github
/
incubator-airflow
зеркало из https://github.com/github/incubator-airflow.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
incubator-airflow/Dockerfile

444 строки
16 KiB
Docker
Исходник Обычный вид История

Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# THIS DOCKERFILE IS INTENDED FOR PRODUCTION USE AND DEPLOYMENT.
# NOTE! IT IS ALPHA-QUALITY FOR NOW - WE ARE IN A PROCESS OF TESTING IT
#
#
# This is a multi-segmented image. It actually contains two images:
#
# airflow-build-image - there all airflow dependencies can be installed (and
# built - for those dependencies that require
# build essentials). Airflow is installed there with
# --user switch so that all the dependencies are
# installed to ${HOME}/.local
#
# main - this is the actual production image that is much
# smaller because it does not contain all the build
# essentials. Instead the ${HOME}/.local folder
# is copied from the build-image - this way we have
# only result of installation and we do not need
# all the build essentials. This makes the image
# much smaller.
#
ARG AIRFLOW_VERSION="2.0.0.dev0"
Production images on CI are now built from packages (#12685) So far, the production images of Airflow were using sources when they were built on CI. This PR changes that, to build airflow + providers packages first and install them rather than use sources as installation mechanism. Part of #12261
2020-12-07 01:36:33 +03:00
ARG AIRFLOW_EXTRAS="async,amazon,celery,cncf.kubernetes,docker,dask,elasticsearch,ftp,grpc,hashicorp,http,google,microsoft.azure,mysql,postgres,redis,sendgrid,sftp,slack,ssh,statsd,virtualenv"
Add ADDITIONAL_AIRFLOW_EXTRAS (#9032) * Add build-arg ADDITIONAL_AIRFLOW_EXTRAS * Add ADDITIONAL_AIRFLOW_EXTRAS example and description
2020-05-27 13:58:59 +03:00
ARG ADDITIONAL_AIRFLOW_EXTRAS=""
Add ADDITIONAL_PYTHON_DEPS (#9031) * add build-arg ADDITIONAL_PYTHON_DEPS * Add ADDITIONAL_PYTHON_DEPS example and description Co-authored-by: Fabian Witt <fabian.witt@redheads.de>
2020-05-27 12:52:26 +03:00
ARG ADDITIONAL_PYTHON_DEPS=""
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
ARG AIRFLOW_HOME=/opt/airflow
ARG AIRFLOW_UID="50000"
ARG AIRFLOW_GID="50000"
ARG CASS_DRIVER_BUILD_CONCURRENCY="8"
ARG PYTHON_BASE_IMAGE="python:3.6-slim-buster"
ARG PYTHON_MAJOR_MINOR_VERSION="3.6"
Pins PIP to 20.2.4 in our Dockerfiles (#12738) Until we make sure that the new resolver in PIP 20.3 works we should pin PIP to 20.2.4. This is hopefully a temporary measure. Part of #12737
2020-12-01 19:39:55 +03:00
ARG PIP_VERSION=20.2.4
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
##############################################################################################
# This is the build image where we build all dependencies
##############################################################################################
FROM ${PYTHON_BASE_IMAGE} as airflow-build-image
SHELL ["/bin/bash", "-o", "pipefail", "-e", "-u", "-x", "-c"]
ARG PYTHON_BASE_IMAGE
ENV PYTHON_BASE_IMAGE=${PYTHON_BASE_IMAGE}
ARG PYTHON_MAJOR_MINOR_VERSION
ENV PYTHON_MAJOR_MINOR_VERSION=${PYTHON_MAJOR_MINOR_VERSION}
Pins PIP to 20.2.4 in our Dockerfiles (#12738) Until we make sure that the new resolver in PIP 20.3 works we should pin PIP to 20.2.4. This is hopefully a temporary measure. Part of #12737
2020-12-01 19:39:55 +03:00
ARG PIP_VERSION
ENV PIP_VERSION=${PIP_VERSION}
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
# Make sure noninteractive debian install is used and language variables set
ENV DEBIAN_FRONTEND=noninteractive LANGUAGE=C.UTF-8 LANG=C.UTF-8 LC_ALL=C.UTF-8 \
LC_CTYPE=C.UTF-8 LC_MESSAGES=C.UTF-8
More customizable build process for Docker images (#11176) * Allows more customizations for image building. This is the third (and not last) part of making the Production image more corporate-environment friendly. It's been prepared for the request of one of the big Airflow user (company) that has rather strict security requirements when it comes to preparing and building images. They are committed to synchronizing with the progress of Apache Airflow 2.0 development and making the image customizable so that they can build it using only sources controlled by them internally was one of the important requirements for them. This change adds the possibilty of customizing various steps in the build process: * adding custom scripts to be run before installation of both build image and runtime image. This allows for example to add installing custom GPG keys, and adding custom sources. * customizing the way NodeJS and Yarn are installed in the build image segment - as they might rely on their own way of installation. * adding extra packages to be installed during both build and dev segment build steps. This is crucial to achieve the same size optimizations as the original image. * defining additional environment variables (for example environment variables that indicate acceptance of the EULAs in case of installing proprietary packages that require EULA acceptance - both in the build image and runtime image (again the goal is to keep the image optimized for size) The image build process remains the same when no customization options are specified, but having those options increases flexibility of the image build process in corporate environments. This is part of #11171. This change also fixes some of the issues opened and raised by other users of the Dockerfile. Fixes: #10730 Fixes: #10555 Fixes: #10856 Input from those issues has been taken into account when this change was designed so that the cases described in those issues could be implemented. Example from one of the issue landed as an example way of building highly customized Airflow Image using those customization options. Depends on #11174 * Update IMAGES.rst Co-authored-by: Kamil Breguła <mik-laj@users.noreply.github.com>
2020-09-29 16:30:00 +03:00
# Install curl and gnupg2 - needed for many other installation steps
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
curl \
gnupg2 \
&& apt-get autoremove -yqq --purge \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
More customizable build process for Docker images (#11176) * Allows more customizations for image building. This is the third (and not last) part of making the Production image more corporate-environment friendly. It's been prepared for the request of one of the big Airflow user (company) that has rather strict security requirements when it comes to preparing and building images. They are committed to synchronizing with the progress of Apache Airflow 2.0 development and making the image customizable so that they can build it using only sources controlled by them internally was one of the important requirements for them. This change adds the possibilty of customizing various steps in the build process: * adding custom scripts to be run before installation of both build image and runtime image. This allows for example to add installing custom GPG keys, and adding custom sources. * customizing the way NodeJS and Yarn are installed in the build image segment - as they might rely on their own way of installation. * adding extra packages to be installed during both build and dev segment build steps. This is crucial to achieve the same size optimizations as the original image. * defining additional environment variables (for example environment variables that indicate acceptance of the EULAs in case of installing proprietary packages that require EULA acceptance - both in the build image and runtime image (again the goal is to keep the image optimized for size) The image build process remains the same when no customization options are specified, but having those options increases flexibility of the image build process in corporate environments. This is part of #11171. This change also fixes some of the issues opened and raised by other users of the Dockerfile. Fixes: #10730 Fixes: #10555 Fixes: #10856 Input from those issues has been taken into account when this change was designed so that the cases described in those issues could be implemented. Example from one of the issue landed as an example way of building highly customized Airflow Image using those customization options. Depends on #11174 * Update IMAGES.rst Co-authored-by: Kamil Breguła <mik-laj@users.noreply.github.com>
2020-09-29 16:30:00 +03:00
ARG DEV_APT_DEPS="\
apt-transport-https \
apt-utils \
build-essential \
ca-certificates \
gnupg \
dirmngr \
freetds-bin \
freetds-dev \
gosu \
krb5-user \
ldap-utils \
libffi-dev \
libkrb5-dev \
libpq-dev \
libsasl2-2 \
libsasl2-dev \
libsasl2-modules \
libssl-dev \
locales \
lsb-release \
nodejs \
openssh-client \
postgresql-client \
python-selinux \
sasl2-bin \
software-properties-common \
sqlite3 \
sudo \
unixodbc \
unixodbc-dev \
yarn"
ENV DEV_APT_DEPS=${DEV_APT_DEPS}
ARG ADDITIONAL_DEV_APT_DEPS=""
ENV ADDITIONAL_DEV_APT_DEPS=${ADDITIONAL_DEV_APT_DEPS}
ARG DEV_APT_COMMAND="\
curl --fail --location https://deb.nodesource.com/setup_10.x | bash - \
&& curl https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - > /dev/null \
&& echo 'deb https://dl.yarnpkg.com/debian/ stable main' > /etc/apt/sources.list.d/yarn.list"
ENV DEV_APT_COMMAND=${DEV_APT_COMMAND}
ARG ADDITIONAL_DEV_APT_COMMAND="echo"
ENV ADDITIONAL_DEV_APT_COMMAND=${ADDITIONAL_DEV_APT_COMMAND}
ARG ADDITIONAL_DEV_ENV_VARS=""
Support additional apt dependencies (#9189) * Add ADDITONAL_DEV_DEPS and ADDITONAL_RUNTIME_DEPS * Add examples for additional apt dev and runtime dependencies * Update comment * Fix typo
2020-06-10 00:05:43 +03:00
