RHAIENG-987: remove skopeo and OpenShift client installation from RStudio Dockerfiles to address CVE-2025-4674

rstudio/c9s-python-3.11/Dockerfile.cpu

@@ -23,18 +23,12 @@ RUN dnf -y upgrade --refresh --best --nodocs --noplugins --setopt=install_weak_d
 # upgrade first to avoid fixable vulnerabilities end
 
 # Install useful OS packages
-RUN dnf install -y mesa-libGL skopeo && dnf clean all && rm -rf /var/cache/yum
+# remove skopeo, CVE-2025-4674
+RUN dnf install -y mesa-libGL && dnf clean all && rm -rf /var/cache/yum
 
 # Other apps and tools installed as default user
 USER 1001
 
-# Install the oc client begin
-RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
-        -o /tmp/openshift-client-linux.tar.gz && \
-    tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \
-    rm -f /tmp/openshift-client-linux.tar.gz
-# Install the oc client end
-
 WORKDIR /opt/app-root/src
 
 #####################

rstudio/c9s-python-3.11/Dockerfile.cuda

@@ -25,18 +25,12 @@ RUN dnf -y upgrade --refresh --best --nodocs --noplugins --setopt=install_weak_d
 # upgrade first to avoid fixable vulnerabilities end
 
 # Install useful OS packages
-RUN dnf install -y mesa-libGL skopeo && dnf clean all && rm -rf /var/cache/yum
+# remove skopeo, CVE-2025-4674
+RUN dnf install -y mesa-libGL && dnf clean all && rm -rf /var/cache/yum
 
 # Other apps and tools installed as default user
 USER 1001
 
-# Install the oc client begin
-RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
-        -o /tmp/openshift-client-linux.tar.gz && \
-    tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \
-    rm -f /tmp/openshift-client-linux.tar.gz
-# Install the oc client end
-
 WORKDIR /opt/app-root/src
 
 #####################

rstudio/rhel9-python-3.11/Dockerfile.cpu

@@ -18,18 +18,12 @@ RUN dnf -y upgrade --refresh --best --nodocs --noplugins --setopt=install_weak_d
 # upgrade first to avoid fixable vulnerabilities end
 
 # Install useful OS packages
-RUN dnf install -y mesa-libGL skopeo && dnf clean all && rm -rf /var/cache/yum
+# remove skopeo, CVE-2025-4674
+RUN dnf install -y mesa-libGL && dnf clean all && rm -rf /var/cache/yum
 
 # Other apps and tools installed as default user
 USER 1001
 
-# Install the oc client begin
-RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
-        -o /tmp/openshift-client-linux.tar.gz && \
-    tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \
-    rm -f /tmp/openshift-client-linux.tar.gz
-# Install the oc client end
-
 WORKDIR /opt/app-root/src
 
 #####################

rstudio/rhel9-python-3.11/Dockerfile.cuda

@@ -20,18 +20,12 @@ RUN dnf -y upgrade --refresh --best --nodocs --noplugins --setopt=install_weak_d
 # upgrade first to avoid fixable vulnerabilities end
 
 # Install useful OS packages
-RUN dnf install -y mesa-libGL skopeo && dnf clean all && rm -rf /var/cache/yum
+# remove skopeo, CVE-2025-4674
+RUN dnf install -y mesa-libGL && dnf clean all && rm -rf /var/cache/yum
 
 # Other apps and tools installed as default user
 USER 1001
 
-# Install the oc client begin
-RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
-        -o /tmp/openshift-client-linux.tar.gz && \
-    tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \
-    rm -f /tmp/openshift-client-linux.tar.gz
-# Install the oc client end
-
 WORKDIR /opt/app-root/src
 
 ################

scripts/dockerfile_fragments.py

@@ -36,16 +36,17 @@ def main():
             prefix="Install micropipenv and uv to deploy packages from requirements.txt",
         )
 
-        blockinfile(
-            dockerfile,
-            textwrap.dedent(r"""
-            RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
-                    -o /tmp/openshift-client-linux.tar.gz && \
-                tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \
-                rm -f /tmp/openshift-client-linux.tar.gz
-            """),
-            prefix="Install the oc client",
-        )
+        if not is_rstudio(dockerfile):
+            blockinfile(
+                dockerfile,
+                textwrap.dedent(r"""
+                RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/ocp/stable/openshift-client-linux.tar.gz \
+                        -o /tmp/openshift-client-linux.tar.gz && \
+                    tar -xzvf /tmp/openshift-client-linux.tar.gz oc && \
+                    rm -f /tmp/openshift-client-linux.tar.gz
+                """),
+                prefix="Install the oc client",
+            )
 
         if is_jupyter(dockerfile):
             blockinfile(
@@ -106,6 +107,10 @@ def is_jupyter(filename: pathlib.Path) -> bool:
     return filename.is_relative_to(ROOT_DIR / "jupyter")
 
 
+def is_rstudio(filename: pathlib.Path) -> bool:
+    return filename.is_relative_to(ROOT_DIR / "rstudio")
+
+
 if __name__ == "__main__":
     main()
 

tests/containers/base_image_test.py

@@ -92,11 +92,6 @@ def check_elf_file():
                         json.dumps({"dir": path, "count_scanned": count_scanned, "unsatisfied": unsatisfied_deps}),
                     )
 
-                ecode, output = container.exec(["/bin/sh", "-c", "oc version"])
-
-                logging.debug(output.decode())
-                assert ecode == 0
-
             _ecode, output = container.exec(
                 encode_python_function_execution_command_interpreter("/usr/bin/python3", check_elf_file)
             )
@@ -128,6 +123,9 @@ def check_elf_file():
         self._run_test(image=image, test_fn=test_fn)
 
     def test_oc_command_runs(self, image: str):
+        if utils.is_rstudio_image(image):
+            pytest.skip("oc command is not preinstalled in RStudio images.")
+
         def test_fn(container: testcontainers.core.container.DockerContainer):
             ecode, output = container.exec(["/bin/sh", "-c", "oc version"])
 
@@ -137,6 +135,9 @@ def test_fn(container: testcontainers.core.container.DockerContainer):
         self._run_test(image=image, test_fn=test_fn)
 
     def test_skopeo_command_runs(self, image: str):
+        if utils.is_rstudio_image(image):
+            pytest.skip("skopeo command is not preinstalled in RStudio images.")
+
         def test_fn(container: testcontainers.core.container.DockerContainer):
             ecode, output = container.exec(["/bin/sh", "-c", "skopeo --version"])
 
@@ -164,6 +165,8 @@ def test_oc_command_runs_fake_fips(self, image: str, subtests: pytest_subtests.S
         """Establishes a best-effort fake FIPS environment and attempts to execute `oc` binary in it.
 
         Related issue: RHOAIENG-4350 In workbench the oc CLI tool cannot be used on FIPS enabled cluster"""
+        if utils.is_rstudio_image(image):
+            pytest.skip("oc command is not preinstalled in RStudio images.")
         with tempfile.TemporaryDirectory() as tmp_crypto:
             # Ubuntu does not even have /proc/sys/crypto directory, unless FIPS is activated and machine
             #  is rebooted, see https://ubuntu.com/security/certifications/docs/fips-enablement