Skip to content

Use check permissions script and consolidation #1053

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 7 commits into from
Apr 9, 2025
Merged

Use check permissions script and consolidation #1053

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
e3aef2d
consolidate docker image with fix image size PRs
maltesander Apr 7, 2025
ed14561
adapted changelog
maltesander Apr 7, 2025
4e45c47
use $HOME for permissions check instead of /stackable
maltesander Apr 7, 2025
21bdea6
fix intendation
maltesander Apr 7, 2025
969173e
fix intendation 2
maltesander Apr 7, 2025
3a8a74f
fix
maltesander Apr 7, 2025
136a535
Merge remote-tracking branch 'origin/main' into fix/superset-fix-size…
maltesander Apr 9, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,8 @@ All notable changes to this project will be documented in this file.
`check-permissions-ownership.sh` provided in stackable-base image ([#1027]).
- opa: check for correct permissions and ownerships in /stackable folder via
`check-permissions-ownership.sh` provided in stackable-base image ([#1038]).
- superset: check for correct permissions and ownerships in /stackable folder via
`check-permissions-ownership.sh` provided in stackable-base image ([#1053]).
- trino: check for correct permissions and ownerships in /stackable folder via
`check-permissions-ownership.sh` provided in stackable-base image ([#1025]).

Expand Down Expand Up @@ -48,6 +50,7 @@ All notable changes to this project will be documented in this file.
[#1042]: https://github.com/stackabletech/docker-images/pull/1042
[#1044]: https://github.com/stackabletech/docker-images/pull/1044
[#1050]: https://github.com/stackabletech/docker-images/pull/1050
[#1053]: https://github.com/stackabletech/docker-images/pull/1053
[#1054]: https://github.com/stackabletech/docker-images/pull/1054

## [25.3.0] - 2025-03-21
Expand Down
51 changes: 29 additions & 22 deletions superset/Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -114,13 +114,15 @@ RUN python3 -m venv /stackable/app \
&& if [ -n "$AUTHLIB" ]; then pip install Authlib==${AUTHLIB}; fi && \
pip install --no-cache-dir /tmp/opa_authorizer-0.1.0-py3-none-any.whl

COPY --from=statsd_exporter-builder /statsd_exporter/statsd_exporter /stackable/statsd_exporter
COPY superset/stackable/patches /patches
RUN /patches/apply_patches.sh ${PRODUCT}

WORKDIR /stackable
RUN source /stackable/app/bin/activate && cyclonedx-py environment --schema-version 1.5 --outfile app/superset-${PRODUCT}.cdx.json

COPY --from=statsd_exporter-builder /statsd_exporter/statsd_exporter /stackable/statsd_exporter
RUN <<EOF
/patches/apply_patches.sh ${PRODUCT}
cd /stackable
source /stackable/app/bin/activate && cyclonedx-py environment --schema-version 1.5 --outfile app/superset-${PRODUCT}.cdx.json
chmod --recursive g=u /stackable
EOF

# Final image
FROM stackable/image/vector
Expand All @@ -131,12 +133,12 @@ ARG RELEASE
ARG STACKABLE_USER_UID

LABEL name="Apache Superset" \
maintainer="[email protected]" \
vendor="Stackable GmbH" \
version="${PRODUCT}" \
release="${RELEASE}" \
summary="The Stackable image for Apache Superset." \
description="This image is deployed by the Stackable Operator for Apache Superset."
maintainer="[email protected]" \
vendor="Stackable GmbH" \
version="${PRODUCT}" \
release="${RELEASE}" \
summary="The Stackable image for Apache Superset." \
description="This image is deployed by the Stackable Operator for Apache Superset."

ENV FLASK_APP="superset.app:create_app()" \
FLASK_ENV="production" \
Expand All @@ -145,6 +147,10 @@ ENV FLASK_APP="superset.app:create_app()" \
ENV PATH="${HOME}/app/bin:${PATH}" \
PYTHONPATH="${HOME}/app/pythonpath"

COPY superset/licenses /licenses

COPY --from=builder --chown=${STACKABLE_USER_UID}:0 /stackable/ ${HOME}/

RUN <<EOF
microdnf update
microdnf install \
Expand All @@ -157,22 +163,23 @@ microdnf install \

microdnf clean all
rm -rf /var/cache/yum

# All files and folders owned by root group to support running as arbitrary users.
# This is best practice as all container users will belong to the root group (0).
chown -R "${STACKABLE_USER_UID}:0" /stackable
chmod -R g=u /stackable
EOF

COPY superset/licenses /licenses
# ----------------------------------------
# Checks
# This section is to run final checks to ensure the created final images
# adhere to several minimal requirements like:
# - check file permissions and ownerships
# ----------------------------------------

COPY --from=builder --chown=${STACKABLE_USER_UID}:0 /stackable/ ${HOME}/
# Check that permissions and ownership in ${HOME} are set correctly
# This will fail and stop the build if any mismatches are found.
RUN <<EOF
/bin/check-permissions-ownership.sh ${HOME} ${STACKABLE_USER_UID} 0
EOF

# ----------------------------------------
# Attention: We are changing the group of all files in /stackable directly above
# If you do any file based actions (copying / creating etc.) below this comment you
# absolutely need to make sure that the correct permissions are applied!
# chown ${STACKABLE_USER_UID}:0
# Attention: Do not perform any file based actions (copying/creating etc.) below this comment because the permissions would not be checked.
# ----------------------------------------

USER ${STACKABLE_USER_UID}
Expand Down