Re: [PR] fix: allow production image to run with arbitrary UIDs on Podman [airflow]

Fri, 06 Mar 2026 02:33:40 -0800 


SakshamSinghal20 commented on PR #62318:
URL: https://github.com/apache/airflow/pull/62318#issuecomment-4010925545

   Thank you @potiuk, @Ajay9704, and @MCollier24 for the detailed feedback. I 
understand the concerns raised and I'd like to address them:
   
   ## Key Issues Identified
   
   1. **Root cause**: The issue stems from Podman's `keep-id` namespace mode 
automatically creating a user in `/etc/passwd` with the wrong HOME directory 
(`/opt/airflow` instead of `/home/airflow`). This prevents Python from finding 
packages in `$HOME/.local`.
   
   2. **Current approach problems**: My changes modified the Dockerfile in ways 
that are Podman-specific and could break Docker compatibility. Specifically:
      - Changing group permissions and ownership patterns that work well for 
Docker users
      - Not detecting whether the container is running in Podman vs Docker
   
   ## Proposed Next Steps
   
   1. **Fix static checks first**: Run `breeze run --all-files` to resolve the 
failing static checks as suggested by @Ajay9704.
   
   2. **Implement Podman detection**: As @potiuk suggested, modify the 
`create_system_user_if_missing` function to:
      - Detect if running under Podman (possibly by checking for 
Podman-specific environment variables or filesystem indicators)
      - Run in an idempotent manner as @MCollier24 suggested - always verify 
and adjust HOME directory for the current user
      - Only apply Podman-specific fixes when Podman is detected, maintaining 
backward compatibility with Docker
   
   3. **Keep the `g=u` change**: This seems like a beneficial change that 
doesn't break Docker.
   
   4. **Add CI tests for Podman**: If we want Podman to be officially 
supported, we should add CI tests to prevent regressions.
   
   I'll work on a revised approach that:
   - Detects the container runtime environment
   - Fixes the HOME directory issue for Podman without modifying Docker behavior
   - Ensures the solution works for both rootless and non-rootless 
configurations
   
   Would this approach address your concerns? Any suggestions on the best way 
to detect Podman vs Docker at runtime?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to