@@ -114,13 +114,15 @@ RUN python3 -m venv /stackable/app \
114114    && if [ -n "$AUTHLIB"  ]; then pip install Authlib==${AUTHLIB}; fi && \
115115    pip install --no-cache-dir /tmp/opa_authorizer-0.1.0-py3-none-any.whl
116116
117+ COPY  --from=statsd_exporter-builder /statsd_exporter/statsd_exporter /stackable/statsd_exporter
117118COPY  superset/stackable/patches /patches
118- RUN  /patches/apply_patches.sh ${PRODUCT}
119- 
120- WORKDIR  /stackable
121- RUN  source /stackable/app/bin/activate && cyclonedx-py environment --schema-version 1.5 --outfile app/superset-${PRODUCT}.cdx.json
122119
123- COPY  --from=statsd_exporter-builder /statsd_exporter/statsd_exporter /stackable/statsd_exporter
120+ RUN  <<EOF
121+ /patches/apply_patches.sh ${PRODUCT}
122+ cd /stackable
123+ source /stackable/app/bin/activate && cyclonedx-py environment --schema-version 1.5 --outfile app/superset-${PRODUCT}.cdx.json
124+ chmod --recursive g=u /stackable
125+ EOF
124126
125127#  Final image
126128FROM  stackable/image/vector
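Review bot: The new builder-stage heredoc (`RUN <<EOF` through `chmod --recursive g=u /stackable`) has no `set -e`, so its exit status is that of the final `chmod`. A failing `/patches/apply_patches.sh ${PRODUCT}` or `cyclonedx-py` run would therefore no longer stop the build, whereas the separate `RUN` lines it replaces each did. The result could be an image that ships without the intended patches, or without the `app/superset-${PRODUCT}.cdx.json` SBOM, and nothing in the build log would fail. Unless a `SHELL` that already enables `-e` is set earlier in this stage or in the base image (not visible in this hunk), add `set -e` as the first line of the heredoc.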
@@ -131,12 +133,12 @@ ARG RELEASE
131133ARG  STACKABLE_USER_UID
132134
133135LABEL  name="Apache Superset"  \
134- 135-        vendor="Stackable GmbH"  \
136-        version="${PRODUCT}"  \
137-        release="${RELEASE}"  \
138-        summary="The Stackable image for Apache Superset."  \
139-        description="This image is deployed by the Stackable Operator for Apache Superset." 
136+ 137+     vendor="Stackable GmbH"  \
138+     version="${PRODUCT}"  \
139+     release="${RELEASE}"  \
140+     summary="The Stackable image for Apache Superset."  \
141+     description="This image is deployed by the Stackable Operator for Apache Superset." 
140142
141143ENV  FLASK_APP="superset.app:create_app()"  \
142144    FLASK_ENV="production"  \
@@ -145,6 +147,10 @@ ENV FLASK_APP="superset.app:create_app()" \
145147ENV  PATH="${HOME}/app/bin:${PATH}"  \
146148    PYTHONPATH="${HOME}/app/pythonpath" 
147149
150+ COPY  superset/licenses /licenses
151+ 
152+ COPY  --from=builder --chown=${STACKABLE_USER_UID}:0 /stackable/ ${HOME}/
153+ 
148154RUN  <<EOF
149155microdnf update
150156microdnf install \
@@ -157,22 +163,23 @@ microdnf install \
157163
158164microdnf clean all
159165rm -rf /var/cache/yum
160- 
161- #  All files and folders owned by root group to support running as arbitrary users.
162- #  This is best practice as all container users will belong to the root group (0).
163- chown -R "${STACKABLE_USER_UID}:0"  /stackable
164- chmod -R g=u /stackable
165166EOF
166167
167- COPY  superset/licenses /licenses
168+ #  ----------------------------------------
169+ #  Checks
170+ #  This section is to run final checks to ensure the created final images
171+ #  adhere to several minimal requirements like:
172+ #  - check file permissions and ownerships
173+ #  ----------------------------------------
168174
169- COPY  --from=builder --chown=${STACKABLE_USER_UID}:0 /stackable/ ${HOME}/
175+ #  Check that permissions and ownership in ${HOME} are set correctly
176+ #  This will fail and stop the build if any mismatches are found.
177+ RUN  <<EOF
178+ /bin/check-permissions-ownership.sh ${HOME} ${STACKABLE_USER_UID} 0
179+ EOF
170180
171181#  ----------------------------------------
172- #  Attention: We are changing the group of all files in /stackable directly above
173- #  If you do any file based actions (copying / creating etc.) below this comment you
174- #  absolutely need to make sure that the correct permissions are applied!
175- #  chown ${STACKABLE_USER_UID}:0
182+ #  Attention: Do not perform any file based actions (copying/creating etc.) below this comment because the permissions would not be checked.
176183#  ----------------------------------------
177184
178185USER  ${STACKABLE_USER_UID}