -315,7 +330,7 @@ else fi EOF -RUN <<'EOF' +RUN /bin/bash <<'EOF' set -Eeuxo pipefail if [ "${TARGETARCH}" = "ppc64le" ]; then PREFIX=/usr/local make -C /openblas install diff --git a/jupyter/minimal/ubi9-python-3.12/Dockerfile.cpu b/jupyter/minimal/ubi9-python-3.12/Dockerfile.cpu index 3b0030be1c..8cf803cce0 100644 --- a/jupyter/minimal/ubi9-python-3.12/Dockerfile.cpu +++ b/jupyter/minimal/ubi9-python-3.12/Dockerfile.cpu @@ -6,6 +6,24 @@ ARG BASE_IMAGE # External image alias for UBI repository configuration FROM registry.access.redhat.com/ubi9/ubi AS ubi-repos +############################ +# Stage 1: PDF Tool Build # +############################ +FROM registry.access.redhat.com/ubi9/python-312:latest AS pdf-builder + +WORKDIR /opt/app-root/bin + +# OS Packages needs to be installed as root +USER 0 + +# Copy scripts +COPY jupyter/utils/install_texlive.sh ./install_texlive.sh +COPY jupyter/utils/install_pandoc.sh ./install_pandoc.sh +RUN chmod +x install_texlive.sh install_pandoc.sh + +RUN ./install_texlive.sh +RUN ./install_pandoc.sh + #################### # cpu-base # #################### @@ -71,9 +89,14 @@ COPY ${JUPYTER_REUSABLE_UTILS} utils/ USER 0 # Dependencies for PDF export begin -RUN ./utils/install_pdf_deps.sh -ENV PATH="/usr/local/texlive/bin/linux:/usr/local/pandoc/bin:$PATH" -# Dependencies for PDF export end +RUN --mount=type=cache,from=pdf-builder,source=/usr/local/,target=/pdf_builder/,rw \ + bash -c ' \ + if [[ "$(uname -m)" == "ppc64le" ]]; then \ + cp -r /pdf_builder/texlive /usr/local/; \ + cp -r /pdf_builder/pandoc /usr/local/; \ + else \ + ./utils/install_pdf_deps.sh; \ + fi' USER 1001 diff --git a/jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.cpu b/jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.cpu index cf9e3dbf93..eece2861a0 100644 --- a/jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.cpu +++ b/jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.cpu @@ -3,6 +3,9 @@ ######################### ARG BASE_IMAGE +# External image alias for UBI repository configuration +FROM registry.access.redhat.com/ubi9/ubi AS ubi-repos + ############################ # Stage 1: PDF Tool Build # ############################ @@ -34,7 +37,7 @@ USER 0 # Inject the official UBI 9 repository configuration into the AIPCC base image. # The Quay-based AIPCC image is "repo-less" by default (https://gitlab.com/redhat/rhel-ai/core/base-images/app#repositories), so dnf cannot upgrade or install packages. # By copying ubi.repo from the public UBI 9 image, we enable package management for upgrades and installations. -COPY --from=registry.access.redhat.com/ubi9/ubi /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo +COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # upgrade first to avoid fixable vulnerabilities begin # Problem: The operation would result in removing the following protected packages: systemd @@ -69,18 +72,6 @@ FROM cpu-base AS jupyter-minimal ARG JUPYTER_REUSABLE_UTILS=jupyter/utils ARG MINIMAL_SOURCE_CODE=jupyter/minimal/ubi9-python-3.12 -LABEL name="odh-notebook-jupyter-minimal-ubi9-python-3.12" \ - summary="Minimal Jupyter notebook image for ODH notebooks" \ - description="Minimal Jupyter notebook image with base Python 3.12 builder image based on UBI9 for ODH notebooks" \ - io.k8s.display-name="Minimal Jupyter notebook image for ODH notebooks" \ - io.k8s.description="Minimal Jupyter notebook image with base Python 3.12 builder image based on UBI9 for ODH notebooks" \ - authoritative-source-url="https://github.com/opendatahub-io/notebooks" \ - io.openshift.build.commit.ref="main" \ - io.openshift.build.source-location="https://github.com/opendatahub-io/notebooks/tree/main/jupyter/minimal/ubi9-python-3.12" \ - io.openshift.build.image="quay.io/opendatahub/workbench-images:jupyter-minimal-ubi9-python-3.12" \ - com.redhat.component="odh-workbench-jupyter-minimal-cpu-py312-rhel9" \ - com.redhat.license_terms="https://www.redhat.com/licenses/Red_Hat_Standard_EULA_20191108.pdf" - WORKDIR /opt/app-root/bin COPY ${JUPYTER_REUSABLE_UTILS} utils/ @@ -88,9 +79,14 @@ COPY ${JUPYTER_REUSABLE_UTILS} utils/ USER 0 # Dependencies for PDF export begin -RUN ./utils/install_pdf_deps.sh -ENV PATH="/usr/local/texlive/bin/linux:/usr/local/pandoc/bin:$PATH" -# Dependencies for PDF export end +RUN --mount=type=cache,from=pdf-builder,source=/usr/local/,target=/pdf_builder/,rw \ + bash -c ' \ + if [[ "$(uname -m)" == "ppc64le" ]]; then \ + cp -r /pdf_builder/texlive /usr/local/; \ + cp -r /pdf_builder/pandoc /usr/local/; \ + else \ + ./utils/install_pdf_deps.sh; \ + fi' USER 1001 @@ -116,3 +112,11 @@ RUN echo "Installing softwares and packages" && \ WORKDIR /opt/app-root/src ENTRYPOINT ["start-notebook.sh"] + +LABEL name="rhoai/odh-workbench-jupyter-minimal-cpu-py312-rhel9" \ + com.redhat.component="odh-workbench-jupyter-minimal-cpu-py312-rhel9" \ + io.k8s.display-name="odh-workbench-jupyter-minimal-cpu-py312-rhel9" \ + summary="Minimal Jupyter CPU notebook image for ODH notebooks" \ + description="Minimal Jupyter CPU notebook image with base Python 3.12 builder image based on UBI9 for ODH notebooks" \ + io.k8s.description="Minimal Jupyter CPU notebook image with base Python 3.12 builder image based on UBI9 for ODH notebooks" \ + com.redhat.license_terms="https://www.redhat.com/licenses/Red_Hat_Standard_EULA_20191108.pdf" diff --git a/jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.cuda b/jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.cuda index b5ec6fb4b0..3c741d9715 100644 --- a/jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.cuda +++ b/jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.cuda @@ -5,6 +5,9 @@ ARG TARGETARCH ######################### ARG BASE_IMAGE +# External image alias for UBI repository configuration +FROM registry.access.redhat.com/ubi9/ubi AS ubi-repos + #################### # cuda-base # #################### @@ -18,7 +21,7 @@ USER 0 # Inject the official UBI 9 repository configuration into the AIPCC base image. # The Quay-based AIPCC image is "repo-less" by default (https://gitlab.com/redhat/rhel-ai/core/base-images/app#repositories), so dnf cannot upgrade or install packages. # By copying ubi.repo from the public UBI 9 image, we enable package management for upgrades and installations. -COPY --from=registry.access.redhat.com/ubi9/ubi /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo +COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # upgrade first to avoid fixable vulnerabilities begin # Problem: The operation would result in removing the following protected packages: systemd diff --git a/jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.rocm b/jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.rocm index 8a5c31b4be..0dfa9b3db8 100644 --- a/jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.rocm +++ b/jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.rocm @@ -3,6 +3,9 @@ ######################### ARG BASE_IMAGE +# External image alias for UBI repository configuration +FROM registry.access.redhat.com/ubi9/ubi AS ubi-repos + #################### # rocm-base # #################### @@ -16,7 +19,7 @@ USER 0 # Inject the official UBI 9 repository configuration into the AIPCC base image. # The Quay-based AIPCC image is "repo-less" by default (https://gitlab.com/redhat/rhel-ai/core/base-images/app#repositories), so dnf cannot upgrade or install packages. # By copying ubi.repo from the public UBI 9 image, we enable package management for upgrades and installations. -COPY --from=registry.access.redhat.com/ubi9/ubi /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo +COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # upgrade first to avoid fixable vulnerabilities begin # Problem: The operation would result in removing the following protected packages: systemd diff --git a/jupyter/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.konflux.cuda b/jupyter/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.konflux.cuda index 426c9715c3..0a087f3ceb 100644 --- a/jupyter/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.konflux.cuda +++ b/jupyter/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.konflux.cuda @@ -5,6 +5,9 @@ ARG TARGETARCH ######################### ARG BASE_IMAGE +# External image alias for UBI repository configuration +FROM registry.access.redhat.com/ubi9/ubi AS ubi-repos + ###################################################### # mongocli-builder (build stage only, not published) # ###################################################### @@ -31,7 +34,7 @@ USER 0 # Inject the official UBI 9 repository configuration into the AIPCC base image. # The Quay-based AIPCC image is "repo-less" by default (https://gitlab.com/redhat/rhel-ai/core/base-images/app#repositories), so dnf cannot upgrade or install packages. # By copying ubi.repo from the public UBI 9 image, we enable package management for upgrades and installations. -COPY --from=registry.access.redhat.com/ubi9/ubi /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo +COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # upgrade first to avoid fixable vulnerabilities begin # Problem: The operation would result in removing the following protected packages: systemd diff --git a/jupyter/pytorch/ubi9-python-3.12/Dockerfile.konflux.cuda b/jupyter/pytorch/ubi9-python-3.12/Dockerfile.konflux.cuda index 22ab75e103..9067136801 100644 --- a/jupyter/pytorch/ubi9-python-3.12/Dockerfile.konflux.cuda +++ b/jupyter/pytorch/ubi9-python-3.12/Dockerfile.konflux.cuda @@ -5,6 +5,9 @@ ARG TARGETARCH ######################### ARG BASE_IMAGE +# External image alias for UBI repository configuration +FROM registry.access.redhat.com/ubi9/ubi AS ubi-repos + ###################################################### # mongocli-builder (build stage only, not published) # ###################################################### @@ -31,7 +34,7 @@ USER 0 # Inject the official UBI 9 repository configuration into the AIPCC base image. # The Quay-based AIPCC image is "repo-less" by default (https://gitlab.com/redhat/rhel-ai/core/base-images/app#repositories), so dnf cannot upgrade or install packages. # By copying ubi.repo from the public UBI 9 image, we enable package management for upgrades and installations. -COPY --from=registry.access.redhat.com/ubi9/ubi /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo +COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # upgrade first to avoid fixable vulnerabilities begin # Problem: The operation would result in removing the following protected packages: systemd diff --git a/jupyter/rocm/pytorch/ubi9-python-3.12/Dockerfile.konflux.rocm b/jupyter/rocm/pytorch/ubi9-python-3.12/Dockerfile.konflux.rocm index 96773f544a..69696aa3fe 100644 --- a/jupyter/rocm/pytorch/ubi9-python-3.12/Dockerfile.konflux.rocm +++ b/jupyter/rocm/pytorch/ubi9-python-3.12/Dockerfile.konflux.rocm @@ -3,6 +3,9 @@ ######################### ARG BASE_IMAGE +# External image alias for UBI repository configuration +FROM registry.access.redhat.com/ubi9/ubi AS ubi-repos + ###################################################### # mongocli-builder (build stage only, not published) # ###################################################### @@ -29,7 +32,7 @@ USER 0 # Inject the official UBI 9 repository configuration into the AIPCC base image. # The Quay-based AIPCC image is "repo-less" by default (https://gitlab.com/redhat/rhel-ai/core/base-images/app#repositories), so dnf cannot upgrade or install packages. # By copying ubi.repo from the public UBI 9 image, we enable package management for upgrades and installations. -COPY --from=registry.access.redhat.com/ubi9/ubi /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo +COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # upgrade first to avoid fixable vulnerabilities begin # Problem: The operation would result in removing the following protected packages: systemd diff --git a/jupyter/rocm/tensorflow/ubi9-python-3.12/Dockerfile.konflux.rocm b/jupyter/rocm/tensorflow/ubi9-python-3.12/Dockerfile.konflux.rocm index b2b04aae65..6d51a77eca 100644 --- a/jupyter/rocm/tensorflow/ubi9-python-3.12/Dockerfile.konflux.rocm +++ b/jupyter/rocm/tensorflow/ubi9-python-3.12/Dockerfile.konflux.rocm @@ -3,6 +3,9 @@ ######################### ARG BASE_IMAGE +# External image alias for UBI repository configuration +FROM registry.access.redhat.com/ubi9/ubi AS ubi-repos + ###################################################### # mongocli-builder (build stage only, not published) # ###################################################### @@ -29,7 +32,7 @@ USER 0 # Inject the official UBI 9 repository configuration into the AIPCC base image. # The Quay-based AIPCC image is "repo-less" by default (https://gitlab.com/redhat/rhel-ai/core/base-images/app#repositories), so dnf cannot upgrade or install packages. # By copying ubi.repo from the public UBI 9 image, we enable package management for upgrades and installations. -COPY --from=registry.access.redhat.com/ubi9/ubi /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo +COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # upgrade first to avoid fixable vulnerabilities begin # Problem: The operation would result in removing the following protected packages: systemd @@ -114,6 +117,7 @@ WORKDIR /opt/app-root/src ########################### FROM rocm-jupyter-datascience AS rocm-jupyter-tensorflow +ARG JUPYTER_REUSABLE_UTILS=jupyter/utils ARG DATASCIENCE_SOURCE_CODE=jupyter/datascience/ubi9-python-3.12 ARG TENSORFLOW_SOURCE_CODE=jupyter/rocm/tensorflow/ubi9-python-3.12 @@ -145,6 +149,8 @@ RUN chmod -R g+w /opt/app-root/lib/python3.12/site-packages && \ fix-permissions /opt/app-root -P USER 1001 +COPY ${JUPYTER_REUSABLE_UTILS}/usercustomize.pth ${JUPYTER_REUSABLE_UTILS}/monkey_patch_protobuf_6x.py /opt/app-root/lib/python3.12/site-packages/ + WORKDIR /opt/app-root/src LABEL name="rhoai/odh-workbench-jupyter-tensorflow-rocm-py312-rhel9" \ diff --git a/jupyter/tensorflow/ubi9-python-3.12/Dockerfile.konflux.cuda b/jupyter/tensorflow/ubi9-python-3.12/Dockerfile.konflux.cuda index f15b5ea5a2..e5c665cfe7 100644 --- a/jupyter/tensorflow/ubi9-python-3.12/Dockerfile.konflux.cuda +++ b/jupyter/tensorflow/ubi9-python-3.12/Dockerfile.konflux.cuda @@ -5,6 +5,9 @@ ARG TARGETARCH ######################### ARG BASE_IMAGE +# External image alias for UBI repository configuration +FROM registry.access.redhat.com/ubi9/ubi AS ubi-repos + ###################################################### # mongocli-builder (build stage only, not published) # ###################################################### @@ -31,7 +34,7 @@ USER 0 # Inject the official UBI 9 repository configuration into the AIPCC base image. # The Quay-based AIPCC image is "repo-less" by default (https://gitlab.com/redhat/rhel-ai/core/base-images/app#repositories), so dnf cannot upgrade or install packages. # By copying ubi.repo from the public UBI 9 image, we enable package management for upgrades and installations. -COPY --from=registry.access.redhat.com/ubi9/ubi /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo +COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # upgrade first to avoid fixable vulnerabilities begin # Problem: The operation would result in removing the following protected packages: systemd @@ -103,11 +106,6 @@ RUN dnf install -y jq unixODBC postgresql git-lfs libsndfile libxcrypt-compat && # Copy dynamically-linked mongocli built in earlier build stage COPY --from=mongocli-builder /tmp/mongocli /opt/app-root/bin/ -# hdf5 is needed for h5py -RUN dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \ - dnf install -y hdf5-devel && \ - dnf clean all - # Other apps and tools installed as default user USER 1001 @@ -121,6 +119,7 @@ WORKDIR /opt/app-root/src ############################ FROM cuda-jupyter-datascience AS cuda-jupyter-tensorflow +ARG JUPYTER_REUSABLE_UTILS=jupyter/utils ARG DATASCIENCE_SOURCE_CODE=jupyter/datascience/ubi9-python-3.12 ARG TENSORFLOW_SOURCE_CODE=jupyter/tensorflow/ubi9-python-3.12 @@ -149,6 +148,8 @@ RUN echo "Installing softwares and packages" && \ chmod -R g+w /opt/app-root/lib/python3.12/site-packages && \ fix-permissions /opt/app-root -P +COPY ${JUPYTER_REUSABLE_UTILS}/usercustomize.pth ${JUPYTER_REUSABLE_UTILS}/monkey_patch_protobuf_6x.py /opt/app-root/lib/python3.12/site-packages/ + WORKDIR /opt/app-root/src LABEL name="rhoai/odh-workbench-jupyter-tensorflow-cuda-py312-rhel9" \ diff --git a/jupyter/trustyai/ubi9-python-3.12/Dockerfile.konflux.cpu b/jupyter/trustyai/ubi9-python-3.12/Dockerfile.konflux.cpu index 7ce1e4f71c..985431abd9 100644 --- a/jupyter/trustyai/ubi9-python-3.12/Dockerfile.konflux.cpu +++ b/jupyter/trustyai/ubi9-python-3.12/Dockerfile.konflux.cpu @@ -3,6 +3,9 @@ ######################### ARG BASE_IMAGE +# External image alias for UBI repository configuration +FROM registry.access.redhat.com/ubi9/ubi AS ubi-repos + ###################################################### # mongocli-builder (build stage only, not published) # ###################################################### @@ -21,6 +24,7 @@ RUN cd ./mongodb-cli-mongocli-v${MONGOCLI_VERSION}/ && \ #################### FROM ${BASE_IMAGE} AS whl-cache +# hadolint ignore=DL3002 USER root ENV HOME=/root WORKDIR /root @@ -31,7 +35,7 @@ COPY ${TRUSTYAI_SOURCE_CODE}/pylock.toml . COPY ${TRUSTYAI_SOURCE_CODE}/devel_env_setup.sh . RUN --mount=type=cache,target=/root/.cache/uv \ - pip install --no-cache uv && \ + pip install --no-cache-dir uv && \ # the devel script is ppc64le and s390x specific - sets up build-time dependencies source ./devel_env_setup.sh && \ # This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`, @@ -51,7 +55,7 @@ USER root # Inject the official UBI 9 repository configuration into the AIPCC base image. # The Quay-based AIPCC image is "repo-less" by default (https://gitlab.com/redhat/rhel-ai/core/base-images/app#repositories), so dnf cannot upgrade or install packages. # By copying ubi.repo from the public UBI 9 image, we enable package management for upgrades and installations. -COPY --from=registry.access.redhat.com/ubi9/ubi /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo +COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # upgrade first to avoid fixable vulnerabilities begin # Problem: The operation would result in removing the following protected packages: systemd @@ -194,7 +198,8 @@ RUN --mount=type=cache,target=/root/.cache/uv \ # Build debugpy from source instead UV_LINK_MODE=copy uv pip install --no-cache git+https://github.com/microsoft/debugpy.git@v$(grep -A1 '\"debugpy\"' ./pylock.toml | grep -Eo '\b[0-9\.]+\b') && \ # change ownership to default user (all packages were installed as root and has root:root ownership \ - chown -R 1001:0 /opt/app-root/ + chown -R 1001:0 /opt/app-root/ && \ + chmod -R g=u /opt/app-root USER 1001 diff --git a/jupyter/utils/install_texlive.sh b/jupyter/utils/install_texlive.sh index 0e53665f60..78566a7a8f 100755 --- a/jupyter/utils/install_texlive.sh +++ b/jupyter/utils/install_texlive.sh @@ -81,4 +81,4 @@ ln -sf "$TEX_BIN_DIR" /usr/local/texlive/bin/linux pdflatex --version tlmgr --version -fi \ No newline at end of file +fi diff --git a/runtimes/datascience/ubi9-python-3.12/Dockerfile.konflux.cpu b/runtimes/datascience/ubi9-python-3.12/Dockerfile.konflux.cpu index bcb87bf9cd..12875d9e6b 100644 --- a/runtimes/datascience/ubi9-python-3.12/Dockerfile.konflux.cpu +++ b/runtimes/datascience/ubi9-python-3.12/Dockerfile.konflux.cpu @@ -3,6 +3,9 @@ ######################### ARG BASE_IMAGE +# External image alias for UBI repository configuration +FROM registry.access.redhat.com/ubi9/ubi AS ubi-repos + #################### # cpu-base # #################### @@ -18,7 +21,7 @@ USER 0 # Inject the official UBI 9 repository configuration into the AIPCC base image. # The Quay-based AIPCC image is "repo-less" by default (https://gitlab.com/redhat/rhel-ai/core/base-images/app#repositories), so dnf cannot upgrade or install packages. # By copying ubi.repo from the public UBI 9 image, we enable package management for upgrades and installations. -COPY --from=registry.access.redhat.com/ubi9/ubi /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo +COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo ARG TARGETARCH @@ -47,38 +50,50 @@ RUN --mount=type=cache,target=/var/cache/dnf \ dnf clean all && rm -rf /var/cache/yum; \ fi -RUN if [ "$TARGETARCH" = "ppc64le" ]; then \ - echo 'export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/' >> /etc/profile.d/ppc64le.sh && \ - echo 'export LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib:/usr/lib64:/usr/lib:$LD_LIBRARY_PATH' >> /etc/profile.d/ppc64le.sh && \ - echo 'export OPENBLAS_VERSION=0.3.30' >> /etc/profile.d/ppc64le.sh && \ - echo 'export ONNX_VERSION=1.19.0' >> /etc/profile.d/ppc64le.sh && \ - echo 'export PYARROW_VERSION=17.0.0' >> /etc/profile.d/ppc64le.sh && \ - echo 'export PATH="$HOME/.cargo/bin:$PATH"' >> /etc/profile.d/ppc64le.sh && \ - echo 'export GRPC_PYTHON_BUILD_SYSTEM_OPENSSL=1' >> /etc/profile.d/ppc64le.sh; \ - fi +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +if [ "$TARGETARCH" = "ppc64le" ]; then cat > /etc/profile.d/ppc64le.sh <<'PROFILE_EOF' +export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/ +export LD_LIBRARY_PATH=/usr/local/lib64:/usr/local/lib:/usr/lib64:/usr/lib:$LD_LIBRARY_PATH +export OPENBLAS_VERSION=0.3.30 +export ONNX_VERSION=1.19.0 +export PYARROW_VERSION=17.0.0 +export PATH="$HOME/.cargo/bin:$PATH" +export GRPC_PYTHON_BUILD_SYSTEM_OPENSSL=1 +PROFILE_EOF +fi +EOF # For s390x only, set ENV vars and install Rust -RUN if [ "$TARGETARCH" = "s390x" ]; then \ +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +if [ "$TARGETARCH" = "s390x" ]; then # Install Rust and set up environment - mkdir -p /opt/.cargo && \ - export HOME=/root && \ - curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs -o rustup-init.sh && \ - chmod +x rustup-init.sh && \ - CARGO_HOME=/opt/.cargo HOME=/root ./rustup-init.sh -y --no-modify-path && \ - rm -f rustup-init.sh && \ - chown -R 1001:0 /opt/.cargo && \ + mkdir -p /opt/.cargo + export HOME=/root + curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs -o rustup-init.sh + chmod +x rustup-init.sh + CARGO_HOME=/opt/.cargo HOME=/root ./rustup-init.sh -y --no-modify-path + rm -f rustup-init.sh + chown -R 1001:0 /opt/.cargo # Set environment variables - echo 'export PATH=/opt/.cargo/bin:$PATH' >> /etc/profile.d/cargo.sh && \ - echo 'export CARGO_HOME=/opt/.cargo' >> /etc/profile.d/cargo.sh && \ - echo 'export GRPC_PYTHON_BUILD_SYSTEM_OPENSSL=1' >> /etc/profile.d/cargo.sh; \ + cat > /etc/profile.d/cargo.sh <<'CARGO_EOF' +export PATH=/opt/.cargo/bin:$PATH +export CARGO_HOME=/opt/.cargo +export GRPC_PYTHON_BUILD_SYSTEM_OPENSSL=1 +CARGO_EOF fi +EOF # Set python alternatives only for s390x (not needed for other arches) -RUN if [ "$TARGETARCH" = "s390x" ]; then \ - alternatives --install /usr/bin/python python /usr/bin/python3.12 1 && \ - alternatives --install /usr/bin/python3 python3 /usr/bin/python3.12 1 && \ - python --version && python3 --version; \ +RUN /bin/bash <<'EOF' +set -Eeuxo pipefail +if [ "$TARGETARCH" = "s390x" ]; then + alternatives --install /usr/bin/python python /usr/bin/python3.12 1 + alternatives --install /usr/bin/python3 python3 /usr/bin/python3.12 1 + python --version && python3 --version fi +EOF # Other apps and tools installed as default user USER 1001 @@ -101,6 +116,7 @@ RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/oc FROM cpu-base AS s390x-builder ARG TARGETARCH +# hadolint ignore=DL3002 USER 0 WORKDIR /tmp/build-wheels @@ -179,6 +195,7 @@ RUN --mount=type=cache,target=/root/.cache/pip \ ################################## FROM cpu-base AS openblas-builder +# hadolint ignore=DL3002 USER root WORKDIR /root @@ -191,7 +208,7 @@ RUN echo "openblas-builder stage TARGETARCH: ${TARGETARCH}" # Download and build OpenBLAS RUN if [ "$TARGETARCH" = "ppc64le" ]; then \ source /opt/rh/gcc-toolset-13/enable && \ - wget https://github.com/OpenMathLib/OpenBLAS/releases/download/v${OPENBLAS_VERSION}/OpenBLAS-${OPENBLAS_VERSION}.zip && \ + wget --progress=dot:giga https://github.com/OpenMathLib/OpenBLAS/releases/download/v${OPENBLAS_VERSION}/OpenBLAS-${OPENBLAS_VERSION}.zip && \ unzip OpenBLAS-${OPENBLAS_VERSION}.zip && cd OpenBLAS-${OPENBLAS_VERSION} && \ make -j$(nproc) TARGET=POWER9 BINARY=64 USE_OPENMP=1 USE_THREAD=1 NUM_THREADS=120 DYNAMIC_ARCH=1 INTERFACE64=0; \ else \ @@ -203,6 +220,7 @@ RUN if [ "$TARGETARCH" = "ppc64le" ]; then \ ################################### FROM cpu-base AS onnx-builder +# hadolint ignore=DL3002 USER root WORKDIR /root @@ -216,8 +234,9 @@ RUN if [ "$TARGETARCH" = "ppc64le" ]; then \ git clone --recursive https://github.com/onnx/onnx.git && \ cd onnx && git checkout v${ONNX_VERSION} && \ git submodule update --init --recursive && \ - pip install -r requirements.txt && \ - export CMAKE_ARGS="-DPython3_EXECUTABLE=$(which python3.12)" && \ + pip install --no-cache-dir -r requirements.txt && \ + CMAKE_ARGS="-DPython3_EXECUTABLE=$(which python3.12)" && \ + export CMAKE_ARGS && \ pip wheel . -w /onnx_wheels; \ else \ echo "Not ppc64le, skipping ONNX build" && mkdir -p /onnx_wheels; \ @@ -228,6 +247,7 @@ RUN if [ "$TARGETARCH" = "ppc64le" ]; then \ ################################## FROM cpu-base AS arrow-builder +# hadolint ignore=DL3002 USER root WORKDIR /root @@ -239,9 +259,11 @@ RUN echo "arrow-builder stage TARGETARCH: ${TARGETARCH}" RUN if [ "$TARGETARCH" = "ppc64le" ]; then \ git clone -b apache-arrow-${PYARROW_VERSION} https://github.com/apache/arrow.git --recursive && \ cd arrow && rm -rf .git && mkdir dist && \ - pip3 install -r python/requirements-build.txt && \ - export ARROW_HOME=$(pwd)/dist && \ - export LD_LIBRARY_PATH=$(pwd)/dist/lib:$LD_LIBRARY_PATH && \ + pip3 install --no-cache-dir -r python/requirements-build.txt && \ + ARROW_HOME=$(pwd)/dist && \ + export ARROW_HOME && \ + LD_LIBRARY_PATH=$(pwd)/dist/lib:$LD_LIBRARY_PATH && \ + export LD_LIBRARY_PATH && \ export CMAKE_PREFIX_PATH=$ARROW_HOME:$CMAKE_PREFIX_PATH && \ export PARQUET_TEST_DATA="${PWD}/cpp/submodules/parquet-testing/data" && \ export ARROW_TEST_DATA="${PWD}/testing/data" && \ @@ -269,7 +291,7 @@ RUN if [ "$TARGETARCH" = "ppc64le" ]; then \ export PYARROW_WITH_PARQUET=1 && \ export PYARROW_WITH_DATASET=1 && \ export PYARROW_BUNDLE_ARROW_CPP=1 && \ - pip3 install wheel && \ + pip3 install --no-cache-dir wheel && \ cd ../../python && \ python setup.py build_ext \ --build-type=release \ @@ -297,7 +319,7 @@ COPY --from=arrow-builder /arrowwheels /tmp/arrowwheels RUN if [ "$TARGETARCH" = "ppc64le" ]; then \ echo "Installing ppc64le ONNX, pyarrow wheels and OpenBLAS..." && \ - HOME=/root pip install /tmp/onnx_wheels/*.whl /tmp/arrowwheels/*.whl && \ + HOME=/root pip install --no-cache-dir /tmp/onnx_wheels/*.whl /tmp/arrowwheels/*.whl && \ if [ -d "/openblas" ] && [ "$(ls -A /openblas 2>/dev/null)" ]; then \ PREFIX=/usr/local make -C /openblas install; \ fi && rm -rf /openblas /tmp/onnx_wheels /tmp/arrowwheels; \ diff --git a/runtimes/minimal/ubi9-python-3.12/Dockerfile.konflux.cpu b/runtimes/minimal/ubi9-python-3.12/Dockerfile.konflux.cpu index e80367972b..3913bec0c2 100644 --- a/runtimes/minimal/ubi9-python-3.12/Dockerfile.konflux.cpu +++ b/runtimes/minimal/ubi9-python-3.12/Dockerfile.konflux.cpu @@ -3,6 +3,9 @@ ######################### ARG BASE_IMAGE +# External image alias for UBI repository configuration +FROM registry.access.redhat.com/ubi9/ubi AS ubi-repos + #################### # cpu-base # #################### @@ -16,7 +19,7 @@ USER 0 # Inject the official UBI 9 repository configuration into the AIPCC base image. # The Quay-based AIPCC image is "repo-less" by default (https://gitlab.com/redhat/rhel-ai/core/base-images/app#repositories), so dnf cannot upgrade or install packages. # By copying ubi.repo from the public UBI 9 image, we enable package management for upgrades and installations. -COPY --from=registry.access.redhat.com/ubi9/ubi /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo +COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # upgrade first to avoid fixable vulnerabilities begin # Problem: The operation would result in removing the following protected packages: systemd diff --git a/runtimes/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.konflux.cuda b/runtimes/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.konflux.cuda index abce56ce28..9837967d08 100644 --- a/runtimes/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.konflux.cuda +++ b/runtimes/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.konflux.cuda @@ -5,6 +5,9 @@ ARG TARGETARCH ######################### ARG BASE_IMAGE +# External image alias for UBI repository configuration +FROM registry.access.redhat.com/ubi9/ubi AS ubi-repos + #################### # cuda-base # #################### @@ -18,7 +21,7 @@ USER 0 # Inject the official UBI 9 repository configuration into the AIPCC base image. # The Quay-based AIPCC image is "repo-less" by default (https://gitlab.com/redhat/rhel-ai/core/base-images/app#repositories), so dnf cannot upgrade or install packages. # By copying ubi.repo from the public UBI 9 image, we enable package management for upgrades and installations. -COPY --from=registry.access.redhat.com/ubi9/ubi /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo +COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # upgrade first to avoid fixable vulnerabilities begin # Problem: The operation would result in removing the following protected packages: systemd @@ -29,7 +32,7 @@ RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setop # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages -RUN dnf install -y perl mesa-libGL skopeo && dnf clean all && rm -rf /var/cache/yum +RUN dnf install -y perl mesa-libGL skopeo libxcrypt-compat && dnf clean all && rm -rf /var/cache/yum # Other apps and tools installed as default user USER 1001 diff --git a/runtimes/pytorch/ubi9-python-3.12/Dockerfile.konflux.cuda b/runtimes/pytorch/ubi9-python-3.12/Dockerfile.konflux.cuda index 67867bf887..73169b4a63 100644 --- a/runtimes/pytorch/ubi9-python-3.12/Dockerfile.konflux.cuda +++ b/runtimes/pytorch/ubi9-python-3.12/Dockerfile.konflux.cuda @@ -5,6 +5,9 @@ ARG TARGETARCH ######################### ARG BASE_IMAGE +# External image alias for UBI repository configuration +FROM registry.access.redhat.com/ubi9/ubi AS ubi-repos + #################### # cuda-base # #################### @@ -18,7 +21,7 @@ USER 0 # Inject the official UBI 9 repository configuration into the AIPCC base image. # The Quay-based AIPCC image is "repo-less" by default (https://gitlab.com/redhat/rhel-ai/core/base-images/app#repositories), so dnf cannot upgrade or install packages. # By copying ubi.repo from the public UBI 9 image, we enable package management for upgrades and installations. -COPY --from=registry.access.redhat.com/ubi9/ubi /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo +COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # upgrade first to avoid fixable vulnerabilities begin # Problem: The operation would result in removing the following protected packages: systemd diff --git a/runtimes/rocm-pytorch/ubi9-python-3.12/Dockerfile.konflux.rocm b/runtimes/rocm-pytorch/ubi9-python-3.12/Dockerfile.konflux.rocm index 14f654f150..6b7dac4bca 100644 --- a/runtimes/rocm-pytorch/ubi9-python-3.12/Dockerfile.konflux.rocm +++ b/runtimes/rocm-pytorch/ubi9-python-3.12/Dockerfile.konflux.rocm @@ -3,6 +3,9 @@ ######################### ARG BASE_IMAGE +# External image alias for UBI repository configuration +FROM registry.access.redhat.com/ubi9/ubi AS ubi-repos + #################### # rocm-base # #################### @@ -16,7 +19,7 @@ USER 0 # Inject the official UBI 9 repository configuration into the AIPCC base image. # The Quay-based AIPCC image is "repo-less" by default (https://gitlab.com/redhat/rhel-ai/core/base-images/app#repositories), so dnf cannot upgrade or install packages. # By copying ubi.repo from the public UBI 9 image, we enable package management for