michaeljmarshall commented on pull request #8242:
URL: https://github.com/apache/pulsar/pull/8242#issuecomment-773054002
I finally understand the nuance to this problem, and I am pretty sure I
overstepped when I said that the two platforms were incompatible. There is a
way to make this work for both platforms.
I think some of my confusion came from the actual contents of this PR. The
PR proposes the following:
```Dockerfile
RUN chown -R 0:0 /pulsar \
&& chmod -R g=u /pulsar
```
however, as @fransguelinckx shows, what is actually required is
```Dockerfile
RUN chgrp -R 0 /pulsar && \
chmod -R g=u /pulsar
```
The key nuance here is that members of the root group need to have write
permissions. The user does not have to be root, as the PR proposes. Instead, we
can have the user that owns all of the files be the `pulsar` user and then make
sure that the files are owned by the root group with the proper write
permissions.
That change will work properly for the OpenShift case because the root group
will have sufficient permissions and it will work for the case where we're
running as a non-root user and non-root group as long as the user is the
`pulsar` user (the group won't actually matter, but at least it will be
non-root, which will satisfy the pod security policy).
As an aside, using the `VOLUME` instruction would make sense if everyone
were specifying a volume to mount for `/pulsar/data` and `/pulsar/conf`. As it
is, I don't believe that is the case, which makes it less meaningful. Also, if
the volumes were mounted, they would inherit the host's filesystem permissions,
which would have been one way to override the default behavior of the container.
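An added check, not part of this PR or of Pulsar itself, for the invariant described above: every path under a tree must belong to the root group and carry group bits equal to the owner bits, which is what `chgrp -R 0 && chmod -R g=u` produces. The function names are mine, and the `expected_gid` parameter is an assumption that lets the audit run outside a privileged image build, where the group cannot be changed to 0.

```python
import os
import stat
from typing import Iterator, List, Tuple

ROOT_GID = 0  # OpenShift runs containers as an arbitrary UID that belongs to GID 0


def _paths(root: str) -> Iterator[str]:
    """Yield root and everything below it, like `find ROOT`."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def permission_findings(root: str, expected_gid: int = ROOT_GID) -> List[Tuple[str, str]]:
    """Report paths under `root` that break the `chgrp -R 0 && chmod -R g=u` layout.

    Each finding is (path, reason). An empty list means any UID in the expected
    group gets exactly the owner's access, so both an arbitrary-UID/GID-0 runtime
    and a fixed non-root user can use the tree as its owner would.
    """
    findings: List[Tuple[str, str]] = []
    for path in _paths(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # chmod -R does not follow symlinks; the target is checked on its own
        mode = stat.S_IMODE(st.st_mode)
        if st.st_gid != expected_gid:
            findings.append((path, f"group is {st.st_gid}, expected {expected_gid}"))
        if (mode & 0o070) != (mode & 0o700) >> 3:
            findings.append((path, f"mode {mode:04o}: group bits differ from owner bits"))
    return findings


def apply_group_equals_owner(root: str) -> int:
    """Python equivalent of `chmod -R g=u ROOT`; returns the number of paths changed.

    Changing the group itself (`chgrp -R 0`) needs root or membership in group 0,
    so that half of the recipe stays in the image build.
    """
    changed = 0
    for path in _paths(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        wanted = (mode & ~0o070) | ((mode & 0o700) >> 3)
        if wanted != mode:
            os.chmod(path, wanted)
            changed += 1
    return changed
```

Run `permission_findings("/pulsar")` inside the built image (or against an exported rootfs) as a build-time check; any finding means an arbitrary UID in group 0 would not get the owner's access.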
----------------------------------------------------------------
This is an automated message from the Apache Git Service.