Entrypoint¶
If you are using the default entrypoint of the production image, there are a few actions that are automatically performed when the container starts. In some cases, you can pass environment variables to the image to trigger some of that behaviour.
The variables that control the “execution” behaviour start with _AIRFLOW
to distinguish them
from the variables used to build the image starting with AIRFLOW
.
Allowing arbitrary user to run the container¶
Airflow image is Open-Shift compatible, which means that you can start it with random user ID and the
group id 0
(root
). If you want to run the image with user different than Airflow, you MUST set
GID of the user to 0
. In case you try to use different group, the entrypoint exits with error.
OpenShift randomly assigns UID when it starts the container, but you can utilise this flexible UID
also in case of running the image manually. This might be useful for example in case you want to
mount dag
and logs
folders from host system on Linux, in which case the UID should be set
the same ID as your host user.
This can be achieved in various ways - you can change USER when you extend or customize the image or
you can dynamically pass the user to docker run
command, by adding --user
flag in one of
those formats (See Docker Run reference for details):
`
[ user | user:group | uid | uid:gid | user:gid | uid:group ]
`
In case of Docker Compose environment it can be changed via user:
entry in the docker-compose.yaml
.
See Docker compose reference
for details. In our Quickstart Guide using Docker-Compose, the UID can be passed via the
AIRFLOW_UID
variable as described in
Initializing docker compose environment.
The user can be any UID. In case UID is different than the default
airflow
(UID=50000), the user will be automatically created when entering the container.
In order to accommodate a number of external libraries and projects, Airflow will automatically create
such an arbitrary user in (/etc/passwd) and make its home directory point to /home/airflow
.
Many of 3rd-party libraries and packages require home directory of the user to be present, because they
need to write some cache information there, so such a dynamic creation of a user is necessary.
Such arbitrary user has to be able to write to certain directories that needs write access, and since
it is not advised to allow write access to “other” for security reasons, the OpenShift
guidelines introduced the concept of making all such folders have the 0
(root
) group id (GID).
All the directories that need write access in the Airflow production image have GID set to 0 (and
they are writable for the group). We are following that concept and all the directories that need
write access follow that.
The GID=0 is set as default for the airflow
user, so any directories it creates have GID set to 0
by default. The entrypoint sets umask
to be 0002
- this means that any directories created by
the user have also “group write” access for group 0
- they will be writable by other users with
root
group. Also whenever any “arbitrary” user creates a folder (for example in a mounted volume), that
folder will have a “group write” access and GID=0
, so that execution with another, arbitrary user
will still continue to work, even if such directory is mounted by another arbitrary user later.
The umask
setting, however, only works for runtime of the container - it is not used during building of
the image. If you would like to extend the image and add your own packages, you should remember to add
umask 0002
in front of your docker command - this way the directories created by any installation
that need group access will also be writable for the group. This can be done for example this way:
RUN umask 0002; \ do_something; \ do_otherthing;
You can read more about it in the “Support arbitrary user ids” chapter in the Openshift best practices.
Waits for Airflow DB connection¶
The entrypoint is waiting for a connection to the database independent of the database engine. This allows us to increase the stability of the environment.
Waiting for connection involves executing airflow db check
command, which means that a select 1 as is_alive;
statement
is executed. Then it loops until the command will be successful.
It tries CONNECTION_CHECK_MAX_COUNT
times and sleeps CONNECTION_CHECK_SLEEP_TIME
between checks
To disable check, set CONNECTION_CHECK_MAX_COUNT=0
.
Waits for Celery broker connection¶
In case CeleryExecutor is used, and one of the scheduler
, celery
commands are used the entrypoint will wait until the Celery broker DB connection is available.
The script detects backend type depending on the URL schema and assigns default port numbers if not specified
in the URL. Then it loops until connection to the host/port specified can be established
It tries CONNECTION_CHECK_MAX_COUNT
times and sleeps CONNECTION_CHECK_SLEEP_TIME
between checks.
To disable check, set CONNECTION_CHECK_MAX_COUNT=0
.
Supported schemes:
amqp(s)://
(rabbitmq) - default port 5672redis://
- default port 6379postgres://
- default port 5432mysql://
- default port 3306
Waiting for connection involves checking if a matching port is open. The host information is derived from the Airflow configuration.
