RHAIENG-2042: fixup(base-images): add TARGETARCH as an argument to ubi9-python-3.12 Dockerfile

[jiridanek]

• RHAIENG-2042: chore(base-images): add ppc64le (and s390x todo later) architectures to odh-base-image-cpu-py312-c9s #2688
• RHAIENG-2042: chore(base-images): use AIPCC-style scripting instead of scl base to add s390x architecture to odh-base-image-cpu-py312-c9s #2690
  TODO

# AIPCC bases enable codeready-builder, so we need to do the CentOS equivalent
# In RHEL this is codeready-builder-for-rhel-${RELEASEVER_MAJOR}-${ARCH}-eus-rpms
# or codeready-builder-for-rhel-${RELEASEVER_MAJOR}-${ARCH}-rpms
/usr/bin/crb enable

Description

The c9s PR did not trigger building the ubi9 version, so I missed on the fact that changes are needed there.

It seems reasonable to remove the ubi9 base image as it is unused and only leave c9s. But I don't want to do it right now, first I will make it work and then make it go away.

How Has This Been Tested?

Self checklist (all need to be checked):

• Ensure that you have run make test (gmake on macOS) before asking for review
• Changes to everything except Dockerfile.konflux files should be done in odh/notebooks and automatically synced to rhds/notebooks. For Konflux-specific changes, modify Dockerfile.konflux files directly in rhds/notebooks as these require special attention in the downstream repository and flow to the upcoming RHOAI release.

Merge criteria:

• The commits are squashed in a cohesive manner and have meaningful messages.
• Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
• The developer has manually tested the changes and verified that the changes work

Summary by CodeRabbit

• Chores
  • Made base image builds architecture-aware so images adapt to the target CPU architecture.
  • Adjusted builder configuration in the base image build flow (toggled CodeReady Builder handling) to streamline build sequencing and tool enabling.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign andyatmiami for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Walkthrough

Adds TARGETARCH propagation to two CPU Docker base images and removes the install_csb() function (CRB enablement) and its invocation from base-images/utils/aipcc.sh, changing how codeready-builder is configured during image build.

Changes

Cohort / File(s)	Change Summary
Dockerfiles — TARGETARCH propagation base-images/cpu/ubi9-python-3.12/Dockerfile.cpu, base-images/cpu/c9s-python-3.12/Dockerfile.cpu	Declare and export ARG TARGETARCH in the base stage before running /mnt/aipcc.sh, making the build script receive the target architecture. In c9s-python-3.12, also adds a crb enable step inside the RUN sequence prior to invoking /mnt/aipcc.sh.
Build helper script — CRB removal base-images/utils/aipcc.sh	Removed the install_csb() function and its invocation from the main flow; main now proceeds from install_epel without attempting codeready-builder enablement.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

• Heterogeneous changes across Dockerfiles and a shared build script — requires checking multi-stage ARG positioning, build-time variable propagation, and interactions between Dockerfile CRB enablement and the removed function in aipcc.sh.
• Files to pay extra attention to:
  • base-images/cpu/*Dockerfile.cpu — ensure ARG TARGETARCH is declared in the correct stage(s) and exported properly.
  • base-images/utils/aipcc.sh — ensure removal of install_csb() doesn't leave unmet dependencies or assumptions elsewhere.

Possibly related issues

• Enhance multi-architecture Dockerfile structure and consistency #1332 — Matches recommendation to declare and export TARGETARCH to make base stages architecture-aware.
• Refactor: Use Docker build args for architecture detection in minimal Dockerfile.cpu #1160 — Related to replacing runtime uname-based detection with build-time TARGETARCH propagation.
• Fix ARG TARGETARCH declaration order in Dockerfile.cuda base-images#21 — Same objective: ensure TARGETARCH is available across build stages.
• Fix ARG TARGETARCH declaration order in Dockerfile.cuda base-images#22 — Addresses correct declaration/usage of TARGETARCH before reference.
• Add multi-architecture support for RStudio RPM installation in C9S CPU Dockerfile #2559 — Related to enabling architecture-specific behavior via TARGETARCH during image/RPM installation.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is incomplete. The 'How Has This Been Tested?' section lacks testing details, and all self-checklist and merge criteria items remain unchecked despite being required.	Provide specific testing details, check all applicable self-checklist items, check all merge criteria items, and ensure commits are squashed with meaningful messages before requesting review.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding TARGETARCH as an argument to the ubi9-python-3.12 Dockerfile, which aligns with the primary objectives and file changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[jiridanek]

@coderabbitai as expected, this fails on

  + dnf config-manager --set-enabled crb
  Updating Subscription Management repositories.
  Unable to read consumer identity
  
  This system is not registered with an entitlement server. You can use subscription-manager to register.
  