More customizable build process for Docker images (#11176) * Allows more customizations for image building. This is the third (and not last) part of making the Production image more corporate-environment friendly. It's been prepared for the request of one of the big Airflow user (company) that has rather strict security requirements when it comes to preparing and building images. They are committed to synchronizing with the progress of Apache Airflow 2.0 development and making the image customizable so that they can build it using only sources controlled by them internally was one of the important requirements for them. This change adds the possibilty of customizing various steps in the build process: * adding custom scripts to be run before installation of both build image and runtime image. This allows for example to add installing custom GPG keys, and adding custom sources. * customizing the way NodeJS and Yarn are installed in the build image segment - as they might rely on their own way of installation. * adding extra packages to be installed during both build and dev segment build steps. This is crucial to achieve the same size optimizations as the original image. * defining additional environment variables (for example environment variables that indicate acceptance of the EULAs in case of installing proprietary packages that require EULA acceptance - both in the build image and runtime image (again the goal is to keep the image optimized for size) The image build process remains the same when no customization options are specified, but having those options increases flexibility of the image build process in corporate environments. This is part of #11171. This change also fixes some of the issues opened and raised by other users of the Dockerfile. Fixes: #10730 Fixes: #10555 Fixes: #10856 Input from those issues has been taken into account when this change was designed so that the cases described in those issues could be implemented. Example from one of the issue landed as an example way of building highly customized Airflow Image using those customization options. Depends on #11174 * Update IMAGES.rst Co-authored-by: Kamil Breguła <mik-laj@users.noreply.github.com>
2020-09-29 16:30:00 +03:00
# Note missing man directories on debian-buster
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863199
Support additional apt dependencies (#9189) * Add ADDITONAL_DEV_DEPS and ADDITONAL_RUNTIME_DEPS * Add examples for additional apt dev and runtime dependencies * Update comment * Fix typo
2020-06-10 00:05:43 +03:00
# Install basic and additional apt dependencies
More customizable build process for Docker images (#11176) * Allows more customizations for image building. This is the third (and not last) part of making the Production image more corporate-environment friendly. It's been prepared for the request of one of the big Airflow user (company) that has rather strict security requirements when it comes to preparing and building images. They are committed to synchronizing with the progress of Apache Airflow 2.0 development and making the image customizable so that they can build it using only sources controlled by them internally was one of the important requirements for them. This change adds the possibilty of customizing various steps in the build process: * adding custom scripts to be run before installation of both build image and runtime image. This allows for example to add installing custom GPG keys, and adding custom sources. * customizing the way NodeJS and Yarn are installed in the build image segment - as they might rely on their own way of installation. * adding extra packages to be installed during both build and dev segment build steps. This is crucial to achieve the same size optimizations as the original image. * defining additional environment variables (for example environment variables that indicate acceptance of the EULAs in case of installing proprietary packages that require EULA acceptance - both in the build image and runtime image (again the goal is to keep the image optimized for size) The image build process remains the same when no customization options are specified, but having those options increases flexibility of the image build process in corporate environments. This is part of #11171. This change also fixes some of the issues opened and raised by other users of the Dockerfile. Fixes: #10730 Fixes: #10555 Fixes: #10856 Input from those issues has been taken into account when this change was designed so that the cases described in those issues could be implemented. Example from one of the issue landed as an example way of building highly customized Airflow Image using those customization options. Depends on #11174 * Update IMAGES.rst Co-authored-by: Kamil Breguła <mik-laj@users.noreply.github.com>
2020-09-29 16:30:00 +03:00
RUN mkdir -pv /usr/share/man/man1 \
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
&& mkdir -pv /usr/share/man/man7 \
More customizable build process for Docker images (#11176) * Allows more customizations for image building. This is the third (and not last) part of making the Production image more corporate-environment friendly. It's been prepared for the request of one of the big Airflow user (company) that has rather strict security requirements when it comes to preparing and building images. They are committed to synchronizing with the progress of Apache Airflow 2.0 development and making the image customizable so that they can build it using only sources controlled by them internally was one of the important requirements for them. This change adds the possibilty of customizing various steps in the build process: * adding custom scripts to be run before installation of both build image and runtime image. This allows for example to add installing custom GPG keys, and adding custom sources. * customizing the way NodeJS and Yarn are installed in the build image segment - as they might rely on their own way of installation. * adding extra packages to be installed during both build and dev segment build steps. This is crucial to achieve the same size optimizations as the original image. * defining additional environment variables (for example environment variables that indicate acceptance of the EULAs in case of installing proprietary packages that require EULA acceptance - both in the build image and runtime image (again the goal is to keep the image optimized for size) The image build process remains the same when no customization options are specified, but having those options increases flexibility of the image build process in corporate environments. This is part of #11171. This change also fixes some of the issues opened and raised by other users of the Dockerfile. Fixes: #10730 Fixes: #10555 Fixes: #10856 Input from those issues has been taken into account when this change was designed so that the cases described in those issues could be implemented. Example from one of the issue landed as an example way of building highly customized Airflow Image using those customization options. Depends on #11174 * Update IMAGES.rst Co-authored-by: Kamil Breguła <mik-laj@users.noreply.github.com>
2020-09-29 16:30:00 +03:00
&& export ${ADDITIONAL_DEV_ENV_VARS?} \
&& bash -o pipefail -e -u -x -c "${DEV_APT_COMMAND}" \
&& bash -o pipefail -e -u -x -c "${ADDITIONAL_DEV_APT_COMMAND}" \
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
&& apt-get update \
&& apt-get install -y --no-install-recommends \
More customizable build process for Docker images (#11176) * Allows more customizations for image building. This is the third (and not last) part of making the Production image more corporate-environment friendly. It's been prepared for the request of one of the big Airflow user (company) that has rather strict security requirements when it comes to preparing and building images. They are committed to synchronizing with the progress of Apache Airflow 2.0 development and making the image customizable so that they can build it using only sources controlled by them internally was one of the important requirements for them. This change adds the possibilty of customizing various steps in the build process: * adding custom scripts to be run before installation of both build image and runtime image. This allows for example to add installing custom GPG keys, and adding custom sources. * customizing the way NodeJS and Yarn are installed in the build image segment - as they might rely on their own way of installation. * adding extra packages to be installed during both build and dev segment build steps. This is crucial to achieve the same size optimizations as the original image. * defining additional environment variables (for example environment variables that indicate acceptance of the EULAs in case of installing proprietary packages that require EULA acceptance - both in the build image and runtime image (again the goal is to keep the image optimized for size) The image build process remains the same when no customization options are specified, but having those options increases flexibility of the image build process in corporate environments. This is part of #11171. This change also fixes some of the issues opened and raised by other users of the Dockerfile. Fixes: #10730 Fixes: #10555 Fixes: #10856 Input from those issues has been taken into account when this change was designed so that the cases described in those issues could be implemented. Example from one of the issue landed as an example way of building highly customized Airflow Image using those customization options. Depends on #11174 * Update IMAGES.rst Co-authored-by: Kamil Breguła <mik-laj@users.noreply.github.com>
2020-09-29 16:30:00 +03:00
${DEV_APT_DEPS} \
${ADDITIONAL_DEV_APT_DEPS} \
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
&& apt-get autoremove -yqq --purge \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
Conditional MySQL Client installation (#11174) This is the second step of making the Production Docker Image more corporate-environment friendly, by making MySQL client installation optional. Instaling MySQL Client on Debian requires to reach out to oracle deb repositories which might not be approved by security teams when you build the images. Also not everyone needs MySQL client or might want to install their own MySQL client or MariaDB client - from their own repositories. This change makes the installation step separated out to script (with prod/dev installation option). The prod/dev separation is needed because MySQL needs to be installed with dev libraries in the "Build" segment of the image (requiring build essentials etc.) but in "Final" segment of the image only runtime libraries are needed. Part of #11171 Depends on #11173.
