Posted to commits@pulsar.apache.org by pe...@apache.org on 2021/06/08 05:03:42 UTC

[pulsar] branch branch-2.8 updated: Revert "[Issue 8751] Update Dockerfile for Pulsar and Dashboard to Cr… (#10861)

This is an automated email from the ASF dual-hosted git repository.

penghui pushed a commit to branch branch-2.8
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/branch-2.8 by this push:
     new 63126b9  Revert "[Issue 8751] Update Dockerfile for Pulsar and Dashboard to Cr… (#10861)
63126b9 is described below

commit 63126b9d6606863c1b889f75737623e1fa9e1638
Author: Matteo Merli <mm...@apache.org>
AuthorDate: Mon Jun 7 22:02:00 2021 -0700

    Revert "[Issue 8751] Update Dockerfile for Pulsar and Dashboard to Cr… (#10861)
    
    This reverts commit 4264a67a84d9a9f4a49cebc591c46b252dcf4e45.
    
    ### Motivation
    
    The change https://github.com/apache/pulsar/pull/8796 has broken the Pulsar
    Functions running on Kubernetes.
    
    The Pulsar Functions Kubernetes runtime generates a secret and mounts it
    using mode `256`. That means the secret can only be read by the owning user.
    The StatefulSet created by the Kubernetes runtime mounts the secrets under
    the `root` user. Hence only the root user is able to read the secret. As a
    result, any function that is submitted will fail to read the authentication
    information.
    
    Because all the Kubernetes resources generated by the Kubernetes runtime
    are hardcoded. There is no easy way to change the security context for the
    function statefulsets.
    
    Let's revert this change for 2.8.0, until we can address the issues in the Kubernetes runtime.
    
    (cherry picked from commit 4f556a2ce5b277abbac47cbaf571d4502553f994)
---
 docker/pulsar-all/Dockerfile                       | 16 ++----------
 docker/pulsar-standalone/Dockerfile                |  3 ---
 docker/pulsar/Dockerfile                           | 29 +++++-----------------
 site2/docs/getting-started-docker.md               |  5 ----
 .../docker-images/latest-version-image/Dockerfile  | 22 ++++++----------
 .../latest-version-image/conf/bookie.conf          |  1 -
 .../latest-version-image/conf/broker.conf          |  1 -
 .../conf/functions_worker.conf                     |  1 -
 .../latest-version-image/conf/global-zk.conf       |  1 -
 .../latest-version-image/conf/local-zk.conf        |  1 -
 .../latest-version-image/conf/presto_worker.conf   |  3 +--
 .../latest-version-image/conf/proxy.conf           |  1 -
 12 files changed, 17 insertions(+), 67 deletions(-)

diff --git a/docker/pulsar-all/Dockerfile b/docker/pulsar-all/Dockerfile
index 11a67c9..42431fc 100644
--- a/docker/pulsar-all/Dockerfile
+++ b/docker/pulsar-all/Dockerfile
@@ -25,19 +25,7 @@ ARG PULSAR_OFFLOADER_TARBALL
 ADD ${PULSAR_IO_DIR} /connectors
 ADD ${PULSAR_OFFLOADER_TARBALL} /
 RUN mv /apache-pulsar-offloaders-*/offloaders /offloaders
-RUN chmod -R g=u /connectors /offloaders
 
 FROM apachepulsar/pulsar:latest
-
-# Need permission to create directories and update file permissions
-USER root
-
-RUN mkdir /pulsar/connectors /pulsar/offloaders && \
-    chown pulsar:root /pulsar/connectors /pulsar/offloaders && \
-    chmod g=u /pulsar/connectors /pulsar/offloaders
-
-# Return to pulsar (non root) user
-USER pulsar
-
-COPY --from=pulsar-all --chown=pulsar:0 /connectors /pulsar/connectors
-COPY --from=pulsar-all --chown=pulsar:0 /offloaders /pulsar/offloaders
+COPY --from=pulsar-all /connectors /pulsar/connectors
+COPY --from=pulsar-all /offloaders /pulsar/offloaders
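Review bot: The final stage that starts at `FROM apachepulsar/pulsar:latest` now has no `USER` instruction, and the two `COPY --from=pulsar-all` lines leave the connectors and offloaders owned by root, so this image runs as whatever user the base image defaults to. The last hunk of docker/pulsar/Dockerfile in this commit drops `USER pulsar` as well, so that default is presumably root. Because this is a deliberate, temporary revert, I would record it in the file with a comment above the `FROM`, for example `# Runs as root until the Functions Kubernetes runtime can read its mounted secrets as a non-root user (see #10861)`. That gives whoever fixes the runtime a marker for restoring the non-root default.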
diff --git a/docker/pulsar-standalone/Dockerfile b/docker/pulsar-standalone/Dockerfile
index c7fdad9..777541b 100644
--- a/docker/pulsar-standalone/Dockerfile
+++ b/docker/pulsar-standalone/Dockerfile
@@ -26,9 +26,6 @@ FROM apachepulsar/pulsar-dashboard:latest as dashboard
 # Restart from
 FROM openjdk:11-jdk
 
-# Help to make these directories persist between container restarts
-VOLUME  ["/pulsar/conf", "/pulsar/data"]
-
 # Note that the libpq-dev package is needed here in order to install
 # the required python psycopg2 package (for postgresql) later
 RUN apt-get update \
diff --git a/docker/pulsar/Dockerfile b/docker/pulsar/Dockerfile
index b22181f..96da0d2 100644
--- a/docker/pulsar/Dockerfile
+++ b/docker/pulsar/Dockerfile
@@ -17,8 +17,7 @@
 # under the License.
 #
 
-# First create a stage with the Pulsar tarball, the scripts, the python client,
-# the cpp client, and the data directory. Then ensure correct file permissions.
+# First create a stage with just the Pulsar tarball and scripts
 FROM busybox as pulsar
 
 ARG PULSAR_TARBALL
@@ -34,24 +33,13 @@ COPY scripts/pulsar-zookeeper-ruok.sh /pulsar/bin
 COPY scripts/watch-znode.py /pulsar/bin
 COPY scripts/install-pulsar-client-37.sh /pulsar/bin
 
-COPY target/python-client/ /pulsar/pulsar-client
-
 RUN mkdir /pulsar/data
 
-# In order to support running this docker image as a container on OpenShift
-# the final image needs to give the root group enough permission.
-# The file permissions are maintained when copied into the target image.
-RUN chmod -R g=u /pulsar
-
 ### Create 2nd stage from OpenJDK image
 ### and add Python dependencies (for Pulsar functions)
 
 FROM openjdk:11-jdk-slim
 
-# Create the pulsar group and user to make docker container run as a non root user by default
-RUN groupadd -g 10001 pulsar
-RUN adduser -u 10000 --gid 10001 --disabled-login --disabled-password --gecos '' pulsar
-
 # Install some utilities
 RUN apt-get update \
      && apt-get install -y netcat dnsutils less procps iputils-ping \
@@ -66,21 +54,16 @@ RUN python3.7 get-pip.py
 
 RUN update-alternatives --install /usr/bin/python python /usr/bin/python3 10
 
-# The pulsar directory is staged correctly in the first stage, above.
-# The chown and chmod ensure proper permissions for running as a non root user and non root group
-# as well as running on OpenShift with a random user that is part of the root group
-RUN mkdir /pulsar && chown pulsar:0 /pulsar && chmod g=u /pulsar
-COPY --from=pulsar --chown=pulsar:0 /pulsar /pulsar
-
 RUN echo networkaddress.cache.ttl=1 >> $JAVA_HOME/conf/security/java.security
+ADD target/python-client/ /pulsar/pulsar-client
+
+VOLUME  ["/pulsar/conf", "/pulsar/data"]
 
 ENV PULSAR_ROOT_LOGGER=INFO,CONSOLE
 
+
+COPY --from=pulsar /pulsar /pulsar
 WORKDIR /pulsar
 
-# This script is intentionally run as the root user to make the dependencies
-# available to the root user and the pulsar user
 RUN /pulsar/bin/install-pulsar-client-37.sh
 
-# Switch to the pulsar user to ensure container defaults to run as a non root user
-USER pulsar
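Review bot: The added `ADD target/python-client/ /pulsar/pulsar-client` copies a plain local directory, so `COPY target/python-client/ /pulsar/pulsar-client` would state the intent without ADD's extra archive and URL handling. The added `VOLUME  ["/pulsar/conf", "/pulsar/data"]` now comes before `COPY --from=pulsar /pulsar /pulsar` and `RUN /pulsar/bin/install-pulsar-client-37.sh`. Depending on the builder, changes that later build steps make under a declared volume path can be discarded, so declaring the volume after the last write into /pulsar is the safer order. The stage these lines belong to starts outside this hunk.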
diff --git a/site2/docs/getting-started-docker.md b/site2/docs/getting-started-docker.md
index f8f6a38..56cff28 100644
--- a/site2/docs/getting-started-docker.md
+++ b/site2/docs/getting-started-docker.md
@@ -27,11 +27,6 @@ and follow the instructions for your OS.
 A few things to note about this command:
  * The data, metadata, and configuration are persisted on Docker volumes in order to not start "fresh" every 
 time the container is restarted. For details on the volumes you can use `docker volume inspect <sourcename>`
- * The pulsar docker image runs as user 10000, by default. In order for the pulsar process to
- access the mounted volumes, the host volumes (`pulsardata` and `pulsarconf` in this example)
- must give user 10000 read and write permissions. Alternatively, you can specify the user to run with and then make sure
- that the host volume gives that user read and write permissions. Otherwise, the process will fail due to insufficient
- permissions.
  * For Docker on Windows make sure to configure it to use Linux containers
 
 If you start Pulsar successfully, you will see `INFO`-level log messages like this:
diff --git a/tests/docker-images/latest-version-image/Dockerfile b/tests/docker-images/latest-version-image/Dockerfile
index 4711e9b..242ae47 100644
--- a/tests/docker-images/latest-version-image/Dockerfile
+++ b/tests/docker-images/latest-version-image/Dockerfile
@@ -55,12 +55,6 @@ FROM apachepulsar/pulsar-all:latest as pulsar-all
 ########################################
 FROM apachepulsar/pulsar:latest
 
-# Switch to run as the root user to simplify building container and then running
-# supervisord. Each of the pulsar components are spawned by supervisord and their
-# process configuration files specify that the process will be run as the "pulsar" user
-# However, any processes exec'ing into the containers will run as root, by default.
-USER root
-
 RUN rm -rf /var/lib/apt/lists/* && apt update
 
 RUN apt-get clean && apt-get update && apt-get install -y supervisor vim procps curl
@@ -99,15 +93,15 @@ COPY target/java-test-functions.jar /pulsar/examples/
 COPY --from=pulsar-function-go /go/bin /pulsar/examples/go-examples
 
 # Include all offloaders
-COPY --from=pulsar-all --chown=pulsar:0 /pulsar/offloaders /pulsar/offloaders
+COPY --from=pulsar-all /pulsar/offloaders /pulsar/offloaders
 
 # Include only the connectors needed by integration tests
-COPY --from=pulsar-all --chown=pulsar:0 /pulsar/connectors/pulsar-io-cassandra-*.nar /pulsar/connectors/
-COPY --from=pulsar-all --chown=pulsar:0 /pulsar/connectors/pulsar-io-debezium-*.nar /pulsar/connectors/
-COPY --from=pulsar-all --chown=pulsar:0 /pulsar/connectors/pulsar-io-elastic-*.nar /pulsar/connectors/
-COPY --from=pulsar-all --chown=pulsar:0 /pulsar/connectors/pulsar-io-hdfs*.nar /pulsar/connectors/
-COPY --from=pulsar-all --chown=pulsar:0 /pulsar/connectors/pulsar-io-jdbc-postgres-*.nar /pulsar/connectors/
-COPY --from=pulsar-all --chown=pulsar:0 /pulsar/connectors/pulsar-io-kafka-*.nar /pulsar/connectors/
-COPY --from=pulsar-all --chown=pulsar:0 /pulsar/connectors/pulsar-io-rabbitmq-*.nar /pulsar/connectors/
+COPY --from=pulsar-all /pulsar/connectors/pulsar-io-cassandra-*.nar /pulsar/connectors/
+COPY --from=pulsar-all /pulsar/connectors/pulsar-io-debezium-*.nar /pulsar/connectors/
+COPY --from=pulsar-all /pulsar/connectors/pulsar-io-elastic-*.nar /pulsar/connectors/
+COPY --from=pulsar-all /pulsar/connectors/pulsar-io-hdfs*.nar /pulsar/connectors/
+COPY --from=pulsar-all /pulsar/connectors/pulsar-io-jdbc-postgres-*.nar /pulsar/connectors/
+COPY --from=pulsar-all /pulsar/connectors/pulsar-io-kafka-*.nar /pulsar/connectors/
+COPY --from=pulsar-all /pulsar/connectors/pulsar-io-rabbitmq-*.nar /pulsar/connectors/
 
 CMD bash
diff --git a/tests/docker-images/latest-version-image/conf/bookie.conf b/tests/docker-images/latest-version-image/conf/bookie.conf
index 97d2c72..f65a37c 100644
--- a/tests/docker-images/latest-version-image/conf/bookie.conf
+++ b/tests/docker-images/latest-version-image/conf/bookie.conf
@@ -24,4 +24,3 @@ stdout_logfile=/var/log/pulsar/bookie.log
 directory=/pulsar
 environment=PULSAR_MEM="-Xmx128M -XX:MaxDirectMemorySize=512M",PULSAR_GC="-XX:+UseG1GC"
 command=/pulsar/bin/pulsar bookie
-user=pulsar
diff --git a/tests/docker-images/latest-version-image/conf/broker.conf b/tests/docker-images/latest-version-image/conf/broker.conf
index bfcf601..f8bf8e7 100644
--- a/tests/docker-images/latest-version-image/conf/broker.conf
+++ b/tests/docker-images/latest-version-image/conf/broker.conf
@@ -24,5 +24,4 @@ stdout_logfile=/var/log/pulsar/broker.log
 directory=/pulsar
 environment=PULSAR_MEM="-Xmx128M",PULSAR_GC="-XX:+UseG1GC"
 command=/pulsar/bin/pulsar broker
-user=pulsar
 
diff --git a/tests/docker-images/latest-version-image/conf/functions_worker.conf b/tests/docker-images/latest-version-image/conf/functions_worker.conf
index a023c1e..3610b03 100644
--- a/tests/docker-images/latest-version-image/conf/functions_worker.conf
+++ b/tests/docker-images/latest-version-image/conf/functions_worker.conf
@@ -24,5 +24,4 @@ stdout_logfile=/var/log/pulsar/functions_worker.log
 directory=/pulsar
 environment=PULSAR_MEM="-Xmx128M",PULSAR_GC="-XX:+UseG1GC"
 command=/pulsar/bin/pulsar functions-worker
-user=pulsar
 
diff --git a/tests/docker-images/latest-version-image/conf/global-zk.conf b/tests/docker-images/latest-version-image/conf/global-zk.conf
index 6503f5f..bf56c5b 100644
--- a/tests/docker-images/latest-version-image/conf/global-zk.conf
+++ b/tests/docker-images/latest-version-image/conf/global-zk.conf
@@ -24,5 +24,4 @@ stdout_logfile=/var/log/pulsar/global-zk.log
 directory=/pulsar
 environment=PULSAR_MEM="-Xmx128M",PULSAR_GC="-XX:+UseG1GC"
 command=/pulsar/bin/pulsar configuration-store
-user=pulsar
 
diff --git a/tests/docker-images/latest-version-image/conf/local-zk.conf b/tests/docker-images/latest-version-image/conf/local-zk.conf
index 1c98a6b..5768193 100644
--- a/tests/docker-images/latest-version-image/conf/local-zk.conf
+++ b/tests/docker-images/latest-version-image/conf/local-zk.conf
@@ -24,5 +24,4 @@ stdout_logfile=/var/log/pulsar/local-zk.log
 directory=/pulsar
 environment=PULSAR_MEM="-Xmx128M",PULSAR_GC="-XX:+UseG1GC"
 command=/pulsar/bin/pulsar zookeeper
-user=pulsar
 
diff --git a/tests/docker-images/latest-version-image/conf/presto_worker.conf b/tests/docker-images/latest-version-image/conf/presto_worker.conf
index 6846ca2..28e3c36 100644
--- a/tests/docker-images/latest-version-image/conf/presto_worker.conf
+++ b/tests/docker-images/latest-version-image/conf/presto_worker.conf
@@ -23,5 +23,4 @@ redirect_stderr=true
 stdout_logfile=/var/log/pulsar/presto_worker.log
 directory=/pulsar
 environment=PULSAR_MEM="-Xmx128M",PULSAR_GC="-XX:+UseG1GC"
-command=/pulsar/bin/pulsar sql-worker start
-user=pulsar
\ No newline at end of file
+command=/pulsar/bin/pulsar sql-worker start
\ No newline at end of file
diff --git a/tests/docker-images/latest-version-image/conf/proxy.conf b/tests/docker-images/latest-version-image/conf/proxy.conf
index 1bed5a1..8bc1a53 100644
--- a/tests/docker-images/latest-version-image/conf/proxy.conf
+++ b/tests/docker-images/latest-version-image/conf/proxy.conf
@@ -24,5 +24,4 @@ stdout_logfile=/var/log/pulsar/proxy.log
 directory=/pulsar
 environment=PULSAR_MEM="-Xmx128M",PULSAR_GC="-XX:+UseG1GC"
 command=/pulsar/bin/pulsar proxy
-user=pulsar