Executing commands¶
If first argument equals to “bash” - you are dropped to a bash shell or you can executes bash command if you specify extra arguments. For example:
docker run -it apache/airflow:2.7.3-python3.8 bash -c "ls -la"
total 16
drwxr-xr-x 4 airflow root 4096 Jun 5 18:12 .
drwxr-xr-x 1 root root 4096 Jun 5 18:12 ..
drwxr-xr-x 2 airflow root 4096 Jun 5 18:12 dags
drwxr-xr-x 2 airflow root 4096 Jun 5 18:12 logs
If first argument is equal to python
- you are dropped in python shell or python commands are executed if
you pass extra parameters. For example:
> docker run -it apache/airflow:2.7.3-python3.8 python -c "print('test')"
test
If first argument equals to “airflow” - the rest of the arguments is treated as an airflow command to execute. Example:
docker run -it apache/airflow:2.7.3-python3.8 airflow webserver
If there are any other arguments - they are simply passed to the “airflow” command
> docker run -it apache/airflow:2.7.3-python3.8 help
usage: airflow [-h] GROUP_OR_COMMAND ...
positional arguments:
GROUP_OR_COMMAND
Groups:
celery Celery components
config View configuration
connections Manage connections
dags Manage DAGs
db Database operations
jobs Manage jobs
kubernetes Tools to help run the KubernetesExecutor
pools Manage pools
providers Display providers
roles Manage roles
tasks Manage tasks
users Manage users
variables Manage variables
Commands:
cheat-sheet Display cheat sheet
info Show information about current Airflow and environment
kerberos Start a Kerberos ticket renewer
plugins Dump information about loaded plugins
rotate-fernet-key
Rotate encrypted connection credentials and variables
scheduler Start a scheduler instance
sync-perm Update permissions for existing roles and optionally DAGs
version Show the version
webserver Start a Airflow webserver instance
optional arguments:
-h, --help show this help message and exit
Execute custom code before the Airflow entrypoint¶
If you want to execute some custom code before Airflow’s entrypoint you can by using
a custom script and calling Airflow’s entrypoint as the
last exec
instruction in your custom one. However, you have to remember to use dumb-init
in the same
way as it is used with Airflow’s entrypoint, otherwise you might have problems with proper signal
propagation (See the next chapter).
FROM airflow:2.7.1
COPY my_entrypoint.sh /
ENTRYPOINT ["/usr/bin/dumb-init", "--", "/my_entrypoint.sh"]
Your entrypoint might for example modify or add variables on the fly. For example the below entrypoint sets max count of DB checks from the first parameter passed as parameter of the image execution (A bit useless example but should give the reader an example of how you could use it).
#!/bin/bash
export CONNECTION_CHECK_MAX_COUNT=${1}
shift
exec /entrypoint "${@}"
Make sure Airflow’s entrypoint is run with exec /entrypoint "${@}"
as the last command in your
custom entrypoint. This way signals will be properly propagated and arguments will be passed
to the entrypoint as usual (you can use shift
as above if you need to pass some extra
arguments. Note that passing secret values this way or storing secrets inside the image is a bad
idea from security point of view - as both image and parameters to run the image with are accessible
to anyone who has access to logs of your Kubernetes or image registry.
Also be aware that code executed before Airflow’s entrypoint should not create any files or directories inside the container and everything might not work the same way when it is executed. Before Airflow entrypoint is executed, the following functionalities are not available:
umask is not set properly to allow
group
write accessuser is not yet created in
/etc/passwd
if an arbitrary user is used to run the imagethe database and brokers might not be available yet
Adding custom image behaviour¶
The Airflow image executes a lot of steps in the entrypoint, and sets the right environment, but you might want to run additional code after the entrypoint creates the user, sets the umask, sets variables and checks that database is running.
Rather than running regular commands - scheduler
, webserver
you can run custom script that
you can embed into the image. You can even execute the usual components of airflow -
scheduler
, webserver
in your custom script when you finish your custom setup.
Similarly to custom entrypoint, it can be added to the image by extending it.
FROM airflow:2.7.0
COPY my_after_entrypoint_script.sh /
Build your image and then you can run this script by running the command:
docker build . --pull --tag my-image:0.0.1
docker run -it my-image:0.0.1 bash -c "/my_after_entrypoint_script.sh"
Signal propagation¶
Airflow uses dumb-init
to run as “init” in the entrypoint. This is in order to propagate
signals and reap child processes properly. This means that the process that you run does not have
to install signal handlers to work properly and be killed when the container is gracefully terminated.
The behaviour of signal propagation is configured by DUMB_INIT_SETSID
variable which is set to
1
by default - meaning that the signals will be propagated to the whole process group, but you can
set it to 0
to enable single-child
behaviour of dumb-init
which only propagates the
signals to only single child process.
The table below summarizes DUMB_INIT_SETSID
possible values and their use cases.
Variable value |
Use case |
1 (default) |
Propagates signals to all processes in the process group of the main process running in the container. If you run your processes via |
0 |
Propagates signals to the main process only. This is useful if your main process handles signals gracefully.