2020-09-27 19:56:58 +03:00
ARG INSTALL_MYSQL_CLIENT="true"
ENV INSTALL_MYSQL_CLIENT=${INSTALL_MYSQL_CLIENT}
Update Dockerfile (#12987) Fix permission issue in Azure DevOps when running the script install_mysql.sh, which prevents the build to succeed /bin/bash: ./scripts/docker/install_mysql.sh: Permission denied The command '/bin/bash -o pipefail -e -u -x -c ./scripts/docker/install_mysql.sh dev' returned a non-zero code: 126 ##[error]The command '/bin/bash -o pipefail -e -u -x -c ./scripts/docker/install_mysql.sh dev' returned a non-zero code: 126 ##[error]The process '/usr/bin/docker' failed with exit code 126
2020-12-10 23:01:49 +03:00
COPY scripts/docker /scripts/docker
Constraints and PIP packages can be installed from local sources (#11382) * Constraints and PIP packages can be installed from local sources This is the final part of implementing #11171 based on feedback from enterprise customers we worked with. They want to have a capability of building the image using binary wheel packages that are locally available and the official Dockerfile. This means that besides the official APT sources the Dockerfile build should not needd GitHub, nor any other external files pulled from outside including PIP repository. This change also includes documentation on how to prepare set of such binaries ready for inspection and review by security teams in Enterprise environment. Such sets of "known-working-binary-whl" files can then be separately committed, tracked and scrutinized in an artifact repository of such an Enterprise. Fixes: #11171 * Update docs/production-deployment.rst
2020-10-10 13:58:09 +03:00
COPY docker-context-files /docker-context-files
Update Dockerfile (#12987) Fix permission issue in Azure DevOps when running the script install_mysql.sh, which prevents the build to succeed /bin/bash: ./scripts/docker/install_mysql.sh: Permission denied The command '/bin/bash -o pipefail -e -u -x -c ./scripts/docker/install_mysql.sh dev' returned a non-zero code: 126 ##[error]The command '/bin/bash -o pipefail -e -u -x -c ./scripts/docker/install_mysql.sh dev' returned a non-zero code: 126 ##[error]The process '/usr/bin/docker' failed with exit code 126
2020-12-10 23:01:49 +03:00
# fix permission issue in Azure DevOps when running the script
RUN chmod a+x /scripts/docker/install_mysql.sh
Conditional MySQL Client installation (#11174) This is the second step of making the Production Docker Image more corporate-environment friendly, by making MySQL client installation optional. Instaling MySQL Client on Debian requires to reach out to oracle deb repositories which might not be approved by security teams when you build the images. Also not everyone needs MySQL client or might want to install their own MySQL client or MariaDB client - from their own repositories. This change makes the installation step separated out to script (with prod/dev installation option). The prod/dev separation is needed because MySQL needs to be installed with dev libraries in the "Build" segment of the image (requiring build essentials etc.) but in "Final" segment of the image only runtime libraries are needed. Part of #11171 Depends on #11173.
2020-09-27 19:56:58 +03:00
RUN ./scripts/docker/install_mysql.sh dev
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
Improve production image iteration speed (#9162) For a long time the way how entrypoint worked in ci scripts was wrong. The way it worked was convoluted and short of black magic. This did not allow to pass multiple test targets and required separate execute command scripts in Breeze. This is all now straightened out and both production and CI image are always using the right entrypoint by default and we can simply pass parameters to the image as usual without escaping strings. This also allowed to remove some breeze commands and change names of several flags in Breeze to make them more meaningful. Both CI and PROD image have now embedded scripts for log cleaning. History of image releases is added for 1.10.10-* alpha quality images.
2020-06-16 13:36:46 +03:00
ARG AIRFLOW_REPO=apache/airflow
ENV AIRFLOW_REPO=${AIRFLOW_REPO}
ARG AIRFLOW_BRANCH=master
ENV AIRFLOW_BRANCH=${AIRFLOW_BRANCH}
ARG AIRFLOW_EXTRAS
ARG ADDITIONAL_AIRFLOW_EXTRAS=""
ENV AIRFLOW_EXTRAS=${AIRFLOW_EXTRAS}${ADDITIONAL_AIRFLOW_EXTRAS:+,}${ADDITIONAL_AIRFLOW_EXTRAS}
Constraint files are now maintained automatically (#9889) * Constraint files are now maintained automatically * No need to generate requirements when setup.py changes * requirements are kept in separate orphan branches not in main repo * merges to master verify if latest requirements are working and push tested requirements to orphaned branches * we keep history of requirement changes and can label them individually for each version (by constraint-1.10.n tag name) * consistently changed all references to be 'constraints' not 'requirements'
2020-07-20 15:36:03 +03:00
ARG AIRFLOW_CONSTRAINTS_REFERENCE="constraints-master"
Constraints and PIP packages can be installed from local sources (#11382) * Constraints and PIP packages can be installed from local sources This is the final part of implementing #11171 based on feedback from enterprise customers we worked with. They want to have a capability of building the image using binary wheel packages that are locally available and the official Dockerfile. This means that besides the official APT sources the Dockerfile build should not needd GitHub, nor any other external files pulled from outside including PIP repository. This change also includes documentation on how to prepare set of such binaries ready for inspection and review by security teams in Enterprise environment. Such sets of "known-working-binary-whl" files can then be separately committed, tracked and scrutinized in an artifact repository of such an Enterprise. Fixes: #11171 * Update docs/production-deployment.rst
2020-10-10 13:58:09 +03:00
ARG AIRFLOW_CONSTRAINTS_LOCATION="https://raw.githubusercontent.com/apache/airflow/${AIRFLOW_CONSTRAINTS_REFERENCE}/constraints-${PYTHON_MAJOR_MINOR_VERSION}.txt"
ENV AIRFLOW_CONSTRAINTS_LOCATION=${AIRFLOW_CONSTRAINTS_LOCATION}
Constraint files are now maintained automatically (#9889) * Constraint files are now maintained automatically * No need to generate requirements when setup.py changes * requirements are kept in separate orphan branches not in main repo * merges to master verify if latest requirements are working and push tested requirements to orphaned branches * we keep history of requirement changes and can label them individually for each version (by constraint-1.10.n tag name) * consistently changed all references to be 'constraints' not 'requirements'
2020-07-20 15:36:03 +03:00
Docker images are now consistently labelled and a bit smaller (#10387) Extracted from #10368
2020-08-19 03:03:22 +03:00
ENV PATH=${PATH}:/root/.local/bin
RUN mkdir -p /root/.local/bin
Optionally disables PIP cache from GitHub during the build (#11173) This is first step of implementing the corporate-environment friendly way of building images, where in the corporate environment, this might not be possible to install the packages using the GitHub cache initially. Part of #11171
2020-09-27 19:00:03 +03:00
ARG AIRFLOW_PRE_CACHED_PIP_PACKAGES="true"
ENV AIRFLOW_PRE_CACHED_PIP_PACKAGES=${AIRFLOW_PRE_CACHED_PIP_PACKAGES}
The .pypirc file is read from docker-context-files (#11779) If you used context from git repo, the .piprc file was missing and COPY in Dockerfile is not conditional. This change copies the .pypirc conditionally from the docker-context-files folder instead. Also it was needlessly copied in the main image where it is not needed and it was even dangerous to do so.
2020-10-23 18:55:15 +03:00
RUN if [[ -f /docker-context-files/.pypirc ]]; then \
cp /docker-context-files/.pypirc /root/.pypirc; \
fi
Add capability of customising PyPI sources (#11385) * Add capability of customising PyPI sources This change adds capability of customising installation of PyPI modules via custom .pypirc file. This might allow to install dependencies from in-house, vetted registry of PyPI
2020-10-11 07:19:57 +03:00
Pins PIP to 20.2.4 in our Dockerfiles (#12738) Until we make sure that the new resolver in PIP 20.3 works we should pin PIP to 20.2.4. This is hopefully a temporary measure. Part of #12737
2020-12-01 19:39:55 +03:00
RUN pip install --upgrade "pip==${PIP_VERSION}"
Improve production image iteration speed (#9162) For a long time the way how entrypoint worked in ci scripts was wrong. The way it worked was convoluted and short of black magic. This did not allow to pass multiple test targets and required separate execute command scripts in Breeze. This is all now straightened out and both production and CI image are always using the right entrypoint by default and we can simply pass parameters to the image as usual without escaping strings. This also allowed to remove some breeze commands and change names of several flags in Breeze to make them more meaningful. Both CI and PROD image have now embedded scripts for log cleaning. History of image releases is added for 1.10.10-* alpha quality images.
