From e7e3283ea76289c1b5312611a18b8e9a1a2c78c3 Mon Sep 17 00:00:00 2001 From: Lars Francke Date: Tue, 8 Oct 2024 17:04:37 +0200 Subject: [PATCH 01/18] Make uid/gid configurable & change group of files This is a follow-up for https://github.com/stackabletech/docker-images/pull/849 and includes: - The missing bits for Hive - Kafka --- hive/Dockerfile | 37 +++++++++++++---------- kafka/Dockerfile | 76 ++++++++++++++++++++++-------------------------- 2 files changed, 56 insertions(+), 57 deletions(-) diff --git a/hive/Dockerfile b/hive/Dockerfile index af7555d6d..1da3c13c6 100644 --- a/hive/Dockerfile +++ b/hive/Dockerfile 
@@ -103,40 +103,47 @@ LABEL io.openshift.tags="ubi9,stackable,hive,sdp" LABEL io.k8s.description="${DESCRIPTION}" LABEL io.k8s.display-name="${NAME}" -RUN < /stackable/package_manifest.txt -rm -rf /var/cache/yum -EOF - -USER ${STACKABLE_USER_UID} WORKDIR /stackable COPY --chown=${STACKABLE_USER_UID}:0 --from=hive-builder /stackable/apache-hive-metastore-${PRODUCT}-bin /stackable/apache-hive-metastore-${PRODUCT}-bin -RUN ln -s /stackable/apache-hive-metastore-${PRODUCT}-bin /stackable/hive-metastore # It is useful to see which version of Hadoop is used at a glance # Therefore the use of the full name here # TODO: Do we really need all of Hadoop in here? COPY --chown=${STACKABLE_USER_UID}:0 --from=hadoop-builder /stackable/hadoop /stackable/hadoop-${HADOOP} -RUN ln -s /stackable/hadoop-${HADOOP} /stackable/hadoop + +RUN < /stackable/package_manifest.txt +rm -rf /var/cache/yum + +ln -s /stackable/apache-hive-metastore-${PRODUCT}-bin /stackable/hive-metastore +ln -s /stackable/hadoop-${HADOOP} /stackable/hadoop # The next two sections for S3 and Azure use hardcoded version numbers on purpose instead of wildcards # This way the build will fail should one of the files not be available anymore in a later Hadoop version! 
# Add S3 Support for Hive (support for s3a://) -RUN cp /stackable/hadoop/share/hadoop/tools/lib/hadoop-aws-${HADOOP}.jar /stackable/hive-metastore/lib/ -RUN cp /stackable/hadoop/share/hadoop/tools/lib/aws-java-sdk-bundle-${AWS_JAVA_SDK_BUNDLE}.jar /stackable/hive-metastore/lib/ +cp /stackable/hadoop/share/hadoop/tools/lib/hadoop-aws-${HADOOP}.jar /stackable/hive-metastore/lib/ +cp /stackable/hadoop/share/hadoop/tools/lib/aws-java-sdk-bundle-${AWS_JAVA_SDK_BUNDLE}.jar /stackable/hive-metastore/lib/ # Add Azure ABFS support (support for abfs://) -RUN cp /stackable/hadoop/share/hadoop/tools/lib/hadoop-azure-${HADOOP}.jar /stackable/hive-metastore/lib/ -RUN cp /stackable/hadoop/share/hadoop/tools/lib/azure-storage-${AZURE_STORAGE}.jar /stackable/hive-metastore/lib/ -RUN cp /stackable/hadoop/share/hadoop/tools/lib/azure-keyvault-core-${AZURE_KEYVAULT_CORE}.jar /stackable/hive-metastore/lib/ +cp /stackable/hadoop/share/hadoop/tools/lib/hadoop-azure-${HADOOP}.jar /stackable/hive-metastore/lib/ +cp /stackable/hadoop/share/hadoop/tools/lib/azure-storage-${AZURE_STORAGE}.jar /stackable/hive-metastore/lib/ +cp /stackable/hadoop/share/hadoop/tools/lib/azure-keyvault-core-${AZURE_KEYVAULT_CORE}.jar /stackable/hive-metastore/lib/ + +# All files and folders owned by root to support running as arbitrary users +# This is best practice as all container users will belong to the root group (0) +chown -R ${STACKABLE_USER_UID}:0 /stackable +chmod -R g=u /stackable +EOF COPY --chown=${STACKABLE_USER_UID}:0 --from=hive-builder /stackable/jmx /stackable/jmx COPY hive/licenses /licenses +USER ${STACKABLE_USER_UID} + ENV HADOOP_HOME=/stackable/hadoop ENV HIVE_HOME=/stackable/hive-metastore ENV PATH="${PATH}":/stackable/hadoop/bin:/stackable/hive-metastore/bin diff --git a/kafka/Dockerfile b/kafka/Dockerfile index e3fc02895..94b6ea409 100644 --- a/kafka/Dockerfile +++ b/kafka/Dockerfile 
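Review bot: In hive/Dockerfile the new heredoc ends with `chown -R ${STACKABLE_USER_UID}:0 /stackable` and `chmod -R g=u /stackable`, which leaves every owner-writable file under /stackable writable by group 0, including the jars just copied into `/stackable/hive-metastore/lib/`. Running as an arbitrary UID needs that for data and configuration directories, but for application code it means any process in the container can rewrite the jars it runs from unless the root filesystem is mounted read-only. Consider limiting the `chmod` to the directories that are written at runtime, or record the assumption next to it, e.g. `# g=u also makes the jars group-writable; deploy with a read-only root filesystem`. The same two lines are added to the final stage of kafka/Dockerfile in this patch.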
@@ -9,8 +9,9 @@ ARG PRODUCT ARG SCALA ARG OPA_AUTHORIZER ARG JMX_EXPORTER +ARG STACKABLE_USER_UID -USER stackable +USER ${STACKABLE_USER_UID} WORKDIR /stackable RUN curl "https://repo.stackable.tech/repository/packages/kafka/kafka-${PRODUCT}-src.tgz" | tar -xzC . && \ 
@@ -27,28 +28,12 @@ RUN curl "https://repo.stackable.tech/repository/packages/kafka/kafka-${PRODUCT} RUN curl https://repo.stackable.tech/repository/packages/kafka-opa-authorizer/opa-authorizer-${OPA_AUTHORIZER}-all.jar \ -o /stackable/kafka_${SCALA}-${PRODUCT}/libs/opa-authorizer-${OPA_AUTHORIZER}-all.jar -COPY --chown=stackable:stackable kafka/stackable/jmx/ /stackable/jmx/ +COPY --chown=${STACKABLE_USER_UID}:0 kafka/stackable/jmx/ /stackable/jmx/ RUN curl https://repo.stackable.tech/repository/packages/jmx-exporter/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar \ -o /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar && \ chmod +x /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar && \ ln -s /stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar /stackable/jmx/jmx_prometheus_javaagent.jar -# For earlier versions this script removes the .class file that contains the -# vulnerable code. -# TODO: This can be restricted to target only versions which do not honor the environment -# varible that has been set above but this has not currently been implemented -COPY shared/log4shell.sh /bin -RUN /bin/log4shell.sh /stackable/kafka_${SCALA}-${PRODUCT} - -# Ensure no vulnerable files are left over -# This will currently report vulnerable files being present, as it also alerts on -# SocketNode.class, which we do not remove with our scripts. -# Further investigation will be needed whether this should also be removed. -COPY shared/log4shell_1.6.1-log4shell_Linux_x86_64 /bin/log4shell_scanner_x86_64 -COPY shared/log4shell_1.6.1-log4shell_Linux_aarch64 /bin/log4shell_scanner_aarch64 -COPY shared/log4shell_scanner /bin/log4shell_scanner -RUN /bin/log4shell_scanner s /stackable/kafka_${SCALA}-${PRODUCT} -# === FROM stackable/image/java-base AS final @@ -56,6 +41,7 @@ ARG RELEASE ARG PRODUCT ARG SCALA ARG KCAT +ARG STACKABLE_USER_UID LABEL name="Apache Kafka" \ maintainer="info@stackable.tech" \ 
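Review bot: The `log4shell.sh` cleanup and the `log4shell_scanner` run are removed from the kafka-builder stage in this hunk, while the commit message only describes uid/gid and file-group changes. Dropping a vulnerability mitigation should be justified on its own, for example with a CHANGELOG line or commit-message sentence stating that no Kafka version still built ships the classes the script used to remove. If that cannot be stated for every supported version, the step should stay until it can. nifi/Dockerfile loses the same block in PATCH 02/18.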
@@ -67,32 +53,38 @@ LABEL name="Apache Kafka" \ # This is needed for kubectl COPY kafka/kubernetes.repo /etc/yum.repos.d/kubernetes.repo -RUN microdnf update && \ - microdnf install \ - # needed by kcat for kerberos - cyrus-sasl-gssapi \ - # Can be removed once listener-operator integration is used - kubectl && \ - microdnf clean all && \ - rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\n" | sort > /stackable/package_manifest.txt && \ - rm -rf /var/cache/yum - -USER stackable -WORKDIR /stackable - -COPY --chown=stackable:stackable kafka/licenses /licenses +COPY --chown=${STACKABLE_USER_UID}:0 kafka/licenses /licenses +COPY --chown=${STACKABLE_USER_UID}:0 --from=kafka-builder /stackable/kafka_${SCALA}-${PRODUCT} /stackable/kafka_${SCALA}-${PRODUCT} +COPY --chown=${STACKABLE_USER_UID}:0 --from=kafka-builder /stackable/jmx/ /stackable/jmx/ +COPY --chown=${STACKABLE_USER_UID}:0 --from=kcat /stackable/kcat-${KCAT}/kcat /stackable/bin/kcat-${KCAT} +COPY --chown=${STACKABLE_USER_UID}:0 --from=kcat /licenses /licenses -# We copy opa-authorizer.jar and jmx-exporter through the builder image to have an absolutely minimal final image -# (e.g. we don't even need curl in it). 
-COPY --chown=stackable:stackable --from=kafka-builder /stackable/kafka_${SCALA}-${PRODUCT} /stackable/kafka_${SCALA}-${PRODUCT} -COPY --chown=stackable:stackable --from=kafka-builder /stackable/jmx/ /stackable/jmx/ -COPY --chown=stackable:stackable --from=kcat /stackable/kcat-${KCAT}/kcat /stackable/bin/kcat-${KCAT} -COPY --chown=stackable:stackable --from=kcat /licenses /licenses +WORKDIR /stackable -RUN ln -s /stackable/bin/kcat-${KCAT} /stackable/bin/kcat && \ - # kcat was located in /stackable/kcat - legacy - ln -s /stackable/bin/kcat /stackable/kcat && \ - ln -s /stackable/kafka_${SCALA}-${PRODUCT} /stackable/kafka +RUN < /stackable/package_manifest.txt +rm -rf /var/cache/yum + +ln -s /stackable/bin/kcat-${KCAT} /stackable/bin/kcat +# kcat was located in /stackable/kcat - legacy +ln -s /stackable/bin/kcat /stackable/kcat +ln -s /stackable/kafka_${SCALA}-${PRODUCT} /stackable/kafka + +# All files and folders owned by root to support running as arbitrary users +# This is best practice as all container users will belong to the root group (0) +chown -R ${STACKABLE_USER_UID}:0 /stackable +chmod -R g=u /stackable +EOF + +USER ${STACKABLE_USER_UID} ENV PATH="${PATH}:/stackable/bin:/stackable/kafka/bin" From e6606efe856dcab66f553e3ddbd15be7cb439423 Mon Sep 17 00:00:00 2001 From: Lars Francke Date: Tue, 8 Oct 2024 17:28:06 +0200 Subject: [PATCH 02/18] More tools now migrated but not tested yet: - Kafka Testing Tools - KCat - NiFi - Omid --- kafka-testing-tools/Dockerfile | 7 ++-- kcat/Dockerfile | 3 +- nifi/Dockerfile | 71 ++++++++++++++++------------------ omid/Dockerfile | 54 ++++++++++++++------------ 4 files changed, 68 insertions(+), 67 deletions(-) diff --git a/kafka-testing-tools/Dockerfile b/kafka-testing-tools/Dockerfile index 5fdda0d13..a939b6051 100644 --- a/kafka-testing-tools/Dockerfile +++ b/kafka-testing-tools/Dockerfile 
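Review bot: The final-stage `RUN` in kafka/Dockerfile used to be an `&&` chain that stopped at the first failing command and is now a heredoc, whose commands are only newline-separated. Unless the shell already runs with errexit (the opening of the heredoc and the base image's `SHELL` are not visible in this view), a failing step such as the package installation or one of the `ln -s` lines would no longer fail the build, and the image could ship without the intended packages or links. If errexit is not already guaranteed, make `set -e` the first line of the heredoc body. The `&&` chains that become heredocs in nifi, opa, spark-k8s, tools and trino-cli later in the series deserve the same check.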
@@ -8,6 +8,7 @@ FROM stackable/image/stackable-base AS final ARG PRODUCT ARG KCAT ARG RELEASE +ARG STACKABLE_USER_UID LABEL name="Kafka Testing Tools" \ maintainer="info@stackable.tech" \ @@ -29,11 +30,11 @@ RUN microdnf install \ && rm -rf /var/cache/yum # Store kcat version with binary name and add softlink -COPY --chown=stackable:stackable --from=kcat /stackable/kcat-${KCAT}/kcat /stackable/kcat-${KCAT} +COPY --chown=${STACKABLE_USER_UID}:0 --from=kcat /stackable/kcat-${KCAT}/kcat /stackable/kcat-${KCAT} RUN ln -s /stackable/kcat-${KCAT} /stackable/kcat -COPY --chown=stackable:stackable --from=kcat /licenses /licenses +COPY --chown=${STACKABLE_USER_UID}:0 --from=kcat /licenses /licenses -COPY --chown=stackable:stackable kafka-testing-tools/licenses /licenses +COPY --chown=${STACKABLE_USER_UID}:0 kafka-testing-tools/licenses /licenses ENTRYPOINT ["/stackable/kcat"] diff --git a/kcat/Dockerfile b/kcat/Dockerfile index 4da109e21..5cd2ecf2e 100644 --- a/kcat/Dockerfile +++ b/kcat/Dockerfile @@ -7,6 +7,7 @@ FROM stackable/image/java-base AS builder ARG PRODUCT +ARG STACKABLE_USER_UID RUN microdnf update \ && microdnf install \ 
@@ -32,7 +33,7 @@ RUN curl -O https://repo.stackable.tech/repository/packages/kcat/kcat-${PRODUCT} && cd kcat-${PRODUCT} \ && ./bootstrap.sh -COPY --chown=stackable:stackable kcat/licenses /licenses +COPY --chown=${STACKABLE_USER_UID}:0 kcat/licenses /licenses # SNIPPET 1 # 145.2 gcc -I/stackable/kcat-1.7.0/tmp-bootstrap/usr/include -I/stackable/kcat-1.7.0/tmp-bootstrap/usr/include -g -O2 -Wall -Wsign-compare -Wfloat-equal -Wpointer-arith -Wcast-align -L/stackable/kcat-1.7.0/tmp-bootstrap/usr/lib -Wl,-rpath-link=/stackable/kcat-1.7.0/tmp-bootstrap/usr/lib -L/stackable/kcat-1.7.0/tmp-bootstrap/usr/lib -Wl,-rpath-link=/stackable/kcat-1.7.0/tmp-bootstrap/usr/lib kcat.o format.o tools.o input.o json.o avro.o -o kcat -lm -ldl -lpthread -lrt -lpthread -lrt -L/stackable/kcat-1.7.0/tmp-bootstrap/usr/lib /stackable/kcat-1.7.0/tmp-bootstrap/usr/lib/libavro.a /stackable/kcat-1.7.0/tmp-bootstrap/usr/lib/libjansson.a -lcurl /stackable/kcat-1.7.0/tmp-bootstrap/usr/lib/libserdes.a -Wl,-Bstatic -lavro -Wl,-Bdynamic /stackable/kcat-1.7.0/tmp-bootstrap/usr/lib/libyajl_s.a -L/stackable/kcat-1.7.0/tmp-bootstrap/usr/lib //stackable/kcat-1.7.0/tmp-bootstrap/usr/lib/librdkafka.a -lm -ldl -lpthread -lrt -lz -lcrypto -lssl -lsasl2 -lm -ldl -lpthread -lrt -lpthread -lrt -L/stackable/kcat-1.7.0/tmp-bootstrap/usr/lib /stackable/kcat-1.7.0/tmp-bootstrap/usr/lib/libavro.a /stackable/kcat-1.7.0/tmp-bootstrap/usr/lib/libjansson.a -lcurl diff --git a/nifi/Dockerfile b/nifi/Dockerfile index c5e5325da..f614b96b4 100644 --- a/nifi/Dockerfile +++ b/nifi/Dockerfile @@ -5,6 +5,7 @@ FROM stackable/image/java-devel AS nifi-builder ARG PRODUCT ARG MAVEN_VERSION="3.9.8" +ARG STACKABLE_USER_UID RUN microdnf update && \ microdnf clean all && \ 
@@ -22,10 +23,10 @@ RUN if [[ "${PRODUCT}" == 2.* ]] ; then \ ln -sf /tmp/apache-maven-${MAVEN_VERSION}/bin/mvn /usr/bin/mvn ; \ fi -USER stackable +USER ${STACKABLE_USER_UID} WORKDIR /stackable -COPY --chown=stackable:stackable nifi/stackable/patches /stackable/patches +COPY --chown=${STACKABLE_USER_UID}:0 nifi/stackable/patches /stackable/patches # NOTE: NiFi 1.21.0 source build does not work with the current arm64 git runners due to java heap issues: # @@ -82,28 +83,11 @@ RUN if [[ "${PRODUCT}" == "1.21.0" ]] ; then \ rm -rf /stackable/nifi-${PRODUCT}/docs ; \ fi -# === -# For earlier versions this script removes the .class file that contains the -# vulnerable code. -# TODO: This can be restricted to target only versions which do not honor the environment -# varible that has been set above but this has not currently been implemented -COPY shared/log4shell.sh /bin -RUN /bin/log4shell.sh /stackable/nifi-${PRODUCT} - -# Ensure no vulnerable files are left over -# This will currently report vulnerable files being present, as it also alerts on -# SocketNode.class, which we do not remove with our scripts. -# Further investigation will be needed whether this should also be removed. -COPY shared/log4shell_1.6.1-log4shell_Linux_x86_64 /bin/log4shell_scanner_x86_64 -COPY shared/log4shell_1.6.1-log4shell_Linux_aarch64 /bin/log4shell_scanner_aarch64 -COPY shared/log4shell_scanner /bin/log4shell_scanner -RUN /bin/log4shell_scanner s /stackable/nifi-${PRODUCT} -# === - FROM stackable/image/java-base AS final ARG PRODUCT ARG RELEASE +ARG STACKABLE_USER_UID LABEL name="Apache NiFi" \ maintainer="info@stackable.tech" \ 
@@ -113,28 +97,39 @@ LABEL name="Apache NiFi" \ summary="The Stackable image for Apache NiFi." \ description="This image is deployed by the Stackable Operator for Apache NiFi." -RUN microdnf update && \ - microdnf install \ - # Required to install nipyapi - python-pip && \ - microdnf clean all && \ - rm -rf /var/cache/yum && \ - # The nipyapi is required for the ReportingTaskJob - pip install --no-cache-dir nipyapi==0.19.1 && \ - # For backwards compatibility we create a softlink in /bin where the jar used to be as long as we are root - # This can be removed once older versions / operators using this are no longer supported - ln -s /stackable/stackable-bcrypt.jar /bin/stackable-bcrypt.jar +COPY --chown=${STACKABLE_USER_UID}:0 --from=nifi-builder /stackable/nifi-${PRODUCT} /stackable/nifi-${PRODUCT}/ +COPY --chown=${STACKABLE_USER_UID}:0 --from=nifi-builder /stackable/stackable-bcrypt.jar /stackable/stackable-bcrypt.jar + +COPY --chown=${STACKABLE_USER_UID}:0 nifi/stackable/bin /stackable/bin +COPY --chown=${STACKABLE_USER_UID}:0 nifi/licenses /licenses +COPY --chown=${STACKABLE_USER_UID}:0 nifi/python /stackable/python + +RUN < Date: Wed, 9 Oct 2024 13:07:38 +0200 Subject: [PATCH 03/18] - OPA - Spark (WIP) --- opa/Dockerfile | 37 +++++++++++++++++++++++-------------- spark-k8s/Dockerfile | 37 +++++++++++++++++++------------------ 2 files changed, 42 insertions(+), 32 deletions(-) diff --git a/opa/Dockerfile b/opa/Dockerfile index 6420ad5f2..c91c5642e 100644 --- a/opa/Dockerfile +++ b/opa/Dockerfile 
@@ -86,32 +86,41 @@ FROM stackable/image/vector ARG PRODUCT ARG RELEASE +ARG STACKABLE_USER_UID LABEL name="Open Policy Agent" \ maintainer="info@stackable.tech" \ vendor="Stackable GmbH" \ version="${PRODUCT}" \ release="${RELEASE}" \ - summary="The Stackable image for OPA." \ + summary="The Stackable image for Open Policy Agent (OPA)." \ description="This image is deployed by the Stackable Operator for OPA." -RUN microdnf update && \ - microdnf install \ - # Required for filtering logs - jq && \ - microdnf clean all && \ - rm -rf /var/cache/yum - COPY opa/licenses /licenses -USER stackable -WORKDIR /stackable/opa +COPY --from=opa-builder --chown=${STACKABLE_USER_UID}:0 /opa/opa /stackable/opa/opa +COPY --from=opa-bundle-builder --chown=${STACKABLE_USER_UID}:0 /opa-bundle-builder/target/release/stackable-opa-bundle-builder /stackable/opa-bundle-builder +COPY --from=multilog-builder --chown=${STACKABLE_USER_UID}:0 /daemontools/admin/daemontools/command/multilog /stackable/multilog -COPY --from=opa-builder /opa/opa /stackable/opa/opa -COPY --from=opa-bundle-builder --chown=stackable:stackable /opa-bundle-builder/target/release/stackable-opa-bundle-builder /stackable/opa-bundle-builder -COPY --from=multilog-builder --chown=stackable:stackable /daemontools/admin/daemontools/command/multilog /stackable/multilog +COPY --chown=${STACKABLE_USER_UID}:0 opa/stackable/bin /stackable/opa/bin -COPY --chown=stackable:stackable opa/stackable/bin /stackable/opa/bin +RUN < Date: Fri, 11 Oct 2024 09:37:58 +0200 Subject: [PATCH 04/18] Adds Spark and a changelog entry --- CHANGELOG.md | 3 ++ kafka-testing-tools/Dockerfile | 1 - spark-k8s/Dockerfile | 57 +++++++++++++++++++--------------- 3 files changed, 35 insertions(+), 26 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bd17dc544..00c150389 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -29,6 +29,7 @@ All notable changes to this project will be documented in this file. README file ([#819]). - Update cargo-cyclonedx to 0.5.5 and build CycloneDX 1.5 files ([#783]) - Enable [Docker build checks](https://docs.docker.com/build/checks/) ([#872]) +- Make username, user id, group id configurable, use numeric ids everywhere, change group of all files to 0 ([#849], [#890]) ### Removed @@ -63,6 +64,7 @@ All notable changes to this project will be documented in this file. [#822]: https://github.com/stackabletech/docker-images/pull/822 [#846]: https://github.com/stackabletech/docker-images/pull/846 [#848]: https://github.com/stackabletech/docker-images/pull/848 +[#849]: https://github.com/stackabletech/docker-images/pull/849 [#851]: https://github.com/stackabletech/docker-images/pull/851 [#852]: https://github.com/stackabletech/docker-images/pull/852 [#853]: https://github.com/stackabletech/docker-images/pull/853 @@ -76,6 +78,7 @@ All notable changes to this project will be documented in this file. [#879]: https://github.com/stackabletech/docker-images/pull/879 [#881]: https://github.com/stackabletech/docker-images/pull/881 [#882]: https://github.com/stackabletech/docker-images/pull/882 +[#890]: https://github.com/stackabletech/docker-images/pull/890 ## [24.7.0] - 2024-07-24 diff --git a/kafka-testing-tools/Dockerfile b/kafka-testing-tools/Dockerfile index a939b6051..a15cc7d9d 100644 --- a/kafka-testing-tools/Dockerfile +++ b/kafka-testing-tools/Dockerfile @@ -34,7 +34,6 @@ COPY --chown=${STACKABLE_USER_UID}:0 --from=kcat /stackable/kcat-${KCAT}/kcat /s RUN ln -s /stackable/kcat-${KCAT} /stackable/kcat COPY --chown=${STACKABLE_USER_UID}:0 --from=kcat /licenses /licenses - COPY --chown=${STACKABLE_USER_UID}:0 kafka-testing-tools/licenses /licenses ENTRYPOINT ["/stackable/kcat"] diff --git a/spark-k8s/Dockerfile b/spark-k8s/Dockerfile index 3e60d2402..c269dcfd4 100644 --- a/spark-k8s/Dockerfile +++ b/spark-k8s/Dockerfile 
@@ -172,6 +172,7 @@ ARG WOODSTOX_CORE ARG JMX_EXPORTER ARG TARGETARCH ARG TINI +ARG STACKABLE_USER_UID WORKDIR /stackable/spark-${PRODUCT} @@ -283,24 +284,6 @@ LABEL name="Apache Spark" \ summary="The Stackable image for Apache Spark with PySpark support." \ description="This image is deployed by the Stackable Operator for Apache Spark on Kubernetes." -RUN microdnf update && \ - microdnf install \ - gzip \ - hostname \ - # required for spark startup scripts - procps \ - "python${PYTHON}" \ - "python${PYTHON}-pip" \ - zip \ - # This is needed by the Spark UI to display process information using jps and jmap - # Copying the binaries from the builder stage failed. - "java-${JAVA_VERSION}-openjdk-devel" \ - && microdnf clean all \ - && rm -rf /var/cache/yum - -RUN ln -s /usr/bin/python${PYTHON} /usr/bin/python \ - && ln -s /usr/bin/pip-${PYTHON} /usr/bin/pip - ENV HOME=/stackable ENV SPARK_HOME=/stackable/spark 
@@ -308,20 +291,44 @@ ENV PATH=$SPARK_HOME:$PATH:/bin:$JAVA_HOME/bin:$JAVA_HOME/jre/bin:$HOME/.local/b ENV PYSPARK_PYTHON=/usr/bin/python ENV PYTHONPATH=$SPARK_HOME/python +COPY spark-k8s/stackable /stackable +COPY spark-k8s/licenses /licenses + COPY --chown=${STACKABLE_USER_UID}:0 --from=spark-builder /stackable/spark-${PRODUCT}/dist /stackable/spark COPY --chown=${STACKABLE_USER_UID}:0 --from=spark-builder /stackable/spark-${PRODUCT}/assembly/target/bom.json /stackable/spark/spark-${PRODUCT}.cdx.json COPY --chown=${STACKABLE_USER_UID}:0 --from=spark-builder /stackable/jmx /stackable/jmx COPY --from=spark-builder /usr/bin/tini /usr/bin/tini -RUN ln -s "/stackable/jmx/jmx_prometheus_javaagent-${JMX_EXPORTER}.jar" /stackable/jmx/jmx_prometheus_javaagent.jar \ - # Symlink example jar, so that we can easily use it in tests - && ln -s /stackable/spark/examples/jars/spark-examples_*.jar /stackable/spark/examples/jars/spark-examples.jar +RUN < Date: Tue, 15 Oct 2024 09:12:26 +0200 Subject: [PATCH 05/18] - statsd_exporter - superset --- stackable-base/Dockerfile | 2 +- statsd_exporter/Dockerfile | 3 ++- superset/Dockerfile | 33 +++++++++++++++++++++------------ 3 files changed, 24 insertions(+), 14 deletions(-) diff --git a/stackable-base/Dockerfile b/stackable-base/Dockerfile index 3833d8d35..7bd8dd9d9 100644 --- a/stackable-base/Dockerfile +++ b/stackable-base/Dockerfile @@ -148,7 +148,7 @@ chown ${STACKABLE_USER_UID}:0 /stackable/.bashrc chown ${STACKABLE_USER_UID}:0 /stackable/.profile cp /root/.curlrc /stackable/.curlrc -chown stackable:0 /stackable/.curlrc +chown ${STACKABLE_USER_UID}:0 /stackable/.curlrc # CVE-2023-37920: Remove "e-Tugra" root certificates # e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems diff --git a/statsd_exporter/Dockerfile b/statsd_exporter/Dockerfile index bd018c6a7..5b4cf003c 100644 --- a/statsd_exporter/Dockerfile +++ b/statsd_exporter/Dockerfile 
@@ -3,10 +3,11 @@ FROM stackable/image/stackable-base ARG PRODUCT +ARG STACKABLE_USER_UID WORKDIR /statsd_exporter -RUN --mount=type=cache,id=go-statsd-exporter,uid=1000,target=/go_cache < Date: Wed, 16 Oct 2024 13:03:05 +0200 Subject: [PATCH 06/18] - superset - tools --- superset/Dockerfile | 4 ++-- tools/Dockerfile | 26 +++++++++++++++++--------- 2 files changed, 19 insertions(+), 11 deletions(-) diff --git a/superset/Dockerfile b/superset/Dockerfile index 93134e813..ed1396083 100644 --- a/superset/Dockerfile +++ b/superset/Dockerfile @@ -119,8 +119,8 @@ microdnf install \ microdnf clean all rm -rf /var/cache/yum -# All files and folders owned by root to support running as arbitrary users -# This is best practice as all container users will belong to the root group (0) +# All files and folders owned by root group to support running as arbitrary users. +# This is best practice as all container users will belong to the root group (0). chown -R ${STACKABLE_USER_UID}:0 /stackable chmod -R g=u /stackable EOF diff --git a/tools/Dockerfile b/tools/Dockerfile index b036e3fae..ee8d542cc 100644 --- a/tools/Dockerfile +++ b/tools/Dockerfile @@ -8,6 +8,7 @@ ARG KUBECTL_VERSION ARG RELEASE ARG JQ_VERSION ARG TARGETARCH +ARG STACKABLE_USER_UID LABEL name="Stackable Tools" \ maintainer="info@stackable.tech" \ 
@@ -30,16 +31,23 @@ RUN microdnf update && \ COPY tools/licenses /licenses -USER stackable WORKDIR /stackable/bin ENV PATH=/stackable/bin:$PATH # Get latest stable version from curl -L -s https://dl.k8s.io/release/stable.txt -RUN curl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl \ - -o /stackable/bin/kubectl && chmod +x /stackable/bin/kubectl - -RUN curl https://github.com/stedolan/jq/releases/download/jq-${JQ_VERSION}/jq-linux64 \ - -o /stackable/bin/jq && \ - chmod +x /stackable/bin/jq - -USER stackable +RUN < Date: Wed, 16 Oct 2024 14:50:57 +0200 Subject: [PATCH 07/18] Adds Trino --- trino/Dockerfile | 113 +++++++++++++++++++++++++++++------------------ 1 file changed, 69 insertions(+), 44 deletions(-) diff --git a/trino/Dockerfile b/trino/Dockerfile index b02b99895..08a237d54 100644 --- a/trino/Dockerfile +++ b/trino/Dockerfile @@ -4,6 +4,7 @@ FROM stackable/image/java-devel AS storage-connector-builder ARG STORAGE_CONNECTOR +ARG STACKABLE_USER_UID RUN < Date: Wed, 16 Oct 2024 14:52:15 +0200 Subject: [PATCH 08/18] Update CHANGELOG --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index d204cc377..f45d701d1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -31,7 +31,7 @@ All notable changes to this project will be documented in this file. - Enable [Docker build checks](https://docs.docker.com/build/checks/) ([#872]). - java: migrate to temurin jdk/jre ([#894]). - tools: bump kubectl to `1.31.1` and jq to `1.7.1` ([#896]). -- Make username, user id, group id configurable, use numeric ids everywhere, change group of all files to 0 ([#849], [#890]). +- Make username, user id, group id configurable, use numeric ids everywhere, change group of all files to 0 ([#849], [#890], [#897]). ### Removed 
@@ -85,6 +85,7 @@ All notable changes to this project will be documented in this file. [#890]: https://github.com/stackabletech/docker-images/pull/890 [#894]: https://github.com/stackabletech/docker-images/pull/894 [#896]: https://github.com/stackabletech/docker-images/pull/896 +[#897]: https://github.com/stackabletech/docker-images/pull/897 ## [24.7.0] - 2024-07-24 From f1c1071f6f66de1e4c8dc118b2d4d0cac0a60a86 Mon Sep 17 00:00:00 2001 From: Lars Francke Date: Wed, 16 Oct 2024 14:56:02 +0200 Subject: [PATCH 09/18] Add Trino CLI --- trino-cli/Dockerfile | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/trino-cli/Dockerfile b/trino-cli/Dockerfile index 29ff233f2..07ad70ff0 100644 --- a/trino-cli/Dockerfile +++ b/trino-cli/Dockerfile @@ -5,6 +5,7 @@ FROM stackable/image/java-base ARG PRODUCT ARG RELEASE +ARG STACKABLE_USER_UID LABEL name="Trino CLI" \ maintainer="info@stackable.tech" \ @@ -22,14 +23,20 @@ RUN microdnf update && \ microdnf clean all && \ rm -rf /var/cache/yum -USER stackable -WORKDIR /stackable -COPY --chown=stackable:stackable trino-cli/licenses /licenses +COPY --chown=${STACKABLE_USER_UID}:0 trino-cli/licenses /licenses WORKDIR /stackable/trino-cli -RUN curl -O https://repo.stackable.tech/repository/packages/trino-cli/trino-cli-${PRODUCT}-executable.jar \ - && ln -s trino-cli-${PRODUCT}-executable.jar trino-cli-executable.jar +RUN < Date: Wed, 16 Oct 2024 14:57:03 +0200 Subject: [PATCH 10/18] Add Vector --- vector/Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/vector/Dockerfile b/vector/Dockerfile index ad7ff0a27..e73571b64 100644 --- a/vector/Dockerfile +++ b/vector/Dockerfile @@ -7,6 +7,7 @@ ARG PRODUCT ARG RPM_RELEASE ARG INOTIFY_TOOLS ARG TARGETARCH +ARG STACKABLE_USER_UID # Init Jobs/Pods often start a Vector Sidecar Container which collects the logs. # As soon as an Init Container is done it'll need to tell the Vector sidecar that it can now also stop 
@@ -25,4 +26,4 @@ RUN ARCH="${TARGETARCH/amd64/x86_64}" ARCH="${ARCH/arm64/aarch64}" && \ # Vector state, such as on-disk buffers, file checkpoints, and more. # Vector needs write permissions. mkdir --parents /stackable/vector/var && \ - chown --recursive stackable:stackable /stackable/ + chown --recursive ${STACKABLE_USER_UID}:0 /stackable/ From f8546fe6641ea3b44eeec5cb4927ec3b5c704f00 Mon Sep 17 00:00:00 2001 From: Lars Francke Date: Thu, 17 Oct 2024 10:39:51 +0200 Subject: [PATCH 11/18] Add note --- airflow/Dockerfile | 7 +++++++ druid/Dockerfile | 7 +++++++ hadoop/Dockerfile | 7 +++++++ hbase/Dockerfile | 7 +++++++ hello-world/Dockerfile | 7 +++++++ hive/Dockerfile | 7 +++++++ kafka/Dockerfile | 7 +++++++ nifi/Dockerfile | 7 +++++++ omid/Dockerfile | 7 +++++++ opa/Dockerfile | 7 +++++++ spark-k8s/Dockerfile | 7 +++++++ superset/Dockerfile | 7 +++++++ tools/Dockerfile | 7 +++++++ trino-cli/Dockerfile | 7 +++++++ trino/Dockerfile | 7 +++++++ zookeeper/Dockerfile | 28 ++++++++++++++++++++++------ 16 files changed, 127 insertions(+), 6 deletions(-) diff --git a/airflow/Dockerfile b/airflow/Dockerfile index 83b9896e7..7727a3d02 100644 --- a/airflow/Dockerfile +++ b/airflow/Dockerfile @@ -115,6 +115,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable chmod -R g=u /stackable EOF +# ---------------------------------------- +# Attention: We are changing the group of all files in /stackable directly above +# If you do any file based actions (copying / creating etc.) below this comment you +# absolutely need to make sure that the correct permissions are applied! +# chown ${STACKABLE_USER_UID}:0 +# ---------------------------------------- + USER ${STACKABLE_USER_UID} WORKDIR /stackable diff --git a/druid/Dockerfile b/druid/Dockerfile index a294ac552..6cc597774 100644 --- a/druid/Dockerfile +++ b/druid/Dockerfile 
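Review bot: In vector/Dockerfile the group of `/stackable/` becomes 0, but unlike the other images in this series no `chmod -R g=u` follows, so `/stackable/vector/var` created by `mkdir --parents` on the line above keeps whatever mode the umask gave it. The context comment says Vector needs write permissions there, and a container started with an arbitrary UID in group 0 would presumably not have them under a default umask. Either append `chmod --recursive g=u /stackable/` to this chain or confirm that every image built on top of it applies the `chmod` later. The `RUN` starts outside the hunk.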
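Review bot: The warning block added to airflow/Dockerfile, and repeated in the other Dockerfiles of PATCH 11/18, names only `chown ${STACKABLE_USER_UID}:0` as the thing to remember, although the step it refers to also runs `chmod -R g=u /stackable`. Anything copied or created below the block needs both, so its last line would better read `# chown ${STACKABLE_USER_UID}:0 and chmod g=u`. In hive/Dockerfile and superset/Dockerfile the block sits under a `COPY --chown=...` into /stackable that already comes after the heredoc, so "directly above" is not accurate there and those copied files are not covered by the `chmod`. Moving those `COPY` lines above the `RUN` would fix both.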
@@ -126,6 +126,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable chmod -R g=u /stackable EOF +# ---------------------------------------- +# Attention: We are changing the group of all files in /stackable directly above +# If you do any file based actions (copying / creating etc.) below this comment you +# absolutely need to make sure that the correct permissions are applied! +# chown ${STACKABLE_USER_UID}:0 +# ---------------------------------------- + USER ${STACKABLE_USER_UID} ENV PATH="${PATH}":/stackable/druid/bin diff --git a/hadoop/Dockerfile b/hadoop/Dockerfile index 124a7abc4..28e65634c 100644 --- a/hadoop/Dockerfile +++ b/hadoop/Dockerfile @@ -177,6 +177,13 @@ EOF COPY hadoop/licenses /licenses +# ---------------------------------------- +# Attention: We are changing the group of all files in /stackable directly above +# If you do any file based actions (copying / creating etc.) below this comment you +# absolutely need to make sure that the correct permissions are applied! +# chown ${STACKABLE_USER_UID}:0 +# ---------------------------------------- + USER ${STACKABLE_USER_UID} ENV HOME=/stackable diff --git a/hbase/Dockerfile b/hbase/Dockerfile index a8228dec7..4112d8fd2 100644 --- a/hbase/Dockerfile +++ b/hbase/Dockerfile @@ -360,6 +360,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable chmod -R g=u /stackable EOF +# ---------------------------------------- +# Attention: We are changing the group of all files in /stackable directly above +# If you do any file based actions (copying / creating etc.) below this comment you +# absolutely need to make sure that the correct permissions are applied! +# chown ${STACKABLE_USER_UID}:0 +# ---------------------------------------- + USER ${STACKABLE_USER_UID} ENV HBASE_CONF_DIR=/stackable/hbase/conf ENV HOME=/stackable diff --git a/hello-world/Dockerfile b/hello-world/Dockerfile index 9680043b6..3a27047cf 100644 --- a/hello-world/Dockerfile +++ b/hello-world/Dockerfile 
@@ -28,6 +28,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable chmod -R g=u /stackable EOF +# ---------------------------------------- +# Attention: We are changing the group of all files in /stackable directly above +# If you do any file based actions (copying / creating etc.) below this comment you +# absolutely need to make sure that the correct permissions are applied! +# chown ${STACKABLE_USER_UID}:0 +# ---------------------------------------- + USER ${STACKABLE_USER_UID} WORKDIR /stackable diff --git a/hive/Dockerfile b/hive/Dockerfile index 794faef6b..d3f5f61ae 100644 --- a/hive/Dockerfile +++ b/hive/Dockerfile @@ -142,6 +142,13 @@ EOF COPY --chown=${STACKABLE_USER_UID}:0 --from=hive-builder /stackable/jmx /stackable/jmx COPY hive/licenses /licenses +# ---------------------------------------- +# Attention: We are changing the group of all files in /stackable directly above +# If you do any file based actions (copying / creating etc.) below this comment you +# absolutely need to make sure that the correct permissions are applied! +# chown ${STACKABLE_USER_UID}:0 +# ---------------------------------------- + USER ${STACKABLE_USER_UID} ENV HADOOP_HOME=/stackable/hadoop diff --git a/kafka/Dockerfile b/kafka/Dockerfile index 4d7b204c0..88ba1ec64 100644 --- a/kafka/Dockerfile +++ b/kafka/Dockerfile @@ -84,6 +84,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable chmod -R g=u /stackable EOF +# ---------------------------------------- +# Attention: We are changing the group of all files in /stackable directly above +# If you do any file based actions (copying / creating etc.) below this comment you +# absolutely need to make sure that the correct permissions are applied! +# chown ${STACKABLE_USER_UID}:0 +# ---------------------------------------- + USER ${STACKABLE_USER_UID} ENV PATH="${PATH}:/stackable/bin:/stackable/kafka/bin" diff --git a/nifi/Dockerfile b/nifi/Dockerfile index 472be39a5..4fd145c65 100644 --- a/nifi/Dockerfile +++ b/nifi/Dockerfile 
@@ -129,6 +129,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable chmod -R g=u /stackable EOF +# ---------------------------------------- +# Attention: We are changing the group of all files in /stackable directly above +# If you do any file based actions (copying / creating etc.) below this comment you +# absolutely need to make sure that the correct permissions are applied! +# chown ${STACKABLE_USER_UID}:0 +# ---------------------------------------- + USER ${STACKABLE_USER_UID} ENV HOME=/stackable diff --git a/omid/Dockerfile b/omid/Dockerfile index 1c7d14f82..38cec3337 100644 --- a/omid/Dockerfile +++ b/omid/Dockerfile @@ -101,6 +101,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable chmod -R g=u /stackable EOF +# ---------------------------------------- +# Attention: We are changing the group of all files in /stackable directly above +# If you do any file based actions (copying / creating etc.) below this comment you +# absolutely need to make sure that the correct permissions are applied! +# chown ${STACKABLE_USER_UID}:0 +# ---------------------------------------- + USER ${STACKABLE_USER_UID} WORKDIR /stackable/omid-tso-server diff --git a/opa/Dockerfile b/opa/Dockerfile index df7695c97..df962061d 100644 --- a/opa/Dockerfile +++ b/opa/Dockerfile @@ -118,6 +118,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable chmod -R g=u /stackable EOF +# ---------------------------------------- +# Attention: We are changing the group of all files in /stackable directly above +# If you do any file based actions (copying / creating etc.) below this comment you +# absolutely need to make sure that the correct permissions are applied! +# chown ${STACKABLE_USER_UID}:0 +# ---------------------------------------- + USER ${STACKABLE_USER_UID} WORKDIR /stackable/opa diff --git a/spark-k8s/Dockerfile b/spark-k8s/Dockerfile index 965efdaf3..e68a18721 100644 --- a/spark-k8s/Dockerfile +++ b/spark-k8s/Dockerfile 
@@ -328,6 +328,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable chmod -R g=u /stackable EOF +# ---------------------------------------- +# Attention: We are changing the group of all files in /stackable directly above +# If you do any file based actions (copying / creating etc.) below this comment you +# absolutely need to make sure that the correct permissions are applied! +# chown ${STACKABLE_USER_UID}:0 +# ---------------------------------------- + USER ${STACKABLE_USER_UID} WORKDIR /stackable/spark diff --git a/superset/Dockerfile b/superset/Dockerfile index ed1396083..86f30d0c8 100644 --- a/superset/Dockerfile +++ b/superset/Dockerfile @@ -129,6 +129,13 @@ COPY superset/licenses /licenses COPY --from=builder --chown=${STACKABLE_USER_UID}:0 /stackable/ ${HOME}/ +# ---------------------------------------- +# Attention: We are changing the group of all files in /stackable directly above +# If you do any file based actions (copying / creating etc.) below this comment you +# absolutely need to make sure that the correct permissions are applied! +# chown ${STACKABLE_USER_UID}:0 +# ---------------------------------------- + USER ${STACKABLE_USER_UID} WORKDIR ${HOME} diff --git a/tools/Dockerfile b/tools/Dockerfile index ee8d542cc..d340e19eb 100644 --- a/tools/Dockerfile +++ b/tools/Dockerfile @@ -50,4 +50,11 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable chmod -R g=u /stackable EOF +# ---------------------------------------- +# Attention: We are changing the group of all files in /stackable directly above +# If you do any file based actions (copying / creating etc.) below this comment you +# absolutely need to make sure that the correct permissions are applied! +# chown ${STACKABLE_USER_UID}:0 +# ---------------------------------------- + USER ${STACKABLE_USER_UID} diff --git a/trino-cli/Dockerfile b/trino-cli/Dockerfile index 07ad70ff0..f2e7d6af0 100644 --- a/trino-cli/Dockerfile +++ b/trino-cli/Dockerfile 
@@ -38,5 +38,12 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable chmod -R g=u /stackable EOF +# ---------------------------------------- +# Attention: We are changing the group of all files in /stackable directly above +# If you do any file based actions (copying / creating etc.) below this comment you +# absolutely need to make sure that the correct permissions are applied! +# chown ${STACKABLE_USER_UID}:0 +# ---------------------------------------- + USER ${STACKABLE_USER_UID} ENTRYPOINT ["java", "-jar", "/stackable/trino-cli/trino-cli-executable.jar"] diff --git a/trino/Dockerfile b/trino/Dockerfile index 08a237d54..97aeca2a0 100644 --- a/trino/Dockerfile +++ b/trino/Dockerfile @@ -186,6 +186,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable chmod -R g=u /stackable EOF +# ---------------------------------------- +# Attention: We are changing the group of all files in /stackable directly above +# If you do any file based actions (copying / creating etc.) below this comment you +# absolutely need to make sure that the correct permissions are applied! +# chown ${STACKABLE_USER_UID}:0 +# ---------------------------------------- + USER ${STACKABLE_USER_UID} WORKDIR /stackable/trino-server CMD ["bin/launcher", "run", "--etc-dir=/stackable/conf"] diff --git a/zookeeper/Dockerfile b/zookeeper/Dockerfile index 7bbe342be..1d9302927 100644 --- a/zookeeper/Dockerfile +++ b/zookeeper/Dockerfile @@ -8,11 +8,12 @@ FROM stackable/image/java-devel AS builder ARG PRODUCT ARG JMX_EXPORTER +ARG STACKABLE_USER_UID # Copy patches and JMX config into the builder -COPY --chown=stackable:stackable zookeeper/stackable /stackable +COPY --chown=${STACKABLE_USER_UID}:0 zookeeper/stackable /stackable -USER stackable +USER ${STACKABLE_USER_UID} WORKDIR /stackable # Download ZooKeeper sources from our own repo @@ -65,6 +66,7 @@ FROM stackable/image/java-base ARG PRODUCT ARG RELEASE +ARG STACKABLE_USER_UID LABEL name="Apache ZooKeeper" \ maintainer="info@stackable.tech" \ 
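Review bot: `ARG STACKABLE_USER_UID` is declared without a default in both zookeeper/Dockerfile stages (the hunks at `-8,11` and `-65,6`), and the value then drives `COPY --chown=${STACKABLE_USER_UID}:0` and `USER ${STACKABLE_USER_UID}`. If a build runs without that build argument, the variable expands to an empty string. Depending on the instruction, that is likely either a build error or ownership that silently stays with root; the hunks do not show whether the build tooling always passes it. A fail-fast line directly after the `ARG`, such as `RUN : "${STACKABLE_USER_UID:?STACKABLE_USER_UID build arg is required}"`, makes the requirement explicit. Both stages continue outside these hunks.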
@@ -79,21 +81,35 @@ RUN microdnf update && \ rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}\n" | sort > /stackable/package_manifest.txt && \ rm -rf /var/cache/yum -USER stackable WORKDIR /stackable # Copy over the ZooKeeper binary folder -COPY --chown=stackable:stackable --from=builder /stackable/apache-zookeeper-${PRODUCT}-bin /stackable/apache-zookeeper-${PRODUCT}-bin/ -COPY --chown=stackable:stackable --from=builder /stackable/jmx /stackable/jmx/ +COPY --chown=${STACKABLE_USER_UID}:0 --from=builder /stackable/apache-zookeeper-${PRODUCT}-bin /stackable/apache-zookeeper-${PRODUCT}-bin/ +COPY --chown=${STACKABLE_USER_UID}:0 --from=builder /stackable/jmx /stackable/jmx/ COPY zookeeper/licenses /licenses # Add link pointing from /stackable/zookeeper to /stackable/apache-zookeeper-${PRODUCT}-bin/ # to preserve the folder name with the version. -RUN ln -s /stackable/apache-zookeeper-${PRODUCT}-bin/ /stackable/zookeeper +RUN < Date: Wed, 23 Oct 2024 09:57:11 +0200 Subject: [PATCH 12/18] Update tools/Dockerfile Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com> --- tools/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/Dockerfile b/tools/Dockerfile index d340e19eb..5ba459a1c 100644 --- a/tools/Dockerfile +++ b/tools/Dockerfile @@ -36,7 +36,7 @@ ENV PATH=/stackable/bin:$PATH # Get latest stable version from curl -L -s https://dl.k8s.io/release/stable.txt RUN < Date: Wed, 23 Oct 2024 09:57:42 +0200 Subject: [PATCH 13/18] Update superset/Dockerfile Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com> --- superset/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/superset/Dockerfile b/superset/Dockerfile index 86f30d0c8..fd80d0a7f 100644 --- a/superset/Dockerfile +++ b/superset/Dockerfile 
@@ -121,7 +121,7 @@ rm -rf /var/cache/yum # All files and folders owned by root group to support running as arbitrary users. # This is best practice as all container users will belong to the root group (0). -chown -R ${STACKABLE_USER_UID}:0 /stackable +chown -R "${STACKABLE_USER_UID}:0" /stackable chmod -R g=u /stackable EOF From 04c9942ddb06854d5aa7c86afe47f8780c6f1e1c Mon Sep 17 00:00:00 2001 From: Lars Francke Date: Wed, 23 Oct 2024 09:58:31 +0200 Subject: [PATCH 14/18] Update tools/Dockerfile Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com> --- tools/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/Dockerfile b/tools/Dockerfile index 5ba459a1c..c13ce644a 100644 --- a/tools/Dockerfile +++ b/tools/Dockerfile @@ -40,7 +40,7 @@ curl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kube -o /stackable/bin/kubectl chmod +x /stackable/bin/kubectl -curl https://github.com/stedolan/jq/releases/download/jq-${JQ_VERSION}/jq-linux64 \ +curl "https://github.com/stedolan/jq/releases/download/jq-${JQ_VERSION}/jq-linux64" \ -o /stackable/bin/jq chmod +x /stackable/bin/jq From 6c1bdd18dc77a4f569ca70ef10343eb5c2337d6a Mon Sep 17 00:00:00 2001 From: Lars Francke Date: Wed, 23 Oct 2024 09:58:37 +0200 Subject: [PATCH 15/18] Update trino-cli/Dockerfile Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com> --- trino-cli/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/trino-cli/Dockerfile b/trino-cli/Dockerfile index f2e7d6af0..ff16dc375 100644 --- a/trino-cli/Dockerfile +++ b/trino-cli/Dockerfile @@ -29,7 +29,7 @@ COPY --chown=${STACKABLE_USER_UID}:0 trino-cli/licenses /licenses WORKDIR /stackable/trino-cli RUN < Date: Wed, 23 Oct 2024 09:58:43 +0200 Subject: [PATCH 16/18] Update trino-cli/Dockerfile Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com> --- trino-cli/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
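Review bot: The jq download in the tools/Dockerfile hunk of patch 14 is marked executable straight after `curl` with no integrity check. `curl` is also called without `--fail`, so an HTTP error body would be written to `/stackable/bin/jq` and the build would still succeed. I would use `curl --fail --location "https://github.com/stedolan/jq/releases/download/jq-${JQ_VERSION}/jq-linux64" -o /stackable/bin/jq` followed by `echo "${JQ_SHA256}  /stackable/bin/jq" | sha256sum --check -`, where `JQ_SHA256` is a placeholder for a pinned digest that the file does not define yet. The kubectl download in the hunk-header context looks like it has the same gap, but its line is truncated here. The asset name is also fixed to `jq-linux64` while the kubectl URL uses `${TARGETARCH}`, which is worth checking for non-amd64 builds.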
diff --git a/trino-cli/Dockerfile b/trino-cli/Dockerfile index ff16dc375..a61398d69 100644 --- a/trino-cli/Dockerfile +++ b/trino-cli/Dockerfile @@ -30,7 +30,7 @@ WORKDIR /stackable/trino-cli RUN < Date: Wed, 23 Oct 2024 09:58:48 +0200 Subject: [PATCH 17/18] Update superset/Dockerfile Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com> --- superset/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/superset/Dockerfile b/superset/Dockerfile index fd80d0a7f..47015798b 100644 --- a/superset/Dockerfile +++ b/superset/Dockerfile @@ -114,7 +114,7 @@ microdnf install \ openldap-clients \ openssl-libs \ openssl-pkcs11 \ - python${PYTHON} + "python${PYTHON}" microdnf clean all rm -rf /var/cache/yum From 985a3bed5ff7629b143b3f96ed536963fab93e88 Mon Sep 17 00:00:00 2001 From: Lars Francke Date: Wed, 23 Oct 2024 10:06:35 +0200 Subject: [PATCH 18/18] Fix CHANGELOG --- CHANGELOG.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e2b3d4f07..44d4f2bfb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -31,7 +31,8 @@ All notable changes to this project will be documented in this file. - Enable [Docker build checks](https://docs.docker.com/build/checks/) ([#872]). - java: migrate to temurin jdk/jre ([#894]). - tools: bump kubectl to `1.31.1` and jq to `1.7.1` ([#896]). -- Make username, user id, group id configurable, use numeric ids everywhere, change group of all files to 0 ([#849], [#890], [#897]).- ci: Bump `stackabletech/actions` to 0.0.6 ([#901]). +- Make username, user id, group id configurable, use numeric ids everywhere, change group of all files to 0 ([#849], [#890], [#897]). +- ci: Bump `stackabletech/actions` to 0.0.6 ([#901]). ### Removed