FLINK-37881: Drop gosu in favour of Dockerfile USER

avi-sanwal · asanwal · commit 78ac6bb24d2e · 2025-06-02T09:52:56.000+05:30
diff --git a/1.20/scala_2.12-java11-ubuntu/Dockerfile b/1.20/scala_2.12-java11-ubuntu/Dockerfile
@@ -24,25 +24,6 @@ RUN set -ex; \
   apt-get -y install gpg libsnappy1v5 gettext-base libjemalloc-dev; \
   rm -rf /var/lib/apt/lists/*
 
-# Grab gosu for easy step-down from root
-ENV GOSU_VERSION 1.11
-RUN set -ex; \
-  wget -nv -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)"; \
-  wget -nv -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc"; \
-  export GNUPGHOME="$(mktemp -d)"; \
-  for server in ha.pool.sks-keyservers.net $(shuf -e \
-                          hkp://p80.pool.sks-keyservers.net:80 \
-                          keyserver.ubuntu.com \
-                          hkp://keyserver.ubuntu.com:80 \
-                          pgp.mit.edu) ; do \
-      gpg --batch --keyserver "$server" --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \
-  done && \
-  gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
-  gpgconf --kill all; \
-  rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
-  chmod +x /usr/local/bin/gosu; \
-  gosu nobody true
-
 # Configure Flink version
 ENV FLINK_TGZ_URL=https://dlcdn.apache.org/flink/flink-1.20.1/flink-1.20.1-bin-scala_2.12.tgz \
     FLINK_ASC_URL=https://downloads.apache.org/flink/flink-1.20.1/flink-1.20.1-bin-scala_2.12.tgz.asc \
@@ -99,6 +80,7 @@ RUN set -ex; \
   fi;
 
 # Configure container
+USER flink
 COPY docker-entrypoint.sh /
 ENTRYPOINT ["/docker-entrypoint.sh"]
 EXPOSE 6123 8081
diff --git a/1.20/scala_2.12-java11-ubuntu/docker-entrypoint.sh b/1.20/scala_2.12-java11-ubuntu/docker-entrypoint.sh
@@ -25,16 +25,9 @@ COMMAND_HISTORY_SERVER="history-server"
 JOB_MANAGER_RPC_ADDRESS=${JOB_MANAGER_RPC_ADDRESS:-$(hostname -f)}
 CONF_FILE_DIR="${FLINK_HOME}/conf"
 
-drop_privs_cmd() {
-    if [ $(id -u) != 0 ]; then
-        # Don't need to drop privs if EUID != 0
-        return
-    elif [ -x /sbin/su-exec ]; then
-        # Alpine
-        echo su-exec flink
-    else
-        # Others
-        echo gosu flink
+check_priv_user() {
+    if [ $(id -u) == 0 ]; then
+        echo "WARNING: Running as root user is not recommended. Please use a non-root user to run Flink."
     fi
 }
 
@@ -146,6 +139,8 @@ maybe_enable_jemalloc() {
     fi
 }
 
+check_priv_user
+
 maybe_enable_jemalloc
 
 copy_plugins_if_required
@@ -163,28 +158,28 @@ elif [ "$1" = "jobmanager" ]; then
 
     echo "Starting Job Manager"
 
-    exec $(drop_privs_cmd) "$FLINK_HOME/bin/jobmanager.sh" start-foreground "${args[@]}"
+    exec "$FLINK_HOME/bin/jobmanager.sh" start-foreground "${args[@]}"
 elif [ "$1" = ${COMMAND_STANDALONE} ]; then
     args=("${args[@]:1}")
 
     echo "Starting Job Manager"
 
-    exec $(drop_privs_cmd) "$FLINK_HOME/bin/standalone-job.sh" start-foreground "${args[@]}"
+    exec "$FLINK_HOME/bin/standalone-job.sh" start-foreground "${args[@]}"
 elif [ "$1" = ${COMMAND_HISTORY_SERVER} ]; then
     args=("${args[@]:1}")
 
     echo "Starting History Server"
 
-    exec $(drop_privs_cmd) "$FLINK_HOME/bin/historyserver.sh" start-foreground "${args[@]}"
+    exec "$FLINK_HOME/bin/historyserver.sh" start-foreground "${args[@]}"
 elif [ "$1" = "taskmanager" ]; then
     args=("${args[@]:1}")
 
     echo "Starting Task Manager"
 
-    exec $(drop_privs_cmd) "$FLINK_HOME/bin/taskmanager.sh" start-foreground "${args[@]}"
+    exec "$FLINK_HOME/bin/taskmanager.sh" start-foreground "${args[@]}"
 fi
 
 args=("${args[@]}")
 