2020-06-16 13:36:46 +03:00
# In case of Production build image segment we want to pre-install master version of airflow
Fix case of GitHub (#11398)
2020-10-21 15:32:41 +03:00
# dependencies from GitHub so that we do not have to always reinstall it from the scratch.
Optionally disables PIP cache from GitHub during the build (#11173) This is first step of implementing the corporate-environment friendly way of building images, where in the corporate environment, this might not be possible to install the packages using the GitHub cache initially. Part of #11171
2020-09-27 19:00:03 +03:00
RUN if [[ ${AIRFLOW_PRE_CACHED_PIP_PACKAGES} == "true" ]]; then \
Conditional MySQL Client installation (#11174) This is the second step of making the Production Docker Image more corporate-environment friendly, by making MySQL client installation optional. Instaling MySQL Client on Debian requires to reach out to oracle deb repositories which might not be approved by security teams when you build the images. Also not everyone needs MySQL client or might want to install their own MySQL client or MariaDB client - from their own repositories. This change makes the installation step separated out to script (with prod/dev installation option). The prod/dev separation is needed because MySQL needs to be installed with dev libraries in the "Build" segment of the image (requiring build essentials etc.) but in "Final" segment of the image only runtime libraries are needed. Part of #11171 Depends on #11173.
2020-09-27 19:56:58 +03:00
if [[ ${INSTALL_MYSQL_CLIENT} != "true" ]]; then \
AIRFLOW_EXTRAS=${AIRFLOW_EXTRAS/mysql,}; \
fi; \
pip install --user \
"https://github.com/${AIRFLOW_REPO}/archive/${AIRFLOW_BRANCH}.tar.gz#egg=apache-airflow[${AIRFLOW_EXTRAS}]" \
Use AIRFLOW_CONSTRAINTS_LOCATION when passed during docker build (#12604) Previously, even though this was passed during docker build it was ignored. This commit fixes it
2020-11-25 10:43:47 +03:00
--constraint "${AIRFLOW_CONSTRAINTS_LOCATION}" \
Fixes unneeded docker-context-files added in CI (#12534) We do not need to add docker-context-files in CI before we run first "cache" PIP installation. Adding it might cause the effect that the cache will always be invalidated in case someone has a file added there before building and pushing the image. This PR fixes the problem by adding docker-context files later in the Dockerfile and changing the constraints location used in the "cache" step to always use the github constraints in this case. Closes #12509
2020-11-21 21:21:43 +03:00
&& pip uninstall --yes apache-airflow; \
Optionally disables PIP cache from GitHub during the build (#11173) This is first step of implementing the corporate-environment friendly way of building images, where in the corporate environment, this might not be possible to install the packages using the GitHub cache initially. Part of #11171
2020-09-27 19:00:03 +03:00
fi
Improve production image iteration speed (#9162) For a long time the way how entrypoint worked in ci scripts was wrong. The way it worked was convoluted and short of black magic. This did not allow to pass multiple test targets and required separate execute command scripts in Breeze. This is all now straightened out and both production and CI image are always using the right entrypoint by default and we can simply pass parameters to the image as usual without escaping strings. This also allowed to remove some breeze commands and change names of several flags in Breeze to make them more meaningful. Both CI and PROD image have now embedded scripts for log cleaning. History of image releases is added for 1.10.10-* alpha quality images.
2020-06-16 13:36:46 +03:00
Docker image build include now releses 1.10.10 version (#8234) It also installs properly on Mac as well as it auto-detects if yarn prod is needed - based on presence of proper package.json in either www or www_rbac which makes it simpler for remote installations.
2020-04-10 16:07:15 +03:00
ARG AIRFLOW_SOURCES_FROM="."
ENV AIRFLOW_SOURCES_FROM=${AIRFLOW_SOURCES_FROM}
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
ARG AIRFLOW_SOURCES_TO="/opt/airflow"
ENV AIRFLOW_SOURCES_TO=${AIRFLOW_SOURCES_TO}
COPY ${AIRFLOW_SOURCES_FROM} ${AIRFLOW_SOURCES_TO}
ARG CASS_DRIVER_BUILD_CONCURRENCY
ENV CASS_DRIVER_BUILD_CONCURRENCY=${CASS_DRIVER_BUILD_CONCURRENCY}
ARG AIRFLOW_VERSION
ENV AIRFLOW_VERSION=${AIRFLOW_VERSION}
Additional python extras and deps can be set in breeze (#9035) Closes #8604 Closes #8866
2020-05-27 18:09:11 +03:00
ARG ADDITIONAL_PYTHON_DEPS=""
Add ADDITIONAL_PYTHON_DEPS (#9031) * add build-arg ADDITIONAL_PYTHON_DEPS * Add ADDITIONAL_PYTHON_DEPS example and description Co-authored-by: Fabian Witt <fabian.witt@redheads.de>
2020-05-27 12:52:26 +03:00
ENV ADDITIONAL_PYTHON_DEPS=${ADDITIONAL_PYTHON_DEPS}
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
ARG AIRFLOW_INSTALL_SOURCES="."
ENV AIRFLOW_INSTALL_SOURCES=${AIRFLOW_INSTALL_SOURCES}
ARG AIRFLOW_INSTALL_VERSION=""
ENV AIRFLOW_INSTALL_VERSION=${AIRFLOW_INSTALL_VERSION}
Production images on CI are now built from packages (#12685) So far, the production images of Airflow were using sources when they were built on CI. This PR changes that, to build airflow + providers packages first and install them rather than use sources as installation mechanism. Part of #12261
2020-12-07 01:36:33 +03:00
ARG INSTALL_FROM_DOCKER_CONTEXT_FILES=""
ENV INSTALL_FROM_DOCKER_CONTEXT_FILES=${INSTALL_FROM_DOCKER_CONTEXT_FILES}
Constraints and PIP packages can be installed from local sources (#11382) * Constraints and PIP packages can be installed from local sources This is the final part of implementing #11171 based on feedback from enterprise customers we worked with. They want to have a capability of building the image using binary wheel packages that are locally available and the official Dockerfile. This means that besides the official APT sources the Dockerfile build should not needd GitHub, nor any other external files pulled from outside including PIP repository. This change also includes documentation on how to prepare set of such binaries ready for inspection and review by security teams in Enterprise environment. Such sets of "known-working-binary-whl" files can then be separately committed, tracked and scrutinized in an artifact repository of such an Enterprise. Fixes: #11171 * Update docs/production-deployment.rst
2020-10-10 13:58:09 +03:00
Production images on CI are now built from packages (#12685) So far, the production images of Airflow were using sources when they were built on CI. This PR changes that, to build airflow + providers packages first and install them rather than use sources as installation mechanism. Part of #12261
2020-12-07 01:36:33 +03:00
ARG INSTALL_FROM_PYPI="true"
ENV INSTALL_FROM_PYPI=${INSTALL_FROM_PYPI}
Adds capability of installing wheel packages in CI image (#11527) The production image had the capability of installing images from wheels (for security teams/air-gaped systems). This capability might also be useful when building CI image espeically when we are installing separately core and providers packages and we do not yet have provider packages available in PyPI. This is an intermediate step to implement #11490
2020-10-15 16:19:18 +03:00
Allows to build production images for 1.10.2 and 1.10.1 Airflow (#10983) Airflow below 1.10.2 required SLUGIFY_USES_TEXT_UNIDECODE env variable to be set to yes. Our production Dockerfile and Breeze supports building images for any version of airflow >= 1.10.1 but it failed on 1.10.2 and 1.10.1 because this variable was not set. You can now set the variable when building image manually and Breeze does it automatically if image is 1.10.1 or 1.10.2 Fixes #10974
2020-09-17 15:25:34 +03:00
ARG SLUGIFY_USES_TEXT_UNIDECODE=""
ENV SLUGIFY_USES_TEXT_UNIDECODE=${SLUGIFY_USES_TEXT_UNIDECODE}
Fixes ROVIDERS -> PROVIDERS typo in Dockerfile (#11738) There was a typo in the original file when review was made in the #11529 but apparently this typo was still left in one place and as the result, providers have not been installed in the master Dockerfile. Fixes #11695
2020-10-22 12:02:14 +03:00
ARG INSTALL_PROVIDERS_FROM_SOURCES="true"
Behaviour to install all airflow providers added (#11529) In Airflow 2.0 we decided to split Airlow into separate providers. this means that when you prepare core airflow package, providers are not installed by default. This is not very convenient for local development though and for docker images built from sources, where you would like to install all providers by default. A new INSTALL_ALL_AIRFLOW_PROVIDERS environment variable controls this behaviour now. It is is set to "true", all packages including provider packages are installed. If missing or set to false, only the core provider package is installed. For Breeze, the default is set to "true", as for those cases you want to install all providers in your environment. Similarly if you build the production image from sources. However when you build image using github tag or pip package, you should specify appropriate extras to install the required provider packages. Note that if you install Airflow via 'pip install .' from sources in local virtualenv, provider packages are not going to be installed unless you set INSTALL_ALL_AIRFLOW_PROVIDERS to "true". Fixes #11489
2020-10-17 12:16:28 +03:00
ENV INSTALL_PROVIDERS_FROM_SOURCES=${INSTALL_PROVIDERS_FROM_SOURCES}
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
WORKDIR /opt/airflow
Conditional MySQL Client installation (#11174) This is the second step of making the Production Docker Image more corporate-environment friendly, by making MySQL client installation optional. Instaling MySQL Client on Debian requires to reach out to oracle deb repositories which might not be approved by security teams when you build the images. Also not everyone needs MySQL client or might want to install their own MySQL client or MariaDB client - from their own repositories. This change makes the installation step separated out to script (with prod/dev installation option). The prod/dev separation is needed because MySQL needs to be installed with dev libraries in the "Build" segment of the image (requiring build essentials etc.) but in "Final" segment of the image only runtime libraries are needed. Part of #11171 Depends on #11173.
