base_images: create non-root java base image

airbytehq · Dec 18, 2024 · ab9a80e · ab9a80e
1 parent 4be7f1a
commit ab9a80e
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 14 deletions.
diff --git a/airbyte-ci/connectors/base_images/README.md b/airbyte-ci/connectors/base_images/README.md
@@ -42,7 +42,7 @@ RUN mkdir -p 755 /usr/share/nltk_data
 ### Example for `airbyte/java-connector-base`:
 ```dockerfile
 FROM docker.io/amazoncorretto:21-al2023@sha256:5454cb606e803fce56861fdbc9eab365eaa2ab4f357ceb8c1d56f4f8c8a7bc33
-RUN sh -c set -o xtrace && yum update -y --security && yum install -y tar openssl findutils && yum clean all
+RUN sh -c set -o xtrace && yum update -y --security && yum install -y /usr/sbin/adduser tar openssl findutils && yum clean all && adduser --base-dir /airbyte --uid 1000 --user-group --system airbyte && mkdir --mode 755 /airbyte && mkdir --mode 755 /custom_cache && chown -R airbyte:airbyte /airbyte
 ENV AIRBYTE_SPEC_CMD=/airbyte/javabase.sh --spec
 ENV AIRBYTE_CHECK_CMD=/airbyte/javabase.sh --check
 ENV AIRBYTE_DISCOVER_CMD=/airbyte/javabase.sh --discover
@@ -77,6 +77,7 @@ ENV AIRBYTE_ENTRYPOINT=/airbyte/base.sh
 
 | Version | Published | Docker Image Address | Changelog | 
 |---------|-----------|--------------|-----------|
+|  2.0.0-rc.1 | ✅| docker.io/airbyte/java-connector-base:2.0.0-rc.1@sha256:484b929684b9e4f60d06cde171ee0b8238802cb434403293fcede81c1e73c537 |  Make the java base image non root |
 |  1.0.0 | ✅| docker.io/airbyte/java-connector-base:1.0.0@sha256:be86e5684e1e6d9280512d3d8071b47153698fe08ad990949c8eeff02803201a | Create a base image for our java connectors based on Amazon Corretto. |
 |  1.0.0-rc.4 | ✅| docker.io/airbyte/java-connector-base:1.0.0-rc.4@sha256:be86e5684e1e6d9280512d3d8071b47153698fe08ad990949c8eeff02803201a | Bundle yum calls in a single RUN |
 |  1.0.0-rc.3 | ✅| docker.io/airbyte/java-connector-base:1.0.0-rc.3@sha256:be86e5684e1e6d9280512d3d8071b47153698fe08ad990949c8eeff02803201a |  |

diff --git a/airbyte-ci/connectors/base_images/base_images/java/bases.py b/airbyte-ci/connectors/base_images/base_images/java/bases.py
@@ -14,8 +14,6 @@
 
 
 class AirbyteJavaConnectorBaseImage(bases.AirbyteConnectorBaseImage):
-    # TODO: remove this once we want to build the base image with the airbyte user.
-    USER: Final[str] = "root"
 
     root_image: Final[published_image.PublishedImage] = AMAZON_CORRETTO_21_AL_2023
     repository: Final[str] = "airbyte/java-connector-base"
@@ -41,8 +39,6 @@ def get_container(self, platform: dagger.Platform) -> dagger.Container:
         """
 
         return (
-            # TODO: Call this when we want to build the base image with the airbyte user
-            # self.get_base_container(platform)
             self.dagger_client.container(platform=platform)
             .from_(self.root_image.address)
             # Bundle RUN commands together to reduce the number of layers.
@@ -55,19 +51,26 @@ def get_container(self, platform: dagger.Platform) -> dagger.Container:
                         # tar is equired to untar java connector binary distributions.
                         # openssl is required because we need to ssh and scp sometimes.
                         # findutils is required for xargs, which is shipped as part of findutils.
-                        f"yum install -y tar openssl findutils",
+                        f"yum install -y /usr/sbin/adduser tar openssl findutils",
                         # Remove any dangly bits.
                         "yum clean all",
+                        # Create the user 'airbyte' with the UID 1000 and GID 1000
+                        f"adduser --base-dir {self.AIRBYTE_DIR_PATH} --uid {self.USER_ID} --user-group --system {self.USER}",
+                        # Create the cache airbyte directories and set the right permissions
+                        f"mkdir --mode 755 {self.AIRBYTE_DIR_PATH}",
+                        f"mkdir --mode 755 {self.CACHE_DIR_PATH}",
+                        # Change the owner of the airbyte directory to the user 'airbyte'
+                        f"chown -R {self.USER}:{self.USER} {self.AIRBYTE_DIR_PATH}",
                     ]
                 )
             )
-            .with_workdir("/airbyte")
+            .with_workdir(self.AIRBYTE_DIR_PATH)
             # Copy the datadog java agent jar from the internet.
-            .with_file("dd-java-agent.jar", self.dagger_client.http(self.DD_AGENT_JAR_URL))
+            .with_file("dd-java-agent.jar", self.dagger_client.http(self.DD_AGENT_JAR_URL), owner=self.USER)
