From 7979b7581cc21f9b946ca66f1f243731f4a39d74 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kamil=20Bregu=C5=82a?=
Date: Sat, 27 Feb 2021 21:12:20 +0100
Subject: [PATCH] Production image can be run as root (#14226)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
* Production image can be run as root
* fixup! Production image can be run as root
* fixup! fixup! Production image can be run as root
Co-authored-by: Kamil Bregula
Co-authored-by: Kamil BreguĊ‚a
---
 scripts/ci/libraries/_verify_image.sh | 46 ++++++++++++++++++++
 scripts/in_container/prod/entrypoint_prod.sh | 13 ++++++
 2 files changed, 59 insertions(+)
diff --git a/scripts/ci/libraries/_verify_image.sh b/scripts/ci/libraries/_verify_image.sh
index 5ce9c0d3a92d8..05e91c6b0e6c7 100644
--- a/scripts/ci/libraries/_verify_image.sh
+++ b/scripts/ci/libraries/_verify_image.sh
@@ -197,6 +197,50 @@ function verify_image::verify_production_image_python_modules() {
 start_end::group_end
 }
+function verify_image::verify_prod_image_as_root() {
+ start_end::group_start "Checking if the image can be run as root."
+ set +e
+ echo "Checking airflow as root"
+ local output
+ local res
+ output=$(docker run --rm --user 0 "${DOCKER_IMAGE}" "airflow" "info" 2>&1)
+ res=$?
+ if [[ ${res} == "0" ]]; then
+ echo "${COLOR_GREEN}OK${COLOR_RESET}"
+ else
+ echo "${COLOR_RED}NOK${COLOR_RESET}"
+ echo "${COLOR_BLUE}========================= OUTPUT start ============================${COLOR_RESET}"
+ echo "${output}"
+ echo "${COLOR_BLUE}========================= OUTPUT end ===========================${COLOR_RESET}"
+ IMAGE_VALID="false"
+ fi
+
+ echo "Checking root container with custom PYTHONPATH"
+ local tmp_dir
+ tmp_dir="$(mktemp -d)"
+ touch "${tmp_dir}/__init__.py"
+ echo 'print("Awesome")' >> "${tmp_dir}/awesome.py"
+ output=$(docker run \
+ --rm \
+ -e "PYTHONPATH=${tmp_dir}" \
+ -v "${tmp_dir}:${tmp_dir}" \
+ --user 0 "${DOCKER_IMAGE}" \
+ "python" "-c" "import awesome" \
+ 2>&1)
+ res=$?
+ if [[ ${res} == "0" ]]; then
+ echo "${COLOR_GREEN}OK${COLOR_RESET}"
+ else
+ echo "${COLOR_RED}NOK${COLOR_RESET}"
+ echo "${COLOR_BLUE}========================= OUTPUT start ============================${COLOR_RESET}"
+ echo "${output}"
+ echo "${COLOR_BLUE}========================= OUTPUT end ===========================${COLOR_RESET}"
+ IMAGE_VALID="false"
+ fi
+ rm -rf "${tmp_dir}"
+ set -e
+}
+
 function verify_image::display_result {
 if [[ ${IMAGE_VALID} == "true" ]]; then
 echo
@@ -219,6 +263,8 @@ function verify_image::verify_prod_image {
 verify_image::verify_prod_image_dependencies
+ verify_image::verify_prod_image_as_root
+
 verify_image::display_result
 }
diff --git a/scripts/in_container/prod/entrypoint_prod.sh b/scripts/in_container/prod/entrypoint_prod.sh
index a4c4a73d1623e..12214be8a1bac 100755
--- a/scripts/in_container/prod/entrypoint_prod.sh
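Review bot: verify_prod_image_as_root opens a log group with `start_end::group_start` but never calls `start_end::group_end`, while the sibling verify_production_image_python_modules visible as context closes its group before `}`; add `start_end::group_end` right before `set -e` so this check matches the others. Because `set +e` is in effect, the result of `tmp_dir="$(mktemp -d)"` is never checked, and an empty tmp_dir would make `touch "${tmp_dir}/__init__.py"` target `/__init__.py` on the CI host and hand `-v ":"` to docker; check it first, e.g. `tmp_dir="$(mktemp -d)" || { IMAGE_VALID="false"; set -e; return; }`. The two OK/NOK reporting blocks are identical and could be one helper taking `${res}` and `${output}`, and `>>` on the just-created awesome.py can simply be `>`.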
+++ b/scripts/in_container/prod/entrypoint_prod.sh
@@ -178,6 +178,18 @@ function create_system_user_if_missing() {
 fi
 }
+function set_pythonpath_for_root_user() {
+ # Airflow is installed as a local user application which means that if the container is running as root
+ # the application is not available. because Python then only load system-wide applications.
+ # Now also adds applications installed as local user "airflow".
+ if [[ $UID == "0" ]]; then
+ local python_major_minor
+ python_major_minor="$(python --version | cut -d " " -f 2 | cut -d "." -f 1-2)"
+ export PYTHONPATH="${AIRFLOW_USER_HOME_DIR}/.local/lib/python${python_major_minor}/site-packages:${PYTHONPATH:-}"
+ >&2 echo "The container is run as root user. For security, consider using a regular user account."
+ fi
+}
+
 function wait_for_airflow_db() {
 # Verifies connection to the Airflow DB
 if [[ -n "${AIRFLOW__CORE__SQL_ALCHEMY_CONN_CMD=}" ]]; then
@@ -226,6 +238,7 @@ CONNECTION_CHECK_SLEEP_TIME=${CONNECTION_CHECK_SLEEP_TIME:=3}
 readonly CONNECTION_CHECK_SLEEP_TIME
 create_system_user_if_missing
+set_pythonpath_for_root_user
 wait_for_airflow_db
 if [[ -n "${_AIRFLOW_DB_UPGRADE=}" ]] ; then
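Review bot: The `export PYTHONPATH=...site-packages:${PYTHONPATH:-}` line leaves a trailing `:` whenever PYTHONPATH is unset, and CPython treats an empty PYTHONPATH entry as the current working directory, so a root-run container would also import modules from wherever it happens to be started — a module-shadowing risk the added stderr warning does not cover; confirm against the image's interpreter, then use `export PYTHONPATH="${AIRFLOW_USER_HOME_DIR}/.local/lib/python${python_major_minor}/site-packages${PYTHONPATH:+:${PYTHONPATH}}"`. Deriving the version with `python --version | cut -d " " -f 2 | cut -d "." -f 1-2` depends on the banner's exact layout and on it going to stdout; `python -c 'import sys; print("%d.%d" % sys.version_info[:2])'` is sturdier. The added comment also deserves one line stating the trade-off the warning alludes to: root now imports code from a site-packages tree owned by the unprivileged airflow user. Its second line has a broken sentence in "not available. because Python then only load"; suggest "is not available, because Python then only loads system-wide packages. This also adds packages installed for the local user \"airflow\".".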