michaeljmarshall opened a new pull request #8796:
URL: https://github.com/apache/pulsar/pull/8796
<!--
### Contribution Checklist
- Name the pull request in the form "[Issue XYZ][component] Title of the
pull request", where *XYZ* should be replaced by the actual issue number.
Skip *Issue XYZ* if there is no associated github issue for this pull
request.
Skip *component* if you are unsure about which is the best component.
E.g. `[docs] Fix typo in produce method`.
- Fill out the template below to describe the changes contributed by the
pull request. That will give reviewers the context they need to do the review.
- Each pull request should address only one issue, not mix up code from
multiple issues.
- Each commit in the pull request has a meaningful commit message
- Once all items of the checklist are addressed, remove the above text and
this checklist, leaving only the filled out template below.
**(The sections below can be removed for hotfixes of typos)**
-->
Fixes #8751
### Motivation
Pulsar does not need to run as the root user. This PR updates the pulsar and
the pulsar dashboard images to make them run as a new `pulsar` user (user
1000). This change increases the security of pulsar images.
### Modifications
Update two `Dockerfile`s to create a pulsar user, chown the appropriate
directories, and then use that user by default.
### Verifying this change
- [ ] Make sure that the change passes the CI checks.
I manually verified that the docker images run with the correct user and
file permissions. As this is my first commit, I'm not familiar with pulsar
testing. Are there tests that run against the produced docker images? If so,
then there is likely no further testing needed.
### Does this pull request potentially affect one of the following parts:
*If `yes` was chosen, please highlight the changes*
- Dependencies (does it add or upgrade a dependency): no
- The public API: no
- The schema: no
- The default values of configurations: no
- The wire protocol: no
- The rest endpoints: no
- The admin cli options: no
- Anything that affects deployment: yes
In order to deploy this new docker container, users will need to update
the `journal` and `ledgers` directories on the host to be owned by user `1000`
and group `1000`.
### Documentation
Documentation will be required for this change because users will need to
set up their hosts differently to properly give permission to user 1000 and
group 1000 in order to allow the container to write to the appropriate host
volumes. However, I'd like to see if this approach is accepted before adding
documentation.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
