Merge pull request #430 from jstourac/codeQuality

Add hadolint checks for Dockerfiles

Author: openshift-merge-bot[bot]

.github/workflows/code-quality.yaml

@@ -40,3 +40,13 @@ jobs:
               echo "There were errors in some of the checked files. Please run `json_verify` on such files and fix issues there."
           fi
           exit "${ret_code}"
+
+      - name: Validate Dockerfiles
+        id: validate-dockerfiles
+        run: |
+          type hadolint || sudo apt-get -y install wget \
+                             && wget --output-document=hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 \
+                             && chmod a+x hadolint
+          echo "Starting Hadolint"
+          find . -name "Dockerfile" | xargs ./hadolint --config ./ci/hadolint-config.yaml
+          echo "Hadolint done"

base/anaconda-python-3.8/Dockerfile

@@ -79,7 +79,7 @@ ENV BASH_ENV="source /opt/anaconda3/bin/activate ${APP_ROOT}" \
 USER 1001
 
 # Set the default CMD to print the usage of the language image.
-CMD $STI_SCRIPTS_PATH/usage
+CMD ["$STI_SCRIPTS_PATH/usage"]
 
 
 FROM s2i-python-anaconda-38-base

base/c9s-python-3.9/Dockerfile

@@ -13,7 +13,7 @@ LABEL name="odh-notebook-base-centos-stream9-python-3.9" \
 WORKDIR /opt/app-root/bin
 
 # Install micropipenv to deploy packages from Pipfile.lock
-RUN pip install -U "micropipenv[toml]"
+RUN pip install --no-cache-dir -U "micropipenv[toml]"
 
 # Install Python dependencies from Pipfile.lock file
 COPY Pipfile.lock ./
@@ -22,7 +22,7 @@ COPY Pipfile.lock ./
 USER root
 
 # Install usefull OS packages
-RUN dnf install -y mesa-libGL
+RUN dnf install -y mesa-libGL && dnf clean all && rm -rf /var/cache/yum
 
 # Other apps and tools installed as default user
 USER 1001

base/ubi8-python-3.8/Dockerfile

@@ -13,7 +13,7 @@ LABEL name="odh-notebook-base-ubi8-python-3.8" \
 WORKDIR /opt/app-root/bin
 
 # Install micropipenv to deploy packages from Pipfile.lock
-RUN pip install -U "micropipenv[toml]"
+RUN pip install --no-cache-dir -U "micropipenv[toml]"
 
 # Install Python dependencies from Pipfile.lock file
 COPY Pipfile.lock ./

base/ubi9-python-3.9/Dockerfile

@@ -13,7 +13,7 @@ LABEL name="odh-notebook-base-ubi9-python-3.9" \
 WORKDIR /opt/app-root/bin
 
 # Install micropipenv to deploy packages from Pipfile.lock
-RUN pip install -U "micropipenv[toml]"
+RUN pip install --no-cache-dir -U "micropipenv[toml]"
 
 # Install Python dependencies from Pipfile.lock file
 COPY Pipfile.lock ./
@@ -24,7 +24,7 @@ RUN echo "Installing softwares and packages" && micropipenv install && rm -f ./P
 USER root
 
 # Install usefull OS packages
-RUN dnf install -y mesa-libGL
+RUN dnf install -y mesa-libGL && dnf clean all && rm -rf /var/cache/yum
 
 # Other apps and tools installed as default user
 USER 1001

ci/hadolint-config.yaml

@@ -0,0 +1,36 @@
+---
+
+# Reference https://github.com/hadolint/hadolint
+# hadolint --config ./ci/hadolint-config.yaml <Dockerfile>
+
+# We should revisit this ignore list and reduce it regularly
+
+ignored:
+  # DL3006 warning: Always tag the version of an image explicitly
+  - DL3006
+  # DL3033 warning: Specify version with `yum install -y <package>-<version>`.
+  - DL3033
+  # DL3045 warning: `COPY` to a relative destination without `WORKDIR` set.
+  - DL3045
+  # DL3041 warning: Specify version with `dnf install -y <package>-<version>`.
+  - DL3041
+  # DL3059 info: Multiple consecutive `RUN` instructions. Consider consolidation.
+  - DL3059
+  # DL3013 warning: Pin versions in pip. Instead of `pip install <package>` use
+  # `pip install <package>==<version>` or `pip install --requirement <requirements file>`
+  - DL3013
+  # DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it.
+  # If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox
+  # then consider explicitly setting your SHELL to /bin/ash, or disable this check
+  - DL4006
+  # DL3007 warning: Using latest is prone to errors if the image will ever update.
+  # Pin the version explicitly to a release tag
+  - DL3007
+  # SC3060 warning: In POSIX sh, string replacement is undefined.
+  - SC3060
+  # SC2086 info: Double quote to prevent globbing and word splitting.
+  - SC2086
+  # SC2046 warning: Quote this to prevent word splitting.
+  - SC2046
+  # SC2140 warning: Word is of the form "A"B"C" (B indicated). Did you mean "ABC" or "A\"B\"C"?
+  - SC2140

