                        trinodb/trino container image does not work out-of-the-box with OpenShift (e.g. running the container as an arbitrary/random user ID)
When using the provided trinodb/trino container image directly in OpenShift, there are a few issues that need to be stumbled through before it can start to work properly.
As far as I understand it, in a nutshell, OpenShift normally works by assigning a dynamic range of UIDs to each namespace (or project, as they call it) and then each container is started with a user which has a unique UID number, and that user is by default a member of the root group within the container (but is not the actual root user, mind).  There is also a policy which blocks if you try to set runAsUser/runAsGroup in the securityContext to anything which is outside of your namespace's assigned number range (which is exactly what the Trino Helm chart does today -- I will create a separate issue just for this part of the chart over on that project 😎 ).
Here is more info on this from the OpenShift docs: https://docs.openshift.com/container-platform/4.15/openshift_images/create-images.html#use-uid_create-images
There are some "hacks"/"hoops" you can jump through (see https://cookbook.openshift.org/users-and-role-based-access-control/how-can-i-enable-an-image-to-run-as-a-set-user-id.html) to get around this, but it is a bit of a complicated process and is often frowned upon by cluster administrators. So I think it would be better if the Trino image could just run out-of-the-box on OpenShift, instead!
For now I have created my own Dockerfile which works around this by essentially just copying the Trino stuff out of the trinodb/trino image and running it in its own ubi9 minimal image instead where all of the content is owned by root:root and giving the root group write access to the /data/trino folder.
Here is an example of my Dockerfile which basically does this; it was taken as a copy of https://github.com/trinodb/trino/blob/449/core/docker/Dockerfile and adjusted a bit per the comments.
```dockerfile
# Rebuild Trino image but just allow user to be UBI9's default user so that it will work in OpenShift
# Original Trino Dockerfile: https://github.com/trinodb/trino/blob/master/core/docker/Dockerfile
# How Container User IDs should be handled in OpenShift: https://docs.openshift.com/container-platform/4.15/openshift_images/create-images.html#use-uid_create-images
FROM docker.io/trinodb/trino:449 AS trino

# Use ubi9 minimal as it's more secure
# (but lock the current latest version instead of using "latest" just to reduce unforeseen issues; this can and should be adjusted as new versions are built and tested)
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.4-949.1716471857

## Set JAVA_HOME based on what is installed in Trino
## This will need to be updated as changes are made to trinodb/trino
#ARG JDK_VERSION
#ENV JAVA_HOME="/usr/lib/jvm/jdk-${JDK_VERSION}"
ENV JAVA_HOME="/usr/lib/jvm/jdk-jdk-22.0.1+8"
ENV PATH=$PATH:$JAVA_HOME/bin
ENV CATALOG_MANAGEMENT=static

# Copy the JDK bundled in the upstream Trino image
COPY --from=trino $JAVA_HOME $JAVA_HOME

RUN \
    set -xeu && \
    microdnf update -y && \
    microdnf install -y tar less python3 shadow-utils && \
    update-alternatives --install /usr/bin/python python /usr/bin/python3 1 && \
    mkdir -p /usr/lib/trino /data/trino && \
    # give the root group the same rights as the owner so an arbitrary UID in GID 0 can write here
    chmod -R g=u /data/trino && \
    microdnf clean all

## removed these lines since we will use the existing ubi9 user
#    groupadd trino --gid 1000 && \
#    useradd trino --uid 1000 --gid 1000 --create-home && \
#    chown -R "trino:trino" /usr/lib/trino /data/trino

## remove these and just copy all of this from the Trino image
#ARG TRINO_VERSION
#COPY --chown=trino:trino trino-cli-${TRINO_VERSION}-executable.jar /usr/bin/trino
#COPY --chown=trino:trino trino-server-${TRINO_VERSION} /usr/lib/trino
#COPY --chown=trino:trino default/etc /etc/trino
#COPY --chown=trino:trino --from=jvmkill /libjvmkill.so /usr/lib/trino/bin

## and instead copy them all in under root
COPY --from=trino --chown=root:root /usr/bin/trino /usr/bin/trino
COPY --from=trino --chown=root:root /usr/lib/trino /usr/lib/trino
COPY --from=trino --chown=root:root /etc/trino /etc/trino

EXPOSE 8080
CMD ["/usr/lib/trino/bin/run-trino"]
HEALTHCHECK --interval=10s --timeout=5s --start-period=10s \
  CMD /usr/lib/trino/bin/health-check
```
I am not 100% sure what the "right" way to do this is, but just that pretty much anything from Red Hat seems to "just work" (thinking of things like Quarkus-related images, Keycloak, etc.), so maybe some better inspiration could be taken from some of those images?  But in theory I do not think it would be so many changes to make it so that trinodb/trino can play nicely out-of-the-box with many different container runtimes (Docker, Podman, vanilla Kubernetes, OpenShift, etc.?).
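An added example (not code from the issue or from the Trino project) that models the two checks behind the problem and the workaround described above: whether OpenShift's restricted SCC admits an explicit runAsUser given the namespace's UID-range annotation, and whether an arbitrary UID that is only a member of GID 0 can write a directory with a given owner, group and mode (which is what `chown root:root` plus `chmod g=u` changes). The namespace annotation value and UID used below are constructed, not taken from any real cluster.

```python
"""Model of the OpenShift UID-range admission check and of the POSIX write
check an arbitrary UID faces on the Trino data directory. Added example."""
import stat
from typing import Optional


def parse_uid_range(annotation: str) -> range:
    """Parse the 'START/SIZE' value of the openshift.io/sa.scc.uid-range annotation."""
    start_s, size_s = annotation.split("/")
    start, size = int(start_s), int(size_s)
    if size <= 0:
        raise ValueError("range size must be positive")
    return range(start, start + size)


def admits_run_as_user(annotation: str, run_as_user: Optional[int]) -> bool:
    """MustRunAsRange: an unset runAsUser is fine (OpenShift assigns one from the
    range); an explicit value must fall inside the namespace's range."""
    if run_as_user is None:
        return True
    return run_as_user in parse_uid_range(annotation)


def apply_g_eq_u(mode: int) -> int:
    """Effect of `chmod g=u`: copy the owner permission bits onto the group bits."""
    owner_bits = (mode & stat.S_IRWXU) >> 3
    return (mode & ~stat.S_IRWXG) | owner_bits


def writable_by(uid: int, gids: set, owner: int, group: int, mode: int) -> bool:
    """Plain POSIX rule: owner bits if uid matches, else group bits if the file's
    group is one of the process's groups, else 'other' bits. No root bypass is
    modelled because the container never runs as real UID 0 on OpenShift."""
    if uid == owner:
        return bool(mode & stat.S_IWUSR)
    if group in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def arbitrary_uid_can_write(owner: int, group: int, mode: int) -> bool:
    """An OpenShift-style arbitrary UID (constructed value): not the owner, GID 0 only."""
    return writable_by(uid=1000680001, gids={0}, owner=owner, group=group, mode=mode)


if __name__ == "__main__":
    ns = "1000680000/10000"  # constructed namespace annotation
    print("Helm chart runAsUser=1000 admitted:", admits_run_as_user(ns, 1000))   # False
    print("unset runAsUser admitted:", admits_run_as_user(ns, None))             # True
    # upstream image: /data/trino owned by trino:trino (1000:1000), mode 0755
    print("upstream data dir writable:", arbitrary_uid_can_write(1000, 1000, 0o755))  # False
    # reworked image: root:root plus chmod g=u, i.e. 0775
    print("reworked data dir writable:", arbitrary_uid_can_write(0, 0, apply_g_eq_u(0o755)))  # True
```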