RHAIENG-2111: chore(trustyai): disable dnf caching on konflux builds

Author: jiridanek

jupyter/trustyai/ubi9-python-3.12/Dockerfile.cpu

@@ -3,6 +3,8 @@
 #########################
 ARG BASE_IMAGE
 
+ARG PKG_CACHE="on"
+
 ######################################################
 # mongocli-builder (build stage only, not published) #
 ######################################################
@@ -34,6 +36,7 @@ ARG TRUSTYAI_SOURCE_CODE=jupyter/trustyai/ubi9-python-3.12
 COPY ${TRUSTYAI_SOURCE_CODE}/pylock.toml .
 COPY ${TRUSTYAI_SOURCE_CODE}/devel_env_setup.sh .
 
+ARG PKG_CACHE
 RUN --mount=type=cache,target=/var/cache/dnf,sharing=locked,id=notebooks-dnf \
     --mount=type=cache,target=/root/.cache/uv /bin/bash <<'EOF'
 set -Eeuxo pipefail
@@ -52,6 +55,8 @@ source ./devel_env_setup.sh
 #  we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
 # RHAIENG-2111: building pandas requires cython from PyPI
 UV_LINK_MODE=copy uv pip install --strict --no-deps --refresh --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --extra-index-url https://pypi.org/simple --requirements=./pylock.toml
+
+if [ "${PKG_CACHE}" == "off" ]; then dnf clean all; fi
 EOF
 
 ####################
@@ -80,17 +85,23 @@ EOF
 # Problem: The operation would result in removing the following protected packages: systemd
 #  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
 # Solution: --best --skip-broken does not work either, so use --nobest
+ARG PKG_CACHE
 RUN --mount=type=cache,target=/var/cache/dnf,sharing=locked,id=notebooks-dnf /bin/bash <<'EOF'
 set -Eeuxo pipefail
-dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=1
+dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=$DNF_KEEPCACHE
+
+if [ "${PKG_CACHE}" == "off" ]; then dnf clean all; fi
 EOF
 
 ### END upgrade first to avoid fixable vulnerabilities
 
 # Install useful OS packages
+ARG PKG_CACHE
 RUN --mount=type=cache,target=/var/cache/dnf,sharing=locked,id=notebooks-dnf /bin/bash <<'EOF'
 set -Eeuxo pipefail
 dnf install -y --setopt=keepcache=1 perl mesa-libGL skopeo
+
+if [ "${PKG_CACHE}" == "off" ]; then dnf clean all; fi
 EOF
 
 # Other apps and tools installed as default user
@@ -152,9 +163,12 @@ WORKDIR /opt/app-root/bin
 USER root
 
 # Install useful OS packages
+ARG PKG_CACHE
 RUN --mount=type=cache,target=/var/cache/dnf,sharing=locked,id=notebooks-dnf /bin/bash <<'EOF'
 set -Eeuxo pipefail
 dnf install -y --setopt=keepcache=1 jq unixODBC unixODBC-devel postgresql git-lfs libsndfile libxcrypt-compat
+
+if [ "${PKG_CACHE}" == "off" ]; then dnf clean all; fi
 EOF
 
 # Copy dynamically-linked mongocli built in earlier build stage
@@ -192,6 +206,7 @@ USER 0
 
 # Install jre that is needed to run the trustyai library
 # Also install runtime libraries for s390x/ppc64le
+ARG PKG_CACHE
 RUN --mount=type=cache,target=/var/cache/dnf,sharing=locked,id=notebooks-dnf /bin/bash <<'EOF'
 set -Eeuxo pipefail
 INSTALL_PKGS="java-17-openjdk"
@@ -206,6 +221,8 @@ if [ "$ARCH" = "s390x" ] || [ "$ARCH" = "ppc64le" ]; then
     ln -sf /usr/lib64/libopenblasp.so.0 /usr/lib64/libopenblas.so.0
     ldconfig
 fi
+
+if [ "${PKG_CACHE}" == "off" ]; then dnf clean all; fi
 EOF
 
 # Install Python packages and Jupyterlab extensions from requirements.txt

jupyter/trustyai/ubi9-python-3.12/Dockerfile.konflux.cpu

@@ -3,6 +3,8 @@
 #########################
 ARG BASE_IMAGE
 
+ARG PKG_CACHE="on"
+
 # External image alias for UBI repository configuration
 FROM registry.access.redhat.com/ubi9/ubi AS ubi-repos
 