codeserver/c9s-python-3.9/Dockerfile

@@ -87,4 +87,4 @@ WORKDIR /opt/app-root/src
 
 USER 1001
 
-CMD /opt/app-root/bin/run-code-server.sh
+CMD ["/opt/app-root/bin/run-code-server.sh"]

codeserver/ubi9-python-3.9/Dockerfile

@@ -29,7 +29,7 @@ RUN echo "Installing softwares and packages" && \
     fix-permissions /opt/app-root -P
 
 # Install usefull OS packages
-RUN dnf install -y jq git-lfs libsndfile
+RUN dnf install -y jq git-lfs libsndfile && dnf clean all && rm -rf /var/cache/yum
 
 # Install code-server
 RUN yum install -y "https://github.com/coder/code-server/releases/download/${CODESERVER_VERSION}/code-server-${CODESERVER_VERSION/v/}-amd64.rpm" && \
@@ -105,4 +105,4 @@ WORKDIR /opt/app-root/src
 
 USER 1001
 
-CMD /opt/app-root/bin/run-code-server.sh
+CMD ["/opt/app-root/bin/run-code-server.sh"]

jupyter/datascience/ubi8-python-3.8/Dockerfile

@@ -28,20 +28,20 @@ COPY utils ./utils/
 USER root
 
 # Install usefull OS packages
-RUN dnf install -y jq unixODBC git-lfs libsndfile
+RUN dnf install -y jq unixODBC git-lfs libsndfile && dnf clean all && rm -rf /var/cache/yum
 
 # Disable announcement plugin of jupyterlab
 RUN jupyter labextension disable "@jupyterlab/apputils-extension:announcements"
 
 # Install MongoDB Client, We need a special repo for MongoDB as they do their own distribution
 COPY mongodb-org-6.0.repo-x86_64 /etc/yum.repos.d/mongodb-org-6.0.repo
 
-RUN dnf install -y mongocli
+RUN dnf install -y mongocli && dnf clean all && rm -rf /var/cache/yum
 
 # Install MSSQL Client, We need a special repo for MSSQL as they do their own distribution
 COPY mssql-2022.repo-x86_64 /etc/yum.repos.d/mssql-2022.repo
 
-RUN ACCEPT_EULA=Y dnf install -y mssql-tools18 unixODBC-devel
+RUN ACCEPT_EULA=Y dnf install -y mssql-tools18 unixODBC-devel && dnf clean all && rm -rf /var/cache/yum
 
 ENV PATH="$PATH:/opt/mssql-tools18/bin"
 

jupyter/datascience/ubi9-python-3.9/Dockerfile

@@ -28,20 +28,20 @@ COPY utils ./utils/
 USER root
 
 # Install usefull OS packages
-RUN dnf install -y jq unixODBC postgresql git-lfs libsndfile
+RUN dnf install -y jq unixODBC postgresql git-lfs libsndfile && dnf clean all && rm -rf /var/cache/yum
 
 # Disable announcement plugin of jupyterlab
 RUN jupyter labextension disable "@jupyterlab/apputils-extension:announcements"
 
 # Install MongoDB Client, We need a special repo for MongoDB as they do their own distribution
 COPY mongodb-org-6.0.repo-x86_64 /etc/yum.repos.d/mongodb-org-6.0.repo
 
-RUN dnf install -y mongocli
+RUN dnf install -y mongocli && dnf clean all && rm -rf /var/cache/yum
 
 # Install MSSQL Client, We need a special repo for MSSQL as they do their own distribution
 COPY mssql-2022.repo-x86_64 /etc/yum.repos.d/mssql-2022.repo
 
-RUN ACCEPT_EULA=Y dnf install -y mssql-tools18 unixODBC-devel
+RUN ACCEPT_EULA=Y dnf install -y mssql-tools18 unixODBC-devel && dnf clean all && rm -rf /var/cache/yum
 
 ENV PATH="$PATH:/opt/mssql-tools18/bin"