Skip to content

Kubernetes worker pod doesn't use docker container entrypoint, removing OpenShift support #12602

New issue
New issue
Closed
#12766
Closed
Kubernetes worker pod doesn't use docker container entrypoint, removing OpenShift support#12602
#12766
Assignees
dimbermanmatthieu-foucault
Labels
kind:bugThis is a clearly a bugpriority:criticalShowstopper bug that should be patched immediatelyprovider:cncf-kubernetesKubernetes (k8s) provider related issues
Milestone
Airflow 2.1
@matthieu-foucault

Description

@matthieu-foucault
matthieu-foucault
opened on Nov 25, 2020

Apache Airflow version: 2.0.0-b3

Kubernetes version: v1.18.3+47c0e71, OpenShift v4.5

What happened:

When starting a worker pod with the KubernetesOperator, the python script fails to import airflow

What you expected to happen:

Running a docker container in OpenShift is usually done with the "Restricted" Security Context Constraint, meaning that the container will be run with an arbitrary UID, and GID 0. The airflow docker image supports this (#9545), which relies on the following lines from the container entrypoint:

airflow/scripts/in_container/prod/entrypoint_prod.sh

Lines 93 to 99 in 6caf260

if ! whoami &> /dev/null; then
if [[ -w /etc/passwd ]]; then
echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${AIRFLOW_USER_HOME_DIR}:/sbin/nologin" \
>> /etc/passwd
fi
export HOME="${AIRFLOW_USER_HOME_DIR}"
fi

However, the entrypoint is currently overridden:

airflow/airflow/kubernetes/pod_generator.py

Lines 395 to 399 in dd2095f

k8s.V1Container(
name="base",
command=command,
image=image,
)

airflow/airflow/executors/kubernetes_executor.py

Lines 291 to 303 in dd2095f

pod = PodGenerator.construct_pod(
namespace=self.namespace,
scheduler_job_id=self.scheduler_job_id,
pod_id=create_pod_id(dag_id, task_id),
dag_id=dag_id,
task_id=task_id,
kube_image=self.kube_config.kube_image,
try_number=try_number,
date=execution_date,
command=command,
pod_override_object=kube_executor_config,
base_worker_pod=base_worker_pod,
)

command changes the container ENTRYPOINT (not the CMD as one might think 🤪 ), which means that the production image entrypoint is not used by the worker pod, preventing the airflow command from executing properly. To execute a custom command while keeping the original entrypoint, one should use the args parameter instead of command

Looking at this with @pbastia. Sounds like a solution would be to:

  • add an args parameter to PodGenerator.construct_pod
  • in the kubernetes_executor, set args to command[1:], since the container entrypoint expects an airflow command by default (see below)

airflow/scripts/in_container/prod/entrypoint_prod.sh

Line 135 in 6caf260

exec airflow "${@}"

Happy to open a PR for it if that sounds like an acceptable change.
cc @dimberman

How to reproduce it:

Run any dag in OpenShift, using the restricted SCC

Metadata

Metadata

Assignees

Labels

kind:bugThis is a clearly a bugpriority:criticalShowstopper bug that should be patched immediatelyprovider:cncf-kubernetesKubernetes (k8s) provider related issues

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions