Merge pull request #164 from harshad16/rsync-main

sync main branch with upstream OpenDatahub:main
red-hat-data-services · Mar 14, 2024 · 6f12dd6 · 6f12dd6
2 parents 6805b6a + 5c2fbc6
commit 6f12dd6
Show file tree

Hide file tree

Showing 101 changed files with 11,517 additions and 10,225 deletions.
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md
@@ -20,7 +20,7 @@ labels: 'kind/bug'
 - OpenDatahub Version: (please check the operator version)
 - Workbench: (all, data-science, etc)
 - Workbench Version: (2023.1, etc)
-- Specific tool: (jupyterlab, rstudio, code-server, elyra-pipelines,etc)
+- Specific tool: (jupyterlab, rstudio server, code-server, elyra-pipelines,etc)
 - Notebook-Controller Version: (please check the image version in notebook-controller deployment)
 
 **Logs/Screenshots**
diff --git a/.github/workflows/code-quality.yaml b/.github/workflows/code-quality.yaml
@@ -9,25 +9,26 @@ jobs:
   code-static-analysis:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
 
       - name: Validate YAML files (best code practices check included)
         id: validate-yaml-files
-        uses: ibiqlik/[email protected]
-        with:
-          config_file: ./ci/yamllint-config.yaml
+        run: |
+          type yamllint || sudo apt-get -y install yamllint
+          find . -name "*.yaml" | xargs yamllint --strict --config-file ./ci/yamllint-config.yaml
+          find . -name "*.yml" | xargs yamllint --strict --config-file ./ci/yamllint-config.yaml
 
       # In some YAML files we use JSON strings, let's check these
       - name: Validate JSON strings in YAML files (just syntax)
         id: validate-json-strings-in-yaml-files
         run: |
-          type json_verify || sudo apt-get install yajl-tools
+          type json_verify || sudo apt-get -y install yajl-tools
           bash ./ci/check-json.sh
 
