You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@pulsar.apache.org by mm...@apache.org on 2022/05/26 04:34:40 UTC

[pulsar] branch branch-2.10 updated: [Fix][Docker] Add write permissions to /pulsar subdirectories to enable running as non-root user (#15769)

This is an automated email from the ASF dual-hosted git repository.

mmarshall pushed a commit to branch branch-2.10
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/branch-2.10 by this push:
     new 131dc164682 [Fix][Docker] Add write permissions to /pulsar subdirectories to enable running as non-root user (#15769)
131dc164682 is described below

commit 131dc1646823e1c0f97ba0a7967678097e39da76
Author: Adrian Paul <dr...@users.noreply.github.com>
AuthorDate: Thu May 26 14:23:40 2022 +1000

    [Fix][Docker] Add write permissions to /pulsar subdirectories to enable running as non-root user (#15769)
    
    Fixes #15230
    
    ### Motivation
    
    The Quickstart/[Getting Started in Docker](https://pulsar.apache.org/docs/next/getting-started-docker) example does not work with Pulsar 2.10.0:
    ```shell
    docker run -it -p 6650:6650  -p 8080:8080 --mount source=pulsardata,target=/pulsar/data --mount source=pulsarconf,target=/pulsar/conf apachepulsar/pulsar:2.10.0 bin/pulsar standalone
    ```
    When you run the command, you get a permissions error:
    ```
    ERROR org.apache.pulsar.PulsarStandaloneStarter - Failed to start pulsar service.
    java.nio.file.AccessDeniedException: /pulsar/data/standalone
    ```
    
    This is because the Docker image is running as a non-root user but does not have permissions to write to the volume being mounted at `/pulsar/data`
    
    I think this issue is an important concern because it frustrates prospective/new Pulsar users (like me!) with their first impression of trying the project
    
    ### Modifications
    - Previously the Docker image was adding write permissions (for the root group) to the `/pulsar/conf` directory
    - This PR updates that RUN instruction with a shell script loop that creates and sets write permissions on the following directories:
      - `/pulsar/conf`
      - `/pulsar/data`
      - `/pulsar/download`
      - `/pulsar/logs`
    
    ### Verifying this change
    
    This change is a trivial rework / code cleanup without any test coverage.
    - It can be verified by running the Getting Started in Docker example code listed above, which currently fails with Pulsar 2.10.0
    
    ### Does this pull request potentially affect one of the following parts:
    
      - Dependencies (does it add or upgrade a dependency): no
      - The public API: no
      - The schema: no
      - The default values of configurations: no
      - The wire protocol: no
      - The rest endpoints: no
      - The admin cli options: no
      - Anything that affects deployment: yes
        - This PR updates the Docker image by creating empty, writeable subdirectories (`data`, `download`, `logs`) inside of `/pulsar` that did not previously exist to enable mounting of volumes that will be writeable by a non-root user at run-time. Potentially this may affect users who were relying on these directories not existing, however I'd contend that the image is broken for new users who are trying out Pulsar for the first time.
    
    ### Documentation
    
    Check the box below or label this PR directly.
    
    Need to update docs?
    - [ ] `doc-required`
    - [X] `no-need-doc`
      - This PR fixes an issue that is already covered by existing "Getting Started in Docker" documentation, it does not require any updates to the existing documentation.
    - [ ] `doc`
    - [ ] `doc-added`
    
    (cherry picked from commit 6e417de43766d5aa8e283c7feeaac8cb9a46eb64)
---
 docker/pulsar/Dockerfile | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/docker/pulsar/Dockerfile b/docker/pulsar/Dockerfile
index 1a19220d455..b15cb827b9f 100644
--- a/docker/pulsar/Dockerfile
+++ b/docker/pulsar/Dockerfile
@@ -33,10 +33,14 @@ COPY scripts/pulsar-zookeeper-ruok.sh /pulsar/bin
 COPY scripts/watch-znode.py /pulsar/bin
 COPY scripts/install-pulsar-client.sh /pulsar/bin
 
-# In order to support running this docker image as a container on OpenShift
-# the final image needs to give the root group sufficient permission.
+# The final image needs to give the root group sufficient permission for Pulsar components
+# to write to specific directories within /pulsar
 # The file permissions are preserved when copying files from this builder image to the target image.
-RUN chmod -R g+w /pulsar/conf
+RUN for SUBDIRECTORY in conf data download logs; do \
+     [ -d /pulsar/$SUBDIRECTORY ] || mkdir /pulsar/$SUBDIRECTORY; \
+     chmod -R g+w /pulsar/$SUBDIRECTORY; \
+     done
+
 # Presto writes logs to this directory (at least during tests), so we need to give the process permission
 # to create those log directories. This should be removed when presto is removed.
 RUN chmod g+w /pulsar/lib/presto