Re: [PR] Pulsar non root docker image

2022-01-20 Thread Michael Marshall
> I am not sure if the fix in https://github.com/apache/pulsar/commit/04b5da0f95794259694cc781e8960b7e52fac06b is sufficient.
Are you able to describe your concerns so that I can address them? That commit resolves the upgrade issue because the secret is readable by any user in the container. S

Re: [PR] Pulsar non root docker image

2022-01-12 Thread Sijie Guo
I am not sure if the fix in https://github.com/apache/pulsar/commit/04b5da0f95794259694cc781e8960b7e52fac06b is sufficient. I would like to see there is at least one integration test that covers running functions on k8s to ensure we don't break the basic stuff.
- Sijie
On Fri, Jan 7, 2022 at 9:5

Re: [PR] Pulsar non root docker image

2022-01-07 Thread Michael Marshall
> Is Functions being verified?
I discussed this a bit in PR 13376's description and comments, please let me know if you have additional questions. I haven't done any extra verification. Note that since [0] is in both 2.8.x and 2.9.x, the upgrade scenario that led us to revert the first non-root w

Re: [PR] Pulsar non root docker image

2022-01-06 Thread Sijie Guo
Is Functions being verified?
- Sijie
On Wed, Jan 5, 2022 at 11:26 AM Michael Marshall wrote:
> PR 13376 is ready for review, PTAL.
>
> What approach should we take regarding docker image size?
> I propose providing a minimal image along with documentation
> on how to add your own debugging tool

Re: [PR] Pulsar non root docker image

2022-01-05 Thread Michael Marshall
PR 13376 is ready for review, PTAL. What approach should we take regarding docker image size? I propose providing a minimal image along with documentation on how to add your own debugging tools. Is that sufficient? I'd like to include this feature in 2.10.0. Note that you can test the new docker

Re: [PR] Pulsar non root docker image

2021-12-22 Thread Michael Marshall
Thanks for raising this important topic, Enrico.
> Basically if you are running as non root, you cannot add tools on demand,
> so we need to add basic tools, like netstat/vim/unzip otherwise when
> you have a problem you are trapped.
I agree that running as a non root user presents challenges

Re: [PR] Pulsar non root docker image

2021-12-21 Thread Enrico Olivelli
Michael, I would like to add this item to the list https://github.com/apache/pulsar/pull/10815 Basically if you are running as non root, you cannot add tools on demand, so we need to add basic tools, like netstat/vim/unzip otherwise when you have a problem you are trapped. There are ways to

Re: [PR] Pulsar non root docker image

2021-12-21 Thread Haiting Jiang
> 1. Pulsar configuration is read in only from configuration files in
> `/pulsar/conf`. A non root user must be able to update these files to
> have run with custom configuration.
About the configurations, I also see a similar requirement like this lately [0]. IMHO, update any configs without redeploy

Re: [PR] Pulsar non root docker image

2021-12-21 Thread Michael Marshall
All tests are now passing for this PR [0]. I built the docker image and pushed it to my personal repository to simplify testing [1] for anyone interested in verifying the changes. I would like our docker image to be as close to immutable as possible. As far as I can tell, here are the only reasons

[PR] Pulsar non root docker image

2021-12-16 Thread Michael Marshall
Hi Pulsar Community, I opened a PR to make our pulsar and pulsar-all docker images non root and OpenShift compliant [0]. As some may remember, we had issues with these changes before due to lack of testing. I plan to test thoroughly before we merge this PR, and it'd be great to have others test to