RHAIENG-1965: chore(cli): update Dockerfile.konflux* comments for consistency with scripts/dockerfile_fragments.py

* opendatahub-io#2682

Author: jiridanek

codeserver/ubi9-python-3.12/Dockerfile.cpu

@@ -335,3 +335,30 @@ EOF
 
 FROM codeserver
 COPY --from=tests /tmp/test_log.txt /tmp/test_log.txt
+
+### BEGIN upgrade first to avoid fixable vulnerabilities
+# Problem: The operation would result in removing the following protected packages: systemd
+#  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
+# Solution: --best --skip-broken does not work either, so use --nobest
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0
+dnf clean all -y
+EOF
+
+### END upgrade first to avoid fixable vulnerabilities
+
+### BEGIN Install micropipenv and uv to deploy packages from requirements.txt
+RUN pip install --no-cache-dir --extra-index-url https://pypi.org/simple -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
+### END Install micropipenv and uv to deploy packages from requirements.txt
+
+### BEGIN Install the oc client
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
+    -o /tmp/openshift-client-linux.tar.gz
+tar -xzvf /tmp/openshift-client-linux.tar.gz oc
+rm -f /tmp/openshift-client-linux.tar.gz
+EOF
+
+### END Install the oc client

codeserver/ubi9-python-3.12/Dockerfile.konflux.cpu

@@ -85,7 +85,7 @@ USER 0
 # By copying ubi.repo from the public UBI 9 image, we enable package management for upgrades and installations.
 COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
 
-# upgrade first to avoid fixable vulnerabilities begin
+### BEGIN upgrade first to avoid fixable vulnerabilities
 # Problem: The operation would result in removing the following protected packages: systemd
 #  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
 # Solution: --best --skip-broken does not work either, so use --nobest
@@ -95,7 +95,7 @@ dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=in
 dnf clean all -y
 EOF
 
-# upgrade first to avoid fixable vulnerabilities end
+### END upgrade first to avoid fixable vulnerabilities
 
 # Install useful OS packages
 RUN /bin/bash <<'EOF'
@@ -116,11 +116,11 @@ EOF
 # Other apps and tools installed as default user
 USER 1001
 
-# Install micropipenv and uv to deploy packages from requirements.txt begin
+### BEGIN Install micropipenv and uv to deploy packages from requirements.txt
 RUN pip install --no-cache-dir --extra-index-url https://pypi.org/simple -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
-# Install micropipenv and uv to deploy packages from requirements.txt end
+### END Install micropipenv and uv to deploy packages from requirements.txt
 
-# Install the oc client begin
+### BEGIN Install the oc client
 RUN /bin/bash <<'EOF'
 set -Eeuxo pipefail
 curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
@@ -129,7 +129,7 @@ tar -xzvf /tmp/openshift-client-linux.tar.gz oc
 rm -f /tmp/openshift-client-linux.tar.gz
 EOF
 
-# Install the oc client end
+### END Install the oc client
 
 ####################
 # codeserver       #

jupyter/datascience/ubi9-python-3.12/Dockerfile.cpu

@@ -455,3 +455,36 @@ fix-permissions /opt/app-root -P
 EOF
 
 WORKDIR /opt/app-root/src
+
+### BEGIN upgrade first to avoid fixable vulnerabilities
+# Problem: The operation would result in removing the following protected packages: systemd
+#  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
+# Solution: --best --skip-broken does not work either, so use --nobest
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0
+dnf clean all -y
+EOF
+
+### END upgrade first to avoid fixable vulnerabilities
+
+### BEGIN Install micropipenv and uv to deploy packages from requirements.txt
+RUN pip install --no-cache-dir --extra-index-url https://pypi.org/simple -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
+### END Install micropipenv and uv to deploy packages from requirements.txt
+
+### BEGIN Install the oc client
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
+    -o /tmp/openshift-client-linux.tar.gz
+tar -xzvf /tmp/openshift-client-linux.tar.gz oc
+rm -f /tmp/openshift-client-linux.tar.gz
+EOF
+
+### END Install the oc client
+
+### BEGIN Dependencies for PDF export
+RUN ./utils/install_pdf_deps.sh
+ENV PATH="/usr/local/texlive/bin/linux:/usr/local/pandoc/bin:$PATH"
+
+### END Dependencies for PDF export

jupyter/datascience/ubi9-python-3.12/Dockerfile.konflux.cpu

@@ -54,7 +54,7 @@ ARG TARGETARCH
 # By copying ubi.repo from the public UBI 9 image, we enable package management for upgrades and installations.
 COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
 
-# upgrade first to avoid fixable vulnerabilities begin
+### BEGIN upgrade first to avoid fixable vulnerabilities
 # Problem: The operation would result in removing the following protected packages: systemd
 #  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
 # Solution: --best --skip-broken does not work either, so use --nobest
@@ -64,7 +64,7 @@ dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=in
 dnf clean all -y
 EOF
 
-# upgrade first to avoid fixable vulnerabilities end
+### END upgrade first to avoid fixable vulnerabilities
 
