Add RHEL containers (#73)

* Add RHEL containers * Needs to pass secret envs differently * Maybe I understand how secrets are passed now... * Need secrets for push for multi-arch images * Add RHEL containers to web site
r-hub · Sep 18, 2024 · 1144a58 · 1144a58
1 parent 6e9088f
commit 1144a58
Show file tree

Hide file tree

Showing 6 changed files with 145 additions and 3 deletions.
diff --git a/.github/workflows/containers.yml b/.github/workflows/containers.yml
@@ -117,12 +117,26 @@ jobs:
     - name: Build
       uses: docker/build-push-action@v5
       with:
-        platforms: ${{ matrix.config.platform || 'linux/amd64' }}
+        platforms: ${{ matrix.config.testplatform || 'linux/amd64' }}
+        secret-envs: |
+          REDHAT_ORG_RHEL7=REDHAT_ORG_RHEL7
+          REDHAT_ORG_RHEL8=REDHAT_ORG_RHEL8
+          REDHAT_ORG_RHEL9=REDHAT_ORG_RHEL9
+          REDHAT_ACTIVATION_KEY_RHEL7=REDHAT_ACTIVATION_KEY_RHEL7
+          REDHAT_ACTIVATION_KEY_RHEL8=REDHAT_ACTIVATION_KEY_RHEL8
+          REDHAT_ACTIVATION_KEY_RHEL9=REDHAT_ACTIVATION_KEY_RHEL9
         provenance: false
         context: containers/${{ matrix.config.container }}
         load: true
         tags: |
           rhub/test:test
+      env:
+        REDHAT_ORG_RHEL7: ${{ secrets.REDHAT_ORG }}
+        REDHAT_ORG_RHEL8: ${{ secrets.REDHAT_ORG }}
+        REDHAT_ORG_RHEL9: ${{ secrets.REDHAT_ORG }}
+        REDHAT_ACTIVATION_KEY_RHEL7: ${{ secrets.REDHAT_ACTIVATION_KEY_RHEL7 }}
+        REDHAT_ACTIVATION_KEY_RHEL8: ${{ secrets.REDHAT_ACTIVATION_KEY_RHEL8 }}
+        REDHAT_ACTIVATION_KEY_RHEL9: ${{ secrets.REDHAT_ACTIVATION_KEY_RHEL9 }}
 
     - name: Test
       run: |
@@ -132,13 +146,27 @@ jobs:
       uses: docker/build-push-action@v5
       with:
         platforms: ${{ matrix.config.platform || 'linux/amd64' }}
+        secret-envs: |
+          REDHAT_ORG_RHEL7=REDHAT_ORG_RHEL7
+          REDHAT_ORG_RHEL8=REDHAT_ORG_RHEL8
+          REDHAT_ORG_RHEL9=REDHAT_ORG_RHEL9
+          REDHAT_ACTIVATION_KEY_RHEL7=REDHAT_ACTIVATION_KEY_RHEL7
+          REDHAT_ACTIVATION_KEY_RHEL8=REDHAT_ACTIVATION_KEY_RHEL8
+          REDHAT_ACTIVATION_KEY_RHEL9=REDHAT_ACTIVATION_KEY_RHEL9
         provenance: false
         context: containers/${{ matrix.config.container }}
         push: true
         outputs:
         tags: |
           rhub/${{ matrix.config.container }}:latest
           ghcr.io/r-hub/containers/${{ matrix.config.container }}:latest
+      env:
+        REDHAT_ORG_RHEL7: ${{ secrets.REDHAT_ORG }}
+        REDHAT_ORG_RHEL8: ${{ secrets.REDHAT_ORG }}
+        REDHAT_ORG_RHEL9: ${{ secrets.REDHAT_ORG }}
+        REDHAT_ACTIVATION_KEY_RHEL7: ${{ secrets.REDHAT_ACTIVATION_KEY_RHEL7 }}
+        REDHAT_ACTIVATION_KEY_RHEL8: ${{ secrets.REDHAT_ACTIVATION_KEY_RHEL8 }}
+        REDHAT_ACTIVATION_KEY_RHEL9: ${{ secrets.REDHAT_ACTIVATION_KEY_RHEL9 }}
 
