Posted to commits@airflow.apache.org by "Daniel Imberman (JIRA)" <ji...@apache.org> on 2019/07/24 20:23:01 UTC

[jira] [Resolved] (AIRFLOW-4856) KubernetesExecutor's git initContainer run always as user 65533

     [ https://issues.apache.org/jira/browse/AIRFLOW-4856?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Daniel Imberman resolved AIRFLOW-4856.
--------------------------------------
    Resolution: Fixed

> KubernetesExecutor's git initContainer run always as user 65533
> ---------------------------------------------------------------
>
>                 Key: AIRFLOW-4856
>                 URL: https://issues.apache.org/jira/browse/AIRFLOW-4856
>             Project: Apache Airflow
>          Issue Type: Bug
>          Components: executors
>    Affects Versions: 1.10.3
>            Reporter: Mingjie LI
>            Priority: Major
>             Fix For: 1.10.5
>
>
> When trying to use KubernetesExecutor with git sync functionality,
> I got this error:
> [2019-06-26 14:09:37,428] {kubernetes_executor.py:745} ERROR - ApiException when attempting to run task, re-queueing.
> Traceback (most recent call last):
>  File "/usr/local/lib/python3.6/site-packages/airflow/contrib/executors/kubernetes_executor.py", line 742, in sync
>  self.kube_scheduler.run_next(task)
>  File "/usr/local/lib/python3.6/site-packages/airflow/contrib/executors/kubernetes_executor.py", line 420, in run_next
>  self.launcher.run_pod_async(pod)
>  File "/usr/local/lib/python3.6/site-packages/airflow/contrib/kubernetes/pod_launcher.py", line 57, in run_pod_async
>  resp = self._client.create_namespaced_pod(body=req, namespace=pod.namespace)
>  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/apis/core_v1_api.py", line 6115, in create_namespaced_pod
>  (data) = self.create_namespaced_pod_with_http_info(namespace, body, **kwargs)
>  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/apis/core_v1_api.py", line 6206, in create_namespaced_pod_with_http_info
>  collection_formats=collection_formats)
>  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 334, in call_api
>  _return_http_data_only, collection_formats, _preload_content, _request_timeout)
>  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 168, in __call_api
>  _request_timeout=_request_timeout)
>  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/api_client.py", line 377, in request
>  body=body)
>  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 266, in POST
>  body=body)
>  File "/usr/local/lib/python3.6/site-packages/kubernetes/client/rest.py", line 222, in request
>  raise ApiException(http_resp=r)
> kubernetes.client.rest.ApiException: (403)
> Reason: Forbidden
> HTTP response headers: HTTPHeaderDict({'Cache-Control': 'no-store', 'Content-Type': 'application/json', 'Date': 'Wed, 26 Jun 2019 14:09:37 GMT', 'Content-Length': '500'})
> HTTP response body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"pods \"runandreportuuid-7f6131159da94637a0f5fbdd6b80be18\" is forbidden: unable to validate against any security context constraint: [securityContext.runAsUser: Invalid value: 65533: UID on container git-sync-clone does not match required range. Found 65533, required min: 1000000000 max: 1000009999]","reason":"Forbidden","details":{"name":"runandreportuuid-7f6131159da94637a0f5fbdd6b80be18","kind":"pods"},"code":403}
> even though the run_as_user option has been set in the cfg file as below:
> [kubernetes]
> run_as_user = 1000000000
>  
> [https://github.com/apache/airflow/blob/6afb12f0e5c18e8634daa0119d6e5797aa770b80/airflow/kubernetes/worker_configuration.py#L128]
> From here we can see the init container is always running as user 65533.
> Maybe we can use self.kube_config.worker_run_as_user instead.
> Br,



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
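
Added example (not part of the original message and not Airflow's code): a pre-flight check over a pod manifest that reports every container or initContainer whose effective runAsUser falls outside an allowed UID range, which is the condition the 403 response above reports for git-sync-clone. The function name, the sample manifest, the pod name and the container name "base" are constructed for illustration; the UID 65533 and the range 1000000000-1000009999 are the values quoted in the error.

```python
# Pre-flight UID range check on a pod manifest given as plain dicts.
# No cluster access is needed. uid_range_violations is a hypothetical helper,
# not an Airflow or Kubernetes client API.

def uid_range_violations(pod, uid_min, uid_max):
    """Return [(container_name, effective_uid), ...] for every container or
    initContainer whose effective runAsUser lies outside [uid_min, uid_max].

    The effective UID is the container's own securityContext.runAsUser when
    set, otherwise the pod-level securityContext.runAsUser. Containers with
    no explicit UID at either level are skipped: there is nothing to validate.
    """
    spec = pod.get("spec") or {}
    pod_uid = (spec.get("securityContext") or {}).get("runAsUser")
    violations = []
    for kind in ("initContainers", "containers"):
        for container in spec.get(kind) or []:
            uid = (container.get("securityContext") or {}).get("runAsUser")
            if uid is None:
                uid = pod_uid  # inherit the pod-level setting
            if uid is not None and not (uid_min <= uid <= uid_max):
                violations.append((container.get("name", "<unnamed>"), uid))
    return violations


# Constructed sample mirroring the report: the pod-level UID follows the
# configured run_as_user, but the git-sync init container pins 65533.
SAMPLE_POD = {
    "metadata": {"name": "sample-worker"},  # constructed name
    "spec": {
        "securityContext": {"runAsUser": 1000000000},
        "initContainers": [
            {"name": "git-sync-clone", "securityContext": {"runAsUser": 65533}},
        ],
        "containers": [{"name": "base"}],  # constructed; inherits pod-level UID
    },
}

if __name__ == "__main__":
    for name, uid in uid_range_violations(SAMPLE_POD, 1000000000, 1000009999):
        print(f"{name}: runAsUser {uid} is outside 1000000000-1000009999")
```

Running the same check against the manifest a scheduler is about to submit surfaces a hardcoded UID before the API server rejects the pod.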