  Error: No matching repo to modify: crb.
  subprocess exited with status 1
  subprocess exited with status 1

[coderabbitai]

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Look at the aipcc.sh script to understand what it's doing with the crb repository
cat base-images/utils/aipcc.sh

Length of output: 9069

---

🏁 Script executed:

#!/bin/bash
# Check if there are other Dockerfiles that might show how to handle UBI9 vs c9s differences
fd -e cpu -t f "Dockerfile" base-images/cpu

Length of output: 94

---

🏁 Script executed:

#!/bin/bash
# Look at the c9s equivalent to see if it handles this differently
cat base-images/cpu/c9s-python-3.12/Dockerfile.cpu 2>/dev/null || echo "File not found"

Length of output: 2395

---

🏁 Script executed:

#!/bin/bash
# Search for any existing handling of UBI9 vs c9s repository differences
rg -n "crb|CodeReady" base-images/

Length of output: 71

---

@jiridanek The issue is clear from the aipcc.sh script. The install_csb() function at line 343 tries to enable the crb (CodeReady Builder) repository, which exists in CentOS Stream 9 but not in UBI9.

The script assumes it's running on CentOS Stream 9 where the crb repository is available. UBI9 (Universal Base Image) has a different repository structure and doesn't include the CodeReady Builder repository.

Here are a few solutions:

Option 1: Detect the OS and conditionally enable crb

Modify aipcc.sh to check the OS type before enabling crb:

function install_csb() {
    dnf install "${DNF_OPTS[@]}" dnf-plugins-core
    
    # Only enable crb on CentOS Stream, not on UBI
    if grep -q "CentOS Stream" /etc/os-release; then
        dnf config-manager --set-enabled crb
    fi
}

Option 2: Check if the repository exists before enabling

function install_csb() {
    dnf install "${DNF_OPTS[@]}" dnf-plugins-core
    
    # Only enable crb if it exists
    if dnf repolist --all | grep -q "^crb"; then
        dnf config-manager --set-enabled crb
    fi
}

Option 3: Pass an environment variable from the Dockerfile

Set a variable in the ubi9 Dockerfile to indicate it's UBI9, and check it in the script.

The first option is probably the cleanest since it explicitly handles the different base images. Would you like me to prepare a patch for aipcc.sh with one of these approaches?

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5bbfb95 and 33d3969.

📒 Files selected for processing (3)

• base-images/cpu/c9s-python-3.12/Dockerfile.cpu (1 hunks)
• base-images/cpu/ubi9-python-3.12/Dockerfile.cpu (1 hunks)
• base-images/utils/aipcc.sh (0 hunks)

💤 Files with no reviewable changes (1)

• base-images/utils/aipcc.sh

🚧 Files skipped from review as they are similar to previous changes (1)

• base-images/cpu/ubi9-python-3.12/Dockerfile.cpu

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Red Hat Konflux / odh-base-image-cpu-py312-ubi9-on-pull-request

🔇 Additional comments (1)

base-images/cpu/c9s-python-3.12/Dockerfile.cpu (1)

1-1: TARGETARCH propagation and crb enable addition are correct and justified.

Verification confirms TARGETARCH is actively used by /mnt/aipcc.sh (line 4: ARCH=${TARGETARCH}) and the double declaration (global line 1 and stage-level line 27) correctly follows Docker multi-stage build patterns. The crb enable addition (line 69) is appropriately placed with explanatory comments for CentOS Stream 9 equivalence, replacing the previous responsibility from aipcc.sh (install_csb function no longer present). All architectural patterns align with build requirements.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

Clarify the shift of CRB enablement from script to Dockerfile.

The addition of /usr/bin/crb enable directly in the Dockerfile (lines 66-69) indicates that codeready-builder enablement has been moved from the aipcc.sh script (where install_csb() was presumably called). This is a functional shift that should be validated:

1. Confirm that the install_csb() function has been removed from base-images/utils/aipcc.sh
2. Verify that calling crb enable directly in the Dockerfile does not conflict with any invocations in the script
3. Ensure that this approach is consistent with the ubi9 variant (mentioned in the PR title but not shown in this review)

---

🏁 Script executed:

#!/bin/bash
# Description: Verify the removal of install_csb() and absence of conflicting crb enable calls

# Check if install_csb() exists in aipcc.sh
rg -n 'install_csb' base-images/utils/aipcc.sh

# Check if there are any remaining crb or codeready-builder references in aipcc.sh
rg -n -i 'crb|codeready' base-images/utils/aipcc.sh

# Verify that ubi9 Dockerfile also includes the same crb enable call
rg -n 'crb enable' base-images/cpu/ubi9-python-3.12/Dockerfile.cpu

Length of output: 0

---

I need to gather more information about the repository structure and file contents since the initial search produced no output.

