diff --git a/1.20/scala_2.12-java11-ubuntu/Dockerfile b/1.20/scala_2.12-java11-ubuntu/Dockerfile
index 0945696..fe34ab7 100644
--- a/1.20/scala_2.12-java11-ubuntu/Dockerfile
+++ b/1.20/scala_2.12-java11-ubuntu/Dockerfile
@@ -24,25 +24,6 @@ RUN set -ex; \
 apt-get -y install gpg libsnappy1v5 gettext-base libjemalloc-dev; \
 rm -rf /var/lib/apt/lists/*
-# Grab gosu for easy step-down from root
-ENV GOSU_VERSION 1.11
-RUN set -ex; \
- wget -nv -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)"; \
- wget -nv -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc"; \
- export GNUPGHOME="$(mktemp -d)"; \
- for server in ha.pool.sks-keyservers.net $(shuf -e \
- hkp://p80.pool.sks-keyservers.net:80 \
- keyserver.ubuntu.com \
- hkp://keyserver.ubuntu.com:80 \
- pgp.mit.edu) ; do \
- gpg --batch --keyserver "$server" --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \
- done && \
- gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
- gpgconf --kill all; \
- rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
- chmod +x /usr/local/bin/gosu; \
- gosu nobody true
-
 # Configure Flink version
 ENV FLINK_TGZ_URL=https://dlcdn.apache.org/flink/flink-1.20.1/flink-1.20.1-bin-scala_2.12.tgz \
 FLINK_ASC_URL=https://downloads.apache.org/flink/flink-1.20.1/flink-1.20.1-bin-scala_2.12.tgz.asc \
@@ -99,6 +80,7 @@ RUN set -ex; \
 fi;
 # Configure container
+USER flink
 COPY docker-entrypoint.sh /
 ENTRYPOINT ["/docker-entrypoint.sh"]
 EXPOSE 6123 8081
diff --git a/1.20/scala_2.12-java11-ubuntu/docker-entrypoint.sh b/1.20/scala_2.12-java11-ubuntu/docker-entrypoint.sh
index e081109..cf63daa 100755
--- a/1.20/scala_2.12-java11-ubuntu/docker-entrypoint.sh
+++ b/1.20/scala_2.12-java11-ubuntu/docker-entrypoint.sh
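Review bot: `USER flink` under "# Configure container" sets the default user by name, and a Kubernetes pod with `runAsNonRoot: true` cannot verify a non-numeric image user as non-root, so it refuses to start the container unless `runAsUser` is also set. Prefer the numeric form, `USER <flink-uid>` (placeholder: the UID given to the flink account where it is created, which is outside this hunk). With gosu removed there is also no root phase left in the entrypoint, so anything it writes at start-up must already be writable by that UID; this is inferred, the relevant lines are not visible here. The same line is added in the other five Dockerfiles of this patch.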
@@ -25,16 +25,9 @@ COMMAND_HISTORY_SERVER="history-server"
 JOB_MANAGER_RPC_ADDRESS=${JOB_MANAGER_RPC_ADDRESS:-$(hostname -f)}
 CONF_FILE_DIR="${FLINK_HOME}/conf"
-drop_privs_cmd() {
- if [ $(id -u) != 0 ]; then
- # Don't need to drop privs if EUID != 0
- return
- elif [ -x /sbin/su-exec ]; then
- # Alpine
- echo su-exec flink
- else
- # Others
- echo gosu flink
+check_priv_user() {
+ if [ $(id -u) == 0 ]; then
+ echo "WARNING: Running as root user is not recommended. Please use a non-root user to run Flink."
 fi
 }
@@ -146,6 +139,8 @@ maybe_enable_jemalloc() {
 fi
 }
+check_priv_user
+
 maybe_enable_jemalloc
 copy_plugins_if_required
@@ -163,28 +158,28 @@ elif [ "$1" = "jobmanager" ]; then
 echo "Starting Job Manager"
- exec $(drop_privs_cmd) "$FLINK_HOME/bin/jobmanager.sh" start-foreground "${args[@]}"
+ exec "$FLINK_HOME/bin/jobmanager.sh" start-foreground "${args[@]}"
 elif [ "$1" = ${COMMAND_STANDALONE} ]; then
 args=("${args[@]:1}")
 echo "Starting Job Manager"
- exec $(drop_privs_cmd) "$FLINK_HOME/bin/standalone-job.sh" start-foreground "${args[@]}"
+ exec "$FLINK_HOME/bin/standalone-job.sh" start-foreground "${args[@]}"
 elif [ "$1" = ${COMMAND_HISTORY_SERVER} ]; then
 args=("${args[@]:1}")
 echo "Starting History Server"
- exec $(drop_privs_cmd) "$FLINK_HOME/bin/historyserver.sh" start-foreground "${args[@]}"
+ exec "$FLINK_HOME/bin/historyserver.sh" start-foreground "${args[@]}"
 elif [ "$1" = "taskmanager" ]; then
 args=("${args[@]:1}")
 echo "Starting Task Manager"
- exec $(drop_privs_cmd) "$FLINK_HOME/bin/taskmanager.sh" start-foreground "${args[@]}"
+ exec "$FLINK_HOME/bin/taskmanager.sh" start-foreground "${args[@]}"
 fi
 args=("${args[@]}")
 # Running command in pass-through mode
-exec $(drop_privs_cmd) "${args[@]}"
+exec "${args[@]}"
diff --git a/1.20/scala_2.12-java17-ubuntu/Dockerfile b/1.20/scala_2.12-java17-ubuntu/Dockerfile
index 081d9e8..ec11479 100644
--- a/1.20/scala_2.12-java17-ubuntu/Dockerfile
+++ b/1.20/scala_2.12-java17-ubuntu/Dockerfile
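Review bot: `check_priv_user` only prints a warning when `id -u` is 0, and the last hunk of this file drops `$(drop_privs_cmd)` from every `exec`, so a container started with the user overridden to root now runs Flink as root where the old entrypoint stepped down to flink. If that is intended, say so in a comment above the function, e.g. `# Root is no longer stepped down; the image relies on USER flink and only warns here`; otherwise exit non-zero instead of warning. The message also goes to stdout, where it mixes into the output of pass-through commands; send it to stderr and use the POSIX test form: `if [ "$(id -u)" = 0 ]; then` and `echo "WARNING: ..." >&2`. The same function is added in the other five docker-entrypoint.sh files in this patch.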
@@ -24,25 +24,6 @@ RUN set -ex; \
 apt-get -y install gpg libsnappy1v5 gettext-base libjemalloc-dev; \
 rm -rf /var/lib/apt/lists/*
-# Grab gosu for easy step-down from root
-ENV GOSU_VERSION 1.11
-RUN set -ex; \
- wget -nv -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)"; \
- wget -nv -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc"; \
- export GNUPGHOME="$(mktemp -d)"; \
- for server in ha.pool.sks-keyservers.net $(shuf -e \
- hkp://p80.pool.sks-keyservers.net:80 \
- keyserver.ubuntu.com \
- hkp://keyserver.ubuntu.com:80 \
- pgp.mit.edu) ; do \
- gpg --batch --keyserver "$server" --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \
- done && \
- gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
- gpgconf --kill all; \
- rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
- chmod +x /usr/local/bin/gosu; \
- gosu nobody true
-
 # Configure Flink version
 ENV FLINK_TGZ_URL=https://dlcdn.apache.org/flink/flink-1.20.1/flink-1.20.1-bin-scala_2.12.tgz \
 FLINK_ASC_URL=https://downloads.apache.org/flink/flink-1.20.1/flink-1.20.1-bin-scala_2.12.tgz.asc \
@@ -99,6 +80,7 @@ RUN set -ex; \
 fi;
 # Configure container
+USER flink
 COPY docker-entrypoint.sh /
 ENTRYPOINT ["/docker-entrypoint.sh"]
 EXPOSE 6123 8081
diff --git a/1.20/scala_2.12-java17-ubuntu/docker-entrypoint.sh b/1.20/scala_2.12-java17-ubuntu/docker-entrypoint.sh
index e081109..cf63daa 100755
--- a/1.20/scala_2.12-java17-ubuntu/docker-entrypoint.sh
+++ b/1.20/scala_2.12-java17-ubuntu/docker-entrypoint.sh
@@ -25,16 +25,9 @@ COMMAND_HISTORY_SERVER="history-server"
 JOB_MANAGER_RPC_ADDRESS=${JOB_MANAGER_RPC_ADDRESS:-$(hostname -f)}
 CONF_FILE_DIR="${FLINK_HOME}/conf"
-drop_privs_cmd() {
- if [ $(id -u) != 0 ]; then
- # Don't need to drop privs if EUID != 0
- return
- elif [ -x /sbin/su-exec ]; then
- # Alpine
- echo su-exec flink
- else
- # Others
- echo gosu flink
+check_priv_user() {
+ if [ $(id -u) == 0 ]; then
+ echo "WARNING: Running as root user is not recommended. Please use a non-root user to run Flink."
 fi
 }
@@ -146,6 +139,8 @@ maybe_enable_jemalloc() {
 fi
 }
+check_priv_user
+
 maybe_enable_jemalloc
 copy_plugins_if_required
@@ -163,28 +158,28 @@ elif [ "$1" = "jobmanager" ]; then
 echo "Starting Job Manager"
- exec $(drop_privs_cmd) "$FLINK_HOME/bin/jobmanager.sh" start-foreground "${args[@]}"
+ exec "$FLINK_HOME/bin/jobmanager.sh" start-foreground "${args[@]}"
 elif [ "$1" = ${COMMAND_STANDALONE} ]; then
 args=("${args[@]:1}")
 echo "Starting Job Manager"
- exec $(drop_privs_cmd) "$FLINK_HOME/bin/standalone-job.sh" start-foreground "${args[@]}"
+ exec "$FLINK_HOME/bin/standalone-job.sh" start-foreground "${args[@]}"
 elif [ "$1" = ${COMMAND_HISTORY_SERVER} ]; then
 args=("${args[@]:1}")
 echo "Starting History Server"
- exec $(drop_privs_cmd) "$FLINK_HOME/bin/historyserver.sh" start-foreground "${args[@]}"
+ exec "$FLINK_HOME/bin/historyserver.sh" start-foreground "${args[@]}"
 elif [ "$1" = "taskmanager" ]; then
 args=("${args[@]:1}")
 echo "Starting Task Manager"
- exec $(drop_privs_cmd) "$FLINK_HOME/bin/taskmanager.sh" start-foreground "${args[@]}"
+ exec "$FLINK_HOME/bin/taskmanager.sh" start-foreground "${args[@]}"
 fi
 args=("${args[@]}")
 # Running command in pass-through mode
-exec $(drop_privs_cmd) "${args[@]}"
+exec "${args[@]}"
diff --git a/1.20/scala_2.12-java8-ubuntu/Dockerfile b/1.20/scala_2.12-java8-ubuntu/Dockerfile
index 1d4f94f..5892278 100644
--- a/1.20/scala_2.12-java8-ubuntu/Dockerfile
+++ b/1.20/scala_2.12-java8-ubuntu/Dockerfile
@@ -24,25 +24,6 @@ RUN set -ex; \
 apt-get -y install gpg libsnappy1v5 gettext-base libjemalloc-dev; \
 rm -rf /var/lib/apt/lists/*
-# Grab gosu for easy step-down from root
-ENV GOSU_VERSION 1.11
-RUN set -ex; \
- wget -nv -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)"; \
- wget -nv -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc"; \
- export GNUPGHOME="$(mktemp -d)"; \
- for server in ha.pool.sks-keyservers.net $(shuf -e \
- hkp://p80.pool.sks-keyservers.net:80 \
- keyserver.ubuntu.com \
- hkp://keyserver.ubuntu.com:80 \
- pgp.mit.edu) ; do \
- gpg --batch --keyserver "$server" --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \
- done && \
- gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
- gpgconf --kill all; \
- rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
- chmod +x /usr/local/bin/gosu; \
- gosu nobody true
-
 # Configure Flink version
 ENV FLINK_TGZ_URL=https://dlcdn.apache.org/flink/flink-1.20.1/flink-1.20.1-bin-scala_2.12.tgz \
 FLINK_ASC_URL=https://downloads.apache.org/flink/flink-1.20.1/flink-1.20.1-bin-scala_2.12.tgz.asc \
@@ -99,6 +80,7 @@ RUN set -ex; \
 fi;
 # Configure container
+USER flink
 COPY docker-entrypoint.sh /
 ENTRYPOINT ["/docker-entrypoint.sh"]
 EXPOSE 6123 8081
diff --git a/1.20/scala_2.12-java8-ubuntu/docker-entrypoint.sh b/1.20/scala_2.12-java8-ubuntu/docker-entrypoint.sh
index e081109..cf63daa 100755
--- a/1.20/scala_2.12-java8-ubuntu/docker-entrypoint.sh
+++ b/1.20/scala_2.12-java8-ubuntu/docker-entrypoint.sh
@@ -25,16 +25,9 @@ COMMAND_HISTORY_SERVER="history-server"
 JOB_MANAGER_RPC_ADDRESS=${JOB_MANAGER_RPC_ADDRESS:-$(hostname -f)}
 CONF_FILE_DIR="${FLINK_HOME}/conf"
-drop_privs_cmd() {
- if [ $(id -u) != 0 ]; then
- # Don't need to drop privs if EUID != 0
- return
- elif [ -x /sbin/su-exec ]; then
- # Alpine
- echo su-exec flink
- else
- # Others
- echo gosu flink
+check_priv_user() {
+ if [ $(id -u) == 0 ]; then
+ echo "WARNING: Running as root user is not recommended. Please use a non-root user to run Flink."
 fi
 }
@@ -146,6 +139,8 @@ maybe_enable_jemalloc() {
 fi
 }
+check_priv_user
+
 maybe_enable_jemalloc
 copy_plugins_if_required
@@ -163,28 +158,28 @@ elif [ "$1" = "jobmanager" ]; then
 echo "Starting Job Manager"
- exec $(drop_privs_cmd) "$FLINK_HOME/bin/jobmanager.sh" start-foreground "${args[@]}"
+ exec "$FLINK_HOME/bin/jobmanager.sh" start-foreground "${args[@]}"
 elif [ "$1" = ${COMMAND_STANDALONE} ]; then
 args=("${args[@]:1}")
 echo "Starting Job Manager"
- exec $(drop_privs_cmd) "$FLINK_HOME/bin/standalone-job.sh" start-foreground "${args[@]}"
+ exec "$FLINK_HOME/bin/standalone-job.sh" start-foreground "${args[@]}"
 elif [ "$1" = ${COMMAND_HISTORY_SERVER} ]; then
 args=("${args[@]:1}")
 echo "Starting History Server"
- exec $(drop_privs_cmd) "$FLINK_HOME/bin/historyserver.sh" start-foreground "${args[@]}"
+ exec "$FLINK_HOME/bin/historyserver.sh" start-foreground "${args[@]}"
 elif [ "$1" = "taskmanager" ]; then
 args=("${args[@]:1}")
 echo "Starting Task Manager"
- exec $(drop_privs_cmd) "$FLINK_HOME/bin/taskmanager.sh" start-foreground "${args[@]}"
+ exec "$FLINK_HOME/bin/taskmanager.sh" start-foreground "${args[@]}"
 fi
 args=("${args[@]}")
 # Running command in pass-through mode
-exec $(drop_privs_cmd) "${args[@]}"
+exec "${args[@]}"
diff --git a/2.0/scala_2.12-java11-ubuntu/Dockerfile b/2.0/scala_2.12-java11-ubuntu/Dockerfile
index 4f13c73..809a68a 100644
--- a/2.0/scala_2.12-java11-ubuntu/Dockerfile
+++ b/2.0/scala_2.12-java11-ubuntu/Dockerfile
@@ -24,25 +24,6 @@ RUN set -ex; \
 apt-get -y install gpg libsnappy1v5 gettext-base libjemalloc-dev; \
 rm -rf /var/lib/apt/lists/*
-# Grab gosu for easy step-down from root
-ENV GOSU_VERSION 1.11
-RUN set -ex; \
- wget -nv -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)"; \
- wget -nv -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc"; \
- export GNUPGHOME="$(mktemp -d)"; \
- for server in ha.pool.sks-keyservers.net $(shuf -e \
- hkp://p80.pool.sks-keyservers.net:80 \
- keyserver.ubuntu.com \
- hkp://keyserver.ubuntu.com:80 \
- pgp.mit.edu) ; do \
- gpg --batch --keyserver "$server" --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \
- done && \
- gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
- gpgconf --kill all; \
- rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
- chmod +x /usr/local/bin/gosu; \
- gosu nobody true
-
 # Configure Flink version
 ENV FLINK_TGZ_URL=https://dlcdn.apache.org/flink/flink-2.0.0/flink-2.0.0-bin-scala_2.12.tgz \
 FLINK_ASC_URL=https://downloads.apache.org/flink/flink-2.0.0/flink-2.0.0-bin-scala_2.12.tgz.asc \
@@ -90,6 +71,7 @@ RUN set -ex; \
 "-rmKV" "taskmanager.host=localhost";
 # Configure container
+USER flink
 COPY docker-entrypoint.sh /
 ENTRYPOINT ["/docker-entrypoint.sh"]
 EXPOSE 6123 8081
diff --git a/2.0/scala_2.12-java11-ubuntu/docker-entrypoint.sh b/2.0/scala_2.12-java11-ubuntu/docker-entrypoint.sh
index e081109..cf63daa 100755
--- a/2.0/scala_2.12-java11-ubuntu/docker-entrypoint.sh
+++ b/2.0/scala_2.12-java11-ubuntu/docker-entrypoint.sh
@@ -25,16 +25,9 @@ COMMAND_HISTORY_SERVER="history-server"
 JOB_MANAGER_RPC_ADDRESS=${JOB_MANAGER_RPC_ADDRESS:-$(hostname -f)}
 CONF_FILE_DIR="${FLINK_HOME}/conf"
-drop_privs_cmd() {
- if [ $(id -u) != 0 ]; then
- # Don't need to drop privs if EUID != 0
- return
- elif [ -x /sbin/su-exec ]; then
- # Alpine
- echo su-exec flink
- else
- # Others
- echo gosu flink
+check_priv_user() {
+ if [ $(id -u) == 0 ]; then
+ echo "WARNING: Running as root user is not recommended. Please use a non-root user to run Flink."
 fi
 }
@@ -146,6 +139,8 @@ maybe_enable_jemalloc() {
 fi
 }
+check_priv_user
+
 maybe_enable_jemalloc
 copy_plugins_if_required
@@ -163,28 +158,28 @@ elif [ "$1" = "jobmanager" ]; then
 echo "Starting Job Manager"
- exec $(drop_privs_cmd) "$FLINK_HOME/bin/jobmanager.sh" start-foreground "${args[@]}"
+ exec "$FLINK_HOME/bin/jobmanager.sh" start-foreground "${args[@]}"
 elif [ "$1" = ${COMMAND_STANDALONE} ]; then
 args=("${args[@]:1}")
 echo "Starting Job Manager"
- exec $(drop_privs_cmd) "$FLINK_HOME/bin/standalone-job.sh" start-foreground "${args[@]}"
+ exec "$FLINK_HOME/bin/standalone-job.sh" start-foreground "${args[@]}"
 elif [ "$1" = ${COMMAND_HISTORY_SERVER} ]; then
 args=("${args[@]:1}")
 echo "Starting History Server"
- exec $(drop_privs_cmd) "$FLINK_HOME/bin/historyserver.sh" start-foreground "${args[@]}"
+ exec "$FLINK_HOME/bin/historyserver.sh" start-foreground "${args[@]}"
 elif [ "$1" = "taskmanager" ]; then
 args=("${args[@]:1}")
 echo "Starting Task Manager"
- exec $(drop_privs_cmd) "$FLINK_HOME/bin/taskmanager.sh" start-foreground "${args[@]}"
+ exec "$FLINK_HOME/bin/taskmanager.sh" start-foreground "${args[@]}"
 fi
 args=("${args[@]}")
 # Running command in pass-through mode
-exec $(drop_privs_cmd) "${args[@]}"
+exec "${args[@]}"
diff --git a/2.0/scala_2.12-java17-ubuntu/Dockerfile b/2.0/scala_2.12-java17-ubuntu/Dockerfile
index a3ecbfd..6a34b2c 100644
--- a/2.0/scala_2.12-java17-ubuntu/Dockerfile
+++ b/2.0/scala_2.12-java17-ubuntu/Dockerfile
@@ -24,25 +24,6 @@ RUN set -ex; \
 apt-get -y install gpg libsnappy1v5 gettext-base libjemalloc-dev; \
 rm -rf /var/lib/apt/lists/*
-# Grab gosu for easy step-down from root
-ENV GOSU_VERSION 1.11
-RUN set -ex; \
- wget -nv -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)"; \
- wget -nv -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc"; \
- export GNUPGHOME="$(mktemp -d)"; \
- for server in ha.pool.sks-keyservers.net $(shuf -e \
- hkp://p80.pool.sks-keyservers.net:80 \
- keyserver.ubuntu.com \
- hkp://keyserver.ubuntu.com:80 \
- pgp.mit.edu) ; do \
- gpg --batch --keyserver "$server" --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \
- done && \
- gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
- gpgconf --kill all; \
- rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
- chmod +x /usr/local/bin/gosu; \
- gosu nobody true
-
 # Configure Flink version
 ENV FLINK_TGZ_URL=https://dlcdn.apache.org/flink/flink-2.0.0/flink-2.0.0-bin-scala_2.12.tgz \
 FLINK_ASC_URL=https://downloads.apache.org/flink/flink-2.0.0/flink-2.0.0-bin-scala_2.12.tgz.asc \
@@ -90,6 +71,7 @@ RUN set -ex; \
 "-rmKV" "taskmanager.host=localhost";
 # Configure container
+USER flink
 COPY docker-entrypoint.sh /
 ENTRYPOINT ["/docker-entrypoint.sh"]
 EXPOSE 6123 8081
diff --git a/2.0/scala_2.12-java17-ubuntu/docker-entrypoint.sh b/2.0/scala_2.12-java17-ubuntu/docker-entrypoint.sh
index e081109..cf63daa 100755
--- a/2.0/scala_2.12-java17-ubuntu/docker-entrypoint.sh
+++ b/2.0/scala_2.12-java17-ubuntu/docker-entrypoint.sh
@@ -25,16 +25,9 @@ COMMAND_HISTORY_SERVER="history-server"
 JOB_MANAGER_RPC_ADDRESS=${JOB_MANAGER_RPC_ADDRESS:-$(hostname -f)}
 CONF_FILE_DIR="${FLINK_HOME}/conf"
-drop_privs_cmd() {
- if [ $(id -u) != 0 ]; then
- # Don't need to drop privs if EUID != 0
- return
- elif [ -x /sbin/su-exec ]; then
- # Alpine
- echo su-exec flink
- else
- # Others
- echo gosu flink
+check_priv_user() {
+ if [ $(id -u) == 0 ]; then
+ echo "WARNING: Running as root user is not recommended. Please use a non-root user to run Flink."
 fi
 }
@@ -146,6 +139,8 @@ maybe_enable_jemalloc() {
 fi
 }
+check_priv_user
+
 maybe_enable_jemalloc
 copy_plugins_if_required
@@ -163,28 +158,28 @@ elif [ "$1" = "jobmanager" ]; then
 echo "Starting Job Manager"
- exec $(drop_privs_cmd) "$FLINK_HOME/bin/jobmanager.sh" start-foreground "${args[@]}"
+ exec "$FLINK_HOME/bin/jobmanager.sh" start-foreground "${args[@]}"
 elif [ "$1" = ${COMMAND_STANDALONE} ]; then
 args=("${args[@]:1}")
 echo "Starting Job Manager"
- exec $(drop_privs_cmd) "$FLINK_HOME/bin/standalone-job.sh" start-foreground "${args[@]}"
+ exec "$FLINK_HOME/bin/standalone-job.sh" start-foreground "${args[@]}"
 elif [ "$1" = ${COMMAND_HISTORY_SERVER} ]; then
 args=("${args[@]:1}")
 echo "Starting History Server"
- exec $(drop_privs_cmd) "$FLINK_HOME/bin/historyserver.sh" start-foreground "${args[@]}"
+ exec "$FLINK_HOME/bin/historyserver.sh" start-foreground "${args[@]}"
 elif [ "$1" = "taskmanager" ]; then
 args=("${args[@]:1}")
 echo "Starting Task Manager"
- exec $(drop_privs_cmd) "$FLINK_HOME/bin/taskmanager.sh" start-foreground "${args[@]}"
+ exec "$FLINK_HOME/bin/taskmanager.sh" start-foreground "${args[@]}"
 fi
 args=("${args[@]}")
 # Running command in pass-through mode
-exec $(drop_privs_cmd) "${args[@]}"
+exec "${args[@]}"
diff --git a/2.0/scala_2.12-java21-ubuntu/Dockerfile b/2.0/scala_2.12-java21-ubuntu/Dockerfile
index 22cb42b..c989ffb 100644
--- a/2.0/scala_2.12-java21-ubuntu/Dockerfile
+++ b/2.0/scala_2.12-java21-ubuntu/Dockerfile
@@ -24,25 +24,6 @@ RUN set -ex; \
 apt-get -y install gpg libsnappy1v5 gettext-base libjemalloc-dev; \
 rm -rf /var/lib/apt/lists/*
-# Grab gosu for easy step-down from root
-ENV GOSU_VERSION 1.11
-RUN set -ex; \
- wget -nv -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)"; \
- wget -nv -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc"; \
- export GNUPGHOME="$(mktemp -d)"; \
- for server in ha.pool.sks-keyservers.net $(shuf -e \
- hkp://p80.pool.sks-keyservers.net:80 \
- keyserver.ubuntu.com \
- hkp://keyserver.ubuntu.com:80 \
- pgp.mit.edu) ; do \
- gpg --batch --keyserver "$server" --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \
- done && \
- gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
- gpgconf --kill all; \
- rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
- chmod +x /usr/local/bin/gosu; \
- gosu nobody true
-
 # Configure Flink version
 ENV FLINK_TGZ_URL=https://dlcdn.apache.org/flink/flink-2.0.0/flink-2.0.0-bin-scala_2.12.tgz \
 FLINK_ASC_URL=https://downloads.apache.org/flink/flink-2.0.0/flink-2.0.0-bin-scala_2.12.tgz.asc \
@@ -90,6 +71,7 @@ RUN set -ex; \
 "-rmKV" "taskmanager.host=localhost";
 # Configure container
+USER flink
 COPY docker-entrypoint.sh /
 ENTRYPOINT ["/docker-entrypoint.sh"]
 EXPOSE 6123 8081
diff --git a/2.0/scala_2.12-java21-ubuntu/docker-entrypoint.sh b/2.0/scala_2.12-java21-ubuntu/docker-entrypoint.sh
index e081109..cf63daa 100755
--- a/2.0/scala_2.12-java21-ubuntu/docker-entrypoint.sh
+++ b/2.0/scala_2.12-java21-ubuntu/docker-entrypoint.sh
@@ -25,16 +25,9 @@ COMMAND_HISTORY_SERVER="history-server"
 JOB_MANAGER_RPC_ADDRESS=${JOB_MANAGER_RPC_ADDRESS:-$(hostname -f)}
 CONF_FILE_DIR="${FLINK_HOME}/conf"
-drop_privs_cmd() {
- if [ $(id -u) != 0 ]; then
- # Don't need to drop privs if EUID != 0
- return
- elif [ -x /sbin/su-exec ]; then
- # Alpine
- echo su-exec flink
- else
- # Others
- echo gosu flink
+check_priv_user() {
+ if [ $(id -u) == 0 ]; then
+ echo "WARNING: Running as root user is not recommended. Please use a non-root user to run Flink."
 fi
 }
@@ -146,6 +139,8 @@ maybe_enable_jemalloc() {
 fi
 }
+check_priv_user
+
 maybe_enable_jemalloc
 copy_plugins_if_required
@@ -163,28 +158,28 @@ elif [ "$1" = "jobmanager" ]; then
 echo "Starting Job Manager"
- exec $(drop_privs_cmd) "$FLINK_HOME/bin/jobmanager.sh" start-foreground "${args[@]}"
+ exec "$FLINK_HOME/bin/jobmanager.sh" start-foreground "${args[@]}"
 elif [ "$1" = ${COMMAND_STANDALONE} ]; then
 args=("${args[@]:1}")
 echo "Starting Job Manager"
- exec $(drop_privs_cmd) "$FLINK_HOME/bin/standalone-job.sh" start-foreground "${args[@]}"
+ exec "$FLINK_HOME/bin/standalone-job.sh" start-foreground "${args[@]}"
 elif [ "$1" = ${COMMAND_HISTORY_SERVER} ]; then
 args=("${args[@]:1}")
 echo "Starting History Server"
- exec $(drop_privs_cmd) "$FLINK_HOME/bin/historyserver.sh" start-foreground "${args[@]}"
+ exec "$FLINK_HOME/bin/historyserver.sh" start-foreground "${args[@]}"
 elif [ "$1" = "taskmanager" ]; then
 args=("${args[@]:1}")
 echo "Starting Task Manager"
- exec $(drop_privs_cmd) "$FLINK_HOME/bin/taskmanager.sh" start-foreground "${args[@]}"
+ exec "$FLINK_HOME/bin/taskmanager.sh" start-foreground "${args[@]}"
 fi
 args=("${args[@]}")
 # Running command in pass-through mode
-exec $(drop_privs_cmd) "${args[@]}"
+exec "${args[@]}"