michaeljmarshall commented on a change in pull request #8796:
URL: https://github.com/apache/pulsar/pull/8796#discussion_r551707216
##########
File path: docker/pulsar/Dockerfile
##########
@@ -53,21 +55,25 @@ RUN python3.7 get-pip.py
RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 10
-ADD target/python-client/ /pulsar/pulsar-client
-ADD target/cpp-client/ /pulsar/cpp-client
+ADD --chown=pulsar:pulsar target/python-client/ /pulsar/pulsar-client
+ADD --chown=pulsar:pulsar target/cpp-client/ /pulsar/cpp-client
RUN echo networkaddress.cache.ttl=1 >>
$JAVA_HOME/jre/lib/security/java.security
RUN apt-get update \
&& apt install -y /pulsar/cpp-client/*.deb \
&& apt-get clean \
+ && chown -R pulsar:pulsar /pulsar/cpp-client/
&& rm -rf /var/lib/apt/lists/*
+# Start using the pulsar user to ensure container defaults to run as non root
user
+USER pulsar
+
+# Directories will have correct permission because we switched to the pulsar
user
+RUN mkdir /pulsar/conf /pulsar/data
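Review bot: `USER pulsar` near the end of the hunk names the user instead of giving a numeric UID, and Kubernetes cannot verify `runAsNonRoot: true` against a non-numeric image user, so a container with that setting fails to start unless the pod also sets `runAsUser`. Consider `USER <uid>` with the UID the `pulsar` account is created with (not visible in this hunk). Separately, `RUN mkdir /pulsar/conf /pulsar/data` now runs as `pulsar`, so it succeeds only if `/pulsar` itself is already writable by that user, which these lines do not show. The added `chown -R pulsar:pulsar /pulsar/cpp-client/` also looks redundant after `ADD --chown=pulsar:pulsar` on the same path, unless `apt install` writes into that directory. Finally, a volume mounted over `/pulsar/conf` or `/pulsar/data` takes its ownership from the volume, not from this layer, so the comment "Directories will have correct permission" holds only for the image's own directories; it would help to say so in the comment or the docs.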
Review comment:
@sijie - after thinking about this, I think it might be helpful, and
possibly necessary, to make a corresponding update to the Helm chart to allow
end users to choose how the container is run in Kubernetes. Because Docker
allows an end user to choose the user that a container runs with, it is trivial
for end users to run the container as root until they're able to update the
host file system to have the appropriate permissions for the `/pulsar/conf` and
`/pulsar/data` directories. Let me know what you think.