From c7ba8434f91cb608b5c235fc01b4b0123fadd848 Mon Sep 17 00:00:00 2001 From: Austin Denton Date: Tue, 11 May 2021 11:34:12 -0600 Subject: [PATCH 1/5] Update to 2.0.2 --- Dockerfile | 4 ++-- README.md | 4 ++-- prebuildfs/opt/bitnami/.bitnami_components.json | 8 ++++---- .../opt/bitnami/scripts/libvalidations.sh | 2 +- prebuildfs/opt/bitnami/scripts/libwebserver.sh | 5 ++++- .../scripts/airflow-scheduler/entrypoint.sh | 15 +++++++++++++++ rootfs/opt/bitnami/scripts/libairflow.sh | 17 +++++++++++++---- .../opt/bitnami/scripts/libairflowscheduler.sh | 1 - 8 files changed, 41 insertions(+), 15 deletions(-) diff --git a/Dockerfile b/Dockerfile index 873db88..9ff507d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry1.dsop.io ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8 ARG BASE_TAG=8.3 -FROM bitnami/airflow-scheduler:2.0.1-debian-10-r55 as base +FROM bitnami/airflow-scheduler:2.0.2-debian-10-r18 as base FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} ARG BITNAMI_HOME=/opt/bitnami ARG BITNAMI_DIR=/bitnami @@ -47,7 +47,7 @@ RUN /opt/bitnami/scripts/airflow-scheduler/postunpack.sh && \ ENV AIRFLOW_HOME="/opt/bitnami/airflow" \ BITNAMI_APP_NAME="airflow-scheduler" \ - BITNAMI_IMAGE_VERSION="2.0.1-debian-10-r54" \ + BITNAMI_IMAGE_VERSION="2.0.2-debian-10-r18" \ LD_LIBRARY_PATH="/opt/bitnami/python/lib/:/opt/bitnami/airflow/venv/lib/python3.8/site-packages/numpy.libs/:$LD_LIBRARY_PATH" \ LIBNSS_WRAPPER_PATH="/opt/bitnami/common/lib/libnss_wrapper.so" \ LNAME="airflow" \ diff --git a/README.md b/README.md index b0bb564..7a56359 100644 --- a/README.md +++ b/README.md 
@@ -34,8 +34,8 @@ You can find the default credentials and available configuration options in the Learn more about the Bitnami tagging policy and the difference between rolling tags and immutable tags [in our documentation page](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers/). -* [`2`, `2-debian-10`, `2.0.1`, `2.0.1-debian-10-r53`, `latest` (2/debian-10/Dockerfile)](https://github.com/bitnami/bitnami-docker-airflow-scheduler/blob/2.0.1-debian-10-r53/2/debian-10/Dockerfile) -* [`1`, `1-debian-10`, `1.10.15`, `1.10.15-debian-10-r19` (1/debian-10/Dockerfile)](https://github.com/bitnami/bitnami-docker-airflow-scheduler/blob/1.10.15-debian-10-r19/1/debian-10/Dockerfile) +* [`2`, `2-debian-10`, `2.0.2`, `2.0.2-debian-10-r18`, `latest` (2/debian-10/Dockerfile)](https://github.com/bitnami/bitnami-docker-airflow-scheduler/blob/2.0.2-debian-10-r18/2/debian-10/Dockerfile) +* [`1`, `1-debian-10`, `1.10.15`, `1.10.15-debian-10-r51` (1/debian-10/Dockerfile)](https://github.com/bitnami/bitnami-docker-airflow-scheduler/blob/1.10.15-debian-10-r51/1/debian-10/Dockerfile) Subscribe to project updates by watching the [bitnami/airflow GitHub repo](https://github.com/bitnami/bitnami-docker-airflow-scheduler). diff --git a/prebuildfs/opt/bitnami/.bitnami_components.json b/prebuildfs/opt/bitnami/.bitnami_components.json index 7e297f4..c3957df 100644 --- a/prebuildfs/opt/bitnami/.bitnami_components.json +++ b/prebuildfs/opt/bitnami/.bitnami_components.json @@ -1,10 +1,10 @@ { "airflow-scheduler": { "arch": "amd64", - "digest": "6f4388df02d2115b0981c067c284532ec1adf038e7b4dd65126b43c9b9ce815b", + "digest": "02fddc23d0f87f075cb9070a219329c6fe95b1c25e71dd0dd7f73d77e5e284ea", "distro": "debian-10", "type": "NAMI", - "version": "2.0.1-3" + "version": "2.0.2-1" }, "gosu": { "arch": "amd64", 
@@ -29,10 +29,10 @@ }, "python": { "arch": "amd64", - "digest": "4f1f6b81a3617dfaaa2c579510118ef6df07119977a5d6ca7df3cf485fca709a", + "digest": "b7a37a0590eff13717c191c90dc277f26706196c5fbf2a6b79019bd9f1032f68", "distro": "debian-10", "type": "NAMI", - "version": "3.8.9-0" + "version": "3.8.10-2" }, "wait-for-port": { "arch": "amd64", diff --git a/prebuildfs/opt/bitnami/scripts/libvalidations.sh b/prebuildfs/opt/bitnami/scripts/libvalidations.sh index 8d82792..ca5afc9 100644 --- a/prebuildfs/opt/bitnami/scripts/libvalidations.sh +++ b/prebuildfs/opt/bitnami/scripts/libvalidations.sh @@ -181,7 +181,7 @@ validate_ipv4() { local stat=1 if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then - read -r -a ip_array <<< "$(tr '.' ' ' <<< "$ip")" + read -r -a ip_array <<< "$(tr '.' ' ' <<< "$ip")" [[ ${ip_array[0]} -le 255 && ${ip_array[1]} -le 255 \ && ${ip_array[2]} -le 255 && ${ip_array[3]} -le 255 ]] stat=$? diff --git a/prebuildfs/opt/bitnami/scripts/libwebserver.sh b/prebuildfs/opt/bitnami/scripts/libwebserver.sh index 25bff4a..1280134 100644 --- a/prebuildfs/opt/bitnami/scripts/libwebserver.sh +++ b/prebuildfs/opt/bitnami/scripts/libwebserver.sh @@ -180,6 +180,7 @@ web_server_reload() { # --apache-move-htaccess - Move .htaccess files to a common place so they can be loaded during Apache startup # NGINX-specific flags: # --nginx-additional-configuration - Additional server block configuration (no default) +# --nginx-external-configuration - Configuration external to server block (no default) # Returns: # true if the configuration was enabled, false otherwise ######################## @@ -212,6 +213,7 @@ ensure_web_server_app_configuration_exists() { | --apache-before-vhost-configuration \ | --apache-allow-override \ | --apache-extra-directory-configuration \ + | --apache-proxy-address \ | --apache-move-htaccess \ ) apache_args+=("${1//apache-/}" "${2:?missing value}") 
@@ -219,7 +221,8 @@ ensure_web_server_app_configuration_exists() { ;; # Specific NGINX flags - --nginx-additional-configuration) + --nginx-additional-configuration \ + | --nginx-external-configuration) nginx_args+=("${1//nginx-/}" "${2:?missing value}") shift ;; diff --git a/rootfs/opt/bitnami/scripts/airflow-scheduler/entrypoint.sh b/rootfs/opt/bitnami/scripts/airflow-scheduler/entrypoint.sh index 59bfe24..f5dc789 100755 --- a/rootfs/opt/bitnami/scripts/airflow-scheduler/entrypoint.sh +++ b/rootfs/opt/bitnami/scripts/airflow-scheduler/entrypoint.sh @@ -16,6 +16,21 @@ set -o pipefail print_welcome_page +if ! am_i_root && [[ -e "$LIBNSS_WRAPPER_PATH" ]]; then + info "Enabling non-root system user with nss_wrapper" + echo "airflow:x:$(id -u):$(id -g):Airflow:$AIRFLOW_HOME:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "airflow:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + + export LD_PRELOAD="$LIBNSS_WRAPPER_PATH" +fi + +# Install custom python package if requirements.txt is present +if [[ -f "/bitnami/python/requirements.txt" ]]; then + . /opt/bitnami/airflow/venv/bin/activate + pip install -r /bitnami/python/requirements.txt + deactivate +fi + if [[ "$*" = *"/opt/bitnami/scripts/airflow-scheduler/run.sh"* || "$*" = *"/run.sh"* ]]; then info "** Starting Airflow setup **" /opt/bitnami/scripts/airflow-scheduler/setup.sh diff --git a/rootfs/opt/bitnami/scripts/libairflow.sh b/rootfs/opt/bitnami/scripts/libairflow.sh index 7a6cde9..92549cf 100644 --- a/rootfs/opt/bitnami/scripts/libairflow.sh +++ b/rootfs/opt/bitnami/scripts/libairflow.sh @@ -2,8 +2,7 @@ # Bitnami Airflow library -# shellcheck disable=SC1091 -# shellcheck disable=SC2153 +# shellcheck disable=SC1091,SC2153 # Load Generic Libraries . /opt/bitnami/scripts/libfile.sh 
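Review bot: The added `pip install -r /bitnami/python/requirements.txt` block in entrypoint.sh runs on every container start against whatever file is mounted at that path, with no hash enforcement, so packages resolved at run time bypass the sha256-validated resources listed in hardening_manifest.yaml. Consider `pip install --no-cache-dir --require-hashes -r /bitnami/python/requirements.txt`, with a comment above the block such as `# Runtime install: needs index access and a hash-pinned requirements.txt; a failure must stop startup`. Whether a failed install actually aborts the entrypoint depends on the errexit setting, which is set outside this hunk. In the nss_wrapper block of the same hunk, `$NSS_WRAPPER_PASSWD` and `$NSS_WRAPPER_GROUP` are used as redirect targets without a check that they are set; `"${NSS_WRAPPER_PASSWD:?}"` would fail fast if nounset is not enabled above the hunk.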
@@ -23,9 +22,17 @@ # Arguments: # None # Returns: -# None +# 0 if the validation succeeded, 1 otherwise ######################### airflow_validate() { + local error_code=0 + + # Auxiliary functions + print_validation_error() { + error "$1" + error_code=1 + } + # Check postgresql host [[ -z "$AIRFLOW_DATABASE_HOST" ]] && print_validation_error "Missing AIRFLOW_DATABASE_HOST" @@ -46,6 +53,8 @@ airflow_validate() { [[ -z "$AIRFLOW_POOL_DESC" ]] && print_validation_error "Provided AIRFLOW_POOL_NAME but missing AIRFLOW_POOL_DESC" [[ -z "$AIRFLOW_POOL_SIZE" ]] && print_validation_error "Provided AIRFLOW_POOL_NAME but missing AIRFLOW_POOL_SIZE" fi + + return "$error_code" } ######################## @@ -429,4 +438,4 @@ is_airflow_not_running() { airflow_stop() { info "Stopping Airflow..." stop_service_using_pid "$AIRFLOW_PID_FILE" -} \ No newline at end of file +} diff --git a/rootfs/opt/bitnami/scripts/libairflowscheduler.sh b/rootfs/opt/bitnami/scripts/libairflowscheduler.sh index c87be31..3fb78cf 100644 --- a/rootfs/opt/bitnami/scripts/libairflowscheduler.sh +++ b/rootfs/opt/bitnami/scripts/libairflowscheduler.sh @@ -3,7 +3,6 @@ # Bitnami Airflow library # shellcheck disable=SC1091 -# shellcheck disable=SC2153 # Load Generic Libraries . /opt/bitnami/scripts/libfile.sh -- GitLab From f9a7605e57f4582ffca04648f662a60b94a157ff Mon Sep 17 00:00:00 2001 From: Austin Denton Date: Tue, 11 May 2021 11:39:41 -0600 Subject: [PATCH 2/5] Update hm --- hardening_manifest.yaml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 9cbfb3d..b210204 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -8,7 +8,7 @@ name: "bitnami/airflow-scheduler" # The most specific version should be the first tag and will be shown # on ironbank.dsop.io tags: -- "2.0.1" +- "2.0.2" # Build args passed to Dockerfile ARGs args: 
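Review bot: `print_validation_error` is declared inside `airflow_validate`, but bash function definitions are global, so after the first call it replaces any same-named helper from the other sourced libraries and writes `error_code` through dynamic scoping. Add `unset -f print_validation_error` just before the `return "$error_code"` introduced in the `@@ -46,6 +53,8 @@` hunk, or at least a comment such as `# Helper becomes global once defined; it sets airflow_validate's local error_code`. The function now reports failure only through its return status, so its callers, which are not part of this patch, need to check that status or run under errexit. The body of airflow_validate between the two hunks is not shown.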
@@ -26,7 +26,7 @@ labels: org.opencontainers.image.url: "https://bitnami.com/stack/airflow-scheduler/containers" ## Name of the distributing entity, organization or individual org.opencontainers.image.vendor: "Bitnami" - org.opencontainers.image.version: "2.0.1" + org.opencontainers.image.version: "2.0.2" ## Keywords to help with search (ex. "cicd,gitops,golang") mil.dso.ironbank.image.keywords: "workflows,orchestration,pipelines" ## This value can be "opensource" or "commercial" @@ -36,8 +36,8 @@ labels: # List of resources to make available to the offline build context resources: -- tag: bitnami/airflow-scheduler:2.0.1-debian-10-r55 - url: docker://docker.io/bitnami/airflow-scheduler@sha256:b9e5a2196d9f303bdb3d674a703fc106d37beeb0eb7d5b541deaf27c7b3428e6 +- tag: bitnami/airflow-scheduler:2.0.2-debian-10-r18 + url: docker://docker.io/bitnami/airflow-scheduler@sha256:da4f8485b409088de5e1ea47484d8ffdf1b9c54eedbdb9a14a34fe40ea8956c3 - filename: thrift-0.14.1.tar.gz url: https://apache.osuosl.org/thrift/0.14.1/thrift-0.14.1.tar.gz validation: -- GitLab From ca6f68bc40edc1b519d3ec6d9643c452f95eba0e Mon Sep 17 00:00:00 2001 From: Austin Denton Date: Tue, 11 May 2021 12:39:42 -0600 Subject: [PATCH 3/5] Update HM --- hardening_manifest.yaml | 38 ++++---------------------------------- 1 file changed, 4 insertions(+), 34 deletions(-) diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index b210204..1aea1a2 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml 
@@ -37,47 +37,17 @@ labels: # List of resources to make available to the offline build context resources: - tag: bitnami/airflow-scheduler:2.0.2-debian-10-r18 - url: docker://docker.io/bitnami/airflow-scheduler@sha256:da4f8485b409088de5e1ea47484d8ffdf1b9c54eedbdb9a14a34fe40ea8956c3 + url: docker://docker.io/bitnami/airflow-scheduler@sha256:da4f8485b409088de5e1ea47484d8ffdf1b9c54eedbdb9a14a34fe40ea8956c3 https://files.pythonhosted.org/packages/15/7e/51e5bd333c0afa1c7bdbf98eb3b0ccf5167e2b1ecc8b4d13e9cc29291f81/httplib2-0.19.0-py3-none-any.whl#sha256=749c32603f9bf16c1277f59531d502e8f1c2ca19901ae653b49c4ed698f0820e - filename: thrift-0.14.1.tar.gz url: https://apache.osuosl.org/thrift/0.14.1/thrift-0.14.1.tar.gz validation: type: sha256 value: 13da5e1cd9c8a3bb89778c0337cc57eb0c29b08f3090b41cf6ab78594b410ca5 -- filename: pylint-2.7.2-py3-none-any.whl - url: https://files.pythonhosted.org/packages/b3/66/af8f80d4fa77dcd4cba9e56e136522838920a2eaf6794b784e1f377f84d9/pylint-2.7.2-py3-none-any.whl +- filename: httplib2-0.19.0-py3-none-any.whl + url: https://files.pythonhosted.org/packages/15/7e/51e5bd333c0afa1c7bdbf98eb3b0ccf5167e2b1ecc8b4d13e9cc29291f81/httplib2-0.19.0-py3-none-any.whl validation: type: sha256 - value: d09b0b07ba06bcdff463958f53f23df25e740ecd81895f7d2699ec04bbd8dc3b -- filename: networkx-2.5.1-py3-none-any.whl - url: https://files.pythonhosted.org/packages/f3/b7/c7f488101c0bb5e4178f3cde416004280fd40262433496830de8a8c21613/networkx-2.5.1-py3-none-any.whl - validation: - type: sha256 - value: 0635858ed7e989f4c574c2328380b452df892ae85084144c73d8cd819f0c4e06 -- filename: decorator-4.4.2-py2.py3-none-any.whl - url: https://files.pythonhosted.org/packages/ed/1b/72a1821152d07cf1d8b6fce298aeb06a7eb90f4d6d41acec9861e7cc6df0/decorator-4.4.2-py2.py3-none-any.whl - validation: - type: sha256 - value: 41fa54c2a0cc4ba648be4fd43cff00aedf5b9465c9bf18d64325bc225f08f760 -- filename: aiohttp-3.7.4.post0-cp38-cp38-manylinux2014_x86_64.whl - url: 
https://files.pythonhosted.org/packages/a6/76/f18138b0ff84fcd939667a2efc2e1b49c871299f9091f84c06bb4c350c01/aiohttp-3.7.4.post0-cp38-cp38-manylinux2014_x86_64.whl - validation: - type: sha256 - value: 79ebfc238612123a713a457d92afb4096e2148be17df6c50fb9bf7a81c2f8013 -- filename: azure_storage_blob-12.8.0-py2.py3-none-any.whl - url: https://files.pythonhosted.org/packages/09/14/4ca417a9c92b0fb93516575dd7be9b058bf13d531dcc21239b5f8f216a69/azure_storage_blob-12.8.0-py2.py3-none-any.whl - validation: - type: sha256 - value: 46999df6e2cde8773739f7c3bd1eb5846d4b7dc1ef6e2161f3b6d1d0f21726ba -- filename: pytest-6.2.3-py3-none-any.whl - url: https://files.pythonhosted.org/packages/76/4d/9c00146923da9f1cabd1878209d71b1380d537ec331a1a613e8f4b9d7985/pytest-6.2.3-py3-none-any.whl - validation: - type: sha256 - value: 6ad9c7bdf517a808242b998ac20063c41532a570d088d77eec1ee12b0b5574bc -- filename: astroid-2.5.1-py3-none-any.whl - url: https://files.pythonhosted.org/packages/f1/49/d51e5ce77ea234ee416966e489283512a9852f78d9ff125747eae29e7b69/astroid-2.5.1-py3-none-any.whl - validation: - type: sha256 - value: 21d735aab248253531bb0f1e1e6d068f0ee23533e18ae8a6171ff892b98297cf + value: 749c32603f9bf16c1277f59531d502e8f1c2ca19901ae653b49c4ed698f0820e - filename: Babel-2.9.1-py2.py3-none-any.whl url: https://files.pythonhosted.org/packages/aa/96/4ba93c5f40459dc850d25f9ba93f869a623e77aaecc7a9344e19c01942cf/Babel-2.9.1-py2.py3-none-any.whl validation: -- GitLab From a8c5b2f6ad3793f8ee96aa0d935bbaf8c7736a85 Mon Sep 17 00:00:00 2001 From: Austin Denton Date: Tue, 11 May 2021 12:45:30 -0600 Subject: [PATCH 4/5] Update HM --- hardening_manifest.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 1aea1a2..26dfbce 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml 
@@ -37,7 +37,7 @@ labels: # List of resources to make available to the offline build context resources: - tag: bitnami/airflow-scheduler:2.0.2-debian-10-r18 - url: docker://docker.io/bitnami/airflow-scheduler@sha256:da4f8485b409088de5e1ea47484d8ffdf1b9c54eedbdb9a14a34fe40ea8956c3 https://files.pythonhosted.org/packages/15/7e/51e5bd333c0afa1c7bdbf98eb3b0ccf5167e2b1ecc8b4d13e9cc29291f81/httplib2-0.19.0-py3-none-any.whl#sha256=749c32603f9bf16c1277f59531d502e8f1c2ca19901ae653b49c4ed698f0820e + url: docker://docker.io/bitnami/airflow-scheduler@sha256:da4f8485b409088de5e1ea47484d8ffdf1b9c54eedbdb9a14a34fe40ea8956c3 - filename: thrift-0.14.1.tar.gz url: https://apache.osuosl.org/thrift/0.14.1/thrift-0.14.1.tar.gz validation: -- GitLab From de2583123d99f89ceb537035295a95c09e31d7df Mon Sep 17 00:00:00 2001 From: Austin Denton Date: Tue, 11 May 2021 16:21:01 -0600 Subject: [PATCH 5/5] Update airflow to 2.0.2 --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 9ff507d..66072bc 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,6 +16,7 @@ ENV BITNAMI_PKG_EXTRA_DIRS="/opt/bitnami/airflow/dags" \ COPY --from=base ${BITNAMI_HOME} ${BITNAMI_HOME} COPY --from=base ${BITNAMI_DIR} ${BITNAMI_DIR} COPY --from=base \ + /usr/lib/x86_64-linux-gnu/libmariadb.so.3 \ /lib/x86_64-linux-gnu/libbz2.so.1.0 \ /usr/lib64/ -- GitLab
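Review bot: The added `/usr/lib/x86_64-linux-gnu/libmariadb.so.3` is a Debian 10 build copied from the upstream Bitnami stage into `/usr/lib64/` of the UBI 8 image, so no RPM owns it and it will presumably be missed by package-based vulnerability scanning and by `dnf update`. If the repositories available to the build provide the MariaDB client library, installing it from there is preferable. Otherwise add a comment above the COPY such as `# libmariadb.so.3 comes from the Debian-based base stage; untracked by rpm, re-check on every base tag bump`. The same applies to the existing `libbz2.so.1.0` line in this instruction.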