Posted to dev@pulsar.apache.org by Michael Marshall <mm...@apache.org> on 2022/05/19 19:13:22 UTC

[Discuss] Update Helm Chart to Support 2.10 Docker Image

Hello Pulsar Community,

With the 2.10.0 release, our Pulsar Docker images default to run as a
non-root user. In order to use the 2.10.0 Docker image with the Apache
Pulsar Helm Chart, we need to merge this PR [0]. If you're able,
please review it. Once merged, I propose that we follow up with a
release so that users wanting to upgrade to 2.10.0 have an upgrade
path.

Thanks,
Michael

[0] https://github.com/apache/pulsar-helm-chart/pull/266

Re: [Discuss] Update Helm Chart to Support 2.10 Docker Image

Posted by Michael Marshall <mm...@apache.org>.
I just merged https://github.com/apache/pulsar-helm-chart/pull/266.
I'll follow up with a proposal that we release a new version of the
helm chart.

Thanks,
Michael

On Thu, May 19, 2022 at 2:13 PM Michael Marshall <mm...@apache.org> wrote:
>
> Hello Pulsar Community,
>
> With the 2.10.0 release, our Pulsar Docker images default to run as a
> non-root user. In order to use the 2.10.0 Docker image with the Apache
> Pulsar Helm Chart, we need to merge this PR [0]. If you're able,
> please review it. Once merged, I propose that we follow up with a
> release so that users wanting to upgrade to 2.10.0 have an upgrade
> path.
>
> Thanks,
> Michael
>
> [0] https://github.com/apache/pulsar-helm-chart/pull/266

Re: [Discuss] Update Helm Chart to Support 2.10 Docker Image

Posted by Neng Lu <fr...@gmail.com>.
Hi Michael,

Thanks for the detailed explanation.

On Thu, May 26, 2022 at 11:08 PM Michael Marshall <mm...@apache.org>
wrote:

> Hi Neng Lu,
>
> I put together a doc [0] that includes some tips for troubleshooting a
> non-root docker image. Some of the details depend on how you're
> deploying Pulsar.
>
> If you can ssh to the host as the root user, you can run `docker exec
> --user 0 ...` to get a shell in the container as the root user.
>
> When running on Kubernetes, you might be able to utilize [1] to gain
> root access to the host node for the pod, and then you can exec into
> the container as the root user, as described in the doc [0]. Or, if
> you don't have any pod security policies, you can set the pod's
> securityContext so that the container runs as the root user.
>
> The final option is to build a custom image with additional tooling.
>
> If you find other helpful resources, feel free to update that doc or
> send a note here, and I'll update the doc.
>
> - Michael
>
> [0] https://github.com/apache/pulsar/blob/master/docker/README.md#troubleshooting-non-root-containers
> [1] https://github.com/kvaps/kubectl-node-shell
>
> On Thu, May 26, 2022 at 5:24 PM Neng Lu <fr...@gmail.com> wrote:
> >
> > Hi All,
> >
> > I'm curious to learn once the image is run as non-root, how can we debug or
> > investigate production issues inside a running cluster?
> >
> > On Thu, May 19, 2022 at 12:14 PM Michael Marshall <mm...@apache.org>
> > wrote:
> >
> > > Hello Pulsar Community,
> > >
> > > With the 2.10.0 release, our Pulsar Docker images default to run as a
> > > non-root user. In order to use the 2.10.0 Docker image with the Apache
> > > Pulsar Helm Chart, we need to merge this PR [0]. If you're able,
> > > please review it. Once merged, I propose that we follow up with a
> > > release so that users wanting to upgrade to 2.10.0 have an upgrade
> > > path.
> > >
> > > Thanks,
> > > Michael
> > >
> > > [0] https://github.com/apache/pulsar-helm-chart/pull/266
> > >
> >
> >
> > --
> > Best Regards,
> > Neng
>


-- 
Best Regards,
Neng

Re: [Discuss] Update Helm Chart to Support 2.10 Docker Image

Posted by Michael Marshall <mm...@apache.org>.
Hi Neng Lu,

I put together a doc [0] that includes some tips for troubleshooting a
non-root docker image. Some of the details depend on how you're
deploying Pulsar.

If you can ssh to the host as the root user, you can run `docker exec
--user 0 ...` to get a shell in the container as the root user.

When running on Kubernetes, you might be able to utilize [1] to gain
root access to the host node for the pod, and then you can exec into
the container as the root user, as described in the doc [0]. Or, if
you don't have any pod security policies, you can set the pod's
securityContext so that the container runs as the root user.

The final option is to build a custom image with additional tooling.

If you find other helpful resources, feel free to update that doc or
send a note here, and I'll update the doc.

- Michael

[0] https://github.com/apache/pulsar/blob/master/docker/README.md#troubleshooting-non-root-containers
[1] https://github.com/kvaps/kubectl-node-shell

On Thu, May 26, 2022 at 5:24 PM Neng Lu <fr...@gmail.com> wrote:
>
> Hi All,
>
> I'm curious to learn once the image is run as non-root, how can we debug or
> investigate production issues inside a running cluster?
>
> On Thu, May 19, 2022 at 12:14 PM Michael Marshall <mm...@apache.org>
> wrote:
>
> > Hello Pulsar Community,
> >
> > With the 2.10.0 release, our Pulsar Docker images default to run as a
> > non-root user. In order to use the 2.10.0 Docker image with the Apache
> > Pulsar Helm Chart, we need to merge this PR [0]. If you're able,
> > please review it. Once merged, I propose that we follow up with a
> > release so that users wanting to upgrade to 2.10.0 have an upgrade
> > path.
> >
> > Thanks,
> > Michael
> >
> > [0] https://github.com/apache/pulsar-helm-chart/pull/266
> >
>
>
> --
> Best Regards,
> Neng
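
Added example (not part of the thread and not Pulsar project code): the securityContext option described in the message above leaves a root override in the pod spec, so this sketch resolves the user each container will run as and lists containers explicitly set to UID 0. The manifests, the `sidecar` container and the function names are constructed for illustration.

```python
def effective_users(pod):
    """Map container name -> (uid or None, conflict) for a pod manifest dict.

    Container-level securityContext fields override pod-level ones. A uid of
    None means the manifest sets no user, so the image default applies
    (non-root for the 2.10.0 Pulsar image, per the thread).
    """
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    result = {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        # runAsNonRoot combined with UID 0 is refused when the container starts.
        conflict = bool(non_root) and uid == 0
        result[c["name"]] = (uid, conflict)
    return result


def root_overrides(pod):
    """Names of containers whose manifest explicitly runs them as UID 0."""
    return sorted(n for n, (uid, _) in effective_users(pod).items() if uid == 0)


# Constructed manifests: image default, a pod-level root override used for
# debugging, and an override that contradicts runAsNonRoot.
DEFAULT_POD = {"spec": {"containers": [{"name": "broker"}]}}
DEBUG_POD = {"spec": {
    "securityContext": {"runAsUser": 0},
    "containers": [
        {"name": "broker"},
        {"name": "sidecar", "securityContext": {"runAsUser": 10000}},
    ],
}}
CONFLICT_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True},
    "containers": [{"name": "broker", "securityContext": {"runAsUser": 0}}],
}}

if __name__ == "__main__":
    for label, pod in [("default", DEFAULT_POD), ("debug", DEBUG_POD),
                       ("conflict", CONFLICT_POD)]:
        print(label, effective_users(pod), "root:", root_overrides(pod))
```

Running it over manifests exported as JSON after a debugging session shows which workloads still carry the root override and need it reverted.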

Re: [Discuss] Update Helm Chart to Support 2.10 Docker Image

Posted by Neng Lu <fr...@gmail.com>.
Hi All,

I'm curious to learn once the image is run as non-root, how can we debug or
investigate production issues inside a running cluster?

On Thu, May 19, 2022 at 12:14 PM Michael Marshall <mm...@apache.org>
wrote:

> Hello Pulsar Community,
>
> With the 2.10.0 release, our Pulsar Docker images default to run as a
> non-root user. In order to use the 2.10.0 Docker image with the Apache
> Pulsar Helm Chart, we need to merge this PR [0]. If you're able,
> please review it. Once merged, I propose that we follow up with a
> release so that users wanting to upgrade to 2.10.0 have an upgrade
> path.
>
> Thanks,
> Michael
>
> [0] https://github.com/apache/pulsar-helm-chart/pull/266
>


-- 
Best Regards,
Neng