3333
3434# Install useful OS packages
3535# remove skopeo, CVE-2025-4674
36- RUN dnf install -y mesa-libGL && dnf clean all && rm -rf /var/cache/yum
36+ RUN /bin/bash <<'EOF'
37+ set -Eeuxo pipefail
38+ dnf install -y mesa-libGL
39+ dnf clean all
40+ rm -rf /var/cache/yum
41+ EOF
3742
3843# Other apps and tools installed as default user
3944USER 1001
@@ -65,51 +70,63 @@ USER 0
6570ENV R_VERSION=4.5.1
6671
6772# Install R
68- RUN dnf install -y 'dnf-command(config-manager)' && \
69- dnf config-manager --set-enabled crb && \
70- dnf install -y https://download.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm && \
71- INSTALL_PKGS="R-core R-core-devel R-java R-Rcpp R-highlight \
72- R-littler R-littler-examples openssl-libs compat-openssl11" && \
73- dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
74- echo 'options(repos = c(CRAN = "https://cran.rstudio.com/"), download.file.method = "libcurl")' >> /usr/lib64/R/etc/Rprofile.site && \
75- (umask 002;touch /usr/lib64/R/etc/Renviron.site) && \
76- dnf -y clean all --enablerepo='*'
73+ RUN /bin/bash <<'EOF'
74+ set -Eeuxo pipefail
75+ dnf install -y 'dnf-command(config-manager)'
76+ dnf config-manager --set-enabled crb
77+ dnf install -y https://download.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
78+ INSTALL_PKGS="R-core R-core-devel R-java R-Rcpp R-highlight \
79+ R-littler R-littler-examples openssl-libs compat-openssl11"
80+ dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS
81+ echo 'options(repos = c(CRAN = "https://cran.rstudio.com/"), download.file.method = "libcurl")' >> /usr/lib64/R/etc/Rprofile.site
82+ (umask 002;touch /usr/lib64/R/etc/Renviron.site)
83+ dnf -y clean all --enablerepo='*'
84+ EOF
7785
7886# set R library to default (used in install.r from littler)
7987ENV LIBLOC=/usr/lib64/R/library
8088ENV R_LIBS_USER=/opt/app-root/bin/Rpackages/4.5
8189
82- RUN chmod -R a+w ${LIBLOC} && \
83- # create User R Library path
84- mkdir -p ${R_LIBS_USER} && \
85- chmod -R a+w ${R_LIBS_USER}
90+ RUN /bin/bash <<'EOF'
91+ set -Eeuxo pipefail
92+ chmod -R a+w ${LIBLOC}
93+ # create User R Library path
94+ mkdir -p ${R_LIBS_USER}
95+ chmod -R a+w ${R_LIBS_USER}
96+ EOF
8697
8798WORKDIR /tmp/
8899COPY /rstudio/utils /tmp/utils
89100
90101# Install RStudio
91102ARG RSTUDIO_RPM=rstudio-server-rhel-2025.09.0-387-x86_64.rpm
92- RUN wget --progress=dot:giga https://download2.rstudio.org/server/rhel9/x86_64/${RSTUDIO_RPM} && \
93- dnf install -y ${RSTUDIO_RPM} && \
94- rm ${RSTUDIO_RPM} && \
95- dnf -y clean all --enablerepo='*' && \
96- # Specific RStudio config and fixes
97- chmod 1777 /var/run/rstudio-server && \
98- mkdir -p /usr/share/doc/R && \
99- # package installation
100- # install necessary texlive-framed package to make Knit R markup to PDF rendering possible
101- dnf install -y libgit2-devel.x86_64 libcurl-devel harfbuzz-devel.x86_64 fribidi-devel.x86_64 cmake "flexiblas-*" texlive-framed && \
102- dnf clean all && \
103- rm -rf /var/cache/yum && \
104- (cd /tmp/utils && ./cve_remediation.sh)
103+ RUN /bin/bash <<'EOF'
104+ set -Eeuxo pipefail
105+ wget --progress=dot:giga https://download2.rstudio.org/server/rhel9/x86_64/${RSTUDIO_RPM}
106+ dnf install -y ${RSTUDIO_RPM}
107+ rm ${RSTUDIO_RPM}
108+ dnf -y clean all --enablerepo='*'
109+ # Specific RStudio config and fixes
110+ chmod 1777 /var/run/rstudio-server
111+ mkdir -p /usr/share/doc/R
112+ # package installation
113+ # install necessary texlive-framed package to make Knit R markup to PDF rendering possible
114+ dnf install -y libgit2-devel.x86_64 libcurl-devel harfbuzz-devel.x86_64 fribidi-devel.x86_64 cmake "flexiblas-*" texlive-framed
115+ dnf clean all
116+ rm -rf /var/cache/yum
117+ (cd /tmp/utils && ./cve_remediation.sh)
118+ EOF
105119
106120COPY ${RSTUDIO_SOURCE_CODE}/rsession.conf /etc/rstudio/rsession.conf
107121
108122# Install R packages
109123# https://cran.r-project.org/web/packages
110124COPY ${RSTUDIO_SOURCE_CODE}/install_packages.R ./
111- RUN R -f ./install_packages.R && \
112- rm ./install_packages.R
125+ RUN /bin/bash <<'EOF'
126+ set -Eeuxo pipefail
127+ R -f ./install_packages.R
128+ rm ./install_packages.R
129+ EOF
113130
114131ENV APP_ROOT=/opt/app-root
115132
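Review bot: The RStudio Server RPM is installed with no integrity check. New lines 105–106 download it with wget and pass the local file to `dnf install -y ${RSTUDIO_RPM}`, and dnf does not verify signatures on local package files unless `localpkg_gpgcheck` is enabled, which nothing visible here does. That leaves TLS to the download host as the only protection for a package installed in what appears to be a root build stage. Pin the digest beside the existing ARG, e.g. `ARG RSTUDIO_RPM_SHA256=<sha256-of-pinned-rpm>` (placeholder), and add `echo "${RSTUDIO_RPM_SHA256}  ${RSTUDIO_RPM}" | sha256sum -c -` before the install; with `set -e` now active, a mismatch stops the build. The EPEL release RPM on new line 77 is likewise installed straight from a `-latest-` URL and would benefit from a pinned version or the same check.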
@@ -125,12 +142,15 @@ ENV NGINX_VERSION=1.24 \
125142 NGINX_PERL_MODULE_PATH=${APP_ROOT}/etc/perl
126143
127144# Modules does not exist
128- RUN dnf -y module enable nginx:$NGINX_VERSION && \
129- INSTALL_PKGS="nss_wrapper bind-utils gettext hostname nginx nginx-mod-stream nginx-mod-http-perl httpd" && \
130- dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS && \
131- rpm -V $INSTALL_PKGS && \
132- nginx -v 2>&1 | grep -qe "nginx/$NGINX_VERSION\." && echo "Found VERSION $NGINX_VERSION" && \
133- dnf -y clean all --enablerepo='*'
145+ RUN /bin/bash <<'EOF'
146+ set -Eeuxo pipefail
147+ dnf -y module enable nginx:$NGINX_VERSION
148+ INSTALL_PKGS="nss_wrapper bind-utils gettext hostname nginx nginx-mod-stream nginx-mod-http-perl httpd"
149+ dnf install -y --setopt=tsflags=nodocs $INSTALL_PKGS
150+ rpm -V $INSTALL_PKGS
151+ nginx -v 2>&1 | grep -qe "nginx/$NGINX_VERSION\." && echo "Found VERSION $NGINX_VERSION"
152+ dnf -y clean all --enablerepo='*'
153+ EOF
134154
135155# Configure httpd for CGI processing
136156COPY --chown=1001:0 ${RSTUDIO_SOURCE_CODE}/httpd/httpd.conf /etc/httpd/conf/httpd.conf
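Review bot: The nginx version check on new line 151 no longer fails the build. Under `set -e`, a command that fails on the left side of `&&` does not trigger an exit, so when grep finds no match the script simply continues to `dnf -y clean all`. The old `&&` chain stopped the RUN at that point, so this conversion silently turns a verification step into a no-op. Put the check on its own line so errexit and pipefail apply to it: `nginx -v 2>&1 | grep -qe "nginx/$NGINX_VERSION\."` followed by a separate `echo "Found VERSION $NGINX_VERSION"`.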
@@ -155,30 +175,33 @@ COPY ${RSTUDIO_SOURCE_CODE}/nginx/api/ /opt/app-root/api/
155175# UID=1001 && GID=0
156176# UID=<any>&& GID=0
157177# UID=1001 && GID=<any>
158- RUN sed -i -f ${NGINX_APP_ROOT}/nginxconf.sed ${NGINX_CONF_PATH} && \
159- mkdir -p ${NGINX_APP_ROOT}/etc/nginx.d/ && \
160- mkdir -p ${NGINX_APP_ROOT}/etc/nginx.default.d/ && \
161- mkdir -p ${NGINX_APP_ROOT}/api/ && \
162- mkdir -p ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \
163- mkdir -p ${NGINX_LOG_PATH} && \
164- mkdir -p ${NGINX_PERL_MODULE_PATH} && \
165- # Create httpd directories and set permissions
166- mkdir -p /var/log/httpd /var/run/httpd /etc/httpd/logs && \
167- chown -R 1001:0 ${NGINX_CONF_PATH} && \
168- chown -R 1001:0 ${NGINX_APP_ROOT}/etc && \
169- chown -R 1001:0 ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \
170- chown -R 1001:0 /var/lib/nginx /var/log/nginx /run && \
171- chown -R 1001:0 /var/log/httpd /var/run/httpd /etc/httpd/logs && \
172- chmod ug+rw ${NGINX_CONF_PATH} && \
173- chmod -R ug+rwX ${NGINX_APP_ROOT}/etc && \
174- chmod -R ug+rwX ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start && \
175- chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run && \
176- chmod -R ug+rwX /var/log/httpd /var/run/httpd /etc/httpd/logs && \
177- # Make CGI scripts executable and set proper ownership
178- chmod +x /opt/app-root/api/kernels/access.cgi && \
179- chmod +x /opt/app-root/api/probe.cgi && \
180- chown -R 1001:0 /opt/app-root/api && \
181- rpm-file-permissions
178+ RUN /bin/bash <<'EOF'
179+ set -Eeuxo pipefail
180+ sed -i -f ${NGINX_APP_ROOT}/nginxconf.sed ${NGINX_CONF_PATH}
181+ mkdir -p ${NGINX_APP_ROOT}/etc/nginx.d/
182+ mkdir -p ${NGINX_APP_ROOT}/etc/nginx.default.d/
183+ mkdir -p ${NGINX_APP_ROOT}/api/
184+ mkdir -p ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start
185+ mkdir -p ${NGINX_LOG_PATH}
186+ mkdir -p ${NGINX_PERL_MODULE_PATH}
187+ # Create httpd directories and set permissions
188+ mkdir -p /var/log/httpd /var/run/httpd /etc/httpd/logs
189+ chown -R 1001:0 ${NGINX_CONF_PATH}
190+ chown -R 1001:0 ${NGINX_APP_ROOT}/etc
191+ chown -R 1001:0 ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start
192+ chown -R 1001:0 /var/lib/nginx /var/log/nginx /run
193+ chown -R 1001:0 /var/log/httpd /var/run/httpd /etc/httpd/logs
194+ chmod ug+rw ${NGINX_CONF_PATH}
195+ chmod -R ug+rwX ${NGINX_APP_ROOT}/etc
196+ chmod -R ug+rwX ${NGINX_CONTAINER_SCRIPTS_PATH}/nginx-start
197+ chmod -R ug+rwX /var/lib/nginx /var/log/nginx /run
198+ chmod -R ug+rwX /var/log/httpd /var/run/httpd /etc/httpd/logs
199+ # Make CGI scripts executable and set proper ownership
200+ chmod +x /opt/app-root/api/kernels/access.cgi
201+ chmod +x /opt/app-root/api/probe.cgi
202+ chown -R 1001:0 /opt/app-root/api
203+ rpm-file-permissions
204+ EOF
182205
183206# Launcher
184207WORKDIR /opt/app-root/bin
@@ -190,13 +213,16 @@ USER 1001
190213
191214COPY ${RSTUDIO_SOURCE_CODE}/pylock.toml ./
192215
193- RUN echo "Installing softwares and packages" && \
194- # This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`,
195- # we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
196- uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml && \
197- # Fix permissions to support pip in Openshift environments \
198- chmod -R g+w /opt/app-root/lib/python3.12/site-packages && \
199- fix-permissions /opt/app-root -P
216+ RUN /bin/bash <<'EOF'
217+ set -Eeuxo pipefail
218+ echo "Installing softwares and packages"
219+ # This may have to download and compile some dependencies, and as we don't lock requirements from `build-system.requires`,
220+ # we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
221+ uv pip install --strict --no-deps --no-cache --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml
222+ # Fix permissions to support pip in Openshift environments
223+ chmod -R g+w /opt/app-root/lib/python3.12/site-packages
224+ fix-permissions /opt/app-root -P
225+ EOF
200226
201227WORKDIR /opt/app-root/src
202228