-
Notifications
You must be signed in to change notification settings - Fork 220
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Pulsar proxy fails to start with pulsar Docker image that uses non-root user #110
Comments
I proposed the following solution in apache/pulsar#8796 (comment). It's copied here:
I'm happy to discuss alternatives. |
@sijie and @lhotari - what are your thoughts here? It'd be good to solve this soon so that it doesn't affect end users when we release 2.8.0 soon. I see a couple options.
|
In thinking more about this more, we have a problem for our users that upgrade to 2.8.0 from any previous version of pulsar. The persistent data written by prior bookie and zookeeper pods will be owned by the root user, not the new Solution 1 (mentioned above) is not sufficient to prevent breaking clusters during upgrade. We need to either run bookie and zookeeper containers as the root user by default and have users opt in to running them as non-root containers, or we need to solve the upgrade problem in the chart. Perhaps we can solve this by providing an optional init container that properly changes file system ownership for the bookie/zookeeper pods. Given that our users have already been running the containers as the root user, I don't see any conflict in using a privileged init container just this once. Whatever path we choose, I would like to try to give new users a rootless deployment by default. I am not familiar with how helm manages upgrades versus new deployments, but perhaps there is a way to have conditional logic that branches on upgrade vs new deployment? |
@michaeljmarshall Helm has a built-in variable that can tell you whether it is doing an install or an upgrade. For example, you can do something like this:
Alternatively, you can use Helm Hooks. |
* Fix configMap key value template * Add fix for bookeeper and autorecovery configMaps
Setting the proxy port to 8080 can resolve this issue. |
Fixed. |
Problem
There's a permission issue in pulsar-proxy when using a Docker image that uses a non-root user.
The 2.8.0-SNAPSHOT Pulsar docker images use a non-root user. This change was made in apache/pulsar#8796 .
Since the default configuration uses port 80 and now when the default user is "pulsar", it cannot bind to port 80.
This is the error log in pulsar-proxy-0 pod:
The problem goes away after changing the port to 8080 in values.yaml:
The text was updated successfully, but these errors were encountered: