RHAIENG-1965: chore(cli): introduce Download Elyra Bootstrapper template and subscription-manager refresh template

codeserver/ubi9-python-3.12/Dockerfile.konflux.cpu

@@ -72,8 +72,6 @@ RUN touch /tmp/control
 # cpu-base         #
 ####################
 FROM ${BASE_IMAGE} AS cpu-base
-USER 0
-RUN subscription-manager refresh
 
 WORKDIR /opt/app-root/bin
 
@@ -86,6 +84,14 @@ USER 0
 COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
 
 ### BEGIN upgrade first to avoid fixable vulnerabilities
+# If we have a Red Hat subscription prepared, refresh it
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+if command -v subscription-manager &> /dev/null; then
+  subscription-manager identity &>/dev/null && subscription-manager refresh || echo "Not registered, skipping refresh."
+fi
+EOF
+
 # Problem: The operation would result in removing the following protected packages: systemd
 #  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
 # Solution: --best --skip-broken does not work either, so use --nobest

jupyter/datascience/ubi9-python-3.12/Dockerfile.konflux.cpu

@@ -40,8 +40,6 @@ EOF
 # cpu-base         #
 ####################
 FROM ${BASE_IMAGE} AS cpu-base
-USER 0
-RUN subscription-manager refresh
 
 WORKDIR /opt/app-root/bin
 
@@ -55,6 +53,14 @@ ARG TARGETARCH
 COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
 
 ### BEGIN upgrade first to avoid fixable vulnerabilities
+# If we have a Red Hat subscription prepared, refresh it
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+if command -v subscription-manager &> /dev/null; then
+  subscription-manager identity &>/dev/null && subscription-manager refresh || echo "Not registered, skipping refresh."
+fi
+EOF
+
 # Problem: The operation would result in removing the following protected packages: systemd
 #  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
 # Solution: --best --skip-broken does not work either, so use --nobest

jupyter/minimal/ubi9-python-3.12/Dockerfile.cpu

@@ -14,6 +14,7 @@ FROM registry.access.redhat.com/ubi9/python-312:latest AS pdf-builder
 WORKDIR /opt/app-root/bin
 
 # OS Packages needs to be installed as root
+# hadolint ignore=DL3002
 USER 0
 
 # Copy scripts
@@ -119,6 +120,8 @@ RUN --mount=type=cache,from=pdf-builder,source=/usr/local/,target=/pdf_builder/,
         ./utils/install_pdf_deps.sh; \
     fi'
 
+ENV PATH="/usr/local/texlive/bin/linux:/usr/local/pandoc/bin:$PATH"
+
 USER 1001
 
 COPY ${MINIMAL_SOURCE_CODE}/pylock.toml ${MINIMAL_SOURCE_CODE}/start-notebook.sh ./

jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.cpu

@@ -14,6 +14,7 @@ FROM registry.access.redhat.com/ubi9/python-312:latest AS pdf-builder
 WORKDIR /opt/app-root/bin
 
 # OS Packages needs to be installed as root
+# hadolint ignore=DL3002
 USER 0
 
 # Copy scripts
@@ -28,8 +29,6 @@ RUN ./install_pandoc.sh
 # cpu-base         #
 ####################
 FROM ${BASE_IMAGE} AS cpu-base
-USER 0
-RUN subscription-manager refresh
 
 WORKDIR /opt/app-root/bin
 
@@ -42,6 +41,14 @@ USER 0
 COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
 
 ### BEGIN upgrade first to avoid fixable vulnerabilities
+# If we have a Red Hat subscription prepared, refresh it
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+if command -v subscription-manager &> /dev/null; then
+  subscription-manager identity &>/dev/null && subscription-manager refresh || echo "Not registered, skipping refresh."
+fi
+EOF
+
 # Problem: The operation would result in removing the following protected packages: systemd
 #  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
 # Solution: --best --skip-broken does not work either, so use --nobest
@@ -103,6 +110,8 @@ RUN --mount=type=cache,from=pdf-builder,source=/usr/local/,target=/pdf_builder/,
         ./utils/install_pdf_deps.sh; \
     fi'
 
+ENV PATH="/usr/local/texlive/bin/linux:/usr/local/pandoc/bin:$PATH"
+
 USER 1001
 
 COPY ${MINIMAL_SOURCE_CODE}/pylock.toml ${MINIMAL_SOURCE_CODE}/start-notebook.sh ./
@@ -138,9 +147,3 @@ LABEL name="rhoai/odh-workbench-jupyter-minimal-cpu-py312-rhel9" \
     description="Minimal Jupyter CPU notebook image with base Python 3.12 builder image based on UBI9 for ODH notebooks" \
     io.k8s.description="Minimal Jupyter CPU notebook image with base Python 3.12 builder image based on UBI9 for ODH notebooks" \
     com.redhat.license_terms="https://www.redhat.com/licenses/Red_Hat_Standard_EULA_20191108.pdf"
-
-### BEGIN Dependencies for PDF export
-RUN ./utils/install_pdf_deps.sh
-ENV PATH="/usr/local/texlive/bin/linux:/usr/local/pandoc/bin:$PATH"
-
-### END Dependencies for PDF export

jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.cuda

@@ -12,8 +12,6 @@ FROM registry.access.redhat.com/ubi9/ubi AS ubi-repos
 # cuda-base        #
 ####################
 FROM ${BASE_IMAGE} AS cuda-base
-USER 0
-RUN subscription-manager refresh
 
 WORKDIR /opt/app-root/bin
 
@@ -26,6 +24,14 @@ USER 0
 COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
 
 ### BEGIN upgrade first to avoid fixable vulnerabilities
+# If we have a Red Hat subscription prepared, refresh it
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+if command -v subscription-manager &> /dev/null; then
+  subscription-manager identity &>/dev/null && subscription-manager refresh || echo "Not registered, skipping refresh."
+fi
+EOF
+
 # Problem: The operation would result in removing the following protected packages: systemd
 #  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
 # Solution: --best --skip-broken does not work either, so use --nobest

jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.rocm

@@ -10,8 +10,6 @@ FROM registry.access.redhat.com/ubi9/ubi AS ubi-repos
 # rocm-base        #
 ####################
 FROM ${BASE_IMAGE} AS rocm-base
-USER 0
-RUN subscription-manager refresh
 
 WORKDIR /opt/app-root/bin
 
@@ -24,6 +22,14 @@ USER 0
 COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
 
 ### BEGIN upgrade first to avoid fixable vulnerabilities
+# If we have a Red Hat subscription prepared, refresh it
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+if command -v subscription-manager &> /dev/null; then
+  subscription-manager identity &>/dev/null && subscription-manager refresh || echo "Not registered, skipping refresh."
+fi
+EOF
+
 # Problem: The operation would result in removing the following protected packages: systemd
 #  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
 # Solution: --best --skip-broken does not work either, so use --nobest

jupyter/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.konflux.cuda

@@ -40,6 +40,14 @@ USER 0
 COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
 
 ### BEGIN upgrade first to avoid fixable vulnerabilities
+# If we have a Red Hat subscription prepared, refresh it
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+if command -v subscription-manager &> /dev/null; then
+  subscription-manager identity &>/dev/null && subscription-manager refresh || echo "Not registered, skipping refresh."
+fi
+EOF
+
 # Problem: The operation would result in removing the following protected packages: systemd
 #  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
 # Solution: --best --skip-broken does not work either, so use --nobest

jupyter/pytorch/ubi9-python-3.12/Dockerfile.konflux.cuda

@@ -40,6 +40,14 @@ USER 0
 COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
 
 ### BEGIN upgrade first to avoid fixable vulnerabilities
+# If we have a Red Hat subscription prepared, refresh it
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+if command -v subscription-manager &> /dev/null; then
+  subscription-manager identity &>/dev/null && subscription-manager refresh || echo "Not registered, skipping refresh."
+fi
+EOF
+
 # Problem: The operation would result in removing the following protected packages: systemd
 #  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
 # Solution: --best --skip-broken does not work either, so use --nobest

jupyter/rocm/pytorch/ubi9-python-3.12/Dockerfile.konflux.rocm

@@ -38,6 +38,14 @@ USER 0
 COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
 
 ### BEGIN upgrade first to avoid fixable vulnerabilities
+# If we have a Red Hat subscription prepared, refresh it
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+if command -v subscription-manager &> /dev/null; then
+  subscription-manager identity &>/dev/null && subscription-manager refresh || echo "Not registered, skipping refresh."
+fi
+EOF
+
 # Problem: The operation would result in removing the following protected packages: systemd
 #  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
 # Solution: --best --skip-broken does not work either, so use --nobest

jupyter/rocm/tensorflow/ubi9-python-3.12/Dockerfile.konflux.rocm

@@ -38,6 +38,14 @@ USER 0
 COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
 
 ### BEGIN upgrade first to avoid fixable vulnerabilities
+# If we have a Red Hat subscription prepared, refresh it
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+if command -v subscription-manager &> /dev/null; then
+  subscription-manager identity &>/dev/null && subscription-manager refresh || echo "Not registered, skipping refresh."
+fi
+EOF
+
 # Problem: The operation would result in removing the following protected packages: systemd
 #  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
 # Solution: --best --skip-broken does not work either, so use --nobest

jupyter/tensorflow/ubi9-python-3.12/Dockerfile.konflux.cuda

@@ -40,6 +40,14 @@ USER 0
 COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
 
