This is an automated email from the ASF dual-hosted git repository.

yong pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/master by this push:
     new f25b082125e [improve][sec] Add group pulsar and add user pulsar to it 
instead of root (#21084)
f25b082125e is described below

commit f25b082125ed35a0c19ee8288910aa68c346d181
Author: Lishen Yao <[email protected]>
AuthorDate: Thu Dec 7 17:12:55 2023 +0800

    [improve][sec] Add group pulsar and add user pulsar to it instead of root 
(#21084)
    
    ### Motivation
    
    Currently, the user pulsar is in the root group; it would be safer to use 
a non-root group instead.
    
    ### Modifications
    
    - Add group pulsar (GID 10000)
    - Add user pulsar (UID 10000) to group pulsar
---
 docker/pulsar/Dockerfile                            | 9 +++++++--
 tests/docker-images/java-test-image/Dockerfile      | 6 +++---
 tests/docker-images/latest-version-image/Dockerfile | 4 ----
 3 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/docker/pulsar/Dockerfile b/docker/pulsar/Dockerfile
index 2bd6d402f76..77b4b380ed1 100644
--- a/docker/pulsar/Dockerfile
+++ b/docker/pulsar/Dockerfile
@@ -95,7 +95,12 @@ RUN mkdir /pulsar && chmod g+w /pulsar
 
 ENV PULSAR_ROOT_LOGGER=INFO,CONSOLE
 
-COPY --from=pulsar /pulsar /pulsar
+RUN groupadd -g 10000 pulsar && \
+    useradd -r -u 10000 -g pulsar pulsar
+
+COPY --from=pulsar --chown=10000:10000 /pulsar /pulsar
+RUN chown pulsar:pulsar /pulsar
+
 WORKDIR /pulsar
 
 ARG PULSAR_CLIENT_PYTHON_VERSION
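Review bot: Ownership of /pulsar now goes to 10000:10000 on the `COPY --chown=10000:10000` and `RUN chown pulsar:pulsar /pulsar` lines, which ties write access to that exact UID/GID pair. The `chmod g+w /pulsar` in the hunk header and the removed `chown -R pulsar:0 /pulsar && chmod -R g=u /pulsar` in the java-test-image hunk suggest the old layout granted access through group 0. If so, a container started under a different UID with GID 0 (a platform-assigned UID, or `--user`) probably can no longer write under /pulsar. If that is intended, state it in the upgrade notes and tell operators to run with GID or fsGroup 10000; the `chown -R pulsar:pulsar /pulsar` hunk in tests/docker-images/java-test-image/Dockerfile has the same effect. The second chown also deserves a comment; presumably it is there because `COPY --chown` leaves the owner of the already existing /pulsar directory unchanged.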
@@ -106,4 +111,4 @@ RUN chmod +x /pulsar/bin/install-pulsar-client.sh
 RUN /pulsar/bin/install-pulsar-client.sh
 
 # The UID must be non-zero. Otherwise, it is arbitrary. No logic should rely 
on its specific value.
-USER 10000
+USER 10000:10000
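Review bot: The context comment above `USER 10000:10000` still says the UID is arbitrary and that no logic should rely on its value, but this commit makes 10000:10000 the owner of /pulsar in the same file, so the image now does rely on it. The comment should change with the code, for example `# Must match the pulsar user and group (10000:10000) that own /pulsar; the UID must be non-zero.`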
diff --git a/tests/docker-images/java-test-image/Dockerfile 
b/tests/docker-images/java-test-image/Dockerfile
index 6a9c7d10331..c17b5a90d09 100644
--- a/tests/docker-images/java-test-image/Dockerfile
+++ b/tests/docker-images/java-test-image/Dockerfile
@@ -19,8 +19,8 @@
 
 FROM ubuntu:22.04
 
-RUN groupadd -g 10001 pulsar
-RUN adduser -u 10000 --gid 10001 --disabled-login --disabled-password --gecos 
'' pulsar
+RUN groupadd -g 10000 pulsar && \
+    useradd -r -u 10000 -g pulsar pulsar
 
 ARG PULSAR_TARBALL=target/pulsar-server-distribution-bin.tar.gz
 ADD ${PULSAR_TARBALL} /
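Review bot: `useradd -r` does not create a home directory, whereas the removed `adduser` call did, so the pulsar account's passwd entry will likely name a home path that does not exist. Anything in the test image that writes under `$HOME` as this user would start failing; the hunk does not show whether any test does. Make the intent explicit: point the home at an existing directory with `useradd -r -d /pulsar -u 10000 -g pulsar pulsar`, or add `-m` if a real home is wanted. The same command is added in docker/pulsar/Dockerfile, where no account existed before.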
@@ -76,7 +76,7 @@ COPY target/java-test-functions.jar /pulsar/examples/
 
 ENV PULSAR_ROOT_LOGGER=INFO,CONSOLE
 
-RUN chown -R pulsar:0 /pulsar && chmod -R g=u /pulsar
+RUN chown -R pulsar:pulsar /pulsar
 
 # cleanup
 RUN apt-get -y --purge autoremove \
diff --git a/tests/docker-images/latest-version-image/Dockerfile 
b/tests/docker-images/latest-version-image/Dockerfile
index 99672773dcb..602f917700b 100644
--- a/tests/docker-images/latest-version-image/Dockerfile
+++ b/tests/docker-images/latest-version-image/Dockerfile
@@ -40,10 +40,6 @@ FROM apachepulsar/pulsar:latest
 # However, any processes exec'ing into the containers will run as root, by 
default.
 USER root
 
-# We need to define the user in order for supervisord to work correctly
-# We don't need a user defined in the public docker image, though.
-RUN adduser -u 10000 --gid 0 --disabled-login --disabled-password --gecos '' 
pulsar
-
 RUN rm -rf /var/lib/apt/lists/* && apt update
 
 RUN apt-get clean && apt-get update && apt-get install -y supervisor vim 
procps curl
