feat(Dockerfiles): switch from s2i python images to plain ubi/cs9 ones

jiridanek · jiridanek · commit 31a6c9da61fc · 2024-10-04T09:26:16.000+02:00
The main benefit is size and cve exposure, as the python images come with packages we don't use; python and pip is enough for us.

Additionally, using plain ubi makes things more explicit.
diff --git a/base/c9s-python-3.9/Dockerfile b/base/c9s-python-3.9/Dockerfile
@@ -1,4 +1,15 @@
-FROM quay.io/sclorg/python-39-c9s:c9s
+FROM quay.io/centos/centos:stream9
+
+# perform the setup that python image used to do for us
+#  but this way it uses a lot less disk space (hundreds of megabytes less)
+ENV VIRTUAL_ENV="/opt/app-root"
+ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
+RUN useradd --uid 1001 --gid 0 --create-home --base-dir / --home-dir /opt/app-root/src \
+      --comment "Default Application User" --shell /bin/bash default && \
+    dnf install -y python3-pip && dnf clean all && rm -rf /var/cache/yum/* && \
+    python3.9 -m venv "${VIRTUAL_ENV}"
+
+USER 1001
 
 LABEL name="odh-notebook-base-centos-stream9-python-3.9" \
       summary="Python 3.9 CentOS Stream 9 base image for ODH notebooks" \
diff --git a/base/ubi9-python-3.11/Dockerfile b/base/ubi9-python-3.11/Dockerfile
@@ -1,4 +1,15 @@
-FROM registry.access.redhat.com/ubi9/python-311:latest
+FROM registry.access.redhat.com/ubi9/ubi:latest
+
+# perform the setup that python s2i image used to do for us
+#  but this way it uses a lot less disk space (hundreds of megabytes less)
+ENV VIRTUAL_ENV="/opt/app-root"
+ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
+RUN useradd --uid 1001 --gid 0 --create-home --base-dir / --home-dir /opt/app-root/src \
+      --comment "Default Application User" --shell /bin/bash default && \
+    dnf install -y python311-pip && dnf clean all && rm -rf /var/cache/yum/* && \
+    python3.11 -m venv "${VIRTUAL_ENV}"
+
+USER 1001
 
 LABEL name="odh-notebook-base-ubi9-python-3.11" \
       summary="Python 3.11 base image for ODH notebooks" \
@@ -18,7 +29,7 @@ RUN pip install --no-cache-dir -U "micropipenv[toml]"
 # Install Python dependencies from Pipfile.lock file
 COPY Pipfile.lock ./
 
-RUN echo "Installing softwares and packages" && micropipenv install && rm -f ./Pipfile.lock
+RUN echo "Installing software and packages" && micropipenv install && rm -f ./Pipfile.lock
 
 # OS Packages needs to be installed as root
 USER root
diff --git a/base/ubi9-python-3.9/Dockerfile b/base/ubi9-python-3.9/Dockerfile
@@ -1,4 +1,15 @@
-FROM registry.access.redhat.com/ubi9/python-39:latest
+FROM registry.access.redhat.com/ubi9/ubi:latest
+
+# perform the setup that python s2i image used to do for us
+#  but this way it uses a lot less disk space (hundreds of megabytes less)
+ENV VIRTUAL_ENV="/opt/app-root"
+ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
+RUN useradd --uid 1001 --gid 0 --create-home --base-dir / --home-dir /opt/app-root/src \
+      --comment "Default Application User" --shell /bin/bash default && \
+    dnf install -y python3-pip && dnf clean all && rm -rf /var/cache/yum/* && \
+    python3.9 -m venv "${VIRTUAL_ENV}"
+
+USER 1001
 
 LABEL name="odh-notebook-base-ubi9-python-3.9" \
       summary="Python 3.9 base image for ODH notebooks" \