 ### BEGIN upgrade first to avoid fixable vulnerabilities
+# If we have a Red Hat subscription prepared, refresh it
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+if command -v subscription-manager &> /dev/null; then
+  subscription-manager identity &>/dev/null && subscription-manager refresh || echo "Not registered, skipping refresh."
+fi
+EOF
+
 # Problem: The operation would result in removing the following protected packages: systemd
 #  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
 # Solution: --best --skip-broken does not work either, so use --nobest

jupyter/trustyai/ubi9-python-3.12/Dockerfile.konflux.cpu

@@ -26,8 +26,6 @@ EOF
 # wheel-cache-base #
 ####################
 FROM ${BASE_IMAGE} AS whl-cache
-USER 0
-RUN subscription-manager refresh
 
 # hadolint ignore=DL3002
 USER root
@@ -53,8 +51,6 @@ EOF
 # cpu-base         #
 ####################
 FROM ${BASE_IMAGE} AS cpu-base
-USER 0
-RUN subscription-manager refresh
 
 WORKDIR /opt/app-root/bin
 
@@ -67,6 +63,14 @@ USER root
 COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
 
 ### BEGIN upgrade first to avoid fixable vulnerabilities
+# If we have a Red Hat subscription prepared, refresh it
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+if command -v subscription-manager &> /dev/null; then
+  subscription-manager identity &>/dev/null && subscription-manager refresh || echo "Not registered, skipping refresh."
+fi
+EOF
+
 # Problem: The operation would result in removing the following protected packages: systemd
 #  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
 # Solution: --best --skip-broken does not work either, so use --nobest

jupyter/trustyai/ubi9-python-3.12/pylock.toml

@@ -3915,6 +3915,8 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/42/cd/85b422d24ee2096eaf6faa360c95ef9bdb59097d19b9624cebce4dd9bc2a/ruamel.yaml.clib-0.2.14-cp39-cp39-musllinux_1_2_x86_64.whl", upload-time = 2025-09-22T19:51:19Z, size = 725028, hashes = { sha256 = "808c7190a0fe7ae7014c42f73897cf8e9ef14ff3aa533450e51b1e72ec5239ad" } },
     { url = "https://files.pythonhosted.org/packages/4d/ac/99e6e0ea2584f84f447069d0187fe411e9b5deb7e3ddecda25001cfc7a95/ruamel.yaml.clib-0.2.14-cp39-cp39-win32.whl", upload-time = 2025-09-22T19:51:21Z, size = 100915, hashes = { sha256 = "6d5472f63a31b042aadf5ed28dd3ef0523da49ac17f0463e10fda9c4a2773352" } },
     { url = "https://files.pythonhosted.org/packages/5d/8d/846e43369658958c99d959bb7774136fff9210f9017d91a4277818ceafbf/ruamel.yaml.clib-0.2.14-cp39-cp39-win_amd64.whl", upload-time = 2025-09-22T19:51:20Z, size = 118706, hashes = { sha256 = "8dd3c2cc49caa7a8d64b67146462aed6723a0495e44bf0aa0a2e94beaa8432f6" } },
+    { url = "https://files.pythonhosted.org/packages/e7/cd/150fdb96b8fab27fe08d8a59fe67554568727981806e6bc2677a16081ec7/ruamel_yaml_clib-0.2.14-cp314-cp314-win32.whl", upload-time = 2025-11-14T21:57:36Z, size = 102394, hashes = { sha256 = "9b4104bf43ca0cd4e6f738cb86326a3b2f6eef00f417bd1e7efb7bdffe74c539" } },
+    { url = "https://files.pythonhosted.org/packages/bd/e6/a3fa40084558c7e1dc9546385f22a93949c890a8b2e445b2ba43935f51da/ruamel_yaml_clib-0.2.14-cp314-cp314-win_amd64.whl", upload-time = 2025-11-14T21:57:38Z, size = 122673, hashes = { sha256 = "13997d7d354a9890ea1ec5937a219817464e5cc344805b37671562a401ca3008" } },
 ]
 