2020-09-27 19:56:58 +03:00
# remove mysql from extras if client is not installed
RUN if [[ ${INSTALL_MYSQL_CLIENT} != "true" ]]; then \
AIRFLOW_EXTRAS=${AIRFLOW_EXTRAS/mysql,}; \
fi; \
Production images on CI are now built from packages (#12685) So far, the production images of Airflow were using sources when they were built on CI. This PR changes that, to build airflow + providers packages first and install them rather than use sources as installation mechanism. Part of #12261
2020-12-07 01:36:33 +03:00
if [[ ${INSTALL_FROM_PYPI} == "true" ]]; then \
Constraints and PIP packages can be installed from local sources (#11382) * Constraints and PIP packages can be installed from local sources This is the final part of implementing #11171 based on feedback from enterprise customers we worked with. They want to have a capability of building the image using binary wheel packages that are locally available and the official Dockerfile. This means that besides the official APT sources the Dockerfile build should not needd GitHub, nor any other external files pulled from outside including PIP repository. This change also includes documentation on how to prepare set of such binaries ready for inspection and review by security teams in Enterprise environment. Such sets of "known-working-binary-whl" files can then be separately committed, tracked and scrutinized in an artifact repository of such an Enterprise. Fixes: #11171 * Update docs/production-deployment.rst
2020-10-10 13:58:09 +03:00
pip install --user "${AIRFLOW_INSTALL_SOURCES}[${AIRFLOW_EXTRAS}]${AIRFLOW_INSTALL_VERSION}" \
--constraint "${AIRFLOW_CONSTRAINTS_LOCATION}"; \
Adds capability of installing wheel packages in CI image (#11527) The production image had the capability of installing images from wheels (for security teams/air-gaped systems). This capability might also be useful when building CI image espeically when we are installing separately core and providers packages and we do not yet have provider packages available in PyPI. This is an intermediate step to implement #11490
2020-10-15 16:19:18 +03:00
fi; \
if [[ -n "${ADDITIONAL_PYTHON_DEPS}" ]]; then \
pip install --user ${ADDITIONAL_PYTHON_DEPS} --constraint "${AIRFLOW_CONSTRAINTS_LOCATION}"; \
fi; \
Production images on CI are now built from packages (#12685) So far, the production images of Airflow were using sources when they were built on CI. This PR changes that, to build airflow + providers packages first and install them rather than use sources as installation mechanism. Part of #12261
2020-12-07 01:36:33 +03:00
if [[ ${INSTALL_FROM_DOCKER_CONTEXT_FILES} == "true" ]]; then \
Adds capability of installing wheel packages in CI image (#11527) The production image had the capability of installing images from wheels (for security teams/air-gaped systems). This capability might also be useful when building CI image espeically when we are installing separately core and providers packages and we do not yet have provider packages available in PyPI. This is an intermediate step to implement #11490
2020-10-15 16:19:18 +03:00
if ls /docker-context-files/*.whl 1> /dev/null 2>&1; then \
Production images on CI are now built from packages (#12685) So far, the production images of Airflow were using sources when they were built on CI. This PR changes that, to build airflow + providers packages first and install them rather than use sources as installation mechanism. Part of #12261
2020-12-07 01:36:33 +03:00
pip install --user --no-deps /docker-context-files/*.{whl,tar.gz}; \
Adds capability of installing wheel packages in CI image (#11527) The production image had the capability of installing images from wheels (for security teams/air-gaped systems). This capability might also be useful when building CI image espeically when we are installing separately core and providers packages and we do not yet have provider packages available in PyPI. This is an intermediate step to implement #11490
2020-10-15 16:19:18 +03:00
fi ; \
fi; \
find /root/.local/ -name '*.pyc' -print0 | xargs -0 rm -r || true ; \
find /root/.local/ -type d -name '__pycache__' -print0 | xargs -0 rm -r || true
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
Make Production Dockerfile OpenShift-compatible (#9545) OpenShift (and other Kubernetes platforms) often use the approach that they start containers with random user and root group. This is described in the https://docs.openshift.com/container-platform/3.7/creating_images/guidelines.html All the files created by the "airflow" user are now belonging to 'root' group and the root group has the same access to those files as the Airflow user. Additionally, the random user gets automatically added /etc/passwd entry which is name 'default'. The name of the user can be set by setting the USER_NAME variable when starting the container. Closes #9248 Closes #8706
2020-06-27 15:29:55 +03:00
RUN AIRFLOW_SITE_PACKAGE="/root/.local/lib/python${PYTHON_MAJOR_MINOR_VERSION}/site-packages/airflow"; \
Docker image build include now releses 1.10.10 version (#8234) It also installs properly on Mac as well as it auto-detects if yarn prod is needed - based on presence of proper package.json in either www or www_rbac which makes it simpler for remote installations.
2020-04-10 16:07:15 +03:00
if [[ -f "${AIRFLOW_SITE_PACKAGE}/www_rbac/package.json" ]]; then \
Pin Hadolint to version released 2020.04.20 (#8485)
2020-04-21 14:33:11 +03:00
WWW_DIR="${AIRFLOW_SITE_PACKAGE}/www_rbac"; \
Docker image build include now releses 1.10.10 version (#8234) It also installs properly on Mac as well as it auto-detects if yarn prod is needed - based on presence of proper package.json in either www or www_rbac which makes it simpler for remote installations.
2020-04-10 16:07:15 +03:00
elif [[ -f "${AIRFLOW_SITE_PACKAGE}/www/package.json" ]]; then \
Pin Hadolint to version released 2020.04.20 (#8485)
2020-04-21 14:33:11 +03:00
WWW_DIR="${AIRFLOW_SITE_PACKAGE}/www"; \
Docker image build include now releses 1.10.10 version (#8234) It also installs properly on Mac as well as it auto-detects if yarn prod is needed - based on presence of proper package.json in either www or www_rbac which makes it simpler for remote installations.
2020-04-10 16:07:15 +03:00
fi; \
Pin Hadolint to version released 2020.04.20 (#8485)
2020-04-21 14:33:11 +03:00
if [[ ${WWW_DIR:=} != "" ]]; then \
yarn --cwd "${WWW_DIR}" install --frozen-lockfile --no-cache; \
yarn --cwd "${WWW_DIR}" run prod; \
rm -rf "${WWW_DIR}/node_modules"; \
Remove package.json and yarn.lock from the prod image (#9814) Closes #9810
2020-07-14 17:34:21 +03:00
rm -vf "${WWW_DIR}"/{package.json,yarn.lock,.eslintignore,.eslintrc,.stylelintignore,.stylelintrc,compile_assets.sh,webpack.config.js} ;\
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
fi
Make Production Dockerfile OpenShift-compatible (#9545) OpenShift (and other Kubernetes platforms) often use the approach that they start containers with random user and root group. This is described in the https://docs.openshift.com/container-platform/3.7/creating_images/guidelines.html All the files created by the "airflow" user are now belonging to 'root' group and the root group has the same access to those files as the Airflow user. Additionally, the random user gets automatically added /etc/passwd entry which is name 'default'. The name of the user can be set by setting the USER_NAME variable when starting the container. Closes #9248 Closes #8706
2020-06-27 15:29:55 +03:00
# make sure that all directories and files in .local are also group accessible
RUN find /root/.local -executable -print0 | xargs --null chmod g+x && \
find /root/.local -print0 | xargs --null chmod g+rw
Docker images are now consistently labelled and a bit smaller (#10387) Extracted from #10368
2020-08-19 03:03:22 +03:00
ARG BUILD_ID
ENV BUILD_ID=${BUILD_ID}
ARG COMMIT_SHA
ENV COMMIT_SHA=${COMMIT_SHA}
Apply labels to Docker images in a single instruction (#12931) * Apply labels to Docker images in a single instruction While looking at the build logs for something else I noticed this oddity at the end of the CI logs: ``` Tue, 08 Dec 2020 21:20:19 GMT Step 125/135 : LABEL org.apache.airflow.distro="debian" ... Tue, 08 Dec 2020 21:21:14 GMT Step 133/135 : LABEL org.apache.airflow.commitSha=${COMMIT_SHA} Tue, 08 Dec 2020 21:21:14 GMT ---> Running in 1241a5f6cdb7 Tue, 08 Dec 2020 21:21:21 GMT Removing intermediate container 1241a5f6cdb7 ``` Applying all the labels took 1m2s! Hopefully applying these in a single layer/command should speed things up. A less extreme example still took 43s ``` Tue, 08 Dec 2020 20:44:40 GMT Step 125/135 : LABEL org.apache.airflow.distro="debian" ... Tue, 08 Dec 2020 20:45:18 GMT Step 133/135 : LABEL org.apache.airflow.commitSha=${COMMIT_SHA} Tue, 08 Dec 2020 20:45:18 GMT ---> Running in dc601207dbcb Tue, 08 Dec 2020 20:45:23 GMT Removing intermediate container dc601207dbcb Tue, 08 Dec 2020 20:45:23 GMT ---> 5aae5dd0f702 ``` * Update Dockerfile
2020-12-09 08:19:38 +03:00
LABEL org.apache.airflow.distro="debian" \
org.apache.airflow.distro.version="buster" \
org.apache.airflow.module="airflow" \
org.apache.airflow.component="airflow" \
org.apache.airflow.image="airflow-build-image" \
org.apache.airflow.buildImage.buildId=${BUILD_ID} \
org.apache.airflow.buildImage.commitSha=${COMMIT_SHA}
Docker images are now consistently labelled and a bit smaller (#10387) Extracted from #10368
2020-08-19 03:03:22 +03:00
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
##############################################################################################
# This is the actual Airflow image - much smaller than the build one. We copy
# installed Airflow and all it's dependencies from the build image to make it smaller.
##############################################################################################
FROM ${PYTHON_BASE_IMAGE} as main
SHELL ["/bin/bash", "-o", "pipefail", "-e", "-u", "-x", "-c"]
ARG AIRFLOW_UID
ARG AIRFLOW_GID
Apply labels to Docker images in a single instruction (#12931) * Apply labels to Docker images in a single instruction While looking at the build logs for something else I noticed this oddity at the end of the CI logs: ``` Tue, 08 Dec 2020 21:20:19 GMT Step 125/135 : LABEL org.apache.airflow.distro="debian" ... Tue, 08 Dec 2020 21:21:14 GMT Step 133/135 : LABEL org.apache.airflow.commitSha=${COMMIT_SHA} Tue, 08 Dec 2020 21:21:14 GMT ---> Running in 1241a5f6cdb7 Tue, 08 Dec 2020 21:21:21 GMT Removing intermediate container 1241a5f6cdb7 ``` Applying all the labels took 1m2s! Hopefully applying these in a single layer/command should speed things up. A less extreme example still took 43s ``` Tue, 08 Dec 2020 20:44:40 GMT Step 125/135 : LABEL org.apache.airflow.distro="debian" ... Tue, 08 Dec 2020 20:45:18 GMT Step 133/135 : LABEL org.apache.airflow.commitSha=${COMMIT_SHA} Tue, 08 Dec 2020 20:45:18 GMT ---> Running in dc601207dbcb Tue, 08 Dec 2020 20:45:23 GMT Removing intermediate container dc601207dbcb Tue, 08 Dec 2020 20:45:23 GMT ---> 5aae5dd0f702 ``` * Update Dockerfile
2020-12-09 08:19:38 +03:00
LABEL org.apache.airflow.distro="debian" \
org.apache.airflow.distro.version="buster" \
org.apache.airflow.module="airflow" \
org.apache.airflow.component="airflow" \
org.apache.airflow.image="airflow" \
org.apache.airflow.uid="${AIRFLOW_UID}" \
org.apache.airflow.gid="${AIRFLOW_GID}"
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
ARG PYTHON_BASE_IMAGE
ENV PYTHON_BASE_IMAGE=${PYTHON_BASE_IMAGE}
ARG AIRFLOW_VERSION
ENV AIRFLOW_VERSION=${AIRFLOW_VERSION}
# Make sure noninteractive debian install is used and language variables set
ENV DEBIAN_FRONTEND=noninteractive LANGUAGE=C.UTF-8 LANG=C.UTF-8 LC_ALL=C.UTF-8 \
LC_CTYPE=C.UTF-8 LC_MESSAGES=C.UTF-8
Pins PIP to 20.2.4 in our Dockerfiles (#12738) Until we make sure that the new resolver in PIP 20.3 works we should pin PIP to 20.2.4. This is hopefully a temporary measure. Part of #12737
2020-12-01 19:39:55 +03:00
ARG PIP_VERSION
ENV PIP_VERSION=${PIP_VERSION}
More customizable build process for Docker images (#11176) * Allows more customizations for image building. This is the third (and not last) part of making the Production image more corporate-environment friendly. It's been prepared for the request of one of the big Airflow user (company) that has rather strict security requirements when it comes to preparing and building images. They are committed to synchronizing with the progress of Apache Airflow 2.0 development and making the image customizable so that they can build it using only sources controlled by them internally was one of the important requirements for them. This change adds the possibilty of customizing various steps in the build process: * adding custom scripts to be run before installation of both build image and runtime image. This allows for example to add installing custom GPG keys, and adding custom sources. * customizing the way NodeJS and Yarn are installed in the build image segment - as they might rely on their own way of installation. * adding extra packages to be installed during both build and dev segment build steps. This is crucial to achieve the same size optimizations as the original image. * defining additional environment variables (for example environment variables that indicate acceptance of the EULAs in case of installing proprietary packages that require EULA acceptance - both in the build image and runtime image (again the goal is to keep the image optimized for size) The image build process remains the same when no customization options are specified, but having those options increases flexibility of the image build process in corporate environments. This is part of #11171. This change also fixes some of the issues opened and raised by other users of the Dockerfile. Fixes: #10730 Fixes: #10555 Fixes: #10856 Input from those issues has been taken into account when this change was designed so that the cases described in those issues could be implemented. Example from one of the issue landed as an example way of building highly customized Airflow Image using those customization options. Depends on #11174 * Update IMAGES.rst Co-authored-by: Kamil Breguła <mik-laj@users.noreply.github.com>
2020-09-29 16:30:00 +03:00
# Install curl and gnupg2 - needed for many other installation steps
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
curl \
gnupg2 \
&& apt-get autoremove -yqq --purge \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
ARG RUNTIME_APT_DEPS="\
apt-transport-https \
apt-utils \
ca-certificates \
curl \
dumb-init \
freetds-bin \
gnupg \
gosu \
krb5-user \
ldap-utils \
libffi6 \
libsasl2-2 \
libsasl2-modules \
libssl1.1 \
locales \
lsb-release \
netcat \
openssh-client \
postgresql-client \
rsync \
sasl2-bin \
sqlite3 \
sudo \
unixodbc"
ENV RUNTIME_APT_DEPS=${RUNTIME_APT_DEPS}
ARG ADDITIONAL_RUNTIME_APT_DEPS=""
ENV ADDITIONAL_RUNTIME_APT_DEPS=${ADDITIONAL_RUNTIME_APT_DEPS}
ARG RUNTIME_APT_COMMAND="echo"
ENV RUNTIME_APT_COMMAND=${RUNTIME_APT_COMMAND}
ARG ADDITIONAL_RUNTIME_APT_COMMAND=""
ENV ADDITIONAL_RUNTIME_APT_COMMAND=${ADDITIONAL_RUNTIME_APT_COMMAND}
ARG ADDITIONAL_RUNTIME_ENV_VARS=""
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
# Note missing man directories on debian-buster
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863199
Support additional apt dependencies (#9189) * Add ADDITONAL_DEV_DEPS and ADDITONAL_RUNTIME_DEPS * Add examples for additional apt dev and runtime dependencies * Update comment * Fix typo
2020-06-10 00:05:43 +03:00
# Install basic and additional apt dependencies
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
RUN mkdir -pv /usr/share/man/man1 \
&& mkdir -pv /usr/share/man/man7 \
More customizable build process for Docker images (#11176) * Allows more customizations for image building. This is the third (and not last) part of making the Production image more corporate-environment friendly. It's been prepared for the request of one of the big Airflow user (company) that has rather strict security requirements when it comes to preparing and building images. They are committed to synchronizing with the progress of Apache Airflow 2.0 development and making the image customizable so that they can build it using only sources controlled by them internally was one of the important requirements for them. This change adds the possibilty of customizing various steps in the build process: * adding custom scripts to be run before installation of both build image and runtime image. This allows for example to add installing custom GPG keys, and adding custom sources. * customizing the way NodeJS and Yarn are installed in the build image segment - as they might rely on their own way of installation. * adding extra packages to be installed during both build and dev segment build steps. This is crucial to achieve the same size optimizations as the original image. * defining additional environment variables (for example environment variables that indicate acceptance of the EULAs in case of installing proprietary packages that require EULA acceptance - both in the build image and runtime image (again the goal is to keep the image optimized for size) The image build process remains the same when no customization options are specified, but having those options increases flexibility of the image build process in corporate environments. This is part of #11171. This change also fixes some of the issues opened and raised by other users of the Dockerfile. Fixes: #10730 Fixes: #10555 Fixes: #10856 Input from those issues has been taken into account when this change was designed so that the cases described in those issues could be implemented. Example from one of the issue landed as an example way of building highly customized Airflow Image using those customization options. Depends on #11174 * Update IMAGES.rst Co-authored-by: Kamil Breguła <mik-laj@users.noreply.github.com>
2020-09-29 16:30:00 +03:00
&& export ${ADDITIONAL_RUNTIME_ENV_VARS?} \
&& bash -o pipefail -e -u -x -c "${RUNTIME_APT_COMMAND}" \
&& bash -o pipefail -e -u -x -c "${ADDITIONAL_RUNTIME_APT_COMMAND}" \
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
&& apt-get update \
&& apt-get install -y --no-install-recommends \