 # Running command in pass-through mode
-exec $(drop_privs_cmd) "${args[@]}"
+exec "${args[@]}"
diff --git a/1.20/scala_2.12-java17-ubuntu/Dockerfile b/1.20/scala_2.12-java17-ubuntu/Dockerfile
@@ -24,25 +24,6 @@ RUN set -ex; \
   apt-get -y install gpg libsnappy1v5 gettext-base libjemalloc-dev; \
   rm -rf /var/lib/apt/lists/*
 
-# Grab gosu for easy step-down from root
-ENV GOSU_VERSION 1.11
-RUN set -ex; \
-  wget -nv -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)"; \
-  wget -nv -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc"; \
-  export GNUPGHOME="$(mktemp -d)"; \
-  for server in ha.pool.sks-keyservers.net $(shuf -e \
-                          hkp://p80.pool.sks-keyservers.net:80 \
-                          keyserver.ubuntu.com \
-                          hkp://keyserver.ubuntu.com:80 \
-                          pgp.mit.edu) ; do \
-      gpg --batch --keyserver "$server" --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \
-  done && \
-  gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
-  gpgconf --kill all; \
-  rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
-  chmod +x /usr/local/bin/gosu; \
-  gosu nobody true
-
 # Configure Flink version
 ENV FLINK_TGZ_URL=https://dlcdn.apache.org/flink/flink-1.20.1/flink-1.20.1-bin-scala_2.12.tgz \
     FLINK_ASC_URL=https://downloads.apache.org/flink/flink-1.20.1/flink-1.20.1-bin-scala_2.12.tgz.asc \
@@ -99,6 +80,7 @@ RUN set -ex; \
   fi;
 
 # Configure container
+USER flink
 COPY docker-entrypoint.sh /
 ENTRYPOINT ["/docker-entrypoint.sh"]
 EXPOSE 6123 8081
diff --git a/1.20/scala_2.12-java17-ubuntu/docker-entrypoint.sh b/1.20/scala_2.12-java17-ubuntu/docker-entrypoint.sh
@@ -25,16 +25,9 @@ COMMAND_HISTORY_SERVER="history-server"
 JOB_MANAGER_RPC_ADDRESS=${JOB_MANAGER_RPC_ADDRESS:-$(hostname -f)}
 CONF_FILE_DIR="${FLINK_HOME}/conf"
 
-drop_privs_cmd() {
-    if [ $(id -u) != 0 ]; then
-        # Don't need to drop privs if EUID != 0
-        return
-    elif [ -x /sbin/su-exec ]; then
-        # Alpine
-        echo su-exec flink
-    else
-        # Others
-        echo gosu flink
+check_priv_user() {
+    if [ $(id -u) == 0 ]; then
+        echo "WARNING: Running as root user is not recommended. Please use a non-root user to run Flink."
     fi
 }
 
@@ -146,6 +139,8 @@ maybe_enable_jemalloc() {
     fi
 }
 
+check_priv_user
+
 maybe_enable_jemalloc
 
 copy_plugins_if_required
@@ -163,28 +158,28 @@ elif [ "$1" = "jobmanager" ]; then
 
     echo "Starting Job Manager"
 
-    exec $(drop_privs_cmd) "$FLINK_HOME/bin/jobmanager.sh" start-foreground "${args[@]}"
+    exec "$FLINK_HOME/bin/jobmanager.sh" start-foreground "${args[@]}"
 elif [ "$1" = ${COMMAND_STANDALONE} ]; then
     args=("${args[@]:1}")
 
     echo "Starting Job Manager"
 
-    exec $(drop_privs_cmd) "$FLINK_HOME/bin/standalone-job.sh" start-foreground "${args[@]}"
+    exec "$FLINK_HOME/bin/standalone-job.sh" start-foreground "${args[@]}"
 elif [ "$1" = ${COMMAND_HISTORY_SERVER} ]; then
     args=("${args[@]:1}")
 
     echo "Starting History Server"
 
-    exec $(drop_privs_cmd) "$FLINK_HOME/bin/historyserver.sh" start-foreground "${args[@]}"
+    exec "$FLINK_HOME/bin/historyserver.sh" start-foreground "${args[@]}"
 elif [ "$1" = "taskmanager" ]; then
     args=("${args[@]:1}")
 
     echo "Starting Task Manager"
 
-    exec $(drop_privs_cmd) "$FLINK_HOME/bin/taskmanager.sh" start-foreground "${args[@]}"
+    exec "$FLINK_HOME/bin/taskmanager.sh" start-foreground "${args[@]}"
 fi
 
 args=("${args[@]}")
 
 # Running command in pass-through mode
-exec $(drop_privs_cmd) "${args[@]}"
+exec "${args[@]}"
diff --git a/1.20/scala_2.12-java8-ubuntu/Dockerfile b/1.20/scala_2.12-java8-ubuntu/Dockerfile
@@ -24,25 +24,6 @@ RUN set -ex; \
   apt-get -y install gpg libsnappy1v5 gettext-base libjemalloc-dev; \
   rm -rf /var/lib/apt/lists/*
 
