You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@pulsar.apache.org by GitBox <gi...@apache.org> on 2021/12/20 02:49:39 UTC

[GitHub] [pulsar] freeznet commented on a change in pull request #13376: Make Docker images non-root, by default, and OpenShift compliant

freeznet commented on a change in pull request #13376:
URL: https://github.com/apache/pulsar/pull/13376#discussion_r772050638



##########
File path: docker/pulsar/Dockerfile
##########
@@ -33,7 +33,13 @@ COPY scripts/pulsar-zookeeper-ruok.sh /pulsar/bin
 COPY scripts/watch-znode.py /pulsar/bin
 COPY scripts/install-pulsar-client.sh /pulsar/bin
 
-RUN mkdir /pulsar/data
+# In order to support running this docker image as a container on OpenShift
+# the final image needs to give the root group sufficient permission.
+# The file permissions are preserved when copying files from this builder image to the target image.
+RUN chmod -R g+w /pulsar/conf
+RUN mkdir /pulsar/data && chmod -R g+w /pulsar/data
+RUN mkdir /pulsar/logs && chmod -R g+w /pulsar/logs
+RUN chmod -R u-w /pulsar

Review comment:
       the `/pulsar` do not have write permission anymore, so it will cause functions failed to download with default functions_worker configs. Since `downloadDirectory: download/pulsar_functions` and the `/pulsar/download/pulsar_functions` cannot be created by `pulsar` user.
   We should also check other folder permissions for functions as well, like `narExtractionDirectory`.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pulsar.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org