             # Copy base.sh from the git repo.
-            .with_file("base.sh", self.dagger_client.http(self.BASE_SCRIPT_URL))
+            .with_file("base.sh", self.dagger_client.http(self.BASE_SCRIPT_URL), owner=self.USER)
             # Copy javabase.sh from the git repo.
-            .with_file("javabase.sh", self.dagger_client.http(self.JAVA_BASE_SCRIPT_URL))
+            .with_file("javabase.sh", self.dagger_client.http(self.JAVA_BASE_SCRIPT_URL), owner=self.USER)
             # Set a bunch of env variables used by base.sh.
             .with_env_variable("AIRBYTE_SPEC_CMD", "/airbyte/javabase.sh --spec")
             .with_env_variable("AIRBYTE_CHECK_CMD", "/airbyte/javabase.sh --check")
@@ -76,6 +79,7 @@ def get_container(self, platform: dagger.Platform) -> dagger.Container:
             .with_env_variable("AIRBYTE_WRITE_CMD", "/airbyte/javabase.sh --write")
             .with_env_variable("AIRBYTE_ENTRYPOINT", "/airbyte/base.sh")
             .with_entrypoint(["/airbyte/base.sh"])
+            .with_user(self.USER)
         )
 
     async def run_sanity_checks(self, platform: dagger.Platform):
@@ -86,7 +90,7 @@ async def run_sanity_checks(self, platform: dagger.Platform):
         Args:
             platform (dagger.Platform): The platform on which the sanity checks should run.
         """
-        container = self.get_container(platform)
+        container = await self.get_container(platform)
         await base_sanity_checks.check_user_can_read_dir(container, self.USER, self.AIRBYTE_DIR_PATH)
         await base_sanity_checks.check_user_can_write_dir(container, self.USER, self.AIRBYTE_DIR_PATH)
         await base_sanity_checks.check_file_exists(container, "/airbyte/dd-java-agent.jar")

diff --git a/airbyte-ci/connectors/base_images/base_images/sanity_checks.py b/airbyte-ci/connectors/base_images/base_images/sanity_checks.py
@@ -142,7 +142,7 @@ async def check_user_can_read_dir(container: dagger.Container, user: str, dir_pa
     try:
         await container.with_exec(["touch", f"{dir_path}/foo.txt"]).with_user(user).with_exec(["cat", f"{dir_path}/foo.txt"])
     except dagger.ExecError:
-        raise errors.SanityCheckError(f"{dir_path} is not readable by the {user}.")
+        raise errors.SanityCheckError(f"{dir_path} is not readable by {user}.")
 
 
 async def check_user_cant_write_dir(container: dagger.Container, user: str, dir_path: str):
@@ -160,7 +160,7 @@ async def check_user_cant_write_dir(container: dagger.Container, user: str, dir_
         await container.with_user(user).with_exec(["touch", f"{dir_path}/foo.txt"])
     except dagger.ExecError:
         return
-    raise errors.SanityCheckError(f"{dir_path} is writable by the {user}.")
+    raise errors.SanityCheckError(f"{dir_path} is writable by {user}.")
 
 
 async def check_user_can_write_dir(container: dagger.Container, user: str, dir_path: str):

diff --git a/airbyte-ci/connectors/base_images/generated/changelogs/airbyte_java_connector_base.json b/airbyte-ci/connectors/base_images/generated/changelogs/airbyte_java_connector_base.json
@@ -1,4 +1,9 @@
 [
+  {
+    "version": "2.0.0-rc.1",
+    "changelog_entry": " Make the java base image non root",
+    "dockerfile_example": "FROM docker.io/amazoncorretto:21-al2023@sha256:5454cb606e803fce56861fdbc9eab365eaa2ab4f357ceb8c1d56f4f8c8a7bc33\nRUN sh -c set -o xtrace && yum update -y --security && yum install -y /usr/sbin/adduser tar openssl findutils && yum clean all && adduser --base-dir /airbyte --uid 1000 --user-group --system airbyte && mkdir --mode 755 /airbyte && mkdir --mode 755 /custom_cache && chown -R airbyte:airbyte /airbyte\nENV AIRBYTE_SPEC_CMD=/airbyte/javabase.sh --spec\nENV AIRBYTE_CHECK_CMD=/airbyte/javabase.sh --check\nENV AIRBYTE_DISCOVER_CMD=/airbyte/javabase.sh --discover\nENV AIRBYTE_READ_CMD=/airbyte/javabase.sh --read\nENV AIRBYTE_WRITE_CMD=/airbyte/javabase.sh --write\nENV AIRBYTE_ENTRYPOINT=/airbyte/base.sh"
+  },
   {
     "version": "1.0.0",
     "changelog_entry": "Create a base image for our java connectors based on Amazon Corretto.",

diff --git a/airbyte-ci/connectors/base_images/pyproject.toml b/airbyte-ci/connectors/base_images/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "airbyte-connectors-base-images"
-version = "1.4.0"
+version = "1.5.0"
 description = "This package is used to generate and publish the base images for Airbyte Connectors."
 authors = ["Augustin Lafanechere <[email protected]>"]
 readme = "README.md"