commit | 99a0d180b87227c9b2fe54c93a4754d96748b58a | [log] [tgz] |
---|---|---|
author | Michael Marshall <mmarshall@apache.org> | Thu Feb 17 06:51:39 2022 -0600 |
committer | penghui <penghui@apache.org> | Thu Feb 17 20:52:36 2022 +0800 |
tree | 5cded8123a1cf6263510e8ed8fc7c8ac5f32221e | |
parent | 9711525e186577e65c925af0be838bfa3a3251df [diff] |
Make Docker images non-root, by default, and OpenShift compliant (#13376)

Master Issue: https://github.com/apache/pulsar/issues/11269

### Motivation

In order to increase the overall security of our Pulsar docker images, they should default to run as the non-root user. While updating these permissions, I make sure to comply with the OpenShift spec so the docker image can run on that platform out of the box.

Once we finalize these changes, we will need to update the Apache Pulsar Helm chart to make sure that deployments take advantage of this feature. We'll use the `fsGroup` to make sure that k8s sets the appropriate file system permissions for the zookeeper, bookkeeper, and function pods.

### Modifications

* Default to run as UID 10000. As noted in the `Dockerfile`, this UID is arbitrary. No logic should rely on this id.
* Update filesystem permissions so that the group user has sufficient write permission. The group user is 0 (root).
* Remove unnecessary write access.
* The `/pulsar/{conf,data,logs}` directories and their members must be writable by the root group. I don't know of any other directories that need to be written to. Note that the `bin/pulsar-admin` tool creates a log file in the `/pulsar/logs` directory. Please let me know if there are any additional
* Note also that the executable file permissions are already set in our git repo. Those permissions are inherited by the docker image when we run the `COPY` directive in the `Dockerfile`.
* There are no changes to the function worker in the k8s runtime. We do not need them because we already merged https://github.com/apache/pulsar/commit/04b5da0f95794259694cc781e8960b7e52fac06b.
* Add note to `conf/bkenv.sh`, as it is a `.sh` script that is not executable (and doesn't need to be).
* Update test docker image and `supervisord` configuration.

Note: it's unclear to me how the OpenShift spec handles restarts. I know that the UID is arbitrary. It's possible that the umask needs to be switched from `022` to `002`. Setting the umask in the docker image does not persist for consumers of the image, so this would need to be set in a helm chart.

### Verifying this change

You can access a test image built with these changes here: `michaelmarshall/pulsar:2.10.0-SNAPSHOT`. I have already run some manual tests like `bin/pulsar standalone` in the container. I still need to deploy an actual cluster to verify that all of the unique components work correctly.

Because we already merged https://github.com/apache/pulsar/commit/04b5da0f95794259694cc781e8960b7e52fac06b, the upgrade scenarios are already simplified. If this change is in 2.10.0, that means 2.8 and 2.9 will be compatible for certain function worker upgrade scenarios.

I wrote test criteria in https://github.com/apache/pulsar/issues/11269. I'll need to follow up on that criteria using my newly built image. I should be able to look closer at this tomorrow.

We'll also need tests to pass, as I modified some tests with this PR.

### References

The following links were useful in understanding how to make these changes:

* https://engineering.bitnami.com/articles/running-non-root-containers-on-openshift.html
* https://cloud.redhat.com/blog/a-guide-to-openshift-and-uids

### Does this pull request potentially affect one of the following parts:

This PR updates our Docker images in a breaking way. It could result in bookkeepers, zookeepers, or functions with insufficient permissions. We will mitigate these permissions by updating the helm chart. These changes are easily overridden by extending the docker image. In k8s, you can use the pod's `securityContext` to override the user or group.

(cherry picked from commit f7f861988780578e2ba102ce4e22fa8841c13e3b)
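The group-write requirement and the `022` versus `002` umask question raised in the commit message can be checked mechanically. The script below is an added example, not code from the Pulsar repository or the commit author; the function names are hypothetical, and the scratch directory's own group stands in for GID 0 so it runs unprivileged.

```shell
#!/usr/bin/env bash
# Added example, not part of the Pulsar commit. Function names are hypothetical.
# Under OpenShift's model the container gets an arbitrary UID but keeps GID 0,
# so each path it writes must be owned by that group and carry group write
# (plus group search on directories), without being world-writable.

# audit_group_writable ROOT [GID]: print every path under ROOT that a
# different UID in group GID could not safely write. Symlinks are skipped.
audit_group_writable() {
  local root=$1 gid=${2:-0}
  find "$root" ! -type l \( \
      ! -group "$gid" -o ! -perm -g+w -o -perm -o+w \
      -o \( -type d ! -perm -g+x \) \
    \) -print
}

# offenders_with_umask MASK: create a small data tree the way a running
# process would under MASK, then count the paths the audit rejects.
offenders_with_umask() {
  local mask=$1 dir gid n
  dir=$(mktemp -d)
  # Constructed stand-in for GID 0: the scratch directory's own group,
  # so the example runs without root.
  gid=$(ls -ldn "$dir" | awk '{print $4}')
  (
    umask "$mask"
    mkdir -p "$dir/data/ledgers"
    : > "$dir/data/ledgers/current"
  )
  n=$(audit_group_writable "$dir/data" "$gid" | wc -l)
  rm -rf "$dir"
  echo $((n))
}

for mask in 022 002; do
  echo "umask $mask: $(offenders_with_umask "$mask") path(s) fail the audit"
done
```

Inside a built image, `audit_group_writable /pulsar/data 0` (and likewise for `/pulsar/conf` and `/pulsar/logs`) lists any path that a second arbitrary UID in the root group could not write.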
Pulsar is a distributed pub-sub messaging platform with a very flexible messaging model and an intuitive client API.
Learn more about Pulsar at https://pulsar.apache.org
This repository is the main repository of Apache Pulsar. Pulsar PMC also maintains other repositories for components in the Pulsar ecosystem, including connectors, adapters, and other language clients.
Requirements:
Compile and install:
$ mvn install -DskipTests
Compile and install individual module
$ mvn -pl module-name (e.g: pulsar-broker) install -DskipTests
mvn install -Pcore-modules,-main -DskipTests
Run Unit Tests:
$ mvn test
Run Individual Unit Test:
$ mvn -pl module-name (e.g: pulsar-client) test -Dtest=unit-test-name (e.g: ConsumerBuilderImplTest)
Run Selected Test packages:
$ mvn test -pl module-name (for example, pulsar-broker) -Dinclude=org/apache/pulsar/**/*.java
Start standalone Pulsar service:
$ bin/pulsar standalone
Check https://pulsar.apache.org for documentation and examples.
Docker images must be built with Java 8 for `branch-2.7` or previous branches because of issue 8445. Java 11 is the recommended JDK version in `master`/`branch-2.8`.
This builds the docker images `apachepulsar/pulsar-all:latest` and `apachepulsar/pulsar:latest`.
```bash
mvn clean install -DskipTests
mvn package -Pdocker,-main -am -pl docker/pulsar-all -DskipTests
```
After the images are built, they can be tagged and pushed to your custom repository. Here's an example of a bash script that tags the docker images with the current version and git revision and pushes them to `localhost:32000/apachepulsar`.
```bash
image_repo_and_project=localhost:32000/apachepulsar
pulsar_version=$(mvn initialize help:evaluate -Dexpression=project.version -pl . -q -DforceStdout)
gitrev=$(git rev-parse HEAD | colrm 10)
tag="${pulsar_version}-${gitrev}"
echo "Using tag $tag"
docker tag apachepulsar/pulsar-all:latest ${image_repo_and_project}/pulsar-all:$tag
docker push ${image_repo_and_project}/pulsar-all:$tag
docker tag apachepulsar/pulsar:latest ${image_repo_and_project}/pulsar:$tag
docker push ${image_repo_and_project}/pulsar:$tag
```
Apache Pulsar uses Lombok, so make sure your IDE is set up with the required plugins.
Open Project Settings.
Click File -> Project Structure -> Project Settings -> Project.
Select the JDK version.
From the JDK version drop-down list, select Download JDK... or choose an existing recent Java 11 JDK version.
In the download dialog, select version 11. You can pick a version from many vendors. Unless you have a specific preference, choose Eclipse Temurin (AdoptOpenJDK (Hotspot)).
Open Maven Importing Settings dialog by going to Settings -> Build, Execution, Deployment -> Build Tools -> Maven -> Importing.
Choose Use Project JDK for JDK for Importer setting. This uses the Java 11 JDK for running Maven when importing the project to IntelliJ. Some of the configuration in the Maven build is conditional based on the JDK version. Incorrect configuration gets chosen when the “JDK for Importer” isn't the same as the “Project JDK”.
Validate that the JRE setting in Maven -> Runner dialog is set to Use Project JDK.
Open Annotation Processors Settings dialog box by going to Settings -> Build, Execution, Deployment -> Compiler -> Annotation Processors.
Select the following buttons:
Set the generated source directories to be equal to the Maven directories:
Click OK.
Install the Lombok plugin in IntelliJ.
Open Code Style Settings dialog box by going to Settings -> Editor -> Code Style.
Click on the :gear: symbol -> Import scheme -> IntelliJ IDEA code style XML
Pick the file ${pulsar_dir}/src/idea-code-style.xml
On the dialog box that opens, click OK.
Ensure the scheme you just created is selected in Scheme dropdown then click OK.
Install the Checkstyle-IDEA plugin.
Open Checkstyle Settings dialog box by going to Settings -> Tools -> Checkstyle.
Set Checkstyle version to 8.37.
Set Scan scope to Only Java sources (including tests).
Click + button in the Configuration section to open a dialog to choose the checkfile file.
Activate the configuration you just added by toggling the corresponding box.
Click OK.
When working on the Pulsar core modules in IntelliJ, reduce the number of active projects in IntelliJ to speed up IDE actions and reduce unrelated IDE warnings.
Run the “Generate Sources and Update Folders For All Projects” action from the Maven UI toolbar. You can also find the action by the name in the IntelliJ “Search Everywhere” window that gets activated by pressing the Shift key twice. Running the action takes about 10 minutes for all projects. This is faster when the “core-modules” profile is the only active profile.
In the case of compilation errors with missing Protobuf classes, ensure to run the “Generate Sources and Update Folders For All Projects” action.
All of the Pulsar source code doesn't compile properly in IntelliJ and there are compilation errors.
`mvn test -Dtest=TestClassName` command.
The above steps have all been performed, but a test still won't run.
`mvn clean install -DskipTests` on the command line.
Follow the instructions here to configure your Eclipse setup.
Refer to the docs README.
Name | Scope | | | |
---|---|---|---|---|
users@pulsar.apache.org | User-related discussions | Subscribe | Unsubscribe | Archives |
dev@pulsar.apache.org | Development-related discussions | Subscribe | Unsubscribe | Archives |
Pulsar slack channel at https://apache-pulsar.slack.com/
You can self-register at https://apache-pulsar.herokuapp.com/
Licensed under the Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
This distribution includes cryptographic software. The country in which you currently reside may have restrictions on the import, possession, use, and/or re-export to another country, of encryption software. BEFORE using any encryption software, please check your country's laws, regulations and policies concerning the import, possession, or use, and re-export of encryption software, to see if this is permitted. See http://www.wassenaar.org/ for more information.
The U.S. Government Department of Commerce, Bureau of Industry and Security (BIS), has classified this software as Export Commodity Control Number (ECCN) 5D002.C.1, which includes information security software using or performing cryptographic functions with asymmetric algorithms. The form and manner of this Apache Software Foundation distribution makes it eligible for export under the License Exception ENC Technology Software Unrestricted (TSU) exception (see the BIS Export Administration Regulations, Section 740.13) for both object code and source code.
The following provides more details on the included cryptographic software: Pulsar uses the SSL library from Bouncy Castle written by http://www.bouncycastle.org.