Chart docs: note uid write permissions for existing pvc #17170

Merged
merged 3 commits into from
Jul 22, 2021


jedcunningham
Member

Simple note to clarify that the Airflow user needs write permission on existing PVCs.

@github-actions github-actions bot added the okay to merge It's ok to merge this PR as it does not require more tests label Jul 22, 2021
@github-actions

The PR is likely OK to be merged with just a subset of tests for default Python and Database versions without running the full matrix of tests, because it does not modify the core of Airflow. If the committers decide that the full tests matrix is needed, they will add the label 'full tests needed'. Then you should rebase to the latest main or amend the last commit of the PR, and push it with --force-with-lease.

@kaxil kaxil merged commit ccf3d45 into apache:main Jul 22, 2021
@kaxil kaxil deleted the chart_log_docs branch July 22, 2021 18:41
@kaxil
Member

kaxil commented Jul 22, 2021

Tested this locally -- works fine.

@potiuk
Member

potiuk commented Jul 22, 2021

Technically speaking you need 'root' (0) group write access @jedcunningham @kaxil

@potiuk
Member

potiuk commented Jul 22, 2021

You can run airflow images with any user as long as you run it with group = 0

@potiuk
Member

potiuk commented Jul 22, 2021

Such an arbitrary user has to be able to write to certain directories that need write access, and since it is not advised to allow write access to “other” for security reasons, the OpenShift guidelines introduced the concept of making all such folders have the 0 (root) group id (GID). All the directories that need write access in the Airflow production image have GID set to 0 (and they are writable for the group). We are following that concept and all the directories that need write access follow that.

The GID=0 is set as default for the airflow user, so any directories it creates have GID set to 0 by default. The entrypoint sets umask to be 0002 - this means that any directories created by the user have also “group write” access for group 0 - they will be writable by other users with root group. Also whenever any “arbitrary” user creates a folder (for example in a mounted volume), that folder will have a “group write” access and GID=0, so that execution with another, arbitrary user will still continue to work, even if such directory is mounted by another arbitrary user later.

@jedcunningham
Member Author

Thanks @potiuk, I somehow never quite connected the dots previously. I've opened #17177 to fix it up.
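
The group-0 convention described in the comments above, as an added example that is not part of this PR or of the Airflow project: a POSIX shell check that a directory (for instance the mount point of an existing PVC) has group owner 0, is group-writable and is not writable by "other", plus a helper that shows what `umask 0002` does to newly created directories. The function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of Airflow.

# Print "<gid> <permission string>" for a path, using numeric ids (POSIX ls).
dir_gid_and_perms() {
    ls -ldn -- "$1" | awk '{ print $4, substr($1, 1, 10) }'
}

# check_group_writable DIR [GID]
# Succeeds only if DIR has group owner GID (default 0, the root group), the
# group write bit is set, and "other" has no write access.
check_group_writable() {
    dir=$1
    want_gid=${2:-0}
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 2; }
    info=$(dir_gid_and_perms "$dir")
    gid=${info%% *}
    perms=${info#* }
    if [ "$gid" != "$want_gid" ]; then
        echo "$dir: group is $gid, expected $want_gid"; return 1
    fi
    case $perms in
        ?????w*) ;;
        *) echo "$dir: no group write bit ($perms)"; return 1 ;;
    esac
    case $perms in
        ????????w*) echo "$dir: writable by other ($perms)"; return 1 ;;
    esac
    echo "$dir: ok ($perms, gid $gid)"
}

# Create DIR under the given umask (in a subshell, so the caller's umask is
# unchanged) and print the resulting permission string.
mkdir_under_umask() {
    ( umask "$1" && mkdir -- "$2" ) || return 1
    info=$(dir_gid_and_perms "$2")
    echo "${info#* }"
}

# Usage: sh check.sh /path/to/mounted/volume [gid]
if [ $# -gt 0 ]; then
    check_group_writable "$@"
fi
```

Run against a volume mount path, it prints the first failed condition; the optional second argument overrides the expected GID for testing outside a container.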

Labels
area:helm-chart Airflow Helm Chart kind:documentation okay to merge It's ok to merge this PR as it does not require more tests