search

langflow-ai / langflow

Langflow is a low-code app builder for RAG and multi-agent AI applications. It’s Python-based and agnostic to any model, API, or database.
http://www.langflow.org
MIT License
32.09k stars 3.95k forks source link

Alembic logging to insecure location #4235

Open devinbost opened 2 hours ago

devinbost commented 2 hours ago

Bug Description

Alembic is logging to /app/.venv/lib/python3.12/site-packages/langflow/alembic/alembic.log

In a secure environment, the site-packages directory should be read-only.

When starting in such an environment, I get the following stack trace:

% kubectl logs pod/langflow-0
LF_CHART_EXTERNALDB_DRIVER is set, using external database at langflow-ide-postgresql-service
Starting Langflow v1.0.18...
[10/22/24 10:56:01] ERROR    2024-10-22 10:56:01 - ERROR    - utils utils.py:127
                             - [Errno 30] Read-only file system:
                             '/app/.venv/lib/python3.12/site-packag
                             es/langflow/alembic/alembic.log'
                    ERROR    2024-10-22 10:56:01 - ERROR    - main - main.py:101
                             [Errno 30] Read-only file system:
                             '/app/.venv/lib/python3.12/site-package
                             s/langflow/alembic/alembic.log'
                    ERROR    2024-10-22 10:56:01 - ERROR    -   __init__.py:1762
                             __init__ - Traceback (most recent
                             call last):
                               File
                             "/app/.venv/lib/python3.12/site-pa
                             ckages/starlette/routing.py", line
                             732, in lifespan
                                 async with
                             self.lifespan_context(app) as
                             maybe_state:
                               File
                             "/usr/local/lib/python3.12/context
                             lib.py", line 210, in __aenter__
                                 return await anext(self.gen)
                                        ^^^^^^^^^^^^^^^^^^^^^
                               File
                             "/app/.venv/lib/python3.12/site-pa
                             ckages/langflow/main.py", line 91,
                             in lifespan
                                 initialize_services(fix_migrat
                             ion=fix_migration,
                             socketio_server=socketio_server)
                               File
                             "/app/.venv/lib/python3.12/site-pa
                             ckages/langflow/services/utils.py"
                             , line 168, in initialize_services
                                 raise exc
                               File
                             "/app/.venv/lib/python3.12/site-pa
                             ckages/langflow/services/utils.py"
                             , line 166, in initialize_services
                                 initialize_database(fix_migrat
                             ion=fix_migration)
                               File
                             "/app/.venv/lib/python3.12/site-pa
                             ckages/langflow/services/database/
                             utils.py", line 128, in
                             initialize_database
                                 raise exc
                               File
                             "/app/.venv/lib/python3.12/site-pa
                             ckages/langflow/services/database/
                             utils.py", line 108, in
                             initialize_database
                                 database_service.run_migration
                             s(fix=fix_migration)
                               File
                             "/app/.venv/lib/python3.12/site-pa
                             ckages/langflow/services/database/
                             service.py", line 176, in
                             run_migrations
                                 with open(self.script_location
                             / "alembic.log", "w") as buffer:
                                      ^^^^^^^^^^^^^^^^^^^^^^^^^
                             ^^^^^^^^^^^^^^^^^^^^^^
                             OSError: [Errno 30] Read-only file
                             system:
                             '/app/.venv/lib/python3.12/site-pa
                             ckages/langflow/alembic/alembic.lo
                             g'

                    ERROR    2024-10-22 10:56:01 - ERROR    -   __init__.py:1762
                             __init__ - Application startup
                             failed. Exiting.
[10/22/24 10:56:02] ERROR    2024-10-22 10:56:02 - ERROR    -   __init__.py:1762
                             __init__ - Worker (pid:32) exited
                             with code 3
                    ERROR    2024-10-22 10:56:02 - ERROR    -   __init__.py:1762
                             __init__ - Shutting down: Master
                    ERROR    2024-10-22 10:56:02 - ERROR    -   __init__.py:1762
                             __init__ - Reason: Worker failed
                             to boot.

Reproduction

Deploy LangFlow into an OpenShift environment where the securityContext includes readOnlyRootFilesystem: true and runAsNonRoot: true. More complete example available here: https://github.com/langflow-ai/langflow-helm-charts/pull/15/files

Expected behavior

It should be possible to set this log path via an environment variable. If at least it was a directory instead of a file, I could use a bind-mount to override it, but when I bind-mount /app/.venv/lib/python3.12/site-pa ckages/langflow/alembic/, it breaks the library since other files are present in that directory. Not sure how to proceed. I'm hoping this is something we can fix in our implementation, rather than needing the upstream repo to change, since this is blocking deployment for a customer.

Who can help?

No response

Operating System

OpenShift 4.14

Langflow Version

1.0.18

Python Version

3.10

Screenshot

No response

Flow File

No response

dosubot[bot] commented 2 hours ago

To address the issue of Alembic logging to a read-only location, you can modify the logging configuration to allow the log path to be set via an environment variable. This would enable you to redirect logs to a writable location without needing to modify the upstream repository.

Here's a potential approach to implement this:

  1. Modify the Alembic Configuration: Update the Alembic configuration to use an environment variable for the log file path. You can do this by editing the alembic.ini file to include a section that reads the log path from an environment variable.

  2. Set the Environment Variable: In your deployment configuration (e.g., Kubernetes or OpenShift), set the environment variable to point to a writable directory. This could be a directory outside the read-only filesystem, such as a mounted volume.

  3. Update the Code: If necessary, update the code where the Alembic logging is configured to check for the environment variable and use it to set the log file path.

This approach allows you to configure the log path dynamically based on your deployment environment, avoiding the need to write to a read-only filesystem. If you need further customization, you might consider reviewing the changes proposed in the GitHub pull request for additional ideas on handling logging in a read-only environment.

To continue talking to Dosu, mention @dosu.

devinbost commented 1 hour ago

When I bind-mount the entire alembic directory, I unsurprisingly get this error:

[10/22/24 12:07:46] ERROR    2024-10-22 12:07:46 - ERROR    -     service.py:196
                             service - Error initializing
                             alembic: Can't find Python file
                             /app/.venv/lib/python3.12/site-packa
                             ges/langflow/alembic/env.py