upgrades and installations. -COPY --from=registry.access.redhat.com/ubi9/ubi /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo +COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # upgrade first to avoid fixable vulnerabilities begin # Problem: The operation would result in removing the following protected packages: systemd diff --git a/runtimes/rocm-tensorflow/ubi9-python-3.12/Dockerfile.konflux.rocm b/runtimes/rocm-tensorflow/ubi9-python-3.12/Dockerfile.konflux.rocm index 80c360dfc8..9e84179401 100644 --- a/runtimes/rocm-tensorflow/ubi9-python-3.12/Dockerfile.konflux.rocm +++ b/runtimes/rocm-tensorflow/ubi9-python-3.12/Dockerfile.konflux.rocm @@ -3,6 +3,9 @@ ######################### ARG BASE_IMAGE +# External image alias for UBI repository configuration +FROM registry.access.redhat.com/ubi9/ubi AS ubi-repos + #################### # rocm-base # #################### @@ -16,7 +19,7 @@ USER 0 # Inject the official UBI 9 repository configuration into the AIPCC base image. # The Quay-based AIPCC image is "repo-less" by default (https://gitlab.com/redhat/rhel-ai/core/base-images/app#repositories), so dnf cannot upgrade or install packages. # By copying ubi.repo from the public UBI 9 image, we enable package management for upgrades and installations. -COPY --from=registry.access.redhat.com/ubi9/ubi /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo +COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # upgrade first to avoid fixable vulnerabilities begin # Problem: The operation would result in removing the following protected packages: systemd @@ -27,7 +30,7 @@ RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setop # upgrade first to avoid fixable vulnerabilities end # Install useful OS packages -RUN dnf install -y perl mesa-libGL skopeo && dnf clean all && rm -rf /var/cache/yum +RUN dnf install -y perl mesa-libGL skopeo libxcrypt-compat && dnf clean all && rm -rf /var/cache/yum # Other apps and tools installed as default user USER 1001 @@ -48,6 +51,7 @@ RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/oc ########################### FROM rocm-base AS rocm-runtime-tensorflow +ARG JUPYTER_REUSABLE_UTILS=jupyter/utils ARG TENSORFLOW_SOURCE_CODE=runtimes/rocm-tensorflow/ubi9-python-3.12 WORKDIR /opt/app-root/bin @@ -69,6 +73,8 @@ RUN chmod -R g+w /opt/app-root/lib/python3.12/site-packages && \ fix-permissions /opt/app-root -P USER 1001 +COPY ${JUPYTER_REUSABLE_UTILS}/usercustomize.pth ${JUPYTER_REUSABLE_UTILS}/monkey_patch_protobuf_6x.py /opt/app-root/lib/python3.12/site-packages/ + WORKDIR /opt/app-root/src LABEL name="rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9" \ diff --git a/runtimes/tensorflow/ubi9-python-3.12/Dockerfile.konflux.cuda b/runtimes/tensorflow/ubi9-python-3.12/Dockerfile.konflux.cuda index f975a6a3aa..51a07c005d 100644 --- a/runtimes/tensorflow/ubi9-python-3.12/Dockerfile.konflux.cuda +++ b/runtimes/tensorflow/ubi9-python-3.12/Dockerfile.konflux.cuda @@ -5,6 +5,9 @@ ARG TARGETARCH ######################### ARG BASE_IMAGE +# External image alias for UBI repository configuration +FROM registry.access.redhat.com/ubi9/ubi AS ubi-repos + #################### # cuda-base # #################### @@ -20,7 +23,7 @@ USER 0 # Inject the official UBI 9 repository configuration into the AIPCC base image. # The Quay-based AIPCC image is "repo-less" by default (https://gitlab.com/redhat/rhel-ai/core/base-images/app#repositories), so dnf cannot upgrade or install packages. # By copying ubi.repo from the public UBI 9 image, we enable package management for upgrades and installations. -COPY --from=registry.access.redhat.com/ubi9/ubi /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo +COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo # upgrade first to avoid fixable vulnerabilities begin # Problem: The operation would result in removing the following protected packages: systemd @@ -52,6 +55,7 @@ RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/oc ############################ FROM cuda-base AS cuda-runtime-tensorflow +ARG JUPYTER_REUSABLE_UTILS=jupyter/utils ARG TENSORFLOW_SOURCE_CODE=runtimes/tensorflow/ubi9-python-3.12 WORKDIR /opt/app-root/bin @@ -69,6 +73,8 @@ RUN echo "Installing softwares and packages" && \ chmod -R g+w /opt/app-root/lib/python3.12/site-packages && \ fix-permissions /opt/app-root -P +COPY ${JUPYTER_REUSABLE_UTILS}/usercustomize.pth ${JUPYTER_REUSABLE_UTILS}/monkey_patch_protobuf_6x.py /opt/app-root/lib/python3.12/site-packages/ + WORKDIR /opt/app-root/src LABEL name="rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9" \