michaeljmarshall commented on a change in pull request #13376:
URL: https://github.com/apache/pulsar/pull/13376#discussion_r773580954
##########
File path: docker/pulsar/Dockerfile
##########
@@ -69,4 +83,8 @@ ENV PULSAR_ROOT_LOGGER=INFO,CONSOLE
COPY --from=pulsar /pulsar /pulsar
WORKDIR /pulsar
-RUN /pulsar/bin/install-pulsar-client.sh
\ No newline at end of file
+# This script is intentionally run as the root user to make the dependencies
available for all UIDs.
+RUN /pulsar/bin/install-pulsar-client.sh
+
+# The UID must be non-zero. Otherwise, it is arbitrary. No logic should rely
on its specific value.
+USER 10000
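Review bot: `USER 10000` on the last added line names a UID but no group, and the comment above it only covers the UID. Docker runs the image with the root group (GID 0) when the user has no primary group, so any path the process must write at runtime depends on group-0 permissions rather than on the UID. The lines shown here (`COPY --from=pulsar /pulsar /pulsar`, the install script, then `USER`) do not set ownership or mode on the copied `/pulsar` tree, so please confirm that an earlier step makes the writable directories group-writable. Consider also stating the group dependency in the comment, or writing `USER 10000:0` so the intent is explicit.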
Review comment:
Debugging can be challenging, especially because a non-root user does
not have the privilege to download packages. The Bitnami blog I referenced has
some documentation on their experience debugging non-root containers:
https://engineering.bitnami.com/articles/running-non-root-containers-on-openshift.html.
Depending on your environment, there are several concrete options. In
Kubernetes, you can set the pod's `securityContext` to `runAsUser: 0`, if you
really need to run it as root. If you have access to the Docker container's
host, you should be able to `exec` into the container as the root user. We
could also produce a "debug" image that contains additional debug tools.
--
This is an automated message from the Apache Git Service.