 [[packages]]

rstudio/rhel9-python-3.12/Dockerfile.konflux.cpu

@@ -32,6 +32,14 @@ fi
 EOF
 
 ### BEGIN upgrade first to avoid fixable vulnerabilities
+# If we have a Red Hat subscription prepared, refresh it
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+if command -v subscription-manager &> /dev/null; then
+  subscription-manager identity &>/dev/null && subscription-manager refresh || echo "Not registered, skipping refresh."
+fi
+EOF
+
 # Problem: The operation would result in removing the following protected packages: systemd
 #  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
 # Solution: --best --skip-broken does not work either, so use --nobest

rstudio/rhel9-python-3.12/Dockerfile.konflux.cuda

@@ -32,6 +32,14 @@ fi
 EOF
 
 ### BEGIN upgrade first to avoid fixable vulnerabilities
+# If we have a Red Hat subscription prepared, refresh it
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+if command -v subscription-manager &> /dev/null; then
+  subscription-manager identity &>/dev/null && subscription-manager refresh || echo "Not registered, skipping refresh."
+fi
+EOF
+
 # Problem: The operation would result in removing the following protected packages: systemd
 #  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
 # Solution: --best --skip-broken does not work either, so use --nobest

runtimes/datascience/ubi9-python-3.12/Dockerfile.konflux.cpu

@@ -10,8 +10,6 @@ FROM registry.access.redhat.com/ubi9/ubi AS ubi-repos
 # cpu-base         #
 ####################
 FROM ${BASE_IMAGE} AS cpu-base
-USER 0
-RUN subscription-manager refresh
 
 ARG TARGETARCH
 
@@ -28,6 +26,14 @@ COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
 ARG TARGETARCH
 
 ### BEGIN upgrade first to avoid fixable vulnerabilities
+# If we have a Red Hat subscription prepared, refresh it
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+if command -v subscription-manager &> /dev/null; then
+  subscription-manager identity &>/dev/null && subscription-manager refresh || echo "Not registered, skipping refresh."
+fi
+EOF
+
 # Problem: The operation would result in removing the following protected packages: systemd
 #  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
 # Solution: --best --skip-broken does not work either, so use --nobest
@@ -379,7 +385,14 @@ EOF
 # Install Python packages from pylock.toml
 COPY ${DATASCIENCE_SOURCE_CODE}/pylock.toml ./
 # Copy Elyra dependencies for air-gapped enviroment
-COPY ${DATASCIENCE_SOURCE_CODE}/utils ./utils/
+COPY --chown=1001 ${DATASCIENCE_SOURCE_CODE}/utils ./utils/
+### BEGIN Download Elyra Bootstrapper
+RUN curl -fL https://raw.githubusercontent.com/opendatahub-io/elyra/refs/tags/v4.3.1/elyra/kfp/bootstrapper.py \
+         -o ./utils/bootstrapper.py
+# Prevent Elyra from re-installing the dependencies
+ENV ELYRA_INSTALL_PACKAGES="false"
+
+### END Download Elyra Bootstrapper
 
 RUN --mount=type=cache,target=/root/.cache/pip /bin/bash <<'EOF'
 set -Eeuxo pipefail

runtimes/minimal/ubi9-python-3.12/Dockerfile.konflux.cpu

@@ -10,8 +10,6 @@ FROM registry.access.redhat.com/ubi9/ubi AS ubi-repos
 # cpu-base         #
 ####################
 FROM ${BASE_IMAGE} AS cpu-base
-USER 0
-RUN subscription-manager refresh
 
 WORKDIR /opt/app-root/bin
 
@@ -24,6 +22,14 @@ USER 0
 COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
 
 ### BEGIN upgrade first to avoid fixable vulnerabilities
+# If we have a Red Hat subscription prepared, refresh it
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+if command -v subscription-manager &> /dev/null; then
+  subscription-manager identity &>/dev/null && subscription-manager refresh || echo "Not registered, skipping refresh."
+fi
+EOF
+
 # Problem: The operation would result in removing the following protected packages: systemd
 #  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
 # Solution: --best --skip-broken does not work either, so use --nobest
@@ -78,8 +84,16 @@ WORKDIR /opt/app-root/bin
 
 # Install Python packages from requirements.txt
 COPY ${MINIMAL_SOURCE_CODE}/pylock.toml ./
+
 # Copy Elyra dependencies for air-gapped enviroment
-COPY ${MINIMAL_SOURCE_CODE}/utils ./utils/
+COPY --chown=1001 ${MINIMAL_SOURCE_CODE}/utils ./utils/
+### BEGIN Download Elyra Bootstrapper
+RUN curl -fL https://raw.githubusercontent.com/opendatahub-io/elyra/refs/tags/v4.3.1/elyra/kfp/bootstrapper.py \
+         -o ./utils/bootstrapper.py
+# Prevent Elyra from re-installing the dependencies
+ENV ELYRA_INSTALL_PACKAGES="false"
+
+### END Download Elyra Bootstrapper
 
 RUN /bin/bash <<'EOF'
 set -Eeuxo pipefail