Posted to commits@nifi.apache.org by lo...@apache.org on 2022/03/11 14:25:33 UTC
[nifi-minifi-cpp] 01/02: MINIFICPP-1734 Tell kubernetes to run minifi as root instead of baking it into the image
This is an automated email from the ASF dual-hosted git repository.
lordgamez pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi-minifi-cpp.git
commit 5fc9e5656e8dd45174315bc3ade9635d66036eaa
Author: Ferenc Gerlits <fg...@cloudera.com>
AuthorDate: Mon Mar 7 17:06:49 2022 +0100
MINIFICPP-1734 Tell kubernetes to run minifi as root instead of baking it into the image
Signed-off-by: Gabor Gyimesi <ga...@gmail.com>
This closes #1277
---
docker/test/integration/minifi/core/ImageStore.py | 11 -----------
docker/test/integration/minifi/core/KindProxy.py | 14 ++++----------
.../minifi/core/MinifiAsPodInKubernetesCluster.py | 17 +++++++++++++----
.../resources/kubernetes/pods-etc/log-collector.pod.yml | 8 ++++++--
4 files changed, 23 insertions(+), 27 deletions(-)
diff --git a/docker/test/integration/minifi/core/ImageStore.py b/docker/test/integration/minifi/core/ImageStore.py
index 56d81eb..8d3baed 100644
--- a/docker/test/integration/minifi/core/ImageStore.py
+++ b/docker/test/integration/minifi/core/ImageStore.py
@@ -45,8 +45,6 @@ class ImageStore:
if container_engine == "minifi-cpp" or container_engine == "transient-minifi":
image = self.__build_minifi_cpp_image()
- elif container_engine == "minifi-cpp-in-kubernetes":
- image = self.__build_simple_minifi_cpp_image_with_root()
elif container_engine == "http-proxy":
image = self.__build_http_proxy_image()
elif container_engine == "nifi":
@@ -102,15 +100,6 @@ class ImageStore:
return self.__build_image(dockerfile)
- def __build_simple_minifi_cpp_image_with_root(self):
- dockerfile = dedent(r"""\
- FROM {base_image}
- USER root
- CMD ["/bin/sh", "-c", "cp /tmp/minifi_config/config.yml /tmp/minifi_config/minifi-log.properties ./conf/ && ./bin/minifi.sh run"]
- """.format(base_image='apacheminificpp:' + MinifiContainer.MINIFI_VERSION))
-
- return self.__build_image(dockerfile)
-
def __build_http_proxy_image(self):
dockerfile = dedent("""FROM {base_image}
RUN apt -y update && apt install -y apache2-utils
diff --git a/docker/test/integration/minifi/core/KindProxy.py b/docker/test/integration/minifi/core/KindProxy.py
index d304cc8..b8da30b 100644
--- a/docker/test/integration/minifi/core/KindProxy.py
+++ b/docker/test/integration/minifi/core/KindProxy.py
@@ -24,12 +24,9 @@ from textwrap import dedent
class KindProxy:
- def __init__(self, temp_directory, resources_directory, image_name, image_repository, image_tag):
+ def __init__(self, temp_directory, resources_directory):
self.temp_directory = temp_directory
self.resources_directory = resources_directory
- self.image_name = image_name
- self.image_repository = image_repository
- self.image_tag = image_tag
self.kind_binary_path = os.path.join(self.temp_directory, 'kind')
self.kind_config_path = os.path.join(self.temp_directory, 'kind-config.yml')
@@ -67,12 +64,9 @@ class KindProxy:
if subprocess.run([self.kind_binary_path, 'create', 'cluster', '--config=' + self.kind_config_path]).returncode != 0:
raise Exception("Could not start the kind cluster")
- def load_docker_image(self, image_store):
- image = image_store.get_image(self.image_name)
- image.tag(repository=self.image_repository, tag=self.image_tag)
-
- if subprocess.run([self.kind_binary_path, 'load', 'docker-image', self.image_repository + ':' + self.image_tag]).returncode != 0:
- raise Exception("Could not load the %s docker image (%s:%s) into the kind cluster" % (self.image_name, self.image_repository, self.image_tag))
+ def load_docker_image(self, image_name, image_tag):
+ if subprocess.run([self.kind_binary_path, 'load', 'docker-image', image_name + ':' + image_tag]).returncode != 0:
+ raise Exception("Could not load the %s docker image into the kind cluster" % image_name)
def create_objects(self):
self.__wait_for_default_service_account('default')
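Review bot: The new error message in `load_docker_image` names only `image_name`, although the reference passed to `kind load docker-image` is `image_name + ':' + image_tag`. When the load fails because the tag is missing or stale, the log no longer shows which reference was tried. I would keep the tag in the message: `raise Exception("Could not load the %s:%s docker image into the kind cluster" % (image_name, image_tag))`. The `create_objects` method that follows continues outside the hunk.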
diff --git a/docker/test/integration/minifi/core/MinifiAsPodInKubernetesCluster.py b/docker/test/integration/minifi/core/MinifiAsPodInKubernetesCluster.py
index 43132b2..81ba5b0 100644
--- a/docker/test/integration/minifi/core/MinifiAsPodInKubernetesCluster.py
+++ b/docker/test/integration/minifi/core/MinifiAsPodInKubernetesCluster.py
@@ -14,6 +14,7 @@
# limitations under the License.
+import docker
import logging
import os
import shutil
@@ -24,12 +25,23 @@ from .MinifiContainer import MinifiContainer
class MinifiAsPodInKubernetesCluster(MinifiContainer):
+ MINIFI_IMAGE_NAME = 'apacheminificpp'
+ MINIFI_IMAGE_TAG = 'docker_test'
+
def __init__(self, config_dir, name, vols, network, image_store, command=None):
super().__init__(config_dir, name, vols, network, image_store, command)
+ resources_directory = os.path.join(os.environ['TEST_DIRECTORY'], 'resources', 'kubernetes', 'pods-etc')
+ self.kind = KindProxy(self.config_dir, resources_directory)
+
test_dir = os.environ['TEST_DIRECTORY']
+ shutil.copy(os.path.join(test_dir, os.pardir, os.pardir, os.pardir, 'conf', 'minifi.properties'), self.config_dir)
shutil.copy(os.path.join(test_dir, 'resources', 'kubernetes', 'minifi-conf', 'minifi-log.properties'), self.config_dir)
+ docker_client = docker.from_env()
+ minifi_image = docker_client.images.get(MinifiAsPodInKubernetesCluster.MINIFI_IMAGE_NAME + ':' + os.environ['MINIFI_VERSION'])
+ minifi_image.tag(MinifiAsPodInKubernetesCluster.MINIFI_IMAGE_NAME, MinifiAsPodInKubernetesCluster.MINIFI_IMAGE_TAG)
+
def deploy(self):
if not self.set_deployed():
return
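Review bot: The image lookup added to `__init__` indexes `os.environ['MINIFI_VERSION']` directly, so an unset variable surfaces as a bare `KeyError` and a missing image as a docker client exception, both raised from the constructor before any cluster setup has run. The ImageStore code removed by this same commit built the reference from `MinifiContainer.MINIFI_VERSION`; if that attribute still exists, `MINIFI_IMAGE_NAME + ':' + MinifiContainer.MINIFI_VERSION` would keep a single source for the version. `TEST_DIRECTORY` is also read twice: `resources_directory` indexes `os.environ` one statement before `test_dir` is assigned from the same key, so moving `test_dir = os.environ['TEST_DIRECTORY']` to the top and reusing it would tidy that up. `deploy` starts inside the hunk and continues past it.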
@@ -38,12 +50,9 @@ class MinifiAsPodInKubernetesCluster(MinifiContainer):
self._create_config()
- resources_directory = os.path.join(os.environ['TEST_DIRECTORY'], 'resources', 'kubernetes', 'pods-etc')
-
- self.kind = KindProxy(self.config_dir, resources_directory, 'minifi-cpp-in-kubernetes', 'minifi-kubernetes-test', 'v1')
self.kind.create_config(self.vols)
self.kind.start_cluster()
- self.kind.load_docker_image(self.image_store)
+ self.kind.load_docker_image(MinifiAsPodInKubernetesCluster.MINIFI_IMAGE_NAME, MinifiAsPodInKubernetesCluster.MINIFI_IMAGE_TAG)
self.kind.create_objects()
logging.info('Finished setting up container: %s', self.name)
diff --git a/docker/test/integration/resources/kubernetes/pods-etc/log-collector.pod.yml b/docker/test/integration/resources/kubernetes/pods-etc/log-collector.pod.yml
index 2ea287c..307a9bc 100644
--- a/docker/test/integration/resources/kubernetes/pods-etc/log-collector.pod.yml
+++ b/docker/test/integration/resources/kubernetes/pods-etc/log-collector.pod.yml
@@ -4,16 +4,20 @@ metadata:
namespace: daemon
name: log-collector
spec:
+ securityContext:
+ runAsUser: 0
containers:
- name: minifi
- image: minifi-kubernetes-test:v1
+ image: apacheminificpp:docker_test
imagePullPolicy: Never
+ securityContext:
+ allowPrivilegeEscalation: false
volumeMounts:
- name: var-log-pods
mountPath: /var/log/pods
readOnly: true
- name: tmp-minifi-config
- mountPath: /tmp/minifi_config
+ mountPath: /opt/minifi/minifi-current/conf
readOnly: true
- name: tmp-output
mountPath: /tmp/output
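Review bot: The pod-level `runAsUser: 0` has no comment saying why root is needed, so a reader copying this manifest cannot tell that it is a test-only concession. I would add a line above it such as `# test-only: root is used so minifi can read the host logs mounted at /var/log/pods` (the reason is my inference from the mounts and should be confirmed). `allowPrivilegeEscalation: false` is a good start; since the process is still uid 0, consider also adding `capabilities: { drop: ["ALL"] }` to the container `securityContext` if the log collection test still passes with it. The `volumeMounts` list may continue beyond the last line of this hunk.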