Posted to commits@airflow.apache.org by ka...@apache.org on 2021/02/27 20:12:32 UTC

[airflow] branch master updated: Production image can be run as root (#14226)

This is an automated email from the ASF dual-hosted git repository.

kamilbregula pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/airflow.git


The following commit(s) were added to refs/heads/master by this push:
     new 7979b75  Production image can be run as root (#14226)
7979b75 is described below

commit 7979b7581cc21f9b946ca66f1f243731f4a39d74
Author: Kamil Breguła <mi...@users.noreply.github.com>
AuthorDate: Sat Feb 27 21:12:20 2021 +0100

    Production image can be run as root (#14226)
    
    * Production image can be run as root
    
    * fixup! Production image can be run as root
    
    * fixup! fixup! Production image can be run as root
    
    Co-authored-by: Kamil Bregula <ka...@Kamils-MacBook-Pro.local>
    Co-authored-by: Kamil Breguła <ka...@apache.org>
---
 scripts/ci/libraries/_verify_image.sh        | 46 ++++++++++++++++++++++++++++
 scripts/in_container/prod/entrypoint_prod.sh | 13 ++++++++
 2 files changed, 59 insertions(+)

diff --git a/scripts/ci/libraries/_verify_image.sh b/scripts/ci/libraries/_verify_image.sh
index 5ce9c0d..05e91c6 100644
--- a/scripts/ci/libraries/_verify_image.sh
+++ b/scripts/ci/libraries/_verify_image.sh
@@ -197,6 +197,50 @@ function verify_image::verify_production_image_python_modules() {
     start_end::group_end
 }
 
+function verify_image::verify_prod_image_as_root() {
+    start_end::group_start "Checking if the image can be run as root."
+    set +e
+    echo "Checking airflow as root"
+    local output
+    local res
+    output=$(docker run --rm --user 0 "${DOCKER_IMAGE}" "airflow" "info" 2>&1)
+    res=$?
+    if [[ ${res} == "0" ]]; then
+        echo "${COLOR_GREEN}OK${COLOR_RESET}"
+    else
+        echo "${COLOR_RED}NOK${COLOR_RESET}"
+        echo "${COLOR_BLUE}========================= OUTPUT start ============================${COLOR_RESET}"
+        echo "${output}"
+        echo "${COLOR_BLUE}========================= OUTPUT end   ===========================${COLOR_RESET}"
+        IMAGE_VALID="false"
+    fi
+
+    echo "Checking root container with custom PYTHONPATH"
+    local tmp_dir
+    tmp_dir="$(mktemp -d)"
+    touch "${tmp_dir}/__init__.py"
+    echo 'print("Awesome")' >> "${tmp_dir}/awesome.py"
+    output=$(docker run \
+        --rm \
+        -e "PYTHONPATH=${tmp_dir}" \
+        -v "${tmp_dir}:${tmp_dir}" \
+        --user 0 "${DOCKER_IMAGE}" \
+            "python" "-c" "import awesome" \
+        2>&1)
+    res=$?
+    if [[ ${res} == "0" ]]; then
+        echo "${COLOR_GREEN}OK${COLOR_RESET}"
+    else
+        echo "${COLOR_RED}NOK${COLOR_RESET}"
+        echo "${COLOR_BLUE}========================= OUTPUT start ============================${COLOR_RESET}"
+        echo "${output}"
+        echo "${COLOR_BLUE}========================= OUTPUT end   ===========================${COLOR_RESET}"
+        IMAGE_VALID="false"
+    fi
+    rm -rf "${tmp_dir}"
+    set -e
+}
+
 function verify_image::display_result {
     if [[ ${IMAGE_VALID} == "true" ]]; then
         echo
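Review bot: `tmp_dir="$(mktemp -d)"` is unchecked, and because the function has just switched to `set +e`, a failed mktemp leaves `tmp_dir` empty so the following `touch` and `echo >>` write `/__init__.py` and `/awesome.py` on the host before the `rm -rf "${tmp_dir}"` cleanup fails. A guard such as `tmp_dir="$(mktemp -d)" || { echo "${COLOR_RED}mktemp failed${COLOR_RESET}"; IMAGE_VALID="false"; set -e; return; }` keeps the check from touching anything outside a fresh temporary directory. The same `set +e`/`set -e` bracket also means any early exit between the two leaves the temp directory behind; a `trap 'rm -rf "${tmp_dir}"' RETURN` after mktemp would cover that. It would also help to say in a comment why the second check mounts the directory at the same path inside the container, e.g. `# PYTHONPATH must point at the in-container path, so mount tmp_dir at its host path.`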
@@ -219,6 +263,8 @@ function verify_image::verify_prod_image {
 
     verify_image::verify_prod_image_dependencies
 
+    verify_image::verify_prod_image_as_root
+
     verify_image::display_result
 }
 
diff --git a/scripts/in_container/prod/entrypoint_prod.sh b/scripts/in_container/prod/entrypoint_prod.sh
index a4c4a73..12214be 100755
--- a/scripts/in_container/prod/entrypoint_prod.sh
+++ b/scripts/in_container/prod/entrypoint_prod.sh
@@ -178,6 +178,18 @@ function create_system_user_if_missing() {
     fi
 }
 
+function set_pythonpath_for_root_user() {
+    # Airflow is installed as a local user application which means that if the container is running as root
+    # the application is not available. because Python then only load system-wide applications.
+    # Now also adds applications installed as local user "airflow".
+    if [[ $UID == "0" ]]; then
+        local python_major_minor
+        python_major_minor="$(python --version | cut -d " " -f 2 | cut -d "." -f 1-2)"
+        export PYTHONPATH="${AIRFLOW_USER_HOME_DIR}/.local/lib/python${python_major_minor}/site-packages:${PYTHONPATH:-}"
+        >&2 echo "The container is run as root user. For security, consider using a regular user account."
+    fi
+}
+
 function wait_for_airflow_db() {
     # Verifies connection to the Airflow DB
     if [[ -n "${AIRFLOW__CORE__SQL_ALCHEMY_CONN_CMD=}" ]]; then
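Review bot: `python --version | cut -d " " -f 2 | cut -d "." -f 1-2` is a fragile way to derive the site-packages directory: it depends on the exact "Python X.Y.Z" wording and on the version going to stdout (older interpreters print it to stderr, which would yield an empty `python_major_minor` and a bogus PYTHONPATH entry). `python_major_minor="$(python -c 'import sys; print("%d.%d" % sys.version_info[:2])')"` is exact and version-independent. The comment above the `if` should also state the trust consequence of this change, since root will now import code from a directory owned by the unprivileged `airflow` user; something like `# NOTE: as root, modules under ${AIRFLOW_USER_HOME_DIR}/.local are imported with root privileges, so that tree must stay writable only by the intended user.` If `AIRFLOW_USER_HOME_DIR` can be unset when this runs (I cannot see where it is defined), the path silently becomes `/.local/...`; a `${AIRFLOW_USER_HOME_DIR:?}` expansion would surface that.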
@@ -226,6 +238,7 @@ CONNECTION_CHECK_SLEEP_TIME=${CONNECTION_CHECK_SLEEP_TIME:=3}
 readonly CONNECTION_CHECK_SLEEP_TIME
 
 create_system_user_if_missing
+set_pythonpath_for_root_user
 wait_for_airflow_db
 
 if [[ -n "${_AIRFLOW_DB_UPGRADE=}" ]] ; then