[Docker Images] Default Pulsar docker images to run as a non-root user
Is your feature request related to a problem? Please describe.
Update the Pulsar docker images to run as a non root user by default.
Describe the solution you’d like
The right solution will meet the following requirements:
- Pulsar docker images run as a non root user by default.
- Pulsar docker images are able to run on OpenShift (a platform with stricter requirements than basic kubernetes)
- Mainly, we’ll need to make sure that the root group has sufficient permissions to write to all necessary directories/files.
- Additionally, someone mentioned to me that they had trouble writing to a persistent file after restarting a Pulsar docker image on OpenShift. We should make sure the solution includes the ability to restart pulsar components successfully.
- The Pulsar helm chart includes an easy way for end users to upgrade without any breaking changes.
- We will likely be able to make use of the kubernetes feature that will chown persistent volumes to the configured fsGroup. However, I’m uncertain how this works on OpenShift, so I will need to research this a bit more.
- The non root user and the root group only receive write permissions where necessary for each pulsar component to run.
Additionally, I think we should produce images that are minimal. Making minimal containers means that we won’t include debug tools in them. This will make it harder to debug, but more importantly, it increases the security of the container by removing possible attack vectors. Note that it is trivial for developers to extend our docker images to add any debug tool they would like to use. This prevents us from having to curate and maintain a list of extra tools in the docker image.
Test criteria
There are several important test cases to cover.
- Make sure we’re able to upgrade and downgrade pulsar components (mainly all of the ones utilizing persistent storage). Do this using the official Apache Pulsar helm chart.
- Test the image on OpenShift. I plan to use a local OpenShift cluster on my Mac, but perhaps someone would be able to validate our docker images on a real cluster.
- Be sure to include test cases for function workers. (They were one of the missed cases before that led https://github.com/apache/pulsar/pull/8796 to get reverted in https://github.com/apache/pulsar/pull/10861).
- Test the chown feature for volumes in kubernetes. Make sure that managed kubernetes offerings from the major cloud providers actually support this chown feature. (I mention it because I’m not sure if this is an add-on or a native feature within the kubelet.)
Please let me know if you have any additional test cases you’d like to see covered.
Communication
Communicate this change on the mailing list to ensure that the community has time to test the new docker images before we begin the release process.
Describe alternatives you’ve considered
The main alternative here is whether or not the docker image should contain debugging tools. Otherwise, I think the community has generally accepted this feature, as is.
Additional context
I plan to contribute this fix later this month.
Relevant PRs and Issues: https://github.com/apache/pulsar/pull/10861, https://github.com/apache/pulsar/issues/8751, https://github.com/apache/pulsar/pull/8242, https://github.com/apache/pulsar/pull/10815
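One way to verify the root-group requirement from the list above, as an added example that is not part of the original issue or the Pulsar project's code: the first function applies the ownership pattern OpenShift's arbitrary-UID model expects (group 0, group bits equal to owner bits) to a directory a component must write to, and the second audits a tree for paths that miss it. The function names and the optional GID argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the Pulsar repository). Function names are hypothetical.
# Convention checked: every path belongs to the target group (gid 0, the root
# group, by default) and the group holds every permission bit the owner holds.

# grant_root_group DIR [GID]: hand DIR to the group and copy owner bits to it.
# Call it only on directories a component really has to write to.
grant_root_group() {
    grg_dir=$1
    grg_gid=${2:-0}   # assumption: override only to try this out unprivileged
    chgrp -R "$grg_gid" "$grg_dir" && chmod -R g=u "$grg_dir"
}

# audit_root_group DIR [GID]: print each path that breaks the convention.
# Returns 0 when the tree is clean, 1 when at least one offender was printed.
audit_root_group() {
    arg_dir=$1
    arg_gid=${2:-0}
    # Symlinks are skipped: their own mode bits are not used for access checks.
    arg_bad=$(find "$arg_dir" ! -type l \( \
        ! -group "$arg_gid" \
        -o \( -perm -400 ! -perm -040 \) \
        -o \( -perm -200 ! -perm -020 \) \
        -o \( -perm -100 ! -perm -010 \) \
    \) -print)
    if [ -n "$arg_bad" ]; then
        printf '%s\n' "$arg_bad"
        return 1
    fi
    return 0
}
```

Running the audit as a build step or in CI against each writable directory catches a later `COPY` or `chmod` that silently narrows the group bits again.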
Top GitHub Comments
Awesome, that’s great news @michaeljmarshall. Yeah, we have our own mirror where we’ve done manual changes to the Dockerfile, but are excited to have a version coming where we won’t have to do that anymore. Thanks for your leadership on this!
The last requirement for completing non-root feature support is updating the helm chart. Here is the PR to make the non-root docker image fully supported in the Pulsar ecosystem: https://github.com/apache/pulsar-helm-chart/pull/266.