Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Python base image: create airbyte user #36544

Open
wants to merge 2 commits into
base: augustin/11-20-base-images_prompt_for_bump_type_with_optional_pre-releases
Choose a base branch
from
Open

Python base image: create airbyte user #36544

wants to merge 2 commits into from
+143 −36

Conversation

alafanechere
Copy link
Contributor

@alafanechere alafanechere commented Mar 27, 2024
edited
Loading

We want to make our python connector image use a non root user.
This PR cuts a new base image version which:

  • Creates an airbyte user
  • Make it the owner of /airbyte
  • Make it able to read the cache dir and the path to the nltk data

@vercel Vercel
Copy link

vercel bot commented Mar 27, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Skipped Deployment
Name Status Preview Comments Updated (UTC)
airbyte-docs ⬜️ Ignored (Inspect) Visit Preview Nov 20, 2024 3:45pm

@alafanechere Graphite App
Copy link
Contributor Author

alafanechere commented Mar 27, 2024
edited
Loading

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

This stack of pull requests is managed by Graphite. Learn more about stacking.

@alafanechere alafanechere mentioned this pull request Mar 27, 2024
Open
alafanechere
alafanechere commented Mar 27, 2024
View reviewed changes
airbyte-ci/connectors/base_images/base_images/hacks.py Outdated
Comment on lines 25 to 27
field
for field in list(container._ctx.selections)
if isinstance(field, dagger.client._core.Field) and field.type_name == "Container"
]
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change is due to a change in the latest dagger version

@alafanechere alafanechere force-pushed the augustin/03-27-Python_base_image_create_airbyte_user branch from 1e27a25 to 95e918c Compare March 27, 2024 13:51
@alafanechere alafanechere changed the base branch from ng/base_images/rootless to master March 27, 2024 13:51
@alafanechere alafanechere mentioned this pull request Mar 27, 2024
Closed
@alafanechere alafanechere marked this pull request as ready for review March 27, 2024 13:59
@alafanechere alafanechere requested a review from a team as a code owner March 27, 2024 13:59
erohmensing
erohmensing reviewed Mar 27, 2024
View reviewed changes
Copy link
Contributor

@erohmensing erohmensing left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll let someone else like Angel approve the functionality as I'm not comfortable saying I know all the pieces that need to change to make this change. Reviewing from a "update to base image side" and looks good

airbyte-ci/connectors/base_images/base_images/bases.py
@@ -19,6 +19,10 @@ class AirbyteConnectorBaseImage(ABC):
Please do not declare any Dagger with_exec instruction in this class as in the abstract class context we have no guarantee about the underlying system used in the base image.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this concern still apply? I assume that the commands we're using are so basic as to not be concerned, but the messaging is confusing

airbyte-ci/connectors/base_images/base_images/python/bases.py Outdated
@@ -67,7 +71,7 @@ def with_file_based_connector_dependencies(container: dagger.Container) -> dagge
- nltk data
"""
container = with_tesseract_and_poppler(container)
container = container.with_exec(["mkdir", self.nltk_data_path], skip_entrypoint=True).with_directory(
container = container.with_exec(["mkdir", "-p", "755", self.nltk_data_path], skip_entrypoint=True).with_directory(
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Optional: as we in the base class are doing the setup of the airbyte user, I think(?) that all new directories in the python base or other future bases have to be made with these permissions. Maybe in the base class we could define a method that we can use in the subsclasses to create based on the permissions required from the base.

airbyte-ci/connectors/base_images/base_images/sanity_checks.py Outdated
@@ -99,3 +99,74 @@ async def check_socat_version(container: dagger.Container, expected_socat_versio
raise errors.SanityCheckError(f"unexpected socat version: {version_number}")
else:
raise errors.SanityCheckError(f"Could not find the socat version in the version output: {socat_version_line}")


async def check_user_exists(container: dagger.Container, user: str):
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lots of sanity checks 🙏🏻

airbyte-ci/connectors/base_images/base_images/python/bases.py
Comment on lines +122 to +134
await base_sanity_checks.check_user_can_read_dir(container, self.USER, self.AIRBYTE_DIR_PATH)
await base_sanity_checks.check_user_can_read_dir(container, self.USER, self.nltk_data_path)
await base_sanity_checks.check_user_can_read_dir(container, self.USER, self.CACHE_DIR_PATH)
await base_sanity_checks.check_user_can_write_dir(container, self.USER, self.AIRBYTE_DIR_PATH)
await base_sanity_checks.check_user_cant_write_dir(container, self.USER, self.CACHE_DIR_PATH)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: For a second I thought 124 and 126 were contradicting. I think this is easier to parse when organized by file:

Suggested change
await base_sanity_checks.check_user_can_read_dir(container, self.USER, self.AIRBYTE_DIR_PATH)
await base_sanity_checks.check_user_can_read_dir(container, self.USER, self.nltk_data_path)
await base_sanity_checks.check_user_can_read_dir(container, self.USER, self.CACHE_DIR_PATH)
await base_sanity_checks.check_user_can_write_dir(container, self.USER, self.AIRBYTE_DIR_PATH)
await base_sanity_checks.check_user_cant_write_dir(container, self.USER, self.CACHE_DIR_PATH)
await base_sanity_checks.check_user_can_read_dir(container, self.USER, self.AIRBYTE_DIR_PATH)
await base_sanity_checks.check_user_can_write_dir(container, self.USER, self.AIRBYTE_DIR_PATH)
await base_sanity_checks.check_user_can_read_dir(container, self.USER, self.nltk_data_path)
await base_sanity_checks.check_user_can_read_dir(container, self.USER, self.CACHE_DIR_PATH)
await base_sanity_checks.check_user_cant_write_dir(container, self.USER, self.CACHE_DIR_PATH)

perangel
perangel reviewed Mar 27, 2024
View reviewed changes
airbyte-ci/connectors/base_images/base_images/bases.py Outdated
.with_exec(["ln", "-snf", "/usr/share/zoneinfo/Etc/UTC", "/etc/localtime"], skip_entrypoint=True)
# Install socat 1.7.4.4
.with_exec(["sh", "-c", "apt update && apt-get install -y socat=1.7.4.4-2"], skip_entrypoint=True)
.with_exec(["adduser", "--system", "--group", "--no-create-home", self.USER], skip_entrypoint=True)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
.with_exec(["adduser", "--system", "--group", "--no-create-home", self.USER], skip_entrypoint=True)
.with_exec(["adduser", "-u", "1000", "--system", "--group", "--no-create-home", self.USER], skip_entrypoint=True)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We'd like to make the uid/gid consistent with the platform images (where uid=1000(airbyte) gid=1000(airbyte))

@alafanechere alafanechere force-pushed the augustin/03-27-Python_base_image_create_airbyte_user branch from 95e918c to 13f5b18 Compare March 28, 2024 08:33
@alafanechere alafanechere force-pushed the augustin/03-27-Python_base_image_create_airbyte_user branch from 13f5b18 to 1eef8aa Compare June 6, 2024 12:30
@alafanechere alafanechere mentioned this pull request Jun 6, 2024
Closed
2 tasks
@alafanechere alafanechere force-pushed the augustin/03-27-Python_base_image_create_airbyte_user branch from 1eef8aa to c16bb07 Compare June 7, 2024 17:13
@alafanechere alafanechere force-pushed the augustin/03-27-Python_base_image_create_airbyte_user branch 2 times, most recently from c402324 to c12d318 Compare June 26, 2024 04:24
@alafanechere alafanechere force-pushed the augustin/03-27-Python_base_image_create_airbyte_user branch from c12d318 to c1d53e3 Compare November 20, 2024 13:41
@alafanechere alafanechere requested a review from a team as a code owner November 20, 2024 13:41
@alafanechere alafanechere force-pushed the augustin/03-27-Python_base_image_create_airbyte_user branch from c1d53e3 to f7a67a8 Compare November 20, 2024 14:46
@alafanechere alafanechere changed the base branch from master to augustin/11-20-base-images_prompt_for_bump_type_with_optional_pre-releases November 20, 2024 14:47
@alafanechere alafanechere mentioned this pull request Nov 20, 2024
Draft
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@erohmensing erohmensing erohmensing left review comments

@perangel perangel perangel left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@alafanechere @perangel @erohmensing