   # ------------------------------------------------------------------------
 

diff --git a/containers/rhel7/Dockerfile b/containers/rhel7/Dockerfile
@@ -0,0 +1,37 @@
+FROM registry.access.redhat.com/ubi7/ubi
+
+ARG R_VERSION=release
+
+RUN rm /etc/rhsm-host
+
+# To work around a rig bug and a pak bug
+ENV RIG_PLATFORM=rhel-7
+ENV PKG_SYSREQS_PLATFORM=redhat-7
+
+# ## Notes
+#
+# * Need to do this in a single step, so no layer is registered.
+#   (Although I am not sure if that would be a real problem.)
+# * Need to supply two secrets, for the RedHat Org and the activation key:
+#   REDHAT_ORG_RHEL7=... REDHAT_ACTIVATION_KEY_RHEL7=... \
+#     docker build --platform linux/amd64 \
+#     --secret id=REDHAT_ORG_RHEL7 --secret id=REDHAT_ACTIVATION_KEY_RHEL7 .
+# * There is no RHEL7 for linux/arm64, you need to supply `--platform` when
+#   building on a non-x86_64 platform.
+# * We install a couple of packages that allow installing the tidyverse
+#   without registration.
+# * You can use rig to install more R versions, but this currently needs
+#   registration: https://github.com/r-lib/rig/issues/247
+
+RUN --mount=type=secret,id=REDHAT_ORG_RHEL7 \
+    --mount=type=secret,id=REDHAT_ACTIVATION_KEY_RHEL7 \
+    subscription-manager register \
+        --org `cat /run/secrets/REDHAT_ORG_RHEL7` \
+        --activationkey `cat /run/secrets/REDHAT_ACTIVATION_KEY_RHEL7` && \
+    yum install -y https://archives.fedoraproject.org/pub/archive/epel/7/x86_64/Packages/e/epel-release-7-14.noarch.rpm && \
+    yum install -y https://github.com/r-lib/rig/releases/download/latest/r-rig-latest-1.$(arch).rpm && \
+    rig add ${R_VERSION} && \
+    yum install -y harfbuzz-devel fribidi-devel libtiff-devel && \
+    yum clean all && \
+    rm -rf /tmp/* && \
+    subscription-manager unregister
diff --git a/containers/rhel8/Dockerfile b/containers/rhel8/Dockerfile
@@ -0,0 +1,32 @@
+FROM redhat/ubi8:latest
+
+ARG R_VERSION=release
+
+# To work around a rig bug and a pak bug
+ENV RIG_PLATFORM=rhel-8
+ENV PKG_SYSREQS_PLATFORM=redhat-8
+
+# ## Notes
+#
+# * Need to do this in a single step, so no layer is registered.
+#   (Although I am not sure if that would be a real problem.)
+# * Need to supply two secrets, for the RedHat Org and the activation key:
+#   REDHAT_ORG_RHEL8=... REDHAT_ACTIVATION_KEY_RHEL8=... \
+#     docker build --secret id=REDHAT_ORG_RHEL8 \
+#     --secret id=REDHAT_ACTIVATION_KEY_RHEL8 .
+# * We install a couple of packages that allow installing the tidyverse
+#   without registration.
+# * You can use rig to install more R versions, but this currently needs
+#   registration: https://github.com/r-lib/rig/issues/247
+
+RUN --mount=type=secret,id=REDHAT_ORG_RHEL8 \
+    --mount=type=secret,id=REDHAT_ACTIVATION_KEY_RHEL8 \
+    subscription-manager register \
+        --org `cat /run/secrets/REDHAT_ORG_RHEL8` \
+        --activationkey `cat /run/secrets/REDHAT_ACTIVATION_KEY_RHEL8` && \
+    yum install -y https://github.com/r-lib/rig/releases/download/latest/r-rig-latest-1.$(arch).rpm && \
+    rig add ${R_VERSION} && \
+    yum install -y harfbuzz-devel fribidi-devel && \
+    yum clean all && \
+    rm -rf /tmp/* && \
+    subscription-manager unregister
diff --git a/containers/rhel9/Dockerfile b/containers/rhel9/Dockerfile
@@ -0,0 +1,34 @@
+FROM redhat/ubi9:latest
+
+ARG R_VERSION=release
+
+# To work around a rig bug and a pak bug
+ENV RIG_PLATFORM=rhel-9
+ENV PKG_SYSREQS_PLATFORM=redhat-9
+
+# ## Notes
+#
+# * Need to do this in a single step, so no layer is registered.
+#   (Although I am not sure if that would be a real problem.)
+# * Need to supply two secrets, for the RedHat Org and the activation key:
+#   REDHAT_ORG_RHEL9=... REDHAT_ACTIVATION_KEY_RHEL9=... \
+#     docker build --secret id=REDHAT_ORG_RHEL9 \
+#     --secret id=REDHAT_ACTIVATION_KEY_RHEL9 .
+# * We install a couple of packages that allow installing the tidyverse
+#   without registration.
+# * You can use rig to install more R versions, but this currently needs
+#   registration: https://github.com/r-lib/rig/issues/247
+# * The sed line fixes this bug: https://github.com/r-lib/rig/issues/248
+
+RUN --mount=type=secret,id=REDHAT_ORG_RHEL9 \
+    --mount=type=secret,id=REDHAT_ACTIVATION_KEY_RHEL9 \
+    subscription-manager register \
+        --org `cat /run/secrets/REDHAT_ORG_RHEL9` \
+        --activationkey `cat /run/secrets/REDHAT_ACTIVATION_KEY_RHEL9` && \
+    yum install -y https://github.com/r-lib/rig/releases/download/latest/r-rig-latest-1.$(arch).rpm && \
+    rig add ${R_VERSION} && \
+    sed -i 's|/rhel8/|/rhel9/|g' /opt/R/current/lib/R/library/base/R/Rprofile && \
+    yum install -y git libgit2 fribidi-devel && \
+    yum clean all && \
+    rm -rf /tmp/* && \
+    subscription-manager unregister
diff --git a/tests/get-containers.py b/tests/get-containers.py
@@ -19,10 +19,18 @@
     containers = args.containers.split(",")
     conts = [ p for p in containers if p in conts ]
 
