ctrought commented on issue #27318: URL: https://github.com/apache/airflow/issues/27318#issuecomment-1674954526
@potiuk If it is possible to support an arbitrary UID for airflow, then I guess it should be possible to run this under the restricted (<= OCP 4.11) restricted-v2 SCC in OpenShift (>= OCP 4.12) and the helm options for leveraging the anyuid would no longer be necessary, which is generally frowned upon, is that right?

https://airflow.apache.org/docs/helm-chart/stable/production-guide.html#security-context-constraints

```bash
$ id
uid=1002920000 gid=0(root) groups=0(root),1002920000
$ ls -l /usr/local/airflow/entrypoint.sh
-rwxrwxr--. 1 airflow airflow 5026 Sep 17 2020 /usr/local/airflow/entrypoint.sh
$ id airflow
uid=1000(airflow) gid=1000(airflow) groups=1000(airflow)
$ ls -ld /usr/local/airflow/logs
drwxrwsrwx. 21 root 1002920000 19 Apr 7 2022 /usr/local/airflow/logs
```

Although there are airflow directories with the GID set to 0, the entrypoint is not. Our goal is to do the same as @ecerulm and satisfy the restricted PSA, but also satisfy the restricted-v2 SCC in OpenShift which requires arbitrary UIDs.

```yaml
- name: worker
  state:
    waiting:
      reason: CreateContainerError
      message: >
        container create failed: time="2023-08-11T14:56:29Z" level=error
        msg="runc create failed: unable to start container process:
        eaccess /usr/local/airflow/entrypoint.sh: permission denied"
```

I suppose we can try and customize the image and modify the ownership to support this, but it would be nice if it were set with the permissions/ownership required for arbitrary UID support out of the box :) 🤞

https://airflow.apache.org/docs/docker-stack/build.html
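The permission failure reported above, worked through as an added example (not part of the original comment or of the Airflow project): it applies the classic owner/group/other selection to the `id` and `ls -l` values shown in the comment, and checks the usual arbitrary-UID layout (group 0 ownership with group bits equal to user bits). The function names are hypothetical, and ACLs, capabilities and SELinux are ignored.

```shell
#!/bin/sh
# Added example. Inputs below are the values from the comment's `id` / `ls -l` output.

# access_bits MODE FILE_UID FILE_GID PROC_UID PROC_GID...
# Prints the rwx digit (0-7) that applies to the process: owner bits if the
# UID matches, else group bits if any process GID matches, else other bits.
access_bits() (
  mode=$1; fuid=$2; fgid=$3; puid=$4
  shift 4
  perms=$(( 0$mode & 0777 ))          # drop setuid/setgid/sticky
  class=other
  for g in "$@"; do
    if [ "$g" = "$fgid" ]; then class=group; fi
  done
  if [ "$puid" = "$fuid" ]; then class=owner; fi
  case $class in
    owner) echo $(( (perms >> 6) & 7 )) ;;
    group) echo $(( (perms >> 3) & 7 )) ;;
    other) echo $(( perms & 7 )) ;;
  esac
)

# can_exec: same arguments; succeeds if the execute bit is granted.
can_exec() {
  [ $(( $(access_bits "$@") & 1 )) -eq 1 ]
}

# arbitrary_uid_ready MODE FILE_GID: succeeds if the file is group-owned by
# GID 0 and the group bits equal the user bits (the effect of
# `chgrp 0 FILE && chmod g=u FILE`).
arbitrary_uid_ready() (
  perms=$(( 0$1 & 0777 ))
  [ "$2" = "0" ] && [ $(( (perms >> 6) & 7 )) -eq $(( (perms >> 3) & 7 )) ]
)

# entrypoint.sh as shipped: -rwxrwxr-- airflow(1000):airflow(1000)
# process: uid=1002920000 groups=0,1002920000
if can_exec 774 1000 1000 1002920000 0 1002920000; then
  echo "entrypoint as shipped: executable"
else
  echo "entrypoint as shipped: EACCES (falls through to 'other' bits r--)"
fi
# Same file after chgrp 0 (mode unchanged, group bits already equal user bits)
if can_exec 774 1000 0 1002920000 0 1002920000; then
  echo "entrypoint with group 0: executable"
fi
```

To audit a real image, feed the functions from `stat -c '%a %u %g' FILE` (GNU coreutils) for each path the container must read, write or execute.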
