@@ -55,13 +55,15 @@ COPY ${CODESERVER_SOURCE_CODE}/devel_env_setup.sh ./
5555# Important: Since HOME & USER for the python-312 has been changed,
5656# we need to ensure the same cache directory is mounted in
5757# the final stage with the necessary permissions to consume from cache
58- RUN --mount=type=cache,target=/root/.cache/uv \
59- pip install --no-cache-dir uv && \
60- # the devel script is ppc64le and s390x specific - sets up build-time dependencies
61- source ./devel_env_setup.sh && \
62- # This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`,
63- # we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
64- UV_LINK_MODE=copy uv pip install --strict --no-deps --refresh --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml
58+ RUN --mount=type=cache,target=/root/.cache/uv /bin/bash <<'EOF'
59+ set -Eeuxo pipefail
60+ pip install --no-cache-dir uv
61+ # the devel script is ppc64le and s390x specific - sets up build-time dependencies
62+ source ./devel_env_setup.sh
63+ # This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`,
64+ # we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
65+ UV_LINK_MODE=copy uv pip install --strict --no-deps --refresh --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml
66+ EOF
6567
6668# dummy file to make image build wait for this stage
6769RUN touch /tmp/control
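Review bot: `set -Eeuxo pipefail` on line 59 turns on command tracing, so the `source ./devel_env_setup.sh` on line 62 now echoes every command and variable assignment of the sourced script into the build log; if that script exports anything sensitive (tokens, proxy URLs with embedded credentials) it ends up in the log and the layer history, which the old `&&` chain did not do. Consider switching the trace off around the source: `set +x`, `source ./devel_env_setup.sh`, `set -x`. Note also that `-u` now applies inside the sourced script, so a reference to an unset variable that was harmless before aborts the build — worth confirming against devel_env_setup.sh, which is not visible in this diff. The same prologue is repeated in every converted RUN in the later hunks.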
@@ -85,19 +87,29 @@ COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
8587# Problem: The operation would result in removing the following protected packages: systemd
8688# (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
8789# Solution: --best --skip-broken does not work either, so use --nobest
88- RUN dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0 \
89- && dnf clean all -y
90+ RUN /bin/bash <<'EOF'
91+ set -Eeuxo pipefail
92+ dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0
93+ dnf clean all -y
94+ EOF
95+
9096# upgrade first to avoid fixable vulnerabilities end
9197
9298# Install useful OS packages
93- RUN dnf install -y tar perl mesa-libGL skopeo && dnf clean all && rm -rf /var/cache/dnf
99+ RUN /bin/bash <<'EOF'
100+ set -Eeuxo pipefail
101+ dnf install -y tar perl mesa-libGL skopeo
102+ dnf clean all
103+ rm -rf /var/cache/dnf
104+ EOF
94105
95106# (ARCH-ppc64le): since wheels are compiled from source, we need shared libs available at runtime
96- RUN --mount=type=cache,from=whl-cache,source=/root/OpenBLAS,target=/OpenBlas,rw \
97- bash -c ' \
98- if [[ $(uname -m) == "ppc64le" ]]; then \
99- PREFIX=/usr/ make install -C /OpenBlas; \
100- fi '
107+ RUN --mount=type=cache,from=whl-cache,source=/root/OpenBLAS,target=/OpenBlas,rw /bin/bash <<'EOF'
108+ set -Eeuxo pipefail
109+ if [[ $(uname -m) == "ppc64le" ]]; then
110+ PREFIX=/usr/ make install -C /OpenBlas
111+ fi
112+ EOF
101113
102114# Other apps and tools installed as default user
103115USER 1001
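Review bot: The prologue `/bin/bash <<'EOF'` plus `set -Eeuxo pipefail` is repeated verbatim in every converted RUN (lines 90–91, 99–100 and 107–108 here, and again in each later hunk); a single `SHELL ["/bin/bash", "-Eeuxo", "pipefail", "-c"]` per build stage would apply the same strictness to every RUN, including one-liners such as `RUN touch /tmp/control` that stay non-strict, and let the heredocs shrink to `RUN <<'EOF'`. If that route is taken, remember that `SHELL` persists into the final image and changes how shell-form `CMD`/`ENTRYPOINT` are invoked, so it is usually reset before the end of the last stage. Heredoc RUN also requires BuildKit's Dockerfile frontend 1.4 or newer (`# syntax=docker/dockerfile:1`) or an equally recent buildah; the top of the file is outside this diff, so confirm the syntax directive is present.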
@@ -107,10 +119,14 @@ RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
107119# Install micropipenv and uv to deploy packages from requirements.txt end
108120
109121# Install the oc client begin
110- RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
111- -o /tmp/openshift-client-linux.tar.gz && \
112- tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \
113- rm -f /tmp/openshift-client-linux.tar.gz
122+ RUN /bin/bash <<'EOF'
123+ set -Eeuxo pipefail
124+ curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
125+ -o /tmp/openshift-client-linux.tar.gz
126+ tar -xzvf /tmp/openshift-client-linux.tar.gz oc
127+ rm -f /tmp/openshift-client-linux.tar.gz
128+ EOF
129+
114130# Install the oc client end
115131
116132####################
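Review bot: The `curl -L` on line 124 has no `--fail`, so an HTTP error body from the mirror is written to /tmp/openshift-client-linux.tar.gz and the failure only surfaces as an opaque `tar` error on line 126; use `curl -fsSL --retry 3 "https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz" -o /tmp/openshift-client-linux.tar.gz`. The download is also not integrity-checked and `stable` is a floating channel, so the build is neither reproducible nor protected against a corrupted download or a tampered redirect target; recording the expected SHA-256 in the Dockerfile (the mirror publishes a `sha256sum.txt` next to the tarball) and checking it with `sha256sum -c` before extraction, together with pinning an explicit client version instead of `stable`, would close both gaps. `tar -xzvf ... oc` extracts into whatever WORKDIR is current at this point, which is outside the hunk.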
@@ -157,21 +173,28 @@ COPY --from=rpm-base /tmp/control /dev/null
157173# Install code-server
158174# Note: Use cache mounts, bind mounts fail on konflux
159175# https://redhat-internal.slack.com/archives/C04PZ7H0VA8/p1755628065772589?thread_ts=1755597929.335999&cid=C04PZ7H0VA8
160- RUN --mount=type=cache,from=rpm-base,source=/tmp/,target=/code-server-rpm/,rw \
161- # EXPLANATION: dnf installation produces an "unsigned rpm" error from Konflux (Conforma)
162- # since we're building rpm from source, we will simply unpack it over /
163- # dnf install -y "/code-server-rpm/code-server-${CODESERVER_VERSION/v/}-${TARGETARCH}.rpm"
164- # dnf -y clean all --enablerepo='*'
165- dnf install -y cpio && dnf -y clean all && \
166- cd / && rpm2cpio "/code-server-rpm/code-server-${CODESERVER_VERSION/v/}-${TARGETARCH}.rpm" | cpio -idmv
176+ RUN --mount=type=cache,from=rpm-base,source=/tmp/,target=/code-server-rpm/,rw /bin/bash <<'EOF'
177+ set -Eeuxo pipefail
178+ # EXPLANATION: dnf installation produces an "unsigned rpm" error from Konflux (Conforma)
179+ # since we're building rpm from source, we will simply unpack it over /
180+ # dnf install -y "/code-server-rpm/code-server-${CODESERVER_VERSION/v/}-${TARGETARCH}.rpm"
181+ # dnf -y clean all --enablerepo='*'
182+ dnf install -y cpio
183+ dnf -y clean all
184+ cd /
185+ rpm2cpio "/code-server-rpm/code-server-${CODESERVER_VERSION/v/}-${TARGETARCH}.rpm" | cpio -idmv
186+ EOF
167187
168188COPY --chown=1001:0 ${CODESERVER_SOURCE_CODE}/utils utils/
169189
170190# Create and intall the extensions though build-time on a temporary directory. Later this directory will copied on the `/opt/app-root/src/.local/share/code-server/extensions` via run-code-server.sh file when it starts up.
171191# https://coder.com/docs/code-server/FAQ#how-do-i-install-an-extension
172- RUN mkdir -p /opt/app-root/extensions-temp && \
173- code-server --install-extension /opt/app-root/bin/utils/ms-python.python-2025.14.0.vsix --extensions-dir /opt/app-root/extensions-temp && \
174- code-server --install-extension /opt/app-root/bin/utils/ms-toolsai.jupyter-2025.8.0.vsix --extensions-dir /opt/app-root/extensions-temp
192+ RUN /bin/bash <<'EOF'
193+ set -Eeuxo pipefail
194+ mkdir -p /opt/app-root/extensions-temp
195+ code-server --install-extension /opt/app-root/bin/utils/ms-python.python-2025.14.0.vsix --extensions-dir /opt/app-root/extensions-temp
196+ code-server --install-extension /opt/app-root/bin/utils/ms-toolsai.jupyter-2025.8.0.vsix --extensions-dir /opt/app-root/extensions-temp
197+ EOF
175198
176199# Install NGINX to proxy code-server and pass probes check
177200ENV APP_ROOT=/opt/app-root
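Review bot: The EXPLANATION comment on lines 178–181 says why dnf is not used but not what is lost: unpacking the rpm with `rpm2cpio | cpio -idmv` over `/` (lines 184–185) installs the files without registering the package in the rpm database, so `rpm -q code-server`, `rpm -V` and any SBOM or vulnerability scanner that reads the rpm db will not see code-server or its version. Suggested addition to the comment: `# NOTE: unpacking bypasses the rpm database; code-server is invisible to rpm -q / rpm -V and rpm-db based scanners — its version is tracked only via CODESERVER_VERSION`. The `-v` on `cpio -idmv` combined with `set -x` also lists every extracted file in the build log; dropping `-v` keeps the log readable without changing the result. `cpio` itself stays installed after the extraction; whether that matters for the final image depends on the base image, which is not visible here.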
@@ -188,10 +211,13 @@ ENV NGINX_CONFIGURATION_PATH=${APP_ROOT}/etc/nginx.d \
188211 NGINX_PERL_MODULE_PATH=${APP_ROOT}/etc/perl
189212
190213# Modules does not exist
191- RUN INSTALL_PKGS="bind-utils nginx nginx-mod-stream nginx-mod-http-perl httpd" && \
192- dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
193- rpm -V $INSTALL_PKGS && \
194- dnf -y clean all --enablerepo='*'
214+ RUN /bin/bash <<'EOF'
215+ set -Eeuxo pipefail
216+ INSTALL_PKGS="bind-utils nginx nginx-mod-stream nginx-mod-http-perl httpd"
217+ dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS
218+ rpm -V $INSTALL_PKGS
219+ dnf -y clean all --enablerepo='*'
220+ EOF
195221
196222# Configure httpd for CGI processing
197223COPY --chown=1001:0 ${CODESERVER_SOURCE_CODE}/httpd/httpd.conf /etc/httpd/conf/httpd.conf
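Review bot: `$INSTALL_PKGS` on lines 217–218 is left unquoted so that bash word-splits it into package names, which works but is exactly the pattern ShellCheck flags (SC2086) and breaks silently if someone later quotes it under the new strict mode. Since the script is now real bash rather than a `RUN` chain, an array expresses the intent directly: `INSTALL_PKGS=(bind-utils nginx nginx-mod-stream nginx-mod-http-perl httpd)`, `dnf install -y --setopt=tsflags=nodocs "${INSTALL_PKGS[@]}"`, `rpm -V "${INSTALL_PKGS[@]}"`. Behaviour is unchanged, including the `rpm -V` verification that aborts the build if any installed package file differs from its manifest.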
@@ -216,34 +242,37 @@ COPY ${CODESERVER_SOURCE_CODE}/nginx/api/ /opt/app-root/api/
216242# UID=1001 && GID=0
217243# UID=<any>&& GID=0
218244# UID=1001 && GID=<any>
219- RUN sed -i -f ${NGINX_APP_ROOT}/nginxconf.sed ${NGINX_CONF_PATH} && \
220- mkdir -p ${NGINX_APP_ROOT}/etc/nginx.d/ && \
221- mkdir -p ${NGINX_APP_ROOT}/etc/nginx.default.d/ && \
222- mkdir -p ${NGINX_APP_ROOT}/api/ && \
223- mkdir -p ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \
224- mkdir -p ${NGINX_LOG_PATH} && \
225- mkdir -p ${NGINX_PERL_MODULE_PATH} && \
226- # Create httpd directories and set permissions
227- mkdir -p /var/log/httpd /var/run/httpd /etc/httpd/logs && \
228- chown -R 1001:0 ${NGINX_CONF_PATH} && \
229- chown -R 1001:0 ${NGINX_APP_ROOT}/etc && \
230- chown -R 1001:0 ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \
231- chown -R 1001:0 /var/lib/nginx /var/log/nginx /run && \
232- chown -R 1001:0 /var/log/httpd /var/run/httpd /etc/httpd/logs && \
233- chmod ug+rw ${NGINX_CONF_PATH} && \
234- chmod -R ug+rwX ${NGINX_APP_ROOT}/etc && \
235- chmod -R ug+rwX ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \
236- chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run && \
237- chmod -R ug+rwX /var/log/httpd /var/run/httpd /etc/httpd/logs && \
238- # Make CGI script executable
239- chmod +x /opt/app-root/api/kernels/access.cgi && \
240- rpm-file-permissions && \
241- # Ensure the temporary directory and target directory have the correct permissions
242- mkdir -p /opt/app-root/src/.local/share/code-server/extensions && \
243- mkdir -p /opt/app-root/src/.local/share/code-server/coder-logs && \
244- chown -R 1001:0 /opt/app-root/src/.local/share/code-server && \
245- chown -R 1001:0 /opt/app-root/extensions-temp && \
246- chown -R 1001:0 /opt/app-root/src/.config/code-server
245+ RUN /bin/bash <<'EOF'
246+ set -Eeuxo pipefail
247+ sed -i -f ${NGINX_APP_ROOT}/nginxconf.sed ${NGINX_CONF_PATH}
248+ mkdir -p ${NGINX_APP_ROOT}/etc/nginx.d/
249+ mkdir -p ${NGINX_APP_ROOT}/etc/nginx.default.d/
250+ mkdir -p ${NGINX_APP_ROOT}/api/
251+ mkdir -p ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start
252+ mkdir -p ${NGINX_LOG_PATH}
253+ mkdir -p ${NGINX_PERL_MODULE_PATH}
254+ # Create httpd directories and set permissions
255+ mkdir -p /var/log/httpd /var/run/httpd /etc/httpd/logs
256+ chown -R 1001:0 ${NGINX_CONF_PATH}
257+ chown -R 1001:0 ${NGINX_APP_ROOT}/etc
258+ chown -R 1001:0 ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start
259+ chown -R 1001:0 /var/lib/nginx /var/log/nginx /run
260+ chown -R 1001:0 /var/log/httpd /var/run/httpd /etc/httpd/logs
261+ chmod ug+rw ${NGINX_CONF_PATH}
262+ chmod -R ug+rwX ${NGINX_APP_ROOT}/etc
263+ chmod -R ug+rwX ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start
264+ chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run
265+ chmod -R ug+rwX /var/log/httpd /var/run/httpd /etc/httpd/logs
266+ # Make CGI script executable
267+ chmod +x /opt/app-root/api/kernels/access.cgi
268+ rpm-file-permissions
269+ # Ensure the temporary directory and target directory have the correct permissions
270+ mkdir -p /opt/app-root/src/.local/share/code-server/extensions
271+ mkdir -p /opt/app-root/src/.local/share/code-server/coder-logs
272+ chown -R 1001:0 /opt/app-root/src/.local/share/code-server
273+ chown -R 1001:0 /opt/app-root/extensions-temp
274+ chown -R 1001:0 /opt/app-root/src/.config/code-server
275+ EOF
247276
248277# Launcher
249278COPY --chown=1001:0 ${CODESERVER_SOURCE_CODE}/run-code-server.sh ${CODESERVER_SOURCE_CODE}/run-nginx.sh ./
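Review bot: Every path expansion in this heredoc (`${NGINX_APP_ROOT}`, `${NGINX_CONF_PATH}`, `${NGINX_CONTAINER_SCRIPTS_PATH}`, `${NGINX_LOG_PATH}`, `${NGINX_PERL_MODULE_PATH}` on lines 247–263) is unquoted; with `set -u` an unset variable now aborts the build instead of silently running `sed -i -f /nginxconf.sed` or `mkdir -p /etc/nginx.d/`, which is an improvement, but the values should still be quoted (`sed -i -f "${NGINX_APP_ROOT}/nginxconf.sed" "${NGINX_CONF_PATH}"`) so ShellCheck passes and a value containing whitespace cannot split the command. The ENV block ending on line 211 suggests these variables are set in this stage, but the definition of `NGINX_CONF_PATH` is outside the hunk — worth confirming it is declared before this RUN. The recursive `chown -R 1001:0` / `chmod -R ug+rwX` over `/run`, `/var/lib/nginx` and the httpd directories (lines 259–265) are carried over unchanged and implement the group-0 write access the UID/GID comments above describe.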
@@ -261,28 +290,35 @@ COPY --from=whl-cache /tmp/control /dev/null
261290# Install packages and cleanup
262291# (ARCH-ppc64le): install packages (eg. pyarrow) that need to be built from source repository on ppc64le
263292RUN --mount=type=cache,target=/root/.cache/uv \
264- --mount=type=cache,from=whl-cache,source=/wheelsdir/,target=/wheelsdir/,rw \
265- bash -c ' \
266- if [[ $(uname -m) == "ppc64le" ]] || [[ $(uname -m) == "s390x" ]]; then \
267- uv pip install /wheelsdir/*.whl; \
268- fi '
293+ --mount=type=cache,from=whl-cache,source=/wheelsdir/,target=/wheelsdir/,rw /bin/bash <<'EOF'
294+ set -Eeuxo pipefail
295+ if [[ $(uname -m) == "ppc64le" ]] || [[ $(uname -m) == "s390x" ]]; then
296+ uv pip install /wheelsdir/*.whl
297+ fi
298+ EOF
299+
269300# install packages as USER 0 (this will allow us to consume uv cache)
270- RUN --mount=type=cache,target=/root/.cache/uv \
271- echo "Installing softwares and packages" && \
272- # we can ensure wheels are consumed from the cache only by restricting internet access for uv install with '--offline' flag
273- # TODO(jdanek): seen some builds fail on GitHub Actions with --offline and see no need to limit ourselves to the cache, will remove this
274- UV_LINK_MODE=copy uv pip install --cache-dir /root/.cache/uv --requirements=./pylock.toml && \
275- # Note: debugpy wheel availabe on pypi (in uv cache) is none-any but bundles amd64.so files
276- # Build debugpy from source instead
277- UV_LINK_MODE=copy uv pip install --no-cache git+https://github.com/microsoft/debugpy.git@v$(grep -A1 '\"debugpy\"' ./pylock.toml | grep -Eo '\b[0-9\.]+\b') && \
278- # change ownership to default user (all packages were installed as root and has root:root ownership \
279- chown -R 1001:0 /opt/app-root
301+ RUN --mount=type=cache,target=/root/.cache/uv /bin/bash <<'EOF'
302+ set -Eeuxo pipefail
303+ echo "Installing softwares and packages"
304+ # we can ensure wheels are consumed from the cache only by restricting internet access for uv install with '--offline' flag
305+ # TODO(jdanek): seen some builds fail on GitHub Actions with --offline and see no need to limit ourselves to the cache, will remove this
306+ UV_LINK_MODE=copy uv pip install --cache-dir /root/.cache/uv --requirements=./pylock.toml
307+ # Note: debugpy wheel availabe on pypi (in uv cache) is none-any but bundles amd64.so files
308+ # Build debugpy from source instead
309+ UV_LINK_MODE=copy uv pip install --no-cache git+https://github.com/microsoft/debugpy.git@v$(grep -A1 '\"debugpy\"' ./pylock.toml | grep -Eo '\b[0-9\.]+\b')
310+ # change ownership to default user (all packages were installed as root and has root:root ownership
311+ chown -R 1001:0 /opt/app-root
312+ EOF
280313
281314USER 1001
282315
283316# Fix permissions to support pip in Openshift environments
284- RUN chmod -R g+w /opt/app-root/lib/python3.12/site-packages && \
285- fix-permissions /opt/app-root -P
317+ RUN /bin/bash <<'EOF'
318+ set -Eeuxo pipefail
319+ chmod -R g+w /opt/app-root/lib/python3.12/site-packages
320+ fix-permissions /opt/app-root -P
321+ EOF
286322
287323WORKDIR /opt/app-root/src
288324
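Review bot: Line 309 installs debugpy from `git+https://github.com/microsoft/debugpy.git@v<version>` with the version scraped from pylock.toml by `grep -A1 ... | grep -Eo`; a git tag is mutable and `--no-cache` re-fetches it on every build, so this one package escapes the hash-verified lockfile (`--verify-hashes` / pylock.toml) the rest of the image relies on. Pinning the commit the tag pointed to at lock time closes that gap: `git+https://github.com/microsoft/debugpy.git@<COMMIT_SHA_PLACEHOLDER>  # debugpy v<version>; built from source because the pypi none-any wheel bundles amd64 .so files`, with the SHA kept next to the version in the lockfile or a build ARG. The grep pipeline returns the first numeric token after the `"debugpy"` line, which presumably is the `version` field; if the lockfile layout changes it will silently pick something else, so capturing it in a variable and checking `[[ -n "$debugpy_version" ]]` before the install would fail loudly instead. The first RUN of this hunk begins on the context line 263, so its `--mount` prefix is only partly visible here.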