Add an entrypoint to spark-operator for handling non-root users #189
Conversation
In order to use the spark-on-k8s-operator on a platform where a user is assigned based on a security context (OpenShift), the /etc/passwd file needs to be modified in an entrypoint like it is in the standard Apache Spark 2.3 image to support an assigned user. Also, to avoid overriding the entrypoint, the command in spark-operator.yaml should be left defaulted but the args still passed. The /etc/passwd file will be unchanged for a root user since root is already in the file.
|
@liyinan926 please take a look. I've been playing with the spark-on-k8s-operator on OpenShift and I think this is a transparent change to make it work there |
|
I'm wondering if there is any clever way we can use the spark upstream's |
|
@erikerlandson that's a good point It has a from "gcr.io/ynli-k8s/spark:v2.3.0", which would have the spark entrypoint. The only trouble I see is that the spark entrypoint rejects commands it doesn't recognize. We just need the preamble and then to run the operator. |
Instead of hardwiring the command in /entrypoint in the image, just pass /usr/bin/spark-operator as the initial arg to retain full flexibility from the yaml file.
| @@ -0,0 +1,37 @@ | |||
| #!/bin/bash | |||
| # | |||
There was a problem hiding this comment.
nit: missing Copyright 2018 Google LLC in the license header.
There was a problem hiding this comment.
Sorry for the delay. This snippet was cut directly from the Apache Spark distribution standard entrypoint.sh, the only difference is an exec after the copied portion.There is no Copyright in the original, can we / should we really add one? https://github.com/apache/spark/blob/master/resource-managers/kubernetes/docker/src/main/dockerfiles/spark/entrypoint.sh
There was a problem hiding this comment.
We can ignore this for now.
| RUN go generate && go build -o /usr/bin/spark-operator | ||
|
|
||
|
|
||
| FROM gcr.io/ynli-k8s/spark:v2.3.0 |
There was a problem hiding this comment.
This will also require an image built using the Dockerfile in the latest spark/master to pick up apache/spark#21572, right?
There was a problem hiding this comment.
Not the OP, but to get at least examples working on the newest release of Openshift (besides this pull request) spark/master entrypoint requires (which newest version does):
set +e
uidentry=$(getent passwd $myuid)
set -eThis and granting write access to spark working directory should make it work.
|
We have similar code running fine on Openshift will contribute it here and push forward this PR as it is useful. @yuchaoran2011 ^^ |
|
This is covered by #343. |
5 participants
In order to use the spark-on-k8s-operator on a platform where a user
is assigned based on a security context (OpenShift), the /etc/passwd
file needs to be modified in an entrypoint like it is in the standard
Apache Spark 2.3 image to support an assigned user (note that it
won't be changed for a root user). Change the spark-operator.yaml to
call the entrypoint and pass /usr/bin/spark-operator as the first argument.