From db65485607648ddfb67143d64d2461f7aa69de06 Mon Sep 17 00:00:00 2001 From: Austin Denton Date: Mon, 10 May 2021 12:21:06 -0600 Subject: [PATCH 1/3] Update eventlet to 0.31.0 --- hardening_manifest.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 40c3ad9..15012fd 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -83,6 +83,11 @@ resources: validation: type: sha256 value: ab49e12b91d937cd11f0b67cb259a57ab4ad2b59ac7a3b41d6c06c0ac5b0def9 +- filename: eventlet-0.31.0-py2.py3-none-any.whl + url: https://files.pythonhosted.org/packages/2f/75/c9c27956f0fb9c40b18bc686227e6df64a40484b78cc7f62fee9a7203ecf/eventlet-0.31.0-py2.py3-none-any.whl + validation: + type: sha256 + value: 27ae41fad9deed9bbf4166f3e3b65acc15d524d42210a518e5877da85a6b8c5d # List of project maintainers maintainers: -- GitLab From f9eec195603e15204bd9f6a3e167acfce8c2512e Mon Sep 17 00:00:00 2001 From: Austin Denton Date: Tue, 11 May 2021 13:44:03 -0600 Subject: [PATCH 2/3] Update to application version 2.0.2 --- Dockerfile | 4 +- README.md | 10 ++--- hardening_manifest.yaml | 44 +++---------------- .../opt/bitnami/.bitnami_components.json | 8 ++-- .../opt/bitnami/scripts/libvalidations.sh | 2 +- .../opt/bitnami/scripts/libwebserver.sh | 5 ++- .../opt/bitnami/scripts/airflow/entrypoint.sh | 15 +++++++ rootfs/opt/bitnami/scripts/libairflow.sh | 17 +++++-- 8 files changed, 49 insertions(+), 56 deletions(-) diff --git a/Dockerfile b/Dockerfile index d23cf63..04e2282 100644 --- a/Dockerfile +++ b/Dockerfile @@ -2,7 +2,7 @@ ARG BASE_REGISTRY=registry1.dsop.io ARG BASE_IMAGE=ironbank/redhat/ubi/ubi8 ARG BASE_TAG=8.3 -FROM bitnami/airflow:2.0.1-debian-10-r53 as base +FROM bitnami/airflow:2.0.2-debian-10-r7 as base FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG} ARG BITNAMI_HOME=/opt/bitnami ARG BITNAMI_DIR=/bitnami 
@@ -47,7 +47,7 @@ RUN /opt/bitnami/scripts/airflow/postunpack.sh && \ ENV AIRFLOW_HOME="/opt/bitnami/airflow" \ BITNAMI_APP_NAME="airflow" \ - BITNAMI_IMAGE_VERSION="2.0.1-debian-10-r51" \ + BITNAMI_IMAGE_VERSION="2.0.2-debian-10-r7" \ LANG="en_US.UTF-8" \ LANGUAGE="en_US:en" \ LD_LIBRARY_PATH="/opt/bitnami/python/lib/:/opt/bitnami/airflow/venv/lib/python3.8/site-packages/numpy.libs/:$LD_LIBRARY_PATH" \ diff --git a/README.md b/README.md index 8093895..906ffc6 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,5 @@ -# +# What is Apache Airflow? -<<<<<<< Updated upstream -Project template for all Iron Bank container repositories. -======= > Airflow is a platform to programmatically author, schedule and monitor workflows. https://airflow.apache.org/ @@ -37,8 +34,8 @@ You can find the default credentials and available configuration options in the Learn more about the Bitnami tagging policy and the difference between rolling tags and immutable tags [in our documentation page](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers/). -* [`2`, `2-debian-10`, `2.0.1`, `2.0.1-debian-10-r50`, `latest` (2/debian-10/Dockerfile)](https://github.com/bitnami/bitnami-docker-airflow/blob/2.0.1-debian-10-r50/2/debian-10/Dockerfile) -* [`1`, `1-debian-10`, `1.10.15`, `1.10.15-debian-10-r17` (1/debian-10/Dockerfile)](https://github.com/bitnami/bitnami-docker-airflow/blob/1.10.15-debian-10-r17/1/debian-10/Dockerfile) +* [`2`, `2-debian-10`, `2.0.2`, `2.0.2-debian-10-r7`, `latest` (2/debian-10/Dockerfile)](https://github.com/bitnami/bitnami-docker-airflow/blob/2.0.2-debian-10-r7/2/debian-10/Dockerfile) +* [`1`, `1-debian-10`, `1.10.15`, `1.10.15-debian-10-r37` (1/debian-10/Dockerfile)](https://github.com/bitnami/bitnami-docker-airflow/blob/1.10.15-debian-10-r37/1/debian-10/Dockerfile) Subscribe to project updates by watching the [bitnami/airflow GitHub repo](https://github.com/bitnami/bitnami-docker-airflow). 
@@ -483,4 +480,3 @@ distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. ->>>>>>> Stashed changes diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 15012fd..1c5e0b8 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml @@ -8,7 +8,7 @@ name: "bitnami/airflow" # The most specific version should be the first tag and will be shown # on ironbank.dsop.io tags: -- "2.0.1" +- "2.0.2" # Build args passed to Dockerfile ARGs args: @@ -26,7 +26,7 @@ labels: org.opencontainers.image.url: "https://airflow.apache.org" ## Name of the distributing entity, organization or individual org.opencontainers.image.vendor: "Bitnami" - org.opencontainers.image.version: "2.0.1" + org.opencontainers.image.version: "2.0.2" ## Keywords to help with search (ex. "cicd,gitops,golang") mil.dso.ironbank.image.keywords: "workflows,dags,tasks" ## This value can be "opensource" or "commercial" 
@@ -36,48 +36,18 @@ labels: # List of resources to make available to the offline build context resources: -- tag: bitnami/airflow:2.0.1-debian-10-r53 - url: docker://docker.io/bitnami/airflow@sha256:4a151e0f304bffa5d2804de9c2ef26200002a655ee46420a571684b19267e4a4 +- tag: bitnami/airflow:2.0.2-debian-10-r7 + url: docker://docker.io/bitnami/airflow@sha256:16218f6758effc084a391095feebe660f1b764f74e9f6a89f33c96a3524b9a1b - filename: thrift-0.14.1.tar.gz url: https://apache.osuosl.org/thrift/0.14.1/thrift-0.14.1.tar.gz validation: type: sha256 value: 13da5e1cd9c8a3bb89778c0337cc57eb0c29b08f3090b41cf6ab78594b410ca5 -- filename: pylint-2.7.2-py3-none-any.whl - url: https://files.pythonhosted.org/packages/b3/66/af8f80d4fa77dcd4cba9e56e136522838920a2eaf6794b784e1f377f84d9/pylint-2.7.2-py3-none-any.whl +- filename: httplib2-0.19.0-py3-none-any.whl + url: https://files.pythonhosted.org/packages/15/7e/51e5bd333c0afa1c7bdbf98eb3b0ccf5167e2b1ecc8b4d13e9cc29291f81/httplib2-0.19.0-py3-none-any.whl validation: type: sha256 - value: d09b0b07ba06bcdff463958f53f23df25e740ecd81895f7d2699ec04bbd8dc3b -- filename: networkx-2.5.1-py3-none-any.whl - url: https://files.pythonhosted.org/packages/f3/b7/c7f488101c0bb5e4178f3cde416004280fd40262433496830de8a8c21613/networkx-2.5.1-py3-none-any.whl - validation: - type: sha256 - value: 0635858ed7e989f4c574c2328380b452df892ae85084144c73d8cd819f0c4e06 -- filename: decorator-4.4.2-py2.py3-none-any.whl - url: https://files.pythonhosted.org/packages/ed/1b/72a1821152d07cf1d8b6fce298aeb06a7eb90f4d6d41acec9861e7cc6df0/decorator-4.4.2-py2.py3-none-any.whl - validation: - type: sha256 - value: 41fa54c2a0cc4ba648be4fd43cff00aedf5b9465c9bf18d64325bc225f08f760 -- filename: aiohttp-3.7.4.post0-cp38-cp38-manylinux2014_x86_64.whl - url: https://files.pythonhosted.org/packages/a6/76/f18138b0ff84fcd939667a2efc2e1b49c871299f9091f84c06bb4c350c01/aiohttp-3.7.4.post0-cp38-cp38-manylinux2014_x86_64.whl - validation: - type: sha256 - value: 
79ebfc238612123a713a457d92afb4096e2148be17df6c50fb9bf7a81c2f8013 -- filename: azure_storage_blob-12.8.0-py2.py3-none-any.whl - url: https://files.pythonhosted.org/packages/09/14/4ca417a9c92b0fb93516575dd7be9b058bf13d531dcc21239b5f8f216a69/azure_storage_blob-12.8.0-py2.py3-none-any.whl - validation: - type: sha256 - value: 46999df6e2cde8773739f7c3bd1eb5846d4b7dc1ef6e2161f3b6d1d0f21726ba -- filename: pytest-6.2.3-py3-none-any.whl - url: https://files.pythonhosted.org/packages/76/4d/9c00146923da9f1cabd1878209d71b1380d537ec331a1a613e8f4b9d7985/pytest-6.2.3-py3-none-any.whl - validation: - type: sha256 - value: 6ad9c7bdf517a808242b998ac20063c41532a570d088d77eec1ee12b0b5574bc -- filename: astroid-2.5.1-py3-none-any.whl - url: https://files.pythonhosted.org/packages/f1/49/d51e5ce77ea234ee416966e489283512a9852f78d9ff125747eae29e7b69/astroid-2.5.1-py3-none-any.whl - validation: - type: sha256 - value: 21d735aab248253531bb0f1e1e6d068f0ee23533e18ae8a6171ff892b98297cf + value: 749c32603f9bf16c1277f59531d502e8f1c2ca19901ae653b49c4ed698f0820e - filename: Babel-2.9.1-py2.py3-none-any.whl url: https://files.pythonhosted.org/packages/aa/96/4ba93c5f40459dc850d25f9ba93f869a623e77aaecc7a9344e19c01942cf/Babel-2.9.1-py2.py3-none-any.whl validation: diff --git a/prebuildfs/opt/bitnami/.bitnami_components.json b/prebuildfs/opt/bitnami/.bitnami_components.json index 67b2f78..b5ccf13 100644 --- a/prebuildfs/opt/bitnami/.bitnami_components.json +++ b/prebuildfs/opt/bitnami/.bitnami_components.json @@ -1,10 +1,10 @@ { "airflow": { "arch": "amd64", - "digest": "d837c8af9305cfcbed7dd0493336ba0e38d7a3aa211192a8f05d117a7b7734ab", + "digest": "3e17197854fd63215cef17296619809f92aad1d5f65f11826c58f40ce8cc914c", "distro": "debian-10", "type": "NAMI", - "version": "2.0.1-4" + "version": "2.0.2-0" }, "gosu": { "arch": "amd64", 
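Review bot: Seven pinned wheel resources (pylint, networkx, decorator, aiohttp, azure_storage_blob, pytest, astroid) are dropped from the `resources:` list of hardening_manifest.yaml and httplib2-0.19.0 is added, but neither the commit message nor the manifest records why. If those pins were overriding versions shipped in the upstream image, the packages now fall back to whatever bitnami/airflow:2.0.2-debian-10-r7 contains, which should be confirmed against the scan results for the new digest. The Dockerfile hunks in this patch change only the FROM tag and BITNAMI_IMAGE_VERSION, so the step that consumes these wheels is not visible here and may still reference the removed filenames. A short comment on each remaining override would help, for example `# httplib2: overrides the version in the upstream image, see <tracking-issue-placeholder>`.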
@@ -29,10 +29,10 @@ }, "python": { "arch": "amd64", - "digest": "4f1f6b81a3617dfaaa2c579510118ef6df07119977a5d6ca7df3cf485fca709a", + "digest": "b7a37a0590eff13717c191c90dc277f26706196c5fbf2a6b79019bd9f1032f68", "distro": "debian-10", "type": "NAMI", - "version": "3.8.9-0" + "version": "3.8.10-2" }, "wait-for-port": { "arch": "amd64", diff --git a/prebuildfs/opt/bitnami/scripts/libvalidations.sh b/prebuildfs/opt/bitnami/scripts/libvalidations.sh index 8d82792..ca5afc9 100644 --- a/prebuildfs/opt/bitnami/scripts/libvalidations.sh +++ b/prebuildfs/opt/bitnami/scripts/libvalidations.sh @@ -181,7 +181,7 @@ validate_ipv4() { local stat=1 if [[ $ip =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then - read -r -a ip_array <<< "$(tr '.' ' ' <<< "$ip")" + read -r -a ip_array <<< "$(tr '.' ' ' <<< "$ip")" [[ ${ip_array[0]} -le 255 && ${ip_array[1]} -le 255 \ && ${ip_array[2]} -le 255 && ${ip_array[3]} -le 255 ]] stat=$? diff --git a/prebuildfs/opt/bitnami/scripts/libwebserver.sh b/prebuildfs/opt/bitnami/scripts/libwebserver.sh index 25bff4a..1280134 100644 --- a/prebuildfs/opt/bitnami/scripts/libwebserver.sh +++ b/prebuildfs/opt/bitnami/scripts/libwebserver.sh @@ -180,6 +180,7 @@ web_server_reload() { # --apache-move-htaccess - Move .htaccess files to a common place so they can be loaded during Apache startup # NGINX-specific flags: # --nginx-additional-configuration - Additional server block configuration (no default) +# --nginx-external-configuration - Configuration external to server block (no default) # Returns: # true if the configuration was enabled, false otherwise ######################## @@ -212,6 +213,7 @@ ensure_web_server_app_configuration_exists() { | --apache-before-vhost-configuration \ | --apache-allow-override \ | --apache-extra-directory-configuration \ + | --apache-proxy-address \ | --apache-move-htaccess \ ) apache_args+=("${1//apache-/}" "${2:?missing value}") 
@@ -219,7 +221,8 @@ ensure_web_server_app_configuration_exists() { ;; # Specific NGINX flags - --nginx-additional-configuration) + --nginx-additional-configuration \ + | --nginx-external-configuration) nginx_args+=("${1//nginx-/}" "${2:?missing value}") shift ;; diff --git a/rootfs/opt/bitnami/scripts/airflow/entrypoint.sh b/rootfs/opt/bitnami/scripts/airflow/entrypoint.sh index c808f10..8fc9075 100755 --- a/rootfs/opt/bitnami/scripts/airflow/entrypoint.sh +++ b/rootfs/opt/bitnami/scripts/airflow/entrypoint.sh @@ -16,6 +16,21 @@ set -o pipefail print_welcome_page +if ! am_i_root && [[ -e "$LIBNSS_WRAPPER_PATH" ]]; then + info "Enabling non-root system user with nss_wrapper" + echo "airflow:x:$(id -u):$(id -g):Airflow:$AIRFLOW_HOME:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "airflow:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + + export LD_PRELOAD="$LIBNSS_WRAPPER_PATH" +fi + +# Install custom python package if requirements.txt is present +if [[ -f "/bitnami/python/requirements.txt" ]]; then + . /opt/bitnami/airflow/venv/bin/activate + pip install -r /bitnami/python/requirements.txt + deactivate +fi + if [[ "$*" = *"/opt/bitnami/scripts/airflow/run.sh"* || "$*" = *"/run.sh"* ]]; then info "** Starting Airflow setup **" /opt/bitnami/scripts/airflow/setup.sh diff --git a/rootfs/opt/bitnami/scripts/libairflow.sh b/rootfs/opt/bitnami/scripts/libairflow.sh index 7a6cde9..92549cf 100644 --- a/rootfs/opt/bitnami/scripts/libairflow.sh +++ b/rootfs/opt/bitnami/scripts/libairflow.sh @@ -2,8 +2,7 @@ # Bitnami Airflow library -# shellcheck disable=SC1091 -# shellcheck disable=SC2153 +# shellcheck disable=SC1091,SC2153 # Load Generic Libraries . /opt/bitnami/scripts/libfile.sh 
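Review bot: The new `pip install -r /bitnami/python/requirements.txt` block in entrypoint.sh installs whatever a mounted file names on every container start, which bypasses the sha256-pinned `resources:` list that hardening_manifest.yaml enforces at build time. Whoever can write to the /bitnami volume then decides what code is loaded into the Airflow venv, and the install needs package-index access at run time. Whether a failed install aborts startup depends on shell options set above the hunk (only `set -o pipefail` is visible). Requiring hash-pinned entries narrows this: `pip install --require-hashes -r /bitnami/python/requirements.txt`. The README should also state that this file is trusted input and that the directory should be mounted read-only.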
@@ -23,9 +22,17 @@ # Arguments: # None # Returns: -# None +# 0 if the validation succeeded, 1 otherwise ######################### airflow_validate() { + local error_code=0 + + # Auxiliary functions + print_validation_error() { + error "$1" + error_code=1 + } + # Check postgresql host [[ -z "$AIRFLOW_DATABASE_HOST" ]] && print_validation_error "Missing AIRFLOW_DATABASE_HOST" @@ -46,6 +53,8 @@ airflow_validate() { [[ -z "$AIRFLOW_POOL_DESC" ]] && print_validation_error "Provided AIRFLOW_POOL_NAME but missing AIRFLOW_POOL_DESC" [[ -z "$AIRFLOW_POOL_SIZE" ]] && print_validation_error "Provided AIRFLOW_POOL_NAME but missing AIRFLOW_POOL_SIZE" fi + + return "$error_code" } ######################## @@ -429,4 +438,4 @@ is_airflow_not_running() { airflow_stop() { info "Stopping Airflow..." stop_service_using_pid "$AIRFLOW_PID_FILE" -} \ No newline at end of file +} -- GitLab From 534aefac5d0b177681932aaab66c9d5c6b64ca26 Mon Sep 17 00:00:00 2001 From: Austin Denton Date: Tue, 11 May 2021 16:19:36 -0600 Subject: [PATCH 3/3] Update airflow to 2.0.2 --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 04e2282..e3dfa15 100644 --- a/Dockerfile +++ b/Dockerfile @@ -16,6 +16,7 @@ ENV BITNAMI_PKG_EXTRA_DIRS="/opt/bitnami/airflow/dags" \ COPY --from=base ${BITNAMI_HOME} ${BITNAMI_HOME} COPY --from=base ${BITNAMI_DIR} ${BITNAMI_DIR} COPY --from=base \ + /usr/lib/x86_64-linux-gnu/libmariadb.so.3 \ /lib/x86_64-linux-gnu/libbz2.so.1.0 \ /usr/lib64/ -- GitLab
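Review bot: `/usr/lib/x86_64-linux-gnu/libmariadb.so.3` is copied as a bare file from the Debian-based `base` stage into `/usr/lib64/` of the UBI image, so it is not recorded in the RPM database and will be missed by package-based vulnerability scanning and by `dnf update`. Its version is tied implicitly to the upstream image digest rather than listed in hardening_manifest.yaml; the existing `libbz2.so.1.0` line has the same property. Prefer installing the client library from the UBI repositories if a compatible package is available there. Otherwise add a comment above the COPY naming the consumer, e.g. `# libmariadb.so.3: needed by <component>; copied from base stage, not RPM-tracked`.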