> Do we need `Support Arbitrary User IDs` in pulsar docker image to allow
> root group r/w `/pulsar` ?

The list of directories that the pulsar process needs to write to is
listed here [0]. In order for the image to work on OpenShift out of
the box, we need to follow the referenced documentation.

I asked if you know of specific security concerns because I do not see
a reason to drop OpenShift unless there are known reasons to avoid
running as a member of the root group.

> It seems that some other opensource projects use specific uid and gid, e.g.

While some may use this pattern, there are others that do not.
Notably, the Bitnami docker images, including ones for rabbitmq and
kafka, run as user 1001 and as members of the root group.

I use Bitnami as a reference because they produce many docker images
for open source [1] projects and have a focus on security. Their
documentation explains the importance of non-root images and also
explains how they conform to the OpenShift requirements [2]. I
interpret this as validation of the pattern.

Thanks,
Michael

[0] https://github.com/apache/pulsar/blob/eded9f107c49f8a3b4450bb2e548ae5a71fa1d78/docker/pulsar/Dockerfile#L86-L92
[1] https://github.com/bitnami/containers/
[2] https://docs.bitnami.com/tutorials/bitnami-best-practices-hardening-containers/#use-arbitrary-uuids


On Tue, Aug 29, 2023 at 10:18 PM asn <yaa...@gmail.com> wrote:
>
> Hi Michael,
>
> Do we need `Support Arbitrary User IDs` in pulsar docker image to allow
> root group r/w `/pulsar` ?
>
> It seems that some other opensource projects use specific uid and gid, e.g.
>
> https://github.com/docker-library/mysql/blob/master/8.0/Dockerfile.debian#L84
> https://github.com/docker-library/postgres/blob/master/16/bullseye/Dockerfile#L10
>
>
> Michael Marshall <mmarsh...@apache.org> wrote on Tue, Aug 29, 2023 at 21:42:
>
> > Hi yaasln,
> >
> > What are the security concerns related to the user being a member of
> > the root group? I used the root group when making the docker image run
> > as a non root user because that follows the OpenShift guidelines [0].
> >
> > Thanks,
> > Michael
> >
> > [0]
> > https://docs.openshift.com/container-platform/3.11/creating_images/guidelines.html#openshift-specific-guidelines
> >
> >
> > On Tue, Aug 29, 2023 at 5:33 AM asn <yaa...@gmail.com> wrote:
> > >
> > > Hi dev,
> > >
> > > Currently, pulsar image uses root group default. To make the image more
> > > safe, we can add a group `pulsar`, and then add the default user `pulsar`
> > > into this group.
> > >
> > > The change is located at https://github.com/apache/pulsar/pull/21084
> > >
> > >
> > > Thanks!
> > >
> > > yaalsn
> >
>
>
> --
> asn
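The two layouts discussed in this thread, written out as an added Dockerfile example (not the Pulsar project's own Dockerfile, whose actual contents are only linked above). The base image, the `/pulsar/data` and `/pulsar/logs` paths and the UID 10000 are assumptions chosen for illustration; the `chgrp -R 0` / `chmod -R g=u` / numeric `USER` sequence is the pattern from the OpenShift guidelines that Michael references.

```dockerfile
# Added example, not code from the Pulsar repository.
# Assumption: a generic JRE base image stands in for whatever Pulsar uses.
FROM eclipse-temurin:17-jre

# ---- Layout A: dedicated `pulsar` user and group (the PR's proposal) ----
# A non-root user whose primary group is a new `pulsar` group.
# If the container is started with its declared UID, this works.
# On OpenShift the container is instead started with a random UID whose
# primary GID is 0, so that process is NOT a member of `pulsar` and
# cannot write to mode-0750 directories owned by pulsar:pulsar.
#
#   RUN groupadd -r pulsar && useradd -r -g pulsar pulsar \
#    && mkdir -p /pulsar/data /pulsar/logs \
#    && chown -R pulsar:pulsar /pulsar \
#    && chmod -R 0750 /pulsar
#   USER pulsar

# ---- Layout B: non-root numeric UID, writable by the root group ----
# Follows the OpenShift "support arbitrary user IDs" guideline:
#  * files stay owned by root, but their group is set to GID 0;
#  * group permissions are copied from owner permissions (g=u), so any
#    process whose GID is 0 can read/write exactly what root could;
#  * USER is numeric so the platform can verify it is non-root without
#    needing /etc/passwd inside the image.
# Assumption: /pulsar/data and /pulsar/logs are the directories the
# process must write to (the real list is in the linked Dockerfile).
RUN mkdir -p /pulsar/data /pulsar/logs \
 && chgrp -R 0 /pulsar \
 && chmod -R g=u /pulsar

# Non-root numeric UID; no entry in /etc/passwd is required.
USER 10000

WORKDIR /pulsar
```

To exercise the OpenShift behaviour locally, start the built image with an arbitrary UID and the root group as primary GID (`docker run --user 12345:0 <image> id`) and confirm that a write into `/pulsar/data` succeeds; the same run against Layout A fails with a permission error, which is the compatibility gap this thread is about. Note that GID 0 in Layout B grants group-0 processes nothing outside the paths that were explicitly `chgrp`'d; it is not equivalent to running as UID 0.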