-# some hardcoded platforms
-platforms = { 's390x': 'linux/s390x' }
+# some hardcoded platforms and secrets
+testplatforms = {
+    's390x': 'linux/s390x'
+}
+platforms = {
+    's390x': 'linux/s390x',
+    'rhel8': 'linux/amd64,linux/arm64',
+    'rhel9': 'linux/amd64,linux/arm64'
+}
 conf = [ {
     'container': c,
+    'testplatform': testplatforms[c] if c in testplatforms else 'linux/amd64',
     'platform': platforms[c] if c in platforms else 'linux/amd64'
 } for c in conts ]
 

diff --git a/website/index.qmd b/website/index.qmd
@@ -55,6 +55,9 @@ And these additional containers:
 
 |R-hub name | Description                                                      | OS                     | R version                        | Details                                |
 |:----------|:-----------------------------------------------------------------|:-----------------------|:---------------------------------|----------------------------------------|
+| rhel7     | RedHat Enterprise Linux 7 (needs RedHat subscription)            | `r os_name("rhel7")`   | `r r_ver("rhel7")`               | [Details](containers.html#rhel7)       |
+| rhel8     | RedHat Enterprise Linux 8 (needs RedHat subscription)            | `r os_name("rhel8")`   | `r r_ver("rhel8")`               | [Details](containers.html#rhel8)       |
+| rhel9     | RedHat Enterprise Linux 9 (needs RedHat subscription)            | `r os_name("rhel9")`   | `r r_ver("rhel9")`               | [Details](containers.html#rhel9)       |
 | s390x     | Test on a big-endian platform: s390x Linux                       | `r os_name("s390x")`   | `r r_ver("s390x")`               | [Details](containers.html#s390x)       |
 | centos7   | Test R on CentOS 7 (equivalent to RHEL 7), w/ multiple R versions| `r os_name("centos7")` | Last 5 releases, R-next, R-devel | [Details](containers.html#centos7)     |