You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2021/07/22 18:25:33 UTC

[GitHub] [airflow] jedcunningham opened a new pull request #17170: Chart docs: note uid write permissions for existing pvc

jedcunningham opened a new pull request #17170:
URL: https://github.com/apache/airflow/pull/17170


   Simple note to clarify the Airflow user needs write permission on existing pvc's.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] potiuk commented on pull request #17170: Chart docs: note uid write permissions for existing pvc

Posted by GitBox <gi...@apache.org>.
potiuk commented on pull request #17170:
URL: https://github.com/apache/airflow/pull/17170#issuecomment-885168160


   See https://airflow.apache.org/docs/docker-stack/entrypoint.html#allowing-arbitrary-user-to-run-the-container


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] potiuk commented on pull request #17170: Chart docs: note uid write permissions for existing pvc

Posted by GitBox <gi...@apache.org>.
potiuk commented on pull request #17170:
URL: https://github.com/apache/airflow/pull/17170#issuecomment-885164009


   You can run airflow images with any user as long as you run it with group = 0


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] jedcunningham commented on pull request #17170: Chart docs: note uid write permissions for existing pvc

Posted by GitBox <gi...@apache.org>.
jedcunningham commented on pull request #17170:
URL: https://github.com/apache/airflow/pull/17170#issuecomment-885216633


   Thanks @potiuk, I somehow never quite connected the dots previously. I've opened #17177 to fix it up.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] potiuk commented on pull request #17170: Chart docs: note uid write permissions for existing pvc

Posted by GitBox <gi...@apache.org>.
potiuk commented on pull request #17170:
URL: https://github.com/apache/airflow/pull/17170#issuecomment-885169362


   Such arbitrary user has to be able to write to certain directories that needs write access, and since it is not advised to allow write access to “other” for security reasons, the OpenShift guidelines introduced the concept of making all such folders have the 0 (root) group id (GID). All the directories that need write access in the Airflow production image have GID set to 0 (and they are writable for the group). We are following that concept and all the directories that need write access follow that.
   
   The GID=0 is set as default for the airflow user, so any directories it creates have GID set to 0 by default. The entrypoint sets umask to be 0002 - this means that any directories created by the user have also “group write” access for group 0 - they will be writable by other users with root group. Also whenever any “arbitrary” user creates a folder (for example in a mounted volume), that folder will have a “group write” access and GID=0, so that execution with another, arbitrary user will still continue to work, even if such directory is mounted by another arbitrary user later.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] potiuk commented on pull request #17170: Chart docs: note uid write permissions for existing pvc

Posted by GitBox <gi...@apache.org>.
potiuk commented on pull request #17170:
URL: https://github.com/apache/airflow/pull/17170#issuecomment-885163399


   Technically  speaking you need 'root' (0) group write access @jedcunningham @kaxil 


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] kaxil commented on pull request #17170: Chart docs: note uid write permissions for existing pvc

Posted by GitBox <gi...@apache.org>.
kaxil commented on pull request #17170:
URL: https://github.com/apache/airflow/pull/17170#issuecomment-885147047


   Tested this locally -- works fine.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] kaxil merged pull request #17170: Chart docs: note uid write permissions for existing pvc

Posted by GitBox <gi...@apache.org>.
kaxil merged pull request #17170:
URL: https://github.com/apache/airflow/pull/17170


   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] github-actions[bot] commented on pull request #17170: Chart docs: note uid write permissions for existing pvc

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on pull request #17170:
URL: https://github.com/apache/airflow/pull/17170#issuecomment-885145749


   The PR is likely OK to be merged with just subset of tests for default Python and Database versions without running the full matrix of tests, because it does not modify the core of Airflow. If the committers decide that the full tests matrix is needed, they will add the label 'full tests needed'. Then you should rebase to the latest main or amend the last commit of the PR, and push it with --force-with-lease.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

[GitHub] [airflow] kaxil commented on a change in pull request #17170: Chart docs: note uid write permissions for existing pvc

Posted by GitBox <gi...@apache.org>.
kaxil commented on a change in pull request #17170:
URL: https://github.com/apache/airflow/pull/17170#discussion_r675073063



##########
File path: docs/helm-chart/manage-logs.rst
##########
@@ -75,6 +75,8 @@ In this approach, Airflow will log to an existing ``ReadWriteMany`` PVC. You pas
       --set logs.persistence.enabled=true \
       --set logs.persistence.existingClaim=my-volume-claim
 
+Note that the Airflow user (default uid 50000) needs write permission on the volume.

Review comment:
       ```suggestion
   Note that the Airflow user (default uid ``50000``) needs write permission on the volume.
   ```




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org