A good example is warm shutdown of Celery workers. The For Airflow’s Celery worker, you should set the variable to 0
and either use |
Additional quick test options¶
The options below are mostly used for quick testing the image - for example with quick-start docker-compose or when you want to perform a local test with new packages added. They are not supposed to be run in the production environment as they add additional overhead for execution of additional commands. Those options in production should be realized either as maintenance operations on the database or should be embedded in the custom image used (when you want to add new packages).
Upgrading Airflow DB¶
If you set _AIRFLOW_DB_MIGRATE
variable to a non-empty value, the entrypoint will run
the airflow db migrate
command right after verifying the connection. You can also use this
when you are running airflow with internal SQLite database (default) to upgrade the db and create
admin users at entrypoint, so that you can start the webserver immediately. Note - using SQLite is
intended only for testing purpose, never use SQLite in production as it has severe limitations when it
comes to concurrency.
Creating admin user¶
The entrypoint can also create webserver user automatically when you enter it. you need to set
_AIRFLOW_WWW_USER_CREATE
to a non-empty value in order to do that. This is not intended for
production, it is only useful if you would like to run a quick test with the production image.
You need to pass at least password to create such user via _AIRFLOW_WWW_USER_PASSWORD
or
_AIRFLOW_WWW_USER_PASSWORD_CMD
similarly like for other *_CMD
variables, the content of
the *_CMD
will be evaluated as shell command and its output will be set as password.
User creation will fail if none of the PASSWORD
variables are set - there is no default for
password for security reasons.
Parameter |
Default |
Environment variable |
---|---|---|
username |
admin |
|
password |
|
|
firstname |
Airflow |
|
lastname |
Admin |
|
|
||
role |
Admin |
|
In case the password is specified, the user will be attempted to be created, but the entrypoint will not fail if the attempt fails (this accounts for the case that the user is already created).
You can, for example start the webserver in the production image with initializing the internal SQLite
database and creating an admin/admin
Admin user with the following command:
docker run -it -p 8080:8080 \
--env "_AIRFLOW_DB_MIGRATE=true" \
--env "_AIRFLOW_WWW_USER_CREATE=true" \
--env "_AIRFLOW_WWW_USER_PASSWORD=admin" \
apache/airflow:2.7.3-python3.8 webserver
docker run -it -p 8080:8080 \
--env "_AIRFLOW_DB_MIGRATE=true" \
--env "_AIRFLOW_WWW_USER_CREATE=true" \
--env "_AIRFLOW_WWW_USER_PASSWORD_CMD=echo admin" \
apache/airflow:2.7.3-python3.8 webserver
The commands above perform initialization of the SQLite database, create admin user with admin password
and Admin role. They also forward local port 8080
to the webserver port and finally start the webserver.
Installing additional requirements¶
Warning
Installing requirements this way is a very convenient method of running Airflow, very useful for testing and debugging. However, do not be tricked by its convenience. You should never, ever use it in production environment. We have deliberately chose to make it a development/test dependency and we print a warning, whenever it is used. There is an inherent security-related issue with using this method in production. Installing the requirements this way can happen at literally any time - when your containers get restarted, when your machines in K8S cluster get restarted. In a K8S Cluster those events can happen literally any time. This opens you up to a serious vulnerability where your production environment might be brought down by a single dependency being removed from PyPI - or even dependency of your dependency. This means that you put your production service availability in hands of 3rd-party developers. At any time, any moment including weekends and holidays those 3rd party developers might bring your production Airflow instance down, without you even knowing it. This is a serious vulnerability that is similar to the infamous leftpad problem. You can fully protect against this case by building your own, immutable custom image, where the dependencies are baked in. You have been warned.
Installing additional requirements can be done by specifying _PIP_ADDITIONAL_REQUIREMENTS
variable.
The variable should contain a list of requirements that should be installed additionally when entering
the containers. Note that this option slows down starting of Airflow as every time any container starts
it must install new packages and it opens up huge potential security vulnerability when used in production
(see below). Therefore this option should only be used for testing. When testing is finished,
you should create your custom image with dependencies baked in.
Example:
docker run -it -p 8080:8080 \
--env "_PIP_ADDITIONAL_REQUIREMENTS=lxml==4.6.3 charset-normalizer==1.4.1" \
--env "_AIRFLOW_DB_MIGRATE=true" \
--env "_AIRFLOW_WWW_USER_CREATE=true" \
--env "_AIRFLOW_WWW_USER_PASSWORD_CMD=echo admin" \
apache/airflow:2.7.3-python3.8 webserver
This method is only available starting from Docker image of Airflow 2.1.1 and above.