What is the correct permission for directories that will be used in airflow docker?

[bobfang1992]

Hi I want to run an airflow setup using the following docker-compose file

version: "3.8"

services:
  postgres:
    image: postgres:12
    environment:
      - POSTGRES_USER=airflow
      - POSTGRES_PASSWORD=airflow
      - POSTGRES_DB=airflow
      - PGDATA=/var/lib/postgresql/data/pgdata
    ports:
      - "5433:5432"
    volumes:
      - ~/airflow-data/pg:/var/lib/postgresql/data/pgdata

  scheduler:
    image:apache/airflow
    restart: always
    depends_on:
      - postgres
      - webserver
    env_file:
      - .env
    ports:
      - "8793:8793"
    volumes:
      - ./airflow-dags:/opt/airflow/dags
      - ~/airflow-data/logs:/opt/airflow/logs
    command: scheduler
    healthcheck:
      test: ["CMD-SHELL", "[ -f /usr/local/airflow/airflow-webserver.pid ]"]
      interval: 30s
      timeout: 30s
      retries: 3
  webserver:
    image:apache/airflow
    hostname: webserver
    restart: always
    depends_on:
      - postgres
    env_file:
      - .env
    volumes:
      - ./airflow-dags:/opt/airflow/dags
      - ~/airflow-data/logs:/opt/airflow/logs
      - ./scripts:/opt/airflow/scripts
    ports:
      - "8080:8080"
    entrypoint: ./scripts/webserver-entrypoint.sh
    healthcheck:
      test: ["CMD-SHELL", "[ -f /usr/local/airflow/airflow-webserver.pid ]"]
      interval: 30s
      timeout: 30s
      retries: 32

As you can see that I am going to use ~/airflow-data/ to store logs and ./airflow-dags to store dags file, when I start these containers using docker-compose up I can see in the logs that the airflow user inside the docker image simply do not have permission to read/write to these locations which are created by hand using mkdir -p outside the container. I am just wondering, what is the correct permission I should give to these directories? Of course 777 is an option but I just feel that is too blunt, is there any other option that can make sure only my user (outside the docker container) and the airflow user can use these files and no one else?

Also, what is the recommended way of storing logs and dags? Do you guys simply create a derived image using COPY to copy over the dag files? And leave the logs inside? That's another option I can see working.

Thanks!

[potiuk]

I think this is not a question of what are the permissions of the volumes, but about the ownership.

The question is what user/groups should be used to run airflow. By default, Airflow user 50000:50000 to run using the prod image, however this user might not have access to the volumes, which will have HOST_USER/HOST_GROUP ownership/permission by default.

Unfortunately in Linux, the mounted volumes in docker container use the native Linux filesystem user/group permissions, and this cannot be easily changed without changing the configuration of docker engine (userns-remap) and is not suitable for "developer" case as it requires engine-wide configuration changes and cannot be done per-container.

There are plenty of guides in the internet suggesting changing permission/ownership inside the container, but they have a major drawback - the permissions are changed also in the host.

However there is another option. Our image is OpenShift compatible, which means that you can run airlfow as any user, as long as the group of that user is set to "0". https://docs.openshift.com/container-platform/4.1/openshift_images/create-images.html#images-create-guide-openshift_create-images (look for "Support arbitrary user ids").

This means that you can run airflow using your HOST user id - example here: https://stackoverflow.com/questions/56844746/how-to-set-uid-and-gid-in-docker-compose (example here: https://dev.to/acro5piano/specifying-user-and-group-in-docker-i2e) but with UID = host user, GID = 0. Then you will be able to access the mounted volumes because they will be mounted as UID user.

Let me know if it works.

@mik-laj -> in your docker-compose solution I think we will need to do the same approach, however the (slight) problem it introduces is that you have to execute the docker-compose with UID=${UID} set as UID is shell rather than environment variable (docker/compose#4725). I am not aware of any other, better way.

[potiuk]

You can read more about it in https://docs.openshift.com/container-platform/3.3/creating_images/guidelines.html#openshift-container-platform-specific-guidelines -> our image is OpenShift-compliance and there is the whole chapter "Support Arbitrary User IDs" about it.

[mik-laj]

Here are some examples of what it should look like.

$ docker run --user 501:0 apache/airflow:2.0.1 bash -c "id"
uid=501(default) gid=0(root) groups=0(root)
$ docker run --user 501:0 apache/airflow:2.0.1 bash -c "cat /etc/passwd"
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
airflow:x:50000:50000:,,,:/home/airflow:/bin/bash
default:x:501:0:default user:/home/airflow:/sbin/nologin

Apache Airflow 2.0.1 will also support --user 0. See: #14226

[swotai]

Many thanks to @potiuk and @mik-laj for the pointers. I've managed to un-mess up the docker file and un-confuse myself on the UID part.
I have a follow-up question. The above setting helped to make sure the dags folder is able to be read-write by the various airflow containers. Does that do the same for /var/run/docker.sock? I'm trying to see if I can avoid doing chmod 777 on the host for that.

[potiuk]

I think if you run your user insde as group 0, it will be enough to change group for the /var/run/docker.sock to be 0 as well on the host (it is usually group-owned by docker group). Alternatively you could also create a docker group with the same ID as docker group on the host and assign the user to that group. But you'd have to customize the entrypoint to do that.

[mik-laj]

You can also use tecnativa/docker-socket-proxy to forward Linux socket to TCP socket and this way to avoid any permission issue and as a side effect, security will be improved by limiting the operations that the container can perform.
Seee:#8605 (comment)