Context
This issue consolidates review findings from PR #3000 (review #3835564350) to be addressed in a follow-up.
References:
- PR: RHAIENG-3346, RHAIENG-3349: chore(Dockerfile.konflux): bring over the Dockerfile.konflux files from RHDS to ODH #3000
- Review: RHAIENG-3346, RHAIENG-3349: chore(Dockerfile.konflux): bring over the Dockerfile.konflux files from RHDS to ODH #3000 (review)
Findings to Address
1. Cross-architecture build issues with oc client download
File: jupyter/datascience/ubi9-python-3.12/Dockerfile.konflux.cpu (lines 123-129)
Issue: $(uname -m) returns the host architecture, not the target architecture during cross-compilation. This will download the wrong oc binary for ppc64le or s390x builds on amd64 hosts.
Action: Map $TARGETARCH to OpenShift mirror conventions (amd64→x86_64, arm64→aarch64, keep ppc64le/s390x as-is) and use the mapped value in the download URL.
2. Conflicting LABEL blocks
File: jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.cuda (lines 72-80, 122-128)
Issue: Two LABEL blocks with overlapping keys where the second block silently overrides the first. name and io.k8s.display-name end up with wrong values.
Action: Remove the first ODH-style LABEL block (lines 72-80) or merge any required labels into the second block to match the pattern used in Dockerfile.konflux.rocm.
3. Incorrect USER context for privileged operations
File: jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.cuda (lines 94-99)
Issue: The install heredoc runs as USER 1001 but contains operations requiring root privileges (chmod -R g+w, fix-permissions). This is inconsistent with Dockerfile.konflux.rocm and other variants.
Action: Switch to USER 0 before the install heredoc, then switch back to USER 1001 afterward if needed.
4. Inconsistent skopeo handling (CVE-2025-4674)
File: jupyter/pytorch+llmcompressor/ubi9-python-3.12/Dockerfile.konflux.cuda (lines 57-63)
Issue: RStudio Dockerfiles explicitly remove skopeo due to CVE-2025-4674, but many runtime/jupyter Dockerfiles still install it. Remediation should be consistent across images.
Action: Either remove skopeo from all affected Dockerfiles or add comments explaining why certain images are exempt from the CVE mitigation.
5. Wheel installation bypasses hash verification
File: jupyter/trustyai/ubi9-python-3.12/Dockerfile.konflux.cpu (line 242)
Issue: Architecture-specific wheel installation (uv pip install /wheelsdir/*.whl accelerate) bypasses --verify-hashes, --no-deps, and --strict flags used elsewhere in the file.
Action: Install local wheels with --no-deps --verify-hashes --strict and add accelerate to pylock.toml with its expected hash, or install it via the lockfile.
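What `--verify-hashes` buys, and what `uv pip install /wheelsdir/*.whl` gives up, can be shown with a small script that applies the same rule to a directory of local wheels: every wheel must have a lock entry and its SHA-256 must match, otherwise nothing is installed. This is an added example, not code from the PR or from the notebooks repo; the lock format is a constructed "<filename> <sha256>" list standing in for the pylock.toml hash entries, and the wheels are constructed fixtures.

```shell
#!/bin/sh
# Added example (not the project's own code): reproduce the check that a
# hash-verified install performs, for wheels sitting in a local directory.
# Lock format here is a constructed "<wheel filename> <sha256>" list.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_wheels <wheelsdir> <lockfile>
# Returns 0 only if every wheel in the directory has a lock entry whose hash
# matches; an unpinned wheel is the case a bare `uv pip install *.whl` misses.
verify_wheels() {
    dir=$1; lock=$2; rc=0
    for whl in "$dir"/*.whl; do
        [ -e "$whl" ] || { echo "no wheels in $dir" >&2; return 1; }
        name=$(basename "$whl")
        expected=$(awk -v n="$name" '$1 == n { print $2 }' "$lock")
        if [ -z "$expected" ]; then
            echo "UNPINNED  $name (no lock entry: would install unverified)" >&2
            rc=1
        elif [ "$(sha256_of "$whl")" != "$expected" ]; then
            echo "MISMATCH  $name (hash differs from lock entry)" >&2
            rc=1
        else
            echo "OK        $name"
        fi
    done
    return $rc
}

# Constructed fixture: two fake wheels, one pinned in the lock, one absent
# from it (the situation of the ad-hoc accelerate install in the finding).
make_fixture() {
    d=$(mktemp -d)
    mkdir "$d/wheels"
    printf 'abc' > "$d/wheels/pinned-1.0-py3-none-any.whl"
    printf 'xyz' > "$d/wheels/accelerate-0.0-py3-none-any.whl"
    # sha256("abc"), the well-known test vector
    printf '%s %s\n' pinned-1.0-py3-none-any.whl \
        ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad > "$d/lock.txt"
    echo "$d"
}
```

Running `d=$(make_fixture); verify_wheels "$d/wheels" "$d/lock.txt"` reports the pinned wheel as OK and the unpinned one as UNPINNED with a non-zero exit, which is the gate the Dockerfile should put in front of the install step; adding the wheel's hash to the lock makes the run pass, and tampering with the file afterwards makes it fail again.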
6. Dead code marked with TODO
File: rstudio/rhel9-python-3.12/Dockerfile.konflux.cuda (lines 61-66)
Issue: ARG declarations (SECRET_DIR, SERVERURL_DEFAULT, BASEURL_DEFAULT) are marked "TODO THIS SHOULD BE REMOVED" and appear unused.
Action: Remove these ARG declarations and the surrounding TODO comment block.
7. Hardcoded x86_64 in subscription-manager
File: rstudio/rhel9-python-3.12/Dockerfile.konflux.cuda (line 103)
Issue: subscription-manager repos --enable codeready-builder-for-rhel-9-x86_64-rpms hardcodes x86_64, which will fail on aarch64 builds.
Action: Make the repo name architecture-aware by using $(uname -m) or mapping $TARGETARCH appropriately (arm64→aarch64).
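Findings 1 and 7 need the same mapping: translate BuildKit's $TARGETARCH (amd64, arm64, ppc64le, s390x) into the x86_64/aarch64 names the OpenShift mirror and the RHEL repository ids use, and refuse anything else so a typo cannot silently fall back to the host architecture. The helper below is an added example, not code from the PR; it assumes TARGETARCH is populated by BuildKit when the Dockerfile declares `ARG TARGETARCH`, and the mirror URL layout is an assumption to be checked against the path the Dockerfile currently downloads from.

```shell
#!/bin/sh
# Added example (not the project's own code): map $TARGETARCH to the
# architecture names used by mirror.openshift.com and by RHEL repo ids.
# Assumption: TARGETARCH is set by BuildKit (`ARG TARGETARCH` in the Dockerfile).

map_arch() {
    case "$1" in
        amd64)          echo x86_64 ;;
        arm64)          echo aarch64 ;;
        ppc64le|s390x)  echo "$1" ;;
        *)  echo "unsupported TARGETARCH: '$1'" >&2; return 1 ;;
    esac
}

# Download URL for the oc client (mirror path layout is an assumption).
oc_download_url() {
    arch=$(map_arch "$1") || return 1
    echo "https://mirror.openshift.com/pub/openshift-v4/${arch}/clients/ocp/stable/openshift-client-linux.tar.gz"
}

# Repo id for `subscription-manager repos --enable`, replacing the hardcoded x86_64.
codeready_repo() {
    arch=$(map_arch "$1") || return 1
    echo "codeready-builder-for-rhel-9-${arch}-rpms"
}

# Show the host/target mismatch the review describes: on an amd64 host
# cross-building for ppc64le, uname -m is wrong and TARGETARCH is right.
if [ -n "${TARGETARCH:-}" ]; then
    echo "host arch (uname -m): $(uname -m)"
    echo "target arch:          $(map_arch "$TARGETARCH")"
    echo "oc url:               $(oc_download_url "$TARGETARCH")"
    echo "repo id:              $(codeready_repo "$TARGETARCH")"
fi
```

In a Dockerfile this sits inside the RUN step that does the download, after an `ARG TARGETARCH` line; the `return 1` on an unknown value makes the build fail loudly instead of fetching a binary for the wrong architecture.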
Priority
These items are non-blocking and can be addressed in a follow-up PR after the initial Konflux migration is complete.