> 1. Pulsar configuration is read in only from configuration files in
> `/pulsar/conf`. A non root user must be able to update these files to
> have run with custom configuration.

Regarding the configurations, I have also seen a similar requirement like this lately [0].
IMHO, updating any configs without redeploying the service is a useful feature.
I would like to post a PIP for this later.
The basic idea is to make all configs dynamic by default except
`metadataStoreUrl`, with all configs stored under the path "/admin/configuration"
in the metadata store.

[0] https://github.com/apache/pulsar/pull/13074

On 2021/12/21 20:16:44 Michael Marshall wrote:
> All tests are now passing for this PR [0]. I built the docker image
> and pushed it to my personal repository to simplify testing [1] for
> anyone interested in verifying the changes.
> 
> I would like our docker image to be as close to immutable as possible.
> As far as I can tell, here are the only reasons the image cannot be
> immutable:
> 
> 1. Pulsar configuration is read in only from configuration files in
> `/pulsar/conf`. A non root user must be able to update these files to
> have run with custom configuration.
> 2. The Pulsar function worker unpacks nar files to
> `/pulsar/download/pulsar_functions` by default.
> 3. Pulsar tiered storage writes to `/pulsar` by default when using
> filesystem storage.
> 4. The Presto SQL worker writes to `/pulsar/lib/presto/` by default.
> 5. Pulsar-admin and functions write to `/pulsar/log` by default
> (possibly other components too).
> 
> Note that even though bookkeepers and zookeepers write to
> `/pulsar/data`, they should be writing to docker volumes, in which
> case, the host's file system permissions are all that matter.
> 
> If we can remove any of the above reasons, we can decrease the
> privilege in the docker image.
> 
> The PR has more detail. Please take a look.
> 
> Thanks,
> Michael
> 
> [0] https://github.com/apache/pulsar/pull/13376
> [1] michaelmarshall/pulsar:2.10.0-SNAPSHOT-1dec8b9
> 
> 
> On Fri, Dec 17, 2021 at 12:33 AM Michael Marshall <mmarsh...@apache.org> 
> wrote:
> >
> > Hi Pulsar Community,
> >
> > I opened a PR to make our pulsar and pulsar-all docker images non root
> > and OpenShift compliant [0]. As some may remember, we had issues with
> > these changes before due to lack of testing. I plan to test thoroughly
> > before we merge this PR, and it'd be great to have others test too. I
> > published a build of my PR [1]. I also have an issue [2] tracking this
> > work.
> >
> > Please take a look. I hope to make our 2.10 release a non root release!
> >
> > Thanks,
> > Michael
> >
> > [0] https://github.com/apache/pulsar/pull/13376
> > [1] michaelmarshall/pulsar:2.10.0-SNAPSHOT
> > [2] https://github.com/apache/pulsar/issues/11269
> 
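
One way to audit the five write paths listed in the quoted message against a candidate non-root runtime identity; this is an added example, not code from the thread or from the Pulsar project. It evaluates only owner/group/other mode bits, and the sample tree, UID and group used here are constructed for illustration.

```python
import os
import stat
import tempfile

# Directories the thread lists as written at runtime, relative to the image root.
RUNTIME_WRITE_PATHS = [
    "pulsar/conf",                       # 1. configuration files
    "pulsar/download/pulsar_functions",  # 2. function worker nar unpacking
    "pulsar",                            # 3. tiered storage (filesystem)
    "pulsar/lib/presto",                 # 4. Presto SQL worker
    "pulsar/log",                        # 5. pulsar-admin and functions logs
]

def can_write(path, uid, gids):
    """Apply classic owner/group/other mode bits (ignores ACLs and capabilities)."""
    st = os.stat(path)
    if uid == 0:                 # root normally bypasses permission bits
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit(image_root, uid, gids):
    """Map each runtime write path to 'writable', 'read-only' or 'missing'."""
    report = {}
    for rel in RUNTIME_WRITE_PATHS:
        try:
            ok = can_write(os.path.join(image_root, rel), uid, gids)
            report[rel] = "writable" if ok else "read-only"
        except FileNotFoundError:
            report[rel] = "missing"
    return report

def build_sample_tree(root):
    """Constructed sample: only conf is group-writable (0775); the rest are 0755."""
    for rel in RUNTIME_WRITE_PATHS:
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, 0o775 if rel == "pulsar/conf" else 0o755)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        st = os.stat(os.path.join(root, "pulsar"))
        # Assumed runtime identity: a UID that does not own the files, in the files' group.
        for rel, state in audit(root, st.st_uid + 1000, {st.st_gid}).items():
            print(f"{state:10} /{rel}")
```

Pointing `audit` at an unpacked image root with the UID and groups the container will run as shows which of the listed paths would still block an unprivileged or read-only deployment.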