       - name: Validate JSON files (just syntax)
         id: validate-json-files
         run: |
-          type json_verify || sudo apt-get install yajl-tools
+          type json_verify || sudo apt-get -y install yajl-tools
           shopt -s globstar
           ret_code=0
           echo "-- Checking a regular '*.json' files"
@@ -40,3 +41,13 @@ jobs:
               echo "There were errors in some of the checked files. Please run `json_verify` on such files and fix issues there."
           fi
           exit "${ret_code}"
+
+      - name: Validate Dockerfiles
+        id: validate-dockerfiles
+        run: |
+          type hadolint || sudo apt-get -y install wget \
+                             && wget --output-document=hadolint https://github.com/hadolint/hadolint/releases/download/v2.12.0/hadolint-Linux-x86_64 \
+                             && chmod a+x hadolint
+          echo "Starting Hadolint"
+          find . -name "Dockerfile" | xargs ./hadolint --config ./ci/hadolint-config.yaml
+          echo "Hadolint done"
diff --git a/.github/workflows/params-env.yaml b/.github/workflows/params-env.yaml
@@ -0,0 +1,23 @@
+---
+name: Validation of params.env content (image SHAs)
+on:  # yamllint disable-line rule:truthy
+  pull_request:
+    paths:
+      - 'manifests/base/params.env'
+
+permissions:
+  contents: read
+
+jobs:
+  validation-of-params-env:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Install dependencies
+        run: |
+          sudo apt-get install -y skopeo jq
+
+      - name: Validate the 'manifests/base/params.env' file content
+        run: |
+          bash ./ci/check-params-env.sh
diff --git a/.github/workflows/sec-scan.yml b/.github/workflows/sec-scan.yml
@@ -0,0 +1,148 @@
+---
+# The aim of this GitHub workflow is to update the `ci/securitty-scan/security_scan_results.md` with latest security scan results.
+name: Update notebook image security reports
+on:  # yamllint disable-line rule:truthy
+  workflow_dispatch:
+    inputs:
+      branch:
+        required: true
+        description: "Provide the name of the branch you want to update ex main, vYYYYx etc: "
+  schedule:
+    - cron: "0 0 */21 * 5"  # Scheduled every third Friday
+env:
+  SEC_SCAN_BRANCH: sec-scan-${{ github.run_id }}
+  BRANCH_NAME: main
+  RELEASE_VERSION_N: 2023b
+  RELEASE_VERSION_N_1: 2023a
+jobs:
+  initialize:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Install Skopeo CLI
+        shell: bash
+        run: |
+          sudo apt-get -y update
+          sudo apt-get -y install skopeo
+
+      # Checkout the branch
+      - name: Checkout branch
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ env.BRANCH_NAME }}
+
+      # Create a new branch
+      - name: Create a new branch
+        run: |
+         echo ${{ env.SEC_SCAN_BRANCH }}
+         git checkout -b ${{ env.SEC_SCAN_BRANCH }}
+         git push --set-upstream origin ${{ env.SEC_SCAN_BRANCH }}
+
+  check-vulnerabilities:
+    needs: [initialize]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - name: Configure Git
+        run: |
+         git config --global user.email "github-actions[bot]@users.noreply.github.com"
+         git config --global user.name "GitHub Actions"
+
+      # Get the latest weekly build commit hash: https://github.com/opendatahub-io/notebooks/commits/2023b
+      - name: Checkout upstream notebooks repo
+        uses: actions/checkout@v3
+        with:
+          repository: opendatahub-io/notebooks.git
+          ref: ${{ env.RELEASE_VERSION_N }}
+
+      - name: Retrieve latest weekly commit hash from the "N" branch
+        id: hash-n
+        shell: bash
+        run: |
+          echo "HASH_N=$(git rev-parse --short HEAD)" >> ${GITHUB_OUTPUT}
+
+      - name: Checkout "N - 1" branch
+        uses: actions/checkout@v3
+        with:
+          repository: opendatahub-io/notebooks.git
+          ref: ${{ env.RELEASE_VERSION_N_1 }}
+
+      - name: Retrieve latest weekly commit hash from the "N - 1" branch
+        id: hash-n-1
+        shell: bash
+        run: |
+          echo "HASH_N_1=$(git rev-parse --short HEAD)" >> ${GITHUB_OUTPUT}
+
+      - name: Checkout "main" branch
+        uses: actions/checkout@v3
+        with:
+          repository: opendatahub-io/notebooks.git
+          ref: main
+
+      - name: Retrieve latest weekly commit hash from the "main" branch
+        id: hash-main
+        shell: bash
+        run: |
