Add support for running Trino in OpenShift #29103
kouzant wants to merge 2 commits into trinodb:master from
Thank you for your pull request and welcome to the Trino community. We require contributors to sign our Contributor License Agreement, and we don't seem to have you on file. Continue to work with us on the review and improvements in this PR, and submit the signed CLA to cla@trino.io. Photos, scans, or digitally-signed PDF files are all suitable. Processing may take a few days. The CLA needs to be on file before we merge your changes. For more information, see https://github.com/trinodb/cla
Openshift assigns random UIDs to Pods so permissions cannot be based on hard-coded owner and group IDs. However, all containers in Openshift run as group 0. The suggested way is to make all files belong to group 0 and assign the same permissions for the Owner and Group. This way, other Kubernetes flavours work based on Owner permissions while Openshift would work based on Group permissions. Instead of fixing the permissions for each individual COPY, change the permissions at the end recursively. This adds a small layer but it is better from a maintenance point of view. Resolves issue trinodb#22281
In Openshift, containers run as a randomly assigned UID. That means there is no login username. Some applications or plugins might need the login username. For example, Hadoop UserGroupInformation.getLoginUser() would see a random UID instead of a username such as trino. This patch installs nss_wrapper, which uses LD_PRELOAD to fake the login user for the random UID. UserGroupInformation.getLoginUser() will always return trino regardless of the UID. The username is configurable with the environment variable TRINO_USER_NAME, which defaults to 'trino'.
960e0c9 to 28f5344
This change is a no-go from my perspective.
Hi @wendigo would you mind elaborating, what is a no-go? |
@kouzant introduces changes that are not testable as we don't have infrastructure to even validate whether this works and won't break in the future. Uses LD_PRELOAD which seems a security risk. Generally, you can build a docker image for openshift on the side given a proper infrastructure to test it.
@wendigo I understand your concern on the lack of testing infrastructure, however I believe project adoption will increase as more people are having issues running Trino on Openshift. As for
@kouzant non-testable code is problematic to support as it can break any time so there is no value in this change given the increased complexity of the docker file |
Description
Trino images do not currently work in Openshift. The core issue is that Openshift runs Pods/Containers as a random UID while the Trino image assumes user 'trino' has specific permissions on certain directories, for instance /data/trino.

This PR uses Openshift best practices to make files and directories owned by trino:0 and make the owner and group permissions the same.

Additionally, this patch installs nss_wrapper to fake the Unix login username so it will always appear as 'trino' from applications instead of the random UID.
Release notes
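
The ownership scheme this pull request describes (every file in group 0, group bits equal to owner bits, applied in one recursive pass), as an added shell example that is not code from the PR or from Trino. It assumes `stat -c` is available; the function names `audit_tree` and `fix_tree` and the sample tree are hypothetical.

```shell
#!/bin/sh
# Added example. Assumes `stat -c` (GNU coreutils or BusyBox); paths that
# contain newlines are not supported. Function names are hypothetical.

# audit_tree DIR [GID]: print every non-symlink path under DIR whose group is
# not GID (default 0) or whose group bits differ from its owner bits.
# Returns 1 if anything was printed, so it can gate an image build.
audit_tree() {
    find "$1" ! -type l -exec stat -c '%g %a %n' {} + |
    awk -v want="${2:-0}" '
    {
        gid = $1; mode = $2
        owner_bits = int(mode / 100) % 10   # %a is octal digits: 2755 -> 7
        group_bits = int(mode / 10) % 10    #                     2755 -> 5
        sub(/^[^ ]+ [^ ]+ /, "")            # keep only the path in $0
        if (gid != want || owner_bits != group_bits) {
            printf "gid=%s mode=%s %s\n", gid, mode, $0
            bad = 1
        }
    }
    END { exit bad + 0 }'
}

# fix_tree DIR [GID]: one recursive pass at the end of the build, instead of
# fixing permissions per COPY. g=u copies the owner rwx bits to the group.
fix_tree() {
    chgrp -R "${2:-0}" "$1" && chmod -R g=u "$1"
}

# Constructed demo: a throwaway tree standing in for /data/trino. An image
# build runs this as root with GID 0; the caller's own group is used here so
# the demo needs no privileges.
demo() {
    d=$(mktemp -d) && gid=$(id -g)
    mkdir -p "$d/var" && : > "$d/var/node.log"
    chmod 750 "$d/var" && chmod 640 "$d/var/node.log"
    echo "before fix:"; audit_tree "$d" "$gid"
    fix_tree "$d" "$gid"
    echo "after fix:"; audit_tree "$d" "$gid" && echo "  clean"
    rm -rf "$d"
}
demo
```

Running `audit_tree /data/trino` as the last build step and failing on a non-zero status catches a later COPY that reintroduces owner-only permissions.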