More customizable build process for Docker images (#11176) * Allows more customizations for image building. This is the third (and not last) part of making the Production image more corporate-environment friendly. It's been prepared for the request of one of the big Airflow user (company) that has rather strict security requirements when it comes to preparing and building images. They are committed to synchronizing with the progress of Apache Airflow 2.0 development and making the image customizable so that they can build it using only sources controlled by them internally was one of the important requirements for them. This change adds the possibilty of customizing various steps in the build process: * adding custom scripts to be run before installation of both build image and runtime image. This allows for example to add installing custom GPG keys, and adding custom sources. * customizing the way NodeJS and Yarn are installed in the build image segment - as they might rely on their own way of installation. * adding extra packages to be installed during both build and dev segment build steps. This is crucial to achieve the same size optimizations as the original image. * defining additional environment variables (for example environment variables that indicate acceptance of the EULAs in case of installing proprietary packages that require EULA acceptance - both in the build image and runtime image (again the goal is to keep the image optimized for size) The image build process remains the same when no customization options are specified, but having those options increases flexibility of the image build process in corporate environments. This is part of #11171. This change also fixes some of the issues opened and raised by other users of the Dockerfile. Fixes: #10730 Fixes: #10555 Fixes: #10856 Input from those issues has been taken into account when this change was designed so that the cases described in those issues could be implemented. Example from one of the issue landed as an example way of building highly customized Airflow Image using those customization options. Depends on #11174 * Update IMAGES.rst Co-authored-by: Kamil Breguła <mik-laj@users.noreply.github.com>
2020-09-29 16:30:00 +03:00
${RUNTIME_APT_DEPS} \
${ADDITIONAL_RUNTIME_APT_DEPS} \
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
&& apt-get autoremove -yqq --purge \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
Conditional MySQL Client installation (#11174) This is the second step of making the Production Docker Image more corporate-environment friendly, by making MySQL client installation optional. Instaling MySQL Client on Debian requires to reach out to oracle deb repositories which might not be approved by security teams when you build the images. Also not everyone needs MySQL client or might want to install their own MySQL client or MariaDB client - from their own repositories. This change makes the installation step separated out to script (with prod/dev installation option). The prod/dev separation is needed because MySQL needs to be installed with dev libraries in the "Build" segment of the image (requiring build essentials etc.) but in "Final" segment of the image only runtime libraries are needed. Part of #11171 Depends on #11173.
2020-09-27 19:56:58 +03:00
ARG INSTALL_MYSQL_CLIENT="true"
ENV INSTALL_MYSQL_CLIENT=${INSTALL_MYSQL_CLIENT}
Update Dockerfile (#12987) Fix permission issue in Azure DevOps when running the script install_mysql.sh, which prevents the build to succeed /bin/bash: ./scripts/docker/install_mysql.sh: Permission denied The command '/bin/bash -o pipefail -e -u -x -c ./scripts/docker/install_mysql.sh dev' returned a non-zero code: 126 ##[error]The command '/bin/bash -o pipefail -e -u -x -c ./scripts/docker/install_mysql.sh dev' returned a non-zero code: 126 ##[error]The process '/usr/bin/docker' failed with exit code 126
2020-12-10 23:01:49 +03:00
COPY scripts/docker /scripts/docker
# fix permission issue in Azure DevOps when running the script
RUN chmod a+x /scripts/docker/install_mysql.sh
Conditional MySQL Client installation (#11174) This is the second step of making the Production Docker Image more corporate-environment friendly, by making MySQL client installation optional. Instaling MySQL Client on Debian requires to reach out to oracle deb repositories which might not be approved by security teams when you build the images. Also not everyone needs MySQL client or might want to install their own MySQL client or MariaDB client - from their own repositories. This change makes the installation step separated out to script (with prod/dev installation option). The prod/dev separation is needed because MySQL needs to be installed with dev libraries in the "Build" segment of the image (requiring build essentials etc.) but in "Final" segment of the image only runtime libraries are needed. Part of #11171 Depends on #11173.
2020-09-27 19:56:58 +03:00
RUN ./scripts/docker/install_mysql.sh prod
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
ENV AIRFLOW_UID=${AIRFLOW_UID}
ENV AIRFLOW_GID=${AIRFLOW_GID}
Make Production Dockerfile OpenShift-compatible (#9545) OpenShift (and other Kubernetes platforms) often use the approach that they start containers with random user and root group. This is described in the https://docs.openshift.com/container-platform/3.7/creating_images/guidelines.html All the files created by the "airflow" user are now belonging to 'root' group and the root group has the same access to those files as the Airflow user. Additionally, the random user gets automatically added /etc/passwd entry which is name 'default'. The name of the user can be set by setting the USER_NAME variable when starting the container. Closes #9248 Closes #8706
2020-06-27 15:29:55 +03:00
ENV AIRFLOW__CORE__LOAD_EXAMPLES="false"
ARG AIRFLOW_USER_HOME_DIR=/home/airflow
ENV AIRFLOW_USER_HOME_DIR=${AIRFLOW_USER_HOME_DIR}
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
RUN addgroup --gid "${AIRFLOW_GID}" "airflow" && \
adduser --quiet "airflow" --uid "${AIRFLOW_UID}" \
Make Production Dockerfile OpenShift-compatible (#9545) OpenShift (and other Kubernetes platforms) often use the approach that they start containers with random user and root group. This is described in the https://docs.openshift.com/container-platform/3.7/creating_images/guidelines.html All the files created by the "airflow" user are now belonging to 'root' group and the root group has the same access to those files as the Airflow user. Additionally, the random user gets automatically added /etc/passwd entry which is name 'default'. The name of the user can be set by setting the USER_NAME variable when starting the container. Closes #9248 Closes #8706
2020-06-27 15:29:55 +03:00
--gid "${AIRFLOW_GID}" \
--home "${AIRFLOW_USER_HOME_DIR}"
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
ARG AIRFLOW_HOME
ENV AIRFLOW_HOME=${AIRFLOW_HOME}
Make Production Dockerfile OpenShift-compatible (#9545) OpenShift (and other Kubernetes platforms) often use the approach that they start containers with random user and root group. This is described in the https://docs.openshift.com/container-platform/3.7/creating_images/guidelines.html All the files created by the "airflow" user are now belonging to 'root' group and the root group has the same access to those files as the Airflow user. Additionally, the random user gets automatically added /etc/passwd entry which is name 'default'. The name of the user can be set by setting the USER_NAME variable when starting the container. Closes #9248 Closes #8706
2020-06-27 15:29:55 +03:00
# Make Airflow files belong to the root group and are accessible. This is to accomodate the guidelines from
# OpenShift https://docs.openshift.com/enterprise/3.0/creating_images/guidelines.html
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
RUN mkdir -pv "${AIRFLOW_HOME}"; \
mkdir -pv "${AIRFLOW_HOME}/dags"; \
mkdir -pv "${AIRFLOW_HOME}/logs"; \
Make Production Dockerfile OpenShift-compatible (#9545) OpenShift (and other Kubernetes platforms) often use the approach that they start containers with random user and root group. This is described in the https://docs.openshift.com/container-platform/3.7/creating_images/guidelines.html All the files created by the "airflow" user are now belonging to 'root' group and the root group has the same access to those files as the Airflow user. Additionally, the random user gets automatically added /etc/passwd entry which is name 'default'. The name of the user can be set by setting the USER_NAME variable when starting the container. Closes #9248 Closes #8706
2020-06-27 15:29:55 +03:00
chown -R "airflow:root" "${AIRFLOW_USER_HOME_DIR}" "${AIRFLOW_HOME}"; \
find "${AIRFLOW_HOME}" -executable -print0 | xargs --null chmod g+x && \
find "${AIRFLOW_HOME}" -print0 | xargs --null chmod g+rw
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
Make Production Dockerfile OpenShift-compatible (#9545) OpenShift (and other Kubernetes platforms) often use the approach that they start containers with random user and root group. This is described in the https://docs.openshift.com/container-platform/3.7/creating_images/guidelines.html All the files created by the "airflow" user are now belonging to 'root' group and the root group has the same access to those files as the Airflow user. Additionally, the random user gets automatically added /etc/passwd entry which is name 'default'. The name of the user can be set by setting the USER_NAME variable when starting the container. Closes #9248 Closes #8706
2020-06-27 15:29:55 +03:00
COPY --chown=airflow:root --from=airflow-build-image /root/.local "${AIRFLOW_USER_HOME_DIR}/.local"
Improve production image iteration speed (#9162) For a long time the way how entrypoint worked in ci scripts was wrong. The way it worked was convoluted and short of black magic. This did not allow to pass multiple test targets and required separate execute command scripts in Breeze. This is all now straightened out and both production and CI image are always using the right entrypoint by default and we can simply pass parameters to the image as usual without escaping strings. This also allowed to remove some breeze commands and change names of several flags in Breeze to make them more meaningful. Both CI and PROD image have now embedded scripts for log cleaning. History of image releases is added for 1.10.10-* alpha quality images.