---

🏁 Script executed:

#!/bin/bash
# Check if files exist and get directory structure
echo "=== Checking directory structure ==="
find base-images -type f -name "aipcc.sh" 2>/dev/null || echo "aipcc.sh not found in base-images"
find base-images -type f -name "Dockerfile.cpu" 2>/dev/null | head -20

echo -e "\n=== Checking aipcc.sh exists and has content ==="
if [ -f "base-images/utils/aipcc.sh" ]; then
  wc -l base-images/utils/aipcc.sh
  echo "File exists"
else
  echo "aipcc.sh not found at expected path"
fi

echo -e "\n=== Checking c9s Dockerfile exists ==="
if [ -f "base-images/cpu/c9s-python-3.12/Dockerfile.cpu" ]; then
  echo "File exists"
else
  echo "c9s Dockerfile not found"
fi

Length of output: 303

---

---

🏁 Script executed:

#!/bin/bash
# View content of aipcc.sh to check for install_csb and crb references
echo "=== Searching aipcc.sh for install_ functions ==="
grep -n "^install_" base-images/utils/aipcc.sh | head -20

echo -e "\n=== Searching aipcc.sh for crb or codeready (case-insensitive) ==="
grep -n -i "crb\|codeready" base-images/utils/aipcc.sh || echo "No matches found"

echo -e "\n=== Viewing c9s Dockerfile (lines 60-75) ==="
sed -n '60,75p' base-images/cpu/c9s-python-3.12/Dockerfile.cpu

echo -e "\n=== Viewing ubi9 Dockerfile (lines 60-75) ==="
sed -n '60,75p' base-images/cpu/ubi9-python-3.12/Dockerfile.cpu

echo -e "\n=== Checking for any crb enable in aipcc.sh ==="
grep -n "crb enable" base-images/utils/aipcc.sh || echo "No crb enable found in aipcc.sh"

Length of output: 796

---

---

🏁 Script executed:

#!/bin/bash
# Check if crb enable exists anywhere in ubi9 Dockerfile
echo "=== Searching ubi9 Dockerfile for crb enable ==="
grep -n "crb enable" base-images/cpu/ubi9-python-3.12/Dockerfile.cpu || echo "No crb enable found in ubi9"

echo -e "\n=== ubi9 Dockerfile total lines ==="
wc -l base-images/cpu/ubi9-python-3.12/Dockerfile.cpu

echo -e "\n=== Viewing full ubi9 Dockerfile ==="
cat base-images/cpu/ubi9-python-3.12/Dockerfile.cpu

Length of output: 742

---

Address inconsistency: crb enable missing from ubi9 variant.

The verification confirms a significant inconsistency between the c9s and ubi9 variants:

• c9s Dockerfile (lines 66-69): Includes /usr/bin/crb enable before calling /mnt/aipcc.sh
• ubi9 Dockerfile (24 lines total): No crb enable call present

The original concerns were validated:

1. ✓ install_csb() confirmed removed from base-images/utils/aipcc.sh
2. ✓ No conflicting crb enable calls in the script
3. ✗ Inconsistency with ubi9: the functional shift was applied only to c9s

Either add /usr/bin/crb enable to the ubi9 Dockerfile (before calling /mnt/aipcc.sh) for consistency, or document why ubi9 differs from c9s.

🤖 Prompt for AI Agents

In base-images/cpu/ubi9-python-3.12/Dockerfile.cpu (the ubi9 variant, full file
~24 lines) the `/usr/bin/crb enable` call is missing compared to c9s (which runs
it before `/mnt/aipcc.sh` around lines 66-69); add a `/usr/bin/crb enable`
invocation immediately before the `/mnt/aipcc.sh` call in the ubi9 Dockerfile to
mirror c9s behavior, or if ubi9 must differ, add a short comment in the ubi9
Dockerfile documenting why the CRB enable step is intentionally omitted and
reference the c9s Dockerfile for context.

[openshift-ci]

@jiridanek: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/images	33d3969	link	true	/test images

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.