-# Grab gosu for easy step-down from root
-ENV GOSU_VERSION 1.11
-RUN set -ex; \
-  wget -nv -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)"; \
-  wget -nv -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc"; \
-  export GNUPGHOME="$(mktemp -d)"; \
-  for server in ha.pool.sks-keyservers.net $(shuf -e \
-                          hkp://p80.pool.sks-keyservers.net:80 \
-                          keyserver.ubuntu.com \
-                          hkp://keyserver.ubuntu.com:80 \
-                          pgp.mit.edu) ; do \
-      gpg --batch --keyserver "$server" --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \
-  done && \
-  gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
-  gpgconf --kill all; \
-  rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
-  chmod +x /usr/local/bin/gosu; \
-  gosu nobody true
-
 # Configure Flink version
 ENV FLINK_TGZ_URL=https://dlcdn.apache.org/flink/flink-1.20.1/flink-1.20.1-bin-scala_2.12.tgz \
     FLINK_ASC_URL=https://downloads.apache.org/flink/flink-1.20.1/flink-1.20.1-bin-scala_2.12.tgz.asc \
@@ -99,6 +80,7 @@ RUN set -ex; \
   fi;
 
 # Configure container
+USER flink
 COPY docker-entrypoint.sh /
 ENTRYPOINT ["/docker-entrypoint.sh"]
 EXPOSE 6123 8081
diff --git a/1.20/scala_2.12-java8-ubuntu/docker-entrypoint.sh b/1.20/scala_2.12-java8-ubuntu/docker-entrypoint.sh
@@ -25,16 +25,9 @@ COMMAND_HISTORY_SERVER="history-server"
 JOB_MANAGER_RPC_ADDRESS=${JOB_MANAGER_RPC_ADDRESS:-$(hostname -f)}
 CONF_FILE_DIR="${FLINK_HOME}/conf"
 
-drop_privs_cmd() {
-    if [ $(id -u) != 0 ]; then
-        # Don't need to drop privs if EUID != 0
-        return
-    elif [ -x /sbin/su-exec ]; then
-        # Alpine
-        echo su-exec flink
-    else
-        # Others
-        echo gosu flink
+check_priv_user() {
+    if [ $(id -u) == 0 ]; then
+        echo "WARNING: Running as root user is not recommended. Please use a non-root user to run Flink."
     fi
 }
 
@@ -146,6 +139,8 @@ maybe_enable_jemalloc() {
     fi
 }
 
+check_priv_user
+
 maybe_enable_jemalloc
 
 copy_plugins_if_required
@@ -163,28 +158,28 @@ elif [ "$1" = "jobmanager" ]; then
 
     echo "Starting Job Manager"
 
-    exec $(drop_privs_cmd) "$FLINK_HOME/bin/jobmanager.sh" start-foreground "${args[@]}"
+    exec "$FLINK_HOME/bin/jobmanager.sh" start-foreground "${args[@]}"
 elif [ "$1" = ${COMMAND_STANDALONE} ]; then
     args=("${args[@]:1}")
 
     echo "Starting Job Manager"
 
-    exec $(drop_privs_cmd) "$FLINK_HOME/bin/standalone-job.sh" start-foreground "${args[@]}"
+    exec "$FLINK_HOME/bin/standalone-job.sh" start-foreground "${args[@]}"
 elif [ "$1" = ${COMMAND_HISTORY_SERVER} ]; then
     args=("${args[@]:1}")
 
     echo "Starting History Server"
 
-    exec $(drop_privs_cmd) "$FLINK_HOME/bin/historyserver.sh" start-foreground "${args[@]}"
+    exec "$FLINK_HOME/bin/historyserver.sh" start-foreground "${args[@]}"
 elif [ "$1" = "taskmanager" ]; then
     args=("${args[@]:1}")
 
     echo "Starting Task Manager"
 
-    exec $(drop_privs_cmd) "$FLINK_HOME/bin/taskmanager.sh" start-foreground "${args[@]}"
+    exec "$FLINK_HOME/bin/taskmanager.sh" start-foreground "${args[@]}"
 fi
 
 args=("${args[@]}")
 
 # Running command in pass-through mode
-exec $(drop_privs_cmd) "${args[@]}"
+exec "${args[@]}"
diff --git a/2.0/scala_2.12-java11-ubuntu/Dockerfile b/2.0/scala_2.12-java11-ubuntu/Dockerfile
@@ -24,25 +24,6 @@ RUN set -ex; \
   apt-get -y install gpg libsnappy1v5 gettext-base libjemalloc-dev; \
   rm -rf /var/lib/apt/lists/*
 
-# Grab gosu for easy step-down from root
-ENV GOSU_VERSION 1.11
-RUN set -ex; \
-  wget -nv -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)"; \
-  wget -nv -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc"; \
-  export GNUPGHOME="$(mktemp -d)"; \
-  for server in ha.pool.sks-keyservers.net $(shuf -e \
-                          hkp://p80.pool.sks-keyservers.net:80 \
-                          keyserver.ubuntu.com \
-                          hkp://keyserver.ubuntu.com:80 \
-                          pgp.mit.edu) ; do \
-      gpg --batch --keyserver "$server" --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \
-  done && \
-  gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
-  gpgconf --kill all; \
-  rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
-  chmod +x /usr/local/bin/gosu; \
-  gosu nobody true
-
 # Configure Flink version
 ENV FLINK_TGZ_URL=https://dlcdn.apache.org/flink/flink-2.0.0/flink-2.0.0-bin-scala_2.12.tgz \
     FLINK_ASC_URL=https://downloads.apache.org/flink/flink-2.0.0/flink-2.0.0-bin-scala_2.12.tgz.asc \
@@ -90,6 +71,7 @@ RUN set -ex; \
     "-rmKV" "taskmanager.host=localhost";
 
 # Configure container
+USER flink
 COPY docker-entrypoint.sh /
 ENTRYPOINT ["/docker-entrypoint.sh"]
 EXPOSE 6123 8081
diff --git a/2.0/scala_2.12-java11-ubuntu/docker-entrypoint.sh b/2.0/scala_2.12-java11-ubuntu/docker-entrypoint.sh
@@ -25,16 +25,9 @@ COMMAND_HISTORY_SERVER="history-server"
 JOB_MANAGER_RPC_ADDRESS=${JOB_MANAGER_RPC_ADDRESS:-$(hostname -f)}
 CONF_FILE_DIR="${FLINK_HOME}/conf"
 
-drop_privs_cmd() {
-    if [ $(id -u) != 0 ]; then
-        # Don't need to drop privs if EUID != 0
-        return
-    elif [ -x /sbin/su-exec ]; then
-        # Alpine
-        echo su-exec flink
-    else
-        # Others
-        echo gosu flink
+check_priv_user() {
+    if [ $(id -u) == 0 ]; then
+        echo "WARNING: Running as root user is not recommended. Please use a non-root user to run Flink."
     fi
 }
 
@@ -146,6 +139,8 @@ maybe_enable_jemalloc() {
     fi
 }
 
+check_priv_user
+
 maybe_enable_jemalloc
 
 copy_plugins_if_required
@@ -163,28 +158,28 @@ elif [ "$1" = "jobmanager" ]; then
 
     echo "Starting Job Manager"
 
-    exec $(drop_privs_cmd) "$FLINK_HOME/bin/jobmanager.sh" start-foreground "${args[@]}"
+    exec "$FLINK_HOME/bin/jobmanager.sh" start-foreground "${args[@]}"
 elif [ "$1" = ${COMMAND_STANDALONE} ]; then
     args=("${args[@]:1}")
 
     echo "Starting Job Manager"
 
-    exec $(drop_privs_cmd) "$FLINK_HOME/bin/standalone-job.sh" start-foreground "${args[@]}"
+    exec "$FLINK_HOME/bin/standalone-job.sh" start-foreground "${args[@]}"
 elif [ "$1" = ${COMMAND_HISTORY_SERVER} ]; then
     args=("${args[@]:1}")
 
     echo "Starting History Server"
 
-    exec $(drop_privs_cmd) "$FLINK_HOME/bin/historyserver.sh" start-foreground "${args[@]}"
+    exec "$FLINK_HOME/bin/historyserver.sh" start-foreground "${args[@]}"
 elif [ "$1" = "taskmanager" ]; then
     args=("${args[@]:1}")
 
     echo "Starting Task Manager"
 
-    exec $(drop_privs_cmd) "$FLINK_HOME/bin/taskmanager.sh" start-foreground "${args[@]}"
+    exec "$FLINK_HOME/bin/taskmanager.sh" start-foreground "${args[@]}"
 fi
 
 args=("${args[@]}")
 
 # Running command in pass-through mode
-exec $(drop_privs_cmd) "${args[@]}"
+exec "${args[@]}"
diff --git a/2.0/scala_2.12-java17-ubuntu/Dockerfile b/2.0/scala_2.12-java17-ubuntu/Dockerfile
diff --git a/2.0/scala_2.12-java17-ubuntu/docker-entrypoint.sh b/2.0/scala_2.12-java17-ubuntu/docker-entrypoint.sh
diff --git a/2.0/scala_2.12-java21-ubuntu/Dockerfile b/2.0/scala_2.12-java21-ubuntu/Dockerfile
diff --git a/2.0/scala_2.12-java21-ubuntu/docker-entrypoint.sh b/2.0/scala_2.12-java21-ubuntu/docker-entrypoint.sh
