Posted to commits@nifi.apache.org by lo...@apache.org on 2022/03/11 14:25:33 UTC

[nifi-minifi-cpp] 01/02: MINIFICPP-1734 Tell kubernetes to run minifi as root instead of baking it into the image

This is an automated email from the ASF dual-hosted git repository.

lordgamez pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi-minifi-cpp.git

commit 5fc9e5656e8dd45174315bc3ade9635d66036eaa
Author: Ferenc Gerlits <fg...@cloudera.com>
AuthorDate: Mon Mar 7 17:06:49 2022 +0100

    MINIFICPP-1734 Tell kubernetes to run minifi as root instead of baking it into the image
    
    Signed-off-by: Gabor Gyimesi <ga...@gmail.com>
    
    This closes #1277
---
 docker/test/integration/minifi/core/ImageStore.py       | 11 -----------
 docker/test/integration/minifi/core/KindProxy.py        | 14 ++++----------
 .../minifi/core/MinifiAsPodInKubernetesCluster.py       | 17 +++++++++++++----
 .../resources/kubernetes/pods-etc/log-collector.pod.yml |  8 ++++++--
 4 files changed, 23 insertions(+), 27 deletions(-)

diff --git a/docker/test/integration/minifi/core/ImageStore.py b/docker/test/integration/minifi/core/ImageStore.py
index 56d81eb..8d3baed 100644
--- a/docker/test/integration/minifi/core/ImageStore.py
+++ b/docker/test/integration/minifi/core/ImageStore.py
@@ -45,8 +45,6 @@ class ImageStore:
 
         if container_engine == "minifi-cpp" or container_engine == "transient-minifi":
             image = self.__build_minifi_cpp_image()
-        elif container_engine == "minifi-cpp-in-kubernetes":
-            image = self.__build_simple_minifi_cpp_image_with_root()
         elif container_engine == "http-proxy":
             image = self.__build_http_proxy_image()
         elif container_engine == "nifi":
@@ -102,15 +100,6 @@ class ImageStore:
 
         return self.__build_image(dockerfile)
 
-    def __build_simple_minifi_cpp_image_with_root(self):
-        dockerfile = dedent(r"""\
-                FROM {base_image}
-                USER root
-                CMD ["/bin/sh", "-c", "cp /tmp/minifi_config/config.yml /tmp/minifi_config/minifi-log.properties ./conf/ && ./bin/minifi.sh run"]
-                """.format(base_image='apacheminificpp:' + MinifiContainer.MINIFI_VERSION))
-
-        return self.__build_image(dockerfile)
-
     def __build_http_proxy_image(self):
         dockerfile = dedent("""FROM {base_image}
                 RUN apt -y update && apt install -y apache2-utils
diff --git a/docker/test/integration/minifi/core/KindProxy.py b/docker/test/integration/minifi/core/KindProxy.py
index d304cc8..b8da30b 100644
--- a/docker/test/integration/minifi/core/KindProxy.py
+++ b/docker/test/integration/minifi/core/KindProxy.py
@@ -24,12 +24,9 @@ from textwrap import dedent
 
 
 class KindProxy:
-    def __init__(self, temp_directory, resources_directory, image_name, image_repository, image_tag):
+    def __init__(self, temp_directory, resources_directory):
         self.temp_directory = temp_directory
         self.resources_directory = resources_directory
-        self.image_name = image_name
-        self.image_repository = image_repository
-        self.image_tag = image_tag
 
         self.kind_binary_path = os.path.join(self.temp_directory, 'kind')
         self.kind_config_path = os.path.join(self.temp_directory, 'kind-config.yml')
@@ -67,12 +64,9 @@ class KindProxy:
         if subprocess.run([self.kind_binary_path, 'create', 'cluster', '--config=' + self.kind_config_path]).returncode != 0:
             raise Exception("Could not start the kind cluster")
 
-    def load_docker_image(self, image_store):
-        image = image_store.get_image(self.image_name)
-        image.tag(repository=self.image_repository, tag=self.image_tag)
-
-        if subprocess.run([self.kind_binary_path, 'load', 'docker-image', self.image_repository + ':' + self.image_tag]).returncode != 0:
-            raise Exception("Could not load the %s docker image (%s:%s) into the kind cluster" % (self.image_name, self.image_repository, self.image_tag))
+    def load_docker_image(self, image_name, image_tag):
+        if subprocess.run([self.kind_binary_path, 'load', 'docker-image', image_name + ':' + image_tag]).returncode != 0:
+            raise Exception("Could not load the %s docker image into the kind cluster" % image_name)
 
     def create_objects(self):
         self.__wait_for_default_service_account('default')
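Review bot: `load_docker_image` no longer tags anything, so it now depends on the caller having already created `image_name:image_tag` in the local Docker daemon, and nothing in the method says so. A one-line docstring such as `"""Load an already-tagged local image (image_name:image_tag) into the kind cluster."""` would record that precondition. The new error message also drops the tag that the old one printed, which makes a failed load harder to trace; consider `raise Exception("Could not load the %s:%s docker image into the kind cluster" % (image_name, image_tag))`.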
diff --git a/docker/test/integration/minifi/core/MinifiAsPodInKubernetesCluster.py b/docker/test/integration/minifi/core/MinifiAsPodInKubernetesCluster.py
index 43132b2..81ba5b0 100644
--- a/docker/test/integration/minifi/core/MinifiAsPodInKubernetesCluster.py
+++ b/docker/test/integration/minifi/core/MinifiAsPodInKubernetesCluster.py
@@ -14,6 +14,7 @@
 # limitations under the License.
 
 
+import docker
 import logging
 import os
 import shutil
@@ -24,12 +25,23 @@ from .MinifiContainer import MinifiContainer
 
 
 class MinifiAsPodInKubernetesCluster(MinifiContainer):
+    MINIFI_IMAGE_NAME = 'apacheminificpp'
+    MINIFI_IMAGE_TAG = 'docker_test'
+
     def __init__(self, config_dir, name, vols, network, image_store, command=None):
         super().__init__(config_dir, name, vols, network, image_store, command)
 
+        resources_directory = os.path.join(os.environ['TEST_DIRECTORY'], 'resources', 'kubernetes', 'pods-etc')
+        self.kind = KindProxy(self.config_dir, resources_directory)
+
         test_dir = os.environ['TEST_DIRECTORY']
+        shutil.copy(os.path.join(test_dir, os.pardir, os.pardir, os.pardir, 'conf', 'minifi.properties'), self.config_dir)
         shutil.copy(os.path.join(test_dir, 'resources', 'kubernetes', 'minifi-conf', 'minifi-log.properties'), self.config_dir)
 
+        docker_client = docker.from_env()
+        minifi_image = docker_client.images.get(MinifiAsPodInKubernetesCluster.MINIFI_IMAGE_NAME + ':' + os.environ['MINIFI_VERSION'])
+        minifi_image.tag(MinifiAsPodInKubernetesCluster.MINIFI_IMAGE_NAME, MinifiAsPodInKubernetesCluster.MINIFI_IMAGE_TAG)
+
     def deploy(self):
         if not self.set_deployed():
             return
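Review bot: The constructor now talks to the Docker daemon and retags an image as a side effect, reading `os.environ['MINIFI_VERSION']` directly and calling `docker_client.images.get(...)` with no error handling. An unset variable or a missing base image therefore fails at object construction with a bare `KeyError` or `docker.errors.ImageNotFound` rather than a message naming the expected image. The removed ImageStore code took the version from `MinifiContainer.MINIFI_VERSION`; if that attribute holds the same value, using it here keeps a single source of truth. Moving the three tagging lines into `deploy()`, just before `self.kind.load_docker_image(...)`, would keep construction free of daemon calls; `deploy()` continues outside this hunk. `resources_directory` could also reuse `test_dir` if that assignment is moved up, instead of reading `TEST_DIRECTORY` twice.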
@@ -38,12 +50,9 @@ class MinifiAsPodInKubernetesCluster(MinifiContainer):
 
         self._create_config()
 
-        resources_directory = os.path.join(os.environ['TEST_DIRECTORY'], 'resources', 'kubernetes', 'pods-etc')
-
-        self.kind = KindProxy(self.config_dir, resources_directory, 'minifi-cpp-in-kubernetes', 'minifi-kubernetes-test', 'v1')
         self.kind.create_config(self.vols)
         self.kind.start_cluster()
-        self.kind.load_docker_image(self.image_store)
+        self.kind.load_docker_image(MinifiAsPodInKubernetesCluster.MINIFI_IMAGE_NAME, MinifiAsPodInKubernetesCluster.MINIFI_IMAGE_TAG)
         self.kind.create_objects()
 
         logging.info('Finished setting up container: %s', self.name)
diff --git a/docker/test/integration/resources/kubernetes/pods-etc/log-collector.pod.yml b/docker/test/integration/resources/kubernetes/pods-etc/log-collector.pod.yml
index 2ea287c..307a9bc 100644
--- a/docker/test/integration/resources/kubernetes/pods-etc/log-collector.pod.yml
+++ b/docker/test/integration/resources/kubernetes/pods-etc/log-collector.pod.yml
@@ -4,16 +4,20 @@ metadata:
   namespace: daemon
   name: log-collector
 spec:
+  securityContext:
+    runAsUser: 0
   containers:
   - name: minifi
-    image: minifi-kubernetes-test:v1
+    image: apacheminificpp:docker_test
     imagePullPolicy: Never
+    securityContext:
+      allowPrivilegeEscalation: false
     volumeMounts:
     - name: var-log-pods
       mountPath: /var/log/pods
       readOnly: true
     - name: tmp-minifi-config
-      mountPath: /tmp/minifi_config
+      mountPath: /opt/minifi/minifi-current/conf
       readOnly: true
     - name: tmp-output
       mountPath: /tmp/output
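Review bot: `runAsUser: 0` is set at pod level with no comment on why root is required, and the container's `securityContext` only sets `allowPrivilegeEscalation: false`, so the root process keeps the runtime's default capability set. A comment above it such as `# root is needed to read the node-owned files under /var/log/pods` (presumably the reason, given the read-only mount below) would stop this manifest being copied elsewhere without that context. If the log read still works without them, adding `capabilities: {drop: ["ALL"]}` to the container `securityContext` narrows what UID 0 can do inside the pod. The pod spec continues outside this hunk.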