betodealmeida opened a new pull request, #41077:
URL: https://github.com/apache/superset/pull/41077
### SUMMARY
`docker compose up` against `master` no longer brings up a working dev
stack. Three independent regressions stacked on top of each other; this PR
fixes all of them while preserving the security goals of the original PRs.
**1. nginx wait loop loops forever (from #38161)**
`docker-compose.yml` overrides the nginx `command:` with a bash loop that
polls the webpack dev server before starting nginx. The loop has four bugs:
- Shell variable references (`$url`, `$attempt`, `$max_attempts`) are not
escaped, so Docker Compose interpolates them to empty strings before `bash`
sees them. `curl ""` fails immediately every iteration, and `[ "" -ge "" ]` is
a syntax error (non-zero return → false), so the timeout check never fires and
the loop runs forever instead of bailing at 5 min. Fixed by `$$` escaping.
- The loop polls silently — even a working loop looked like a hang during a
fresh `npm install` + first webpack compile. Added a heartbeat every ~30 s.
- The probe sends `Host: host.docker.internal:9000`, which is not in
webpack-dev-server's `allowedHosts` list
(`superset-frontend/webpack.config.js:692-701`), so the dev server returns
**403** instead of 200. Fixed by sending `-H "Host: localhost"` — the same
trick the nginx config itself uses when proxying to `superset-node`
(`docker/nginx/templates/superset.conf.template:43`).
- The override replaces nginx's default CMD, so the official nginx image's
`/docker-entrypoint.d/` scripts are skipped and
`/etc/nginx/templates/superset.conf.template` is never rendered via `envsubst`,
causing `open() "/etc/nginx/conf.d/superset.conf" failed (2: No such file or
directory)`. Fixed by `exec /docker-entrypoint.sh nginx -g 'daemon off;'` so
the image's init scripts run.
**2. Werkzeug debugger control over-reached (from #40327)**
That PR's *security goal* — keep the Werkzeug interactive debugger
(`/console`) off by default to mitigate the PIN-bypass attack in Docker — is
correct and preserved here. But the implementation also forcibly set
`FLASK_DEBUG=0`, which had an unrelated side effect:
`superset/initialization/__init__.py:996-998` picks `TALISMAN_DEV_CONFIG`
(with `'unsafe-eval'`) when `app.debug` is true and `TALISMAN_CONFIG`
otherwise. With `FLASK_DEBUG=0`, the dev stack started serving the **production
CSP**, which blocks the `eval()` that React Refresh's HMR client uses:
> Uncaught EvalError: Refused to evaluate a string as JavaScript because
> 'unsafe-eval' is not an allowed source of script…
The `FLASK_DEBUG` override also silently overrode `docker/.env`'s
`FLASK_DEBUG=true` (commented "keep 'true' for development") and any
`docker/.env-local` override, so there was no local-config escape hatch.
This PR decouples the two concerns:
- `FLASK_DEBUG=1` is always set in the dev `app` entrypoint (this restores
`app.debug = True` so the dev CSP is served and HMR works).
- `--debugger` / `--no-debugger` (the actual control for `/console`) is
still gated on `SUPERSET_DEBUG_ENABLED=true`, defaulting to `--no-debugger`.
Verified after the fix: `GET /console` still returns **404** in the default
setup — the security mitigation is intact. Only the CSP regression is reverted.
### TESTING INSTRUCTIONS
1. Clean environment:
```bash
docker compose down -v
```
2. Start the dev stack:
```bash
docker compose up
```
3. Watch the nginx logs — you should see `Waiting for webpack dev server…`,
a few `Still waiting…` heartbeats during the first build, then `Webpack dev
server is ready; starting nginx.` followed by the standard
`docker-entrypoint.sh` init log lines.
4. Open http://localhost — the UI should load and the browser console should
be clean (no `EvalError` from React Refresh).
5. Confirm the security mitigation is intact:
```bash
curl -sI http://localhost:8088/console # expect HTTP/1.1 404 NOT FOUND
```
6. Confirm the opt-in still works:
```bash
SUPERSET_DEBUG_ENABLED=true docker compose up
# superset container logs: "⚠️ Werkzeug debugger enabled"
curl -sI http://localhost:8088/console # expect 200 with PIN prompt
```
7. Confirm the dev CSP is served:
```bash
docker exec superset-superset-1 curl -sI http://localhost:8088/health \
| grep -oE "script-src[^;]*"
# expect: script-src 'self' 'unsafe-inline' 'unsafe-eval' 'nonce-…'
```
### ADDITIONAL INFORMATION
- [x] Has associated issue: regression of #38161 (nginx wait loop bugs) and
#40327 (CSP side effect)
- [ ] Required feature flags:
- [ ] Changes UI
- [ ] Includes DB Migration
- [ ] Introduces new feature or API
- [ ] Removes existing feature or API
--
This is an automated message from the Apache Git Service.
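To make regression 1 concrete, here is an added example (not code from the PR or from Superset) with a simplified model of Docker Compose's `$`-interpolation; the wait-loop string is a constructed approximation of the nginx `command:` in `docker-compose.yml`, not the file's actual contents.

```python
import re

# Simplified model of the interpolation Docker Compose applies to a
# docker-compose.yml string before the container's shell sees it.
# Assumption: only these forms are modelled (real Compose also handles
# ${VAR-default}, ${VAR:?err}, ...):
#   $$               -> a literal "$", passed through to bash
#   $VAR / ${VAR}    -> value from the Compose environment ("" if unset)
#   ${VAR:-default}  -> value, or `default` if unset or empty
_REF = re.compile(r"\$(?:(\$)|(\w+)|\{(\w+)(?::-([^}]*))?\})")


def compose_interpolate(template: str, env: dict) -> str:
    """Return the string bash would receive for a given Compose environment."""
    def repl(m):
        escaped, bare, braced, default = m.groups()
        if escaped:
            return "$"
        value = env.get(bare or braced)
        if default is not None and not value:
            return default
        return value or ""
    return _REF.sub(repl, template)


def unescaped_refs(template: str) -> list:
    """Lint check: shell variables Compose would consume instead of bash."""
    names = []
    for m in _REF.finditer(template):
        name = m.group(2) or m.group(3)
        if name and name not in names:
            names.append(name)
    return names


# Constructed approximation of the nginx wait loop, written the naive way
# (shell variables unescaped), which is exactly the mistake the PR fixes.
UNESCAPED_LOOP = (
    'url=http://host.docker.internal:9000; attempt=0; max_attempts=60; '
    'while ! curl -sf -o /dev/null -H "Host: localhost" "$url"; do '
    'attempt=$((attempt+1)); [ "$attempt" -ge "$max_attempts" ] && exit 1; '
    'sleep 5; done'
)
# The fix: every "$" meant for bash is written as "$$" in the YAML.
ESCAPED_LOOP = UNESCAPED_LOOP.replace("$", "$$")

if __name__ == "__main__":
    # None of url/attempt/max_attempts exists in the Compose environment.
    print(compose_interpolate(UNESCAPED_LOOP, {}))  # curl ... "" and [ "" -ge "" ]
    print(compose_interpolate(ESCAPED_LOOP, {}))    # identical to UNESCAPED_LOOP
```

`unescaped_refs` is the check to run over any `command:` override before committing it: a non-empty result means Compose, not bash, will expand those names.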
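A model of the decoupled controls from section 2 together with the CSP check from testing step 7, added here and not taken from the PR or Superset; the Talisman dicts and the two entrypoint functions are constructed stand-ins, and only the selection rule (dev CSP when `app.debug`) and the environment variable names come from the description.

```python
# Constructed stand-ins for Superset's two Talisman configs; only script-src
# matters for the React Refresh HMR check described in the PR.
TALISMAN_CONFIG = {"script-src": ["'self'"]}
TALISMAN_DEV_CONFIG = {"script-src": ["'self'", "'unsafe-inline'", "'unsafe-eval'"]}

TRUTHY = {"1", "true", "t", "yes", "on"}  # assumption: Flask-style truthiness


def regressed_entrypoint(env: dict) -> dict:
    """Behaviour after #40327: debugger off, but FLASK_DEBUG also forced to 0."""
    return {"FLASK_DEBUG": "0", "debugger_flag": "--no-debugger"}


def fixed_entrypoint(env: dict) -> dict:
    """This PR: FLASK_DEBUG is always 1; only /console is gated on the opt-in."""
    opt_in = env.get("SUPERSET_DEBUG_ENABLED", "").lower() == "true"
    return {"FLASK_DEBUG": "1",
            "debugger_flag": "--debugger" if opt_in else "--no-debugger"}


def select_csp(flask_debug: str) -> dict:
    """Mirror the initialization rule: dev CSP only when app.debug is true."""
    app_debug = flask_debug.lower() in TRUTHY
    return TALISMAN_DEV_CONFIG if app_debug else TALISMAN_CONFIG


def render_csp(config: dict) -> str:
    """Serialise a config into a Content-Security-Policy header value."""
    return "; ".join(f"{name} {' '.join(srcs)}" for name, srcs in config.items())


def script_src_allows_eval(csp_header: str) -> bool:
    """What step 7's grep checks, parsed per directive rather than by regex."""
    for directive in csp_header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "script-src":
            return "'unsafe-eval'" in tokens[1:]
    return False


def dev_stack_outcome(entrypoint, env: dict) -> dict:
    """Summarise what a developer gets: does HMR work, is /console exposed?"""
    args = entrypoint(env)
    csp = render_csp(select_csp(args["FLASK_DEBUG"]))
    return {"hmr_works": script_src_allows_eval(csp),
            "console_exposed": args["debugger_flag"] == "--debugger"}
```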