[Issue 8751] Update Dockerfile for Pulsar and Dashboard to Create and Use pulsar User (nonroot user)

[michaeljmarshall]

Fixes #8751

Motivation

Pulsar does not need to run as the root user. This PR updates the pulsar and the pulsar dashboard images to make them run as a new pulsar user (user 1000 10000 and group 10001). This change increases the security of pulsar images.

Modifications

Update two Dockerfiles to create a pulsar user, chown the appropriate directories, and then use that user by default.

Verifying this change

• Make sure that the change passes the CI checks.

I manually verified that the docker images run with the correct user and file permissions. As this is my first commit, I'm not familiar with pulsar testing. Are there tests that run against the produced docker images? If so, then there is likely no further testing needed.

Does this pull request potentially affect one of the following parts:

If yes was chosen, please highlight the changes

• Dependencies (does it add or upgrade a dependency): no
• The public API: no
• The schema: no
• The default values of configurations: no
• The wire protocol: no
• The rest endpoints: no
• The admin cli options: no
• Anything that affects deployment: yes
  In order to deploy this new docker container, users will need to update the journal