Posted to commits@airflow.apache.org by ka...@apache.org on 2021/02/27 20:12:32 UTC
[airflow] branch master updated: Production image can be run as
root (#14226)
This is an automated email from the ASF dual-hosted git repository.
kamilbregula pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/airflow.git
The following commit(s) were added to refs/heads/master by this push:
new 7979b75 Production image can be run as root (#14226)
7979b75 is described below
commit 7979b7581cc21f9b946ca66f1f243731f4a39d74
Author: Kamil Breguła <mi...@users.noreply.github.com>
AuthorDate: Sat Feb 27 21:12:20 2021 +0100
Production image can be run as root (#14226)
* Production image can be run as root
* fixup! Production image can be run as root
* fixup! fixup! Production image can be run as root
Co-authored-by: Kamil Bregula <ka...@Kamils-MacBook-Pro.local>
Co-authored-by: Kamil Breguła <ka...@apache.org>
---
scripts/ci/libraries/_verify_image.sh | 46 ++++++++++++++++++++++++++++
scripts/in_container/prod/entrypoint_prod.sh | 13 ++++++++
2 files changed, 59 insertions(+)
diff --git a/scripts/ci/libraries/_verify_image.sh b/scripts/ci/libraries/_verify_image.sh
index 5ce9c0d..05e91c6 100644
--- a/scripts/ci/libraries/_verify_image.sh
+++ b/scripts/ci/libraries/_verify_image.sh
@@ -197,6 +197,50 @@ function verify_image::verify_production_image_python_modules() {
start_end::group_end
}
+function verify_image::verify_prod_image_as_root() {
+ start_end::group_start "Checking if the image can be run as root."
+ set +e
+ echo "Checking airflow as root"
+ local output
+ local res
+ output=$(docker run --rm --user 0 "${DOCKER_IMAGE}" "airflow" "info" 2>&1)
+ res=$?
+ if [[ ${res} == "0" ]]; then
+ echo "${COLOR_GREEN}OK${COLOR_RESET}"
+ else
+ echo "${COLOR_RED}NOK${COLOR_RESET}"
+ echo "${COLOR_BLUE}========================= OUTPUT start ============================${COLOR_RESET}"
+ echo "${output}"
+ echo "${COLOR_BLUE}========================= OUTPUT end ===========================${COLOR_RESET}"
+ IMAGE_VALID="false"
+ fi
+
+ echo "Checking root container with custom PYTHONPATH"
+ local tmp_dir
+ tmp_dir="$(mktemp -d)"
+ touch "${tmp_dir}/__init__.py"
+ echo 'print("Awesome")' >> "${tmp_dir}/awesome.py"
+ output=$(docker run \
+ --rm \
+ -e "PYTHONPATH=${tmp_dir}" \
+ -v "${tmp_dir}:${tmp_dir}" \
+ --user 0 "${DOCKER_IMAGE}" \
+ "python" "-c" "import awesome" \
+ 2>&1)
+ res=$?
+ if [[ ${res} == "0" ]]; then
+ echo "${COLOR_GREEN}OK${COLOR_RESET}"
+ else
+ echo "${COLOR_RED}NOK${COLOR_RESET}"
+ echo "${COLOR_BLUE}========================= OUTPUT start ============================${COLOR_RESET}"
+ echo "${output}"
+ echo "${COLOR_BLUE}========================= OUTPUT end ===========================${COLOR_RESET}"
+ IMAGE_VALID="false"
+ fi
+ rm -rf "${tmp_dir}"
+ set -e
+}
+
function verify_image::display_result {
if [[ ${IMAGE_VALID} == "true" ]]; then
echo
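Review bot: The custom-PYTHONPATH check only tests that `python -c "import awesome"` exits 0 (the `res` test after the second `docker run`); it does not confirm that the entrypoint kept the caller's PYTHONPATH entry usable alongside the injected site-packages, nor that airflow itself still imports under that configuration, which is the regression this check presumably exists to catch. Asserting on the captured output and importing both modules would pin that down: `"python" "-c" "import awesome, airflow"` and `if [[ ${res} == "0" && ${output} == "Awesome" ]]; then`. Separately, because the function runs under `set +e`, a failed `mktemp -d` leaves `tmp_dir` empty and the script proceeds to `touch "/__init__.py"` and `rm -rf ""`; a guard such as `[[ -n ${tmp_dir} ]] || { IMAGE_VALID="false"; return; }` right after the `mktemp` call would avoid that.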
@@ -219,6 +263,8 @@ function verify_image::verify_prod_image {
verify_image::verify_prod_image_dependencies
+ verify_image::verify_prod_image_as_root
+
verify_image::display_result
}
diff --git a/scripts/in_container/prod/entrypoint_prod.sh b/scripts/in_container/prod/entrypoint_prod.sh
index a4c4a73..12214be 100755
--- a/scripts/in_container/prod/entrypoint_prod.sh
+++ b/scripts/in_container/prod/entrypoint_prod.sh
@@ -178,6 +178,18 @@ function create_system_user_if_missing() {
fi
}
+function set_pythonpath_for_root_user() {
+ # Airflow is installed as a local user application which means that if the container is running as root
+ # the application is not available. because Python then only load system-wide applications.
+ # Now also adds applications installed as local user "airflow".
+ if [[ $UID == "0" ]]; then
+ local python_major_minor
+ python_major_minor="$(python --version | cut -d " " -f 2 | cut -d "." -f 1-2)"
+ export PYTHONPATH="${AIRFLOW_USER_HOME_DIR}/.local/lib/python${python_major_minor}/site-packages:${PYTHONPATH:-}"
+ >&2 echo "The container is run as root user. For security, consider using a regular user account."
+ fi
+}
+
function wait_for_airflow_db() {
# Verifies connection to the Airflow DB
if [[ -n "${AIRFLOW__CORE__SQL_ALCHEMY_CONN_CMD=}" ]]; then
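Review bot: The `export PYTHONPATH=...:${PYTHONPATH:-}` line produces a trailing `:` whenever PYTHONPATH is unset, i.e. an empty path element, which CPython appears to add to `sys.path` as `''` (the current working directory) — so a root process would also import modules from whatever directory it happens to run in. Building the value as `export PYTHONPATH="${site_dir}${PYTHONPATH:+:${PYTHONPATH}}"` avoids the empty element, and `${AIRFLOW_USER_HOME_DIR:?}` would catch an unset home dir rather than silently prepending `/.local/...`. It is also worth stating in the comment that this makes root import code from a directory writable by the unprivileged `airflow` user, so any code execution as that user (for example from a DAG) becomes root execution; the stderr warning hints at this but the comment should say so explicitly, e.g. `# NOTE: root will import packages from the airflow user's writable site-packages; anything that can write there runs as root.` The existing comment text "because Python then only load system-wide applications" also reads as a fragment and could be tightened to "because Python then only loads system-wide packages".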
@@ -226,6 +238,7 @@ CONNECTION_CHECK_SLEEP_TIME=${CONNECTION_CHECK_SLEEP_TIME:=3}
readonly CONNECTION_CHECK_SLEEP_TIME
create_system_user_if_missing
+set_pythonpath_for_root_user
wait_for_airflow_db
if [[ -n "${_AIRFLOW_DB_UPGRADE=}" ]] ; then