+          echo "LATEST_MAIN_COMMIT=$(git rev-parse --short HEAD)" >> ${GITHUB_OUTPUT}
+
+      # Checkout the release branch to apply the updates
+      - name: Checkout release branch
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ env.SEC_SCAN_BRANCH }}
+
+      - name: setup python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.10'  # install the python version needed
+
+      - name: install python packages
+        run: |
+          python -m pip install --upgrade pip
+          pip install requests
+
+      - name: execute py script  # run trial.py
+        env:
+          HASH_N: ${{ steps.hash-n.outputs.HASH_N }}
+          RELEASE_VERSION_N: ${{ env.RELEASE_VERSION_N }}
+
+          HASH_N_1: ${{ steps.hash-n-1.outputs.HASH_N_1 }}
+          RELEASE_VERSION_N_1: ${{ env.RELEASE_VERSION_N_1 }}
+
+          LATEST_MAIN_COMMIT: ${{ steps.hash-main.outputs.LATEST_MAIN_COMMIT }}
+        run: make scan-image-vulnerabilities
+
+      - name: Push the files
+        run: |
+              git fetch origin  ${{ env.SEC_SCAN_BRANCH }} && git pull origin  ${{ env.SEC_SCAN_BRANCH }} && git add . && git commit -m "Update security scans" && git push origin  ${{ env.SEC_SCAN_BRANCH }}
+
+  # Creates the Pull Request
+  open-pull-request:
+    needs: [check-vulnerabilities]
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v3
+
+      - name: pull-request
+        uses: repo-sync/pull-request@v2
+        with:
+          source_branch: ${{ env.SEC_SCAN_BRANCH }}
+          destination_branch: ${{ env.BRANCH_NAME}}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          pr_label: "automated pr"
+          pr_title: "[Security Scanner Action] Weekly update of security vulnerabilities reported by Quay"
+          pr_body: |
+            :rocket: This is an automated Pull Request.
+
+            This PR updates:
+
+            * `ci/security-scan/security_scan_results.md` file with the latest security vulnerabilities reported by Quay.
+            * `ci/security-scan/weekly_commit_ids` with the latest updated SHA digests of the notebooks (N & N-1)
+            Created by `/.github/workflows/sec-scan.yaml`
+
+            :exclamation: **IMPORTANT NOTE**: Remember to delete the ` ${{ env.SEC_SCAN_BRANCH }}` branch after merging the changes
diff --git a/Makefile b/Makefile
@@ -438,22 +438,45 @@ validate-codeserver-image: bin/kubectl
 .PHONY: validate-rstudio-image
 validate-rstudio-image: bin/kubectl
 	$(eval NOTEBOOK_NAME := $(subst .,-,$(subst cuda-,,$*)))
-	$(info # Running tests for $(NOTEBOOK_NAME) code-server image...)
+	$(info # Running tests for $(NOTEBOOK_NAME) RStudio Server image...)
 	$(KUBECTL_BIN) wait --for=condition=ready pod rstudio-pod --timeout=300s
 	@required_commands=$(REQUIRED_R_STUDIO_IMAGE_COMMANDS) ; \
 	if [[ $$image == "" ]] ; then \
 		echo "Usage: make validate-rstudio-image image=<container-image-name>" ; \
 		exit 1 ; \
 	fi ; \
+	echo "=> Checking container image $$image for package intallation..." ; \
+	$(KUBECTL_BIN) exec -it rstudio-pod -- mkdir -p /opt/app-root/src/R/temp-library > /dev/null 2>&1 ; \
+	$(KUBECTL_BIN) exec rstudio-pod -- R -e "install.packages('tinytex', lib='/opt/app-root/src/R/temp-library')" > /dev/null 2>&1 ; \
+	if [ $$? -eq 0 ]; then \
+        echo "Tinytex installation successful!"; \
+    else \
+        echo "Error: Tinytex installation failed."; \
+	fi; \
 	for cmd in $$required_commands ; do \
 		echo "=> Checking container image $$image for $$cmd..." ; \
 		$(KUBECTL_BIN) exec rstudio-pod which $$cmd > /dev/null 2>&1 ; \
-		if [ $$? -ne 0 ]; then \
-			echo "ERROR: Container image $$image  does not meet criteria for command: $$cmd" ; \
+		if [ $$? -eq 0 ]; then \
+        	echo "$$cmd executed successfuly!"; \
+		else \
+        	echo "ERROR: Container image $$image  does not meet criteria for command: $$cmd" ; \
 			fail=1; \
 			continue; \
 		fi; \
 	done ; \
+	echo "=> Fetching R script from URL and executing on the container..."; \
+	curl -sSL -o test_script.R "${NOTEBOOK_REPO_BRANCH_BASE}/rstudio/c9s-python-3.9/test/test_script.R" > /dev/null 2>&1 ; \
+	$(KUBECTL_BIN) cp test_script.R rstudio-pod:/opt/app-root/src/test_script.R > /dev/null 2>&1; \
+	$(KUBECTL_BIN) exec rstudio-pod -- Rscript /opt/app-root/src/test_script.R > /dev/null 2>&1 ; \
+	if [ $$? -eq 0 ]; then \
+        echo "R script executed successfully!"; \
+		rm test_script.R ; \
+	else \
+        echo "Error: R script failed."; \
+		fail=1; \
+		continue; \
+	fi; \
+
 