 # Install useful OS packages
 RUN --mount=type=cache,target=/var/cache/dnf /bin/bash <<'EOF'
@@ -114,11 +114,11 @@ EOF
 # Other apps and tools installed as default user
 USER 1001
 
-# Install micropipenv and uv to deploy packages from requirements.txt begin
+### BEGIN Install micropipenv and uv to deploy packages from requirements.txt
 RUN pip install --no-cache-dir --extra-index-url https://pypi.org/simple -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
-# Install micropipenv and uv to deploy packages from requirements.txt end
+### END Install micropipenv and uv to deploy packages from requirements.txt
 
-# Install the oc client begin
+### BEGIN Install the oc client
 RUN /bin/bash <<'EOF'
 set -Eeuxo pipefail
 curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
@@ -127,7 +127,7 @@ tar -xzvf /tmp/openshift-client-linux.tar.gz oc
 rm -f /tmp/openshift-client-linux.tar.gz
 EOF
 
-# Install the oc client end
+### END Install the oc client
 
 ##############################
 # wheel-builder stage        #
@@ -280,11 +280,11 @@ COPY ${MINIMAL_SOURCE_CODE}/start-notebook.sh ./
 
 USER 0
 
-# Dependencies for PDF export begin
+### BEGIN Dependencies for PDF export
 RUN ./utils/install_pdf_deps.sh
 ENV PATH="/usr/local/texlive/bin/linux:/usr/local/pandoc/bin:$PATH"
 
-# Dependencies for PDF export end
+### END Dependencies for PDF export
 
 USER 1001
 

jupyter/minimal/ubi9-python-3.12/Dockerfile.cpu

@@ -101,7 +101,7 @@ COPY ${JUPYTER_REUSABLE_UTILS} utils/
 
 USER 0
 
-# Dependencies for PDF export begin
+# Dependencies for PDF export
 RUN --mount=type=cache,from=pdf-builder,source=/usr/local/,target=/pdf_builder/,rw \
     bash -c ' \
     if [[ "$(uname -m)" == "ppc64le" ]]; then \
@@ -138,3 +138,36 @@ EOF
 WORKDIR /opt/app-root/src
 
 ENTRYPOINT ["start-notebook.sh"]
+
+### BEGIN upgrade first to avoid fixable vulnerabilities
+# Problem: The operation would result in removing the following protected packages: systemd
+#  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
+# Solution: --best --skip-broken does not work either, so use --nobest
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0
+dnf clean all -y
+EOF
+
+### END upgrade first to avoid fixable vulnerabilities
+
+### BEGIN Install micropipenv and uv to deploy packages from requirements.txt
+RUN pip install --no-cache-dir --extra-index-url https://pypi.org/simple -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
+### END Install micropipenv and uv to deploy packages from requirements.txt
+
+### BEGIN Install the oc client
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
+    -o /tmp/openshift-client-linux.tar.gz
+tar -xzvf /tmp/openshift-client-linux.tar.gz oc
+rm -f /tmp/openshift-client-linux.tar.gz
+EOF
+
+### END Install the oc client
+
+### BEGIN Dependencies for PDF export
+RUN ./utils/install_pdf_deps.sh
+ENV PATH="/usr/local/texlive/bin/linux:/usr/local/pandoc/bin:$PATH"
+
+### END Dependencies for PDF export

jupyter/minimal/ubi9-python-3.12/Dockerfile.cuda

@@ -118,3 +118,36 @@ EOF
 WORKDIR /opt/app-root/src
 
 ENTRYPOINT ["start-notebook.sh"]
+
+### BEGIN upgrade first to avoid fixable vulnerabilities
+# Problem: The operation would result in removing the following protected packages: systemd
+#  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
+# Solution: --best --skip-broken does not work either, so use --nobest
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=0
+dnf clean all -y
+EOF
+
+### END upgrade first to avoid fixable vulnerabilities
+
+### BEGIN Install micropipenv and uv to deploy packages from requirements.txt
+RUN pip install --no-cache-dir --extra-index-url https://pypi.org/simple -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
+### END Install micropipenv and uv to deploy packages from requirements.txt
+
+### BEGIN Install the oc client
+RUN /bin/bash <<'EOF'
+set -Eeuxo pipefail
+curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
+    -o /tmp/openshift-client-linux.tar.gz
+tar -xzvf /tmp/openshift-client-linux.tar.gz oc
+rm -f /tmp/openshift-client-linux.tar.gz
+EOF
+
+### END Install the oc client
+
+### BEGIN Dependencies for PDF export
+RUN ./utils/install_pdf_deps.sh
+ENV PATH="/usr/local/texlive/bin/linux:/usr/local/pandoc/bin:$PATH"
+
+### END Dependencies for PDF export

jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.cpu

@@ -41,7 +41,7 @@ USER 0
 # By copying ubi.repo from the public UBI 9 image, we enable package management for upgrades and installations.
 COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
 
-# upgrade first to avoid fixable vulnerabilities begin
+### BEGIN upgrade first to avoid fixable vulnerabilities
 # Problem: The operation would result in removing the following protected packages: systemd
 #  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
 # Solution: --best --skip-broken does not work either, so use --nobest
@@ -51,7 +51,7 @@ dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=in
 dnf clean all -y
 EOF
 
-# upgrade first to avoid fixable vulnerabilities end
+### END upgrade first to avoid fixable vulnerabilities
 
 # Install useful OS packages
 RUN /bin/bash <<'EOF'
@@ -64,11 +64,11 @@ EOF
 # Other apps and tools installed as default user
 USER 1001
 
-# Install micropipenv and uv to deploy packages from requirements.txt begin
+### BEGIN Install micropipenv and uv to deploy packages from requirements.txt
 RUN pip install --no-cache-dir --extra-index-url https://pypi.org/simple -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
-# Install micropipenv and uv to deploy packages from requirements.txt end
+### END Install micropipenv and uv to deploy packages from requirements.txt
 
-# Install the oc client begin
+### BEGIN Install the oc client
 RUN /bin/bash <<'EOF'
 set -Eeuxo pipefail
 curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
@@ -77,7 +77,7 @@ tar -xzvf /tmp/openshift-client-linux.tar.gz oc
 rm -f /tmp/openshift-client-linux.tar.gz
 EOF
 
-# Install the oc client end
+### END Install the oc client
 
 ####################
 # jupyter-minimal  #
@@ -93,7 +93,7 @@ COPY ${JUPYTER_REUSABLE_UTILS} utils/
 
 USER 0
 
-# Dependencies for PDF export begin
+# Dependencies for PDF export
 RUN --mount=type=cache,from=pdf-builder,source=/usr/local/,target=/pdf_builder/,rw \
     bash -c ' \
     if [[ "$(uname -m)" == "ppc64le" ]]; then \
@@ -138,3 +138,9 @@ LABEL name="rhoai/odh-workbench-jupyter-minimal-cpu-py312-rhel9" \
     description="Minimal Jupyter CPU notebook image with base Python 3.12 builder image based on UBI9 for ODH notebooks" \
     io.k8s.description="Minimal Jupyter CPU notebook image with base Python 3.12 builder image based on UBI9 for ODH notebooks" \
     com.redhat.license_terms="https://www.redhat.com/licenses/Red_Hat_Standard_EULA_20191108.pdf"
+
+### BEGIN Dependencies for PDF export
+RUN ./utils/install_pdf_deps.sh
+ENV PATH="/usr/local/texlive/bin/linux:/usr/local/pandoc/bin:$PATH"
+
+### END Dependencies for PDF export

jupyter/minimal/ubi9-python-3.12/Dockerfile.konflux.cuda

@@ -25,7 +25,7 @@ USER 0
 # By copying ubi.repo from the public UBI 9 image, we enable package management for upgrades and installations.
 COPY --from=ubi-repos /etc/yum.repos.d/ubi.repo /etc/yum.repos.d/ubi.repo
 
-# upgrade first to avoid fixable vulnerabilities begin
+### BEGIN upgrade first to avoid fixable vulnerabilities
 # Problem: The operation would result in removing the following protected packages: systemd
 #  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
 # Solution: --best --skip-broken does not work either, so use --nobest
@@ -35,7 +35,7 @@ dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=in
 dnf clean all -y
 EOF
 
-# upgrade first to avoid fixable vulnerabilities end
+### END upgrade first to avoid fixable vulnerabilities
 
 # Install useful OS packages
 RUN /bin/bash <<'EOF'
@@ -48,11 +48,11 @@ EOF
 # Other apps and tools installed as default user
 USER 1001
 
-# Install micropipenv and uv to deploy packages from requirements.txt begin
+### BEGIN Install micropipenv and uv to deploy packages from requirements.txt
 RUN pip install --no-cache-dir --extra-index-url https://pypi.org/simple -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
-# Install micropipenv and uv to deploy packages from requirements.txt end
+### END Install micropipenv and uv to deploy packages from requirements.txt
 
-# Install the oc client begin
+### BEGIN Install the oc client
 RUN /bin/bash <<'EOF'
 set -Eeuxo pipefail
 curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
@@ -61,7 +61,7 @@ tar -xzvf /tmp/openshift-client-linux.tar.gz oc
 rm -f /tmp/openshift-client-linux.tar.gz
 EOF
 
-# Install the oc client end
+### END Install the oc client
 
 #########################
 # cuda-jupyter-minimal  #
@@ -87,11 +87,11 @@ COPY ${JUPYTER_REUSABLE_UTILS} utils/
 
 USER 0
 
-# Dependencies for PDF export begin
+### BEGIN Dependencies for PDF export
 RUN ./utils/install_pdf_deps.sh
 ENV PATH="/usr/local/texlive/bin/linux:/usr/local/pandoc/bin:$PATH"
 
-# Dependencies for PDF export end
+### END Dependencies for PDF export
 
 USER 1001