You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@superset.apache.org by GitBox <gi...@apache.org> on 2021/05/26 17:00:52 UTC
[GitHub] [superset] ethack opened a new issue #14847: Docker /app permission issue
ethack opened a new issue #14847:
URL: https://github.com/apache/superset/issues/14847
Attempting to run the Superset container using the command on DockerHub fails.
### Expected results
Superset to successfully start in docker.
### Actual results
Attempting to run the Superset container using the command on DockerHub results in a permission error in the logs and the gunicorn service shutting down.
#### How to reproduce the bug
```
docker run -d -p 8080:8088 --name superset apache/superset
```
```
docker logs superset
```
```
[2021-05-26 16:01:24 +0000] [7] [INFO] Starting gunicorn 20.0.4
[2021-05-26 16:01:25 +0000] [7] [INFO] Listening at: http://0.0.0.0:8088 (7)
[2021-05-26 16:01:25 +0000] [7] [INFO] Using worker: gthread
[2021-05-26 16:01:25 +0000] [10] [INFO] Booting worker with pid: 10
Failed to create app
Traceback (most recent call last):
File "/app/superset/app.py", line 63, in create_app
app_initializer.init_app()
File "/app/superset/app.py", line 576, in init_app
self.pre_init()
File "/app/superset/app.py", line 95, in pre_init
os.makedirs(self.config["DATA_DIR"])
File "/usr/local/lib/python3.7/os.py", line 223, in makedirs
mkdir(name, mode)
PermissionError: [Errno 13] Permission denied: '/app/superset_home'
[2021-05-26 16:01:26 +0000] [10] [ERROR] Exception in worker process
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/gunicorn/arbiter.py", line 583, in spawn_worker
worker.init_process()
File "/usr/local/lib/python3.7/site-packages/gunicorn/workers/gthread.py", line 92, in init_process
super().init_process()
File "/usr/local/lib/python3.7/site-packages/gunicorn/workers/base.py", line 119, in init_process
self.load_wsgi()
File "/usr/local/lib/python3.7/site-packages/gunicorn/workers/base.py", line 144, in load_wsgi
self.wsgi = self.app.wsgi()
File "/usr/local/lib/python3.7/site-packages/gunicorn/app/base.py", line 67, in wsgi
self.callable = self.load()
File "/usr/local/lib/python3.7/site-packages/gunicorn/app/wsgiapp.py", line 49, in load
return self.load_wsgiapp()
File "/usr/local/lib/python3.7/site-packages/gunicorn/app/wsgiapp.py", line 39, in load_wsgiapp
return util.import_app(self.app_uri)
File "/usr/local/lib/python3.7/site-packages/gunicorn/util.py", line 411, in import_app
app = app(*args, **kwargs)
File "/app/superset/app.py", line 70, in create_app
raise ex
File "/app/superset/app.py", line 63, in create_app
app_initializer.init_app()
File "/app/superset/app.py", line 576, in init_app
self.pre_init()
File "/app/superset/app.py", line 95, in pre_init
os.makedirs(self.config["DATA_DIR"])
File "/usr/local/lib/python3.7/os.py", line 223, in makedirs
mkdir(name, mode)
PermissionError: [Errno 13] Permission denied: '/app/superset_home'
[2021-05-26 16:01:26 +0000] [10] [INFO] Worker exiting (pid: 10)
[2021-05-26 16:01:26 +0000] [7] [INFO] Shutting down: Master
[2021-05-26 16:01:26 +0000] [7] [INFO] Reason: Worker failed to boot.
```
### Environment
I pulled the `apache/superset:latest` tag for the docker image, which says it was uploaded 2 hours ago. I believe this is equivalent to `apache/superset:e466066229ec8262583bc118af1f39e2dbf77bcf` and the issue also happens with that tag.
- superset version: Superset 0.999.0dev
- Note: this version may be inaccurate according to https://github.com/apache/superset/issues/14517
- python version: Python 3.7.9
- node.js version: /usr/bin/docker-entrypoint.sh: line 21: exec: node: not found
### Checklist
Make sure to follow these steps before submitting your issue - thank you!
- [x] I have checked the superset logs for python stacktraces and included it here as text if there are any.
- [x] I have reproduced the issue with at least the latest released version of superset.
- [x] I have checked the issue tracker for the same issue and I haven't found one similar.
### Additional context
The problem appears to be that the `/app` directory is owned by root and permissions are such that the superset user cannot create a new directory inside it.
```
superset@f1d5214ff28c:/app$ ls -ld /app
drwxr-xr-x 1 root root 4096 May 26 14:55 /app
```
I didn't do a full bisect to find the tag the issue was introduced, but it appears to be recent. The docker tag `apache/superset:45020860d5c65f08c73f550054166ba1089fecef` starts successfully and that tag was uploaded 19 hours ago.
My suggested fix is either:
- Make superset the owner of the app directory: e.g. `chown superset:superset /app`. I think this is likely the best solution.
- Create the missing directory in the docker image build: e.g. `mkdir /app/superset_home && chown superset:superset /app/superset_home`. I'm not sure this is feasible and I'm not sure if other permission issues will come up later for creating files in `/app`.
My workaround is to just launch the container with the user set to root. However, this is removes security boundaries.
```
docker run -d -p 8080:8088 -u 0 --name superset apache/superset
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [superset] shawnzhu commented on issue #14847: Docker /app permission issue
Posted by GitBox <gi...@apache.org>.
shawnzhu commented on issue #14847:
URL: https://github.com/apache/superset/issues/14847#issuecomment-850571583
I had this issue as well by using fix from #14736 looks like it didn't create the home folder when creating the user.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [superset] dpgaspar closed issue #14847: Docker /app permission issue
Posted by GitBox <gi...@apache.org>.
dpgaspar closed issue #14847:
URL: https://github.com/apache/superset/issues/14847
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org
[GitHub] [superset] ethack commented on issue #14847: Docker /app permission issue
Posted by GitBox <gi...@apache.org>.
ethack commented on issue #14847:
URL: https://github.com/apache/superset/issues/14847#issuecomment-848961017
https://github.com/apache/superset/commit/d46aa6004d3ee78929048f607e853f7a77237af5#diff-dd2c0eb6ea5cfc6c4bd4eac30934e2d5746747af48fef6da689e85b752f39557 appears to be related. It is a recent commit that references `/app/superset_home` and the commit message is about fixing docker superset permissions.
It looks like that change is counting on `useradd` to create the user's home directory. `useradd` doesn't appear to do this by default, but will with the `--create-home` flag. Additionally, it seems that `useradd` will not create parent directories, meaning that `/app` already has to exist. These steps seem to work and give the desired result.
```
$ docker run --rm -it python:3.7.9 bash
root@2a032833e3c4:/# mkdir /app
root@2a032833e3c4:/# useradd --user-group -d /app/superset_home --no-log-init --create-home --shell /bin/bash superset
root@2a032833e3c4:/# ls -l /app
total 4
drwxr-xr-x 2 superset superset 4096 May 26 17:14 superset_home
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@superset.apache.org
For additional commands, e-mail: notifications-help@superset.apache.org