Re: [Discuss] Update Helm Chart to Support 2.10 Docker Image
I just merged https://github.com/apache/pulsar-helm-chart/pull/266. I'll
follow up with a proposal that we release a new version of the helm chart.

Thanks,
Michael

On Thu, May 19, 2022 at 2:13 PM Michael Marshall wrote:
>
> Hello Pulsar Community,
>
> With the 2.10.0 release, our Pulsar Docker images default to run as a
> non-root user. In order to use the 2.10.0 Docker image with the Apache
> Pulsar Helm Chart, we need to merge this PR [0]. If you're able,
> please review it. Once merged, I propose that we follow up with a
> release so that users wanting to upgrade to 2.10.0 have an upgrade
> path.
>
> Thanks,
> Michael
>
> [0] https://github.com/apache/pulsar-helm-chart/pull/266
Re: [Discuss] Update Helm Chart to Support 2.10 Docker Image
Hi Michael,

Thanks for the detailed explanation.

On Thu, May 26, 2022 at 11:08 PM Michael Marshall wrote:

> Hi Neng Lu,
>
> I put together a doc [0] that includes some tips for troubleshooting a
> non-root docker image. Some of the details depend on how you're
> deploying Pulsar.
>
> If you can ssh to the host as the root user, you can run `docker exec
> --user 0 ...` to get a shell in the container as the root user.
>
> When running on Kubernetes, you might be able to utilize [1] to gain
> root access to the host node for the pod, and then you can exec into
> the container as the root user, as described in the doc [0]. Or, if
> you don't have any pod security policies, you can set the pod's
> securityContext so that the container runs as the root user.
>
> The final option is to build a custom image with additional tooling.
>
> If you find other helpful resources, feel free to update that doc or
> send a note here, and I'll update the doc.
>
> - Michael
>
> [0] https://github.com/apache/pulsar/blob/master/docker/README.md#troubleshooting-non-root-containers
> [1] https://github.com/kvaps/kubectl-node-shell
>
> On Thu, May 26, 2022 at 5:24 PM Neng Lu wrote:
> >
> > Hi All,
> >
> > I'm curious to learn once the image is run as non-root, how can we debug or
> > investigate production issues inside a running cluster?
> >
> > On Thu, May 19, 2022 at 12:14 PM Michael Marshall wrote:
> >
> > > Hello Pulsar Community,
> > >
> > > With the 2.10.0 release, our Pulsar Docker images default to run as a
> > > non-root user. In order to use the 2.10.0 Docker image with the Apache
> > > Pulsar Helm Chart, we need to merge this PR [0]. If you're able,
> > > please review it. Once merged, I propose that we follow up with a
> > > release so that users wanting to upgrade to 2.10.0 have an upgrade
> > > path.
> > >
> > > Thanks,
> > > Michael
> > >
> > > [0] https://github.com/apache/pulsar-helm-chart/pull/266
> >
> > --
> > Best Regards,
> > Neng

--
Best Regards,
Neng
Re: [Discuss] Update Helm Chart to Support 2.10 Docker Image
Hi Neng Lu,

I put together a doc [0] that includes some tips for troubleshooting a
non-root docker image. Some of the details depend on how you're
deploying Pulsar.

If you can ssh to the host as the root user, you can run `docker exec
--user 0 ...` to get a shell in the container as the root user.

When running on Kubernetes, you might be able to utilize [1] to gain
root access to the host node for the pod, and then you can exec into
the container as the root user, as described in the doc [0]. Or, if
you don't have any pod security policies, you can set the pod's
securityContext so that the container runs as the root user.

The final option is to build a custom image with additional tooling.

If you find other helpful resources, feel free to update that doc or
send a note here, and I'll update the doc.

- Michael

[0] https://github.com/apache/pulsar/blob/master/docker/README.md#troubleshooting-non-root-containers
[1] https://github.com/kvaps/kubectl-node-shell

On Thu, May 26, 2022 at 5:24 PM Neng Lu wrote:
>
> Hi All,
>
> I'm curious to learn once the image is run as non-root, how can we debug or
> investigate production issues inside a running cluster?
>
> On Thu, May 19, 2022 at 12:14 PM Michael Marshall wrote:
>
> > Hello Pulsar Community,
> >
> > With the 2.10.0 release, our Pulsar Docker images default to run as a
> > non-root user. In order to use the 2.10.0 Docker image with the Apache
> > Pulsar Helm Chart, we need to merge this PR [0]. If you're able,
> > please review it. Once merged, I propose that we follow up with a
> > release so that users wanting to upgrade to 2.10.0 have an upgrade
> > path.
> >
> > Thanks,
> > Michael
> >
> > [0] https://github.com/apache/pulsar-helm-chart/pull/266
>
> --
> Best Regards,
> Neng
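Added example, not part of the thread or of the Pulsar project's code: the reply above mentions setting the pod's securityContext so that a container runs as root while debugging. One way to confirm no such override is left in place afterwards is to resolve each container's effective `runAsUser` and `runAsNonRoot` from pod JSON; the pod names and UID 10000 in the sample are constructed.

```python
import json

# Constructed sample shaped like `kubectl get pods -o json` output; the pod
# names and UID 10000 are illustrative, not taken from the Helm chart.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "broker-0"},
  "spec": {"securityContext": {"runAsUser": 10000, "runAsNonRoot": true},
           "containers": [{"name": "broker"}]}},
 {"metadata": {"name": "bookie-0"},
  "spec": {"securityContext": {"runAsUser": 10000},
           "containers": [{"name": "bookie"},
                          {"name": "debug", "securityContext": {"runAsUser": 0}}]}},
 {"metadata": {"name": "zookeeper-0"},
  "spec": {"containers": [{"name": "zookeeper"}]}}
]}
""")

def effective(pod_sc, ctr_sc, key):
    """Container-level securityContext fields override pod-level ones."""
    if key in ctr_sc:
        return ctr_sc[key]
    return pod_sc.get(key)

def audit(pod_list):
    """Return (pod, container, finding) for containers that run or may run as root."""
    findings = []
    for pod in pod_list.get("items", []):
        spec = pod.get("spec", {})
        pod_sc = spec.get("securityContext") or {}
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        for ctr in containers:
            ctr_sc = ctr.get("securityContext") or {}
            uid = effective(pod_sc, ctr_sc, "runAsUser")
            non_root = effective(pod_sc, ctr_sc, "runAsNonRoot")
            if uid == 0:
                finding = "explicit-root"        # debug override still in place
            elif uid is None and not non_root:
                finding = "image-default-user"   # depends on the image's own user
            else:
                continue
            findings.append((pod["metadata"]["name"], ctr["name"], finding))
    return findings

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(*row)
```

An `image-default-user` finding means the container's user is decided entirely by the image, so an image older than 2.10.0 would not get the non-root default described in this thread.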
Re: [Discuss] Update Helm Chart to Support 2.10 Docker Image
Hi All,

I'm curious to learn once the image is run as non-root, how can we debug or
investigate production issues inside a running cluster?

On Thu, May 19, 2022 at 12:14 PM Michael Marshall wrote:

> Hello Pulsar Community,
>
> With the 2.10.0 release, our Pulsar Docker images default to run as a
> non-root user. In order to use the 2.10.0 Docker image with the Apache
> Pulsar Helm Chart, we need to merge this PR [0]. If you're able,
> please review it. Once merged, I propose that we follow up with a
> release so that users wanting to upgrade to 2.10.0 have an upgrade
> path.
>
> Thanks,
> Michael
>
> [0] https://github.com/apache/pulsar-helm-chart/pull/266

--
Best Regards,
Neng
[Discuss] Update Helm Chart to Support 2.10 Docker Image
Hello Pulsar Community,

With the 2.10.0 release, our Pulsar Docker images default to run as a
non-root user. In order to use the 2.10.0 Docker image with the Apache
Pulsar Helm Chart, we need to merge this PR [0]. If you're able,
please review it. Once merged, I propose that we follow up with a
release so that users wanting to upgrade to 2.10.0 have an upgrade
path.

Thanks,
Michael

[0] https://github.com/apache/pulsar-helm-chart/pull/266