 # This is only for the workflow action
 .PHONY: refresh-pipfilelock-files
@@ -475,4 +498,9 @@ refresh-pipfilelock-files:
 	cd runtimes/tensorflow/ubi8-python-3.8 && pipenv lock
 	cd runtimes/tensorflow/ubi9-python-3.9 && pipenv lock
 	cd base/c9s-python-3.9 && pipenv lock
-
+
+# This is only for the workflow action
+# For running manually, set the required environment variables
+.PHONY: scan-image-vulnerabilities
+scan-image-vulnerabilities:
+	python ci/security-scan/quay_security_analysis.py
diff --git a/README.md b/README.md
@@ -124,7 +124,7 @@ graph TB
         %% Nodes
         c9s-python-3.9("CentOS Stream Base<br/>(c9s-python-3.9)");
         code-server-c9s-python-3.9("code-server <br/>(code-server-c9s-python-3.9)");
-        r-studio-c9s-python-3.9("R Studio <br/>(r-studio-c9s-python-3.9)");
+        r-studio-c9s-python-3.9("RStudio Server<br/>(r-studio-c9s-python-3.9)");
 
         %% Edges
         c9s-python-3.9 --> code-server-c9s-python-3.9;

diff --git a/base/anaconda-python-3.8/Dockerfile b/base/anaconda-python-3.8/Dockerfile
@@ -79,7 +79,7 @@ ENV BASH_ENV="source /opt/anaconda3/bin/activate ${APP_ROOT}" \
 USER 1001
 
 # Set the default CMD to print the usage of the language image.
-CMD $STI_SCRIPTS_PATH/usage
+CMD ["$STI_SCRIPTS_PATH/usage"]
 
 
 FROM s2i-python-anaconda-38-base

diff --git a/base/c9s-python-3.9/Dockerfile b/base/c9s-python-3.9/Dockerfile
@@ -13,7 +13,7 @@ LABEL name="odh-notebook-base-centos-stream9-python-3.9" \
 WORKDIR /opt/app-root/bin
 
 # Install micropipenv to deploy packages from Pipfile.lock
-RUN pip install -U "micropipenv[toml]"
+RUN pip install --no-cache-dir -U "micropipenv[toml]"
 
 # Install Python dependencies from Pipfile.lock file
 COPY Pipfile.lock ./
@@ -22,7 +22,7 @@ COPY Pipfile.lock ./
 USER root
 
 # Install usefull OS packages
-RUN dnf install -y mesa-libGL
+RUN dnf install -y mesa-libGL && dnf clean all && rm -rf /var/cache/yum
 
 # Other apps and tools installed as default user
 USER 1001

diff --git a/base/ubi8-python-3.8/Dockerfile b/base/ubi8-python-3.8/Dockerfile
@@ -17,7 +17,7 @@ RUN dnf update -y libnghttp2 && dnf clean all
 USER 1001
 
 # Install micropipenv to deploy packages from Pipfile.lock
-RUN pip install -U "micropipenv[toml]"
+RUN pip install --no-cache-dir -U "micropipenv[toml]"
 
 # Install Python dependencies from Pipfile.lock file
 COPY Pipfile.lock ./

diff --git a/base/ubi9-python-3.9/Dockerfile b/base/ubi9-python-3.9/Dockerfile
@@ -13,7 +13,7 @@ LABEL name="odh-notebook-base-ubi9-python-3.9" \
 WORKDIR /opt/app-root/bin
 
 # Install micropipenv to deploy packages from Pipfile.lock
-RUN pip install -U "micropipenv[toml]"
+RUN pip install --no-cache-dir -U "micropipenv[toml]"
 
 # Install Python dependencies from Pipfile.lock file
 COPY Pipfile.lock ./
@@ -24,7 +24,7 @@ RUN echo "Installing softwares and packages" && micropipenv install && rm -f ./P
 USER root
 
 # Install usefull OS packages
-RUN dnf install -y mesa-libGL
+RUN dnf install -y mesa-libGL && dnf clean all && rm -rf /var/cache/yum
 
 # Other apps and tools installed as default user
 USER 1001