2020-06-16 13:36:46 +03:00
The entrypoints in Docker Image should be owned by Airflow (#10853) Since we are running the airflow image as airflow user, the entrypoint and clear-logs scripts should also be set as airflow. This had no impact if you actually run this as root user or when your group was root (which was recommended).
2020-09-12 11:54:25 +03:00
COPY --chown=airflow:root scripts/in_container/prod/entrypoint_prod.sh /entrypoint
COPY --chown=airflow:root scripts/in_container/prod/clean-logs.sh /clean-logs
Improve production image iteration speed (#9162) For a long time the way how entrypoint worked in ci scripts was wrong. The way it worked was convoluted and short of black magic. This did not allow to pass multiple test targets and required separate execute command scripts in Breeze. This is all now straightened out and both production and CI image are always using the right entrypoint by default and we can simply pass parameters to the image as usual without escaping strings. This also allowed to remove some breeze commands and change names of several flags in Breeze to make them more meaningful. Both CI and PROD image have now embedded scripts for log cleaning. History of image releases is added for 1.10.10-* alpha quality images.
2020-06-16 13:36:46 +03:00
RUN chmod a+x /entrypoint /clean-logs
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
Pins PIP to 20.2.4 in our Dockerfiles (#12738) Until we make sure that the new resolver in PIP 20.3 works we should pin PIP to 20.2.4. This is hopefully a temporary measure. Part of #12737
2020-12-01 19:39:55 +03:00
RUN pip install --upgrade "pip==${PIP_VERSION}"
Make Production Dockerfile OpenShift-compatible (#9545) OpenShift (and other Kubernetes platforms) often use the approach that they start containers with random user and root group. This is described in the https://docs.openshift.com/container-platform/3.7/creating_images/guidelines.html All the files created by the "airflow" user are now belonging to 'root' group and the root group has the same access to those files as the Airflow user. Additionally, the random user gets automatically added /etc/passwd entry which is name 'default'. The name of the user can be set by setting the USER_NAME variable when starting the container. Closes #9248 Closes #8706
2020-06-27 15:29:55 +03:00
# Make /etc/passwd root-group-writeable so that user can be dynamically added by OpenShift
# See https://github.com/apache/airflow/issues/9248
RUN chmod g=u /etc/passwd
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
Make Production Dockerfile OpenShift-compatible (#9545) OpenShift (and other Kubernetes platforms) often use the approach that they start containers with random user and root group. This is described in the https://docs.openshift.com/container-platform/3.7/creating_images/guidelines.html All the files created by the "airflow" user are now belonging to 'root' group and the root group has the same access to those files as the Airflow user. Additionally, the random user gets automatically added /etc/passwd entry which is name 'default'. The name of the user can be set by setting the USER_NAME variable when starting the container. Closes #9248 Closes #8706
2020-06-27 15:29:55 +03:00
ENV PATH="${AIRFLOW_USER_HOME_DIR}/.local/bin:${PATH}"
Gunicorn works better if temporary folder uses tmpfs (#9534) This is discussed in the documentation of gunicorn. You can find more information here: https://docs.gunicorn.org/en/stable/faq.html#how-do-i-avoid-gunicorn-excessively-blocking-in-os-fchmod Since we are using docker, we always have shared memory available (at least 64MB). Closes #9379
2020-06-26 17:41:21 +03:00
ENV GUNICORN_CMD_ARGS="--worker-tmp-dir /dev/shm"
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
WORKDIR ${AIRFLOW_HOME}
Expose Airflow Webserver Port in Production Docker Image (#8228)
2020-04-15 14:05:02 +03:00
EXPOSE 8080
Make Production Dockerfile OpenShift-compatible (#9545) OpenShift (and other Kubernetes platforms) often use the approach that they start containers with random user and root group. This is described in the https://docs.openshift.com/container-platform/3.7/creating_images/guidelines.html All the files created by the "airflow" user are now belonging to 'root' group and the root group has the same access to those files as the Airflow user. Additionally, the random user gets automatically added /etc/passwd entry which is name 'default'. The name of the user can be set by setting the USER_NAME variable when starting the container. Closes #9248 Closes #8706
2020-06-27 15:29:55 +03:00
USER ${AIRFLOW_UID}
Docker images are now consistently labelled and a bit smaller (#10387) Extracted from #10368
2020-08-19 03:03:22 +03:00
ARG BUILD_ID
ENV BUILD_ID=${BUILD_ID}
ARG COMMIT_SHA
ENV COMMIT_SHA=${COMMIT_SHA}
Apply labels to Docker images in a single instruction (#12931) * Apply labels to Docker images in a single instruction While looking at the build logs for something else I noticed this oddity at the end of the CI logs: ``` Tue, 08 Dec 2020 21:20:19 GMT Step 125/135 : LABEL org.apache.airflow.distro="debian" ... Tue, 08 Dec 2020 21:21:14 GMT Step 133/135 : LABEL org.apache.airflow.commitSha=${COMMIT_SHA} Tue, 08 Dec 2020 21:21:14 GMT ---> Running in 1241a5f6cdb7 Tue, 08 Dec 2020 21:21:21 GMT Removing intermediate container 1241a5f6cdb7 ``` Applying all the labels took 1m2s! Hopefully applying these in a single layer/command should speed things up. A less extreme example still took 43s ``` Tue, 08 Dec 2020 20:44:40 GMT Step 125/135 : LABEL org.apache.airflow.distro="debian" ... Tue, 08 Dec 2020 20:45:18 GMT Step 133/135 : LABEL org.apache.airflow.commitSha=${COMMIT_SHA} Tue, 08 Dec 2020 20:45:18 GMT ---> Running in dc601207dbcb Tue, 08 Dec 2020 20:45:23 GMT Removing intermediate container dc601207dbcb Tue, 08 Dec 2020 20:45:23 GMT ---> 5aae5dd0f702 ``` * Update Dockerfile
2020-12-09 08:19:38 +03:00
LABEL org.apache.airflow.distro="debian" \
org.apache.airflow.distro.version="buster" \
org.apache.airflow.module="airflow" \
org.apache.airflow.component="airflow" \
org.apache.airflow.image="airflow" \
org.apache.airflow.uid="${AIRFLOW_UID}" \
org.apache.airflow.gid="${AIRFLOW_GID}" \
org.apache.airflow.mainImage.buildId=${BUILD_ID} \
org.apache.airflow.mainImage.commitSha=${COMMIT_SHA}
Docker images are now consistently labelled and a bit smaller (#10387) Extracted from #10368
2020-08-19 03:03:22 +03:00
Add Production Docker image support (#7832)
2020-04-02 20:52:11 +03:00
ENTRYPOINT ["/usr/bin/dumb-init", "--", "/entrypoint"]
Fix subcommand error when running production image without argument (#8415) Co-authored-by: Liang Hao <liahao@tesla.com>
2020-04-17 15:47:23 +03:00
CMD ["--help"]