RHAIENG-987: remove skopeo and OpenShift client installation from RStudio Dockerfiles to address CVE-2025-4674

Author: jiridanek

rstudio/c9s-python-3.11/Dockerfile.cpu

@@ -23,18 +23,12 @@ RUN dnf -y upgrade --refresh --best --nodocs --noplugins --setopt=install_weak_d
 # upgrade first to avoid fixable vulnerabilities end
 
 # Install useful OS packages
-RUN dnf install -y mesa-libGL skopeo && dnf clean all && rm -rf /var/cache/yum
+# remove skopeo, CVE-2025-4674
+RUN dnf install -y mesa-libGL && dnf clean all && rm -rf /var/cache/yum
 
 # Other apps and tools installed as default user
 USER 1001
 
-# Install the oc client begin
-RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
-        -o /tmp/openshift-client-linux.tar.gz && \
-    tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \
-    rm -f /tmp/openshift-client-linux.tar.gz
-# Install the oc client end
-
 WORKDIR /opt/app-root/src
 
 #####################

rstudio/c9s-python-3.11/Dockerfile.cuda

@@ -25,18 +25,12 @@ RUN dnf -y upgrade --refresh --best --nodocs --noplugins --setopt=install_weak_d
 # upgrade first to avoid fixable vulnerabilities end
 
 # Install useful OS packages
-RUN dnf install -y mesa-libGL skopeo && dnf clean all && rm -rf /var/cache/yum
+# remove skopeo, CVE-2025-4674
+RUN dnf install -y mesa-libGL && dnf clean all && rm -rf /var/cache/yum
 
 # Other apps and tools installed as default user
 USER 1001
 
-# Install the oc client begin
-RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
-        -o /tmp/openshift-client-linux.tar.gz && \
-    tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \
-    rm -f /tmp/openshift-client-linux.tar.gz
-# Install the oc client end
-
 WORKDIR /opt/app-root/src
 
 #####################

rstudio/rhel9-python-3.11/Dockerfile.cpu

@@ -18,18 +18,12 @@ RUN dnf -y upgrade --refresh --best --nodocs --noplugins --setopt=install_weak_d
 # upgrade first to avoid fixable vulnerabilities end
 
 # Install useful OS packages
-RUN dnf install -y mesa-libGL skopeo && dnf clean all && rm -rf /var/cache/yum
+# remove skopeo, CVE-2025-4674
+RUN dnf install -y mesa-libGL && dnf clean all && rm -rf /var/cache/yum
 
 # Other apps and tools installed as default user
 USER 1001
 
-# Install the oc client begin
-RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
-        -o /tmp/openshift-client-linux.tar.gz && \
-    tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \
-    rm -f /tmp/openshift-client-linux.tar.gz
-# Install the oc client end
-
 WORKDIR /opt/app-root/src
 
 #####################

rstudio/rhel9-python-3.11/Dockerfile.cuda

@@ -20,18 +20,12 @@ RUN dnf -y upgrade --refresh --best --nodocs --noplugins --setopt=install_weak_d
 # upgrade first to avoid fixable vulnerabilities end
 
 # Install useful OS packages
-RUN dnf install -y mesa-libGL skopeo && dnf clean all && rm -rf /var/cache/yum
+# remove skopeo, CVE-2025-4674
+RUN dnf install -y mesa-libGL && dnf clean all && rm -rf /var/cache/yum
 
 # Other apps and tools installed as default user
 USER 1001
 
-# Install the oc client begin
-RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
-        -o /tmp/openshift-client-linux.tar.gz && \
-    tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \
-    rm -f /tmp/openshift-client-linux.tar.gz
-# Install the oc client end
-
 WORKDIR /opt/app-root/src
 
 ################

scripts/dockerfile_fragments.py

@@ -36,16 +36,17 @@ def main():
             prefix="Install micropipenv and uv to deploy packages from requirements.txt",
         )
 
-        blockinfile(
-            dockerfile,
-            textwrap.dedent(r"""
-            RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
-                    -o /tmp/openshift-client-linux.tar.gz && \
-                tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \
-                rm -f /tmp/openshift-client-linux.tar.gz
-            """),
-            prefix="Install the oc client",
-        )
+        if not is_rstudio(dockerfile):
+            blockinfile(
+                dockerfile,
+                textwrap.dedent(r"""
+                RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
+                        -o /tmp/openshift-client-linux.tar.gz && \
+                    tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \
+                    rm -f /tmp/openshift-client-linux.tar.gz
+                """),
+                prefix="Install the oc client",
+            )
 
         if is_jupyter(dockerfile):
             blockinfile(
@@ -106,6 +107,10 @@ def is_jupyter(filename: pathlib.Path) -> bool:
     return filename.is_relative_to(ROOT_DIR / "jupyter")
 
 
+def is_rstudio(filename: pathlib.Path) -> bool:
+    return filename.is_relative_to(ROOT_DIR / "rstudio")
+
+
 if __name__ == "__main__":
     main()
 

tests/containers/base_image_test.py

@@ -164,6 +164,8 @@ def test_oc_command_runs_fake_fips(self, image: str, subtests: pytest_subtests.S
         """Establishes a best-effort fake FIPS environment and attempts to execute `oc` binary in it.
 
         Related issue: RHOAIENG-4350 In workbench the oc CLI tool cannot be used on FIPS enabled cluster"""
+        if utils.is_rstudio_image(image):
+            pytest.skip("oc command is not preinstalled in RStudio images.")
         with tempfile.TemporaryDirectory() as tmp_crypto:
             # Ubuntu does not even have /proc/sys/crypto directory, unless FIPS is activated and machine
             #  is rebooted, see https://ubuntu.com/security/certifications/docs/fips-enablement