@@ -52,6 +54,7 @@ EOF
 
 ### END Subscribe with subscription manager
 
+ARG PKG_CACHE
 RUN --mount=type=cache,target=/var/cache/dnf,sharing=locked,id=notebooks-dnf \
     --mount=type=cache,target=/root/.cache/uv /bin/bash <<'EOF'
 set -Eeuxo pipefail
@@ -65,6 +68,8 @@ source ./devel_env_setup.sh
 #  we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
 # RHAIENG-2111: building pandas requires cython from PyPI
 UV_LINK_MODE=copy uv pip install --strict --no-deps --refresh --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --extra-index-url https://pypi.org/simple --requirements=./pylock.toml
+
+if [ "${PKG_CACHE}" == "off" ]; then dnf clean all; fi
 EOF
 
 ####################
@@ -98,17 +103,23 @@ EOF
 # Problem: The operation would result in removing the following protected packages: systemd
 #  (try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
 # Solution: --best --skip-broken does not work either, so use --nobest
+ARG PKG_CACHE
 RUN --mount=type=cache,target=/var/cache/dnf,sharing=locked,id=notebooks-dnf /bin/bash <<'EOF'
 set -Eeuxo pipefail
-dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=1
+dnf -y upgrade --refresh --nobest --skip-broken --nodocs --noplugins --setopt=install_weak_deps=0 --setopt=keepcache=$DNF_KEEPCACHE
+
+if [ "${PKG_CACHE}" == "off" ]; then dnf clean all; fi
 EOF
 
 ### END upgrade first to avoid fixable vulnerabilities
 
 # Install useful OS packages
+ARG DNF_KEEPCACHE
 RUN --mount=type=cache,target=/var/cache/dnf,sharing=locked,id=notebooks-dnf /bin/bash <<'EOF'
 set -Eeuxo pipefail
 dnf install -y --setopt=keepcache=1 perl mesa-libGL skopeo
+
+if [ "${PKG_CACHE}" == "off" ]; then dnf clean all; fi
 EOF
 
 # Other apps and tools installed as default user
@@ -170,9 +181,12 @@ WORKDIR /opt/app-root/bin
 USER root
 
 # Install useful OS packages
+ARG PKG_CACHE
 RUN --mount=type=cache,target=/var/cache/dnf,sharing=locked,id=notebooks-dnf /bin/bash <<'EOF'
 set -Eeuxo pipefail
 dnf install -y --setopt=keepcache=1 jq unixODBC unixODBC-devel postgresql git-lfs libsndfile libxcrypt-compat
+
+if [ "${PKG_CACHE}" == "off" ]; then dnf clean all; fi
 EOF
 
 # Copy dynamically-linked mongocli built in earlier build stage
@@ -208,6 +222,7 @@ USER 0
 
 # Install jre that is needed to run the trustyai library
 # Also install runtime libraries for s390x/ppc64le
+ARG DNF_KEEPCACHE
 RUN --mount=type=cache,target=/var/cache/dnf,sharing=locked,id=notebooks-dnf /bin/bash <<'EOF'
 set -Eeuxo pipefail
 INSTALL_PKGS="java-17-openjdk"
@@ -222,6 +237,8 @@ if [ "$ARCH" = "s390x" ] || [ "$ARCH" = "ppc64le" ]; then
     ln -sf /usr/lib64/libopenblasp.so.0 /usr/lib64/libopenblas.so.0
     ldconfig
 fi
+
+if [ "${PKG_CACHE}" == "off" ]; then dnf clean all; fi
 EOF
 
 # Install Python packages and Jupyterlab extensions from requirements.txt

jupyter/trustyai/ubi9-python-3.12/build-args/konflux.cpu.conf

@@ -1,3 +1,4 @@
 # Base Image   : RHEL 9.6 with Python 3.12
 # Architectures: linux/arm64, linux/ppc64le, linux/x86_64, linux/s360x
 BASE_IMAGE=quay.io/aipcc/base-images/cpu:3.0-1761580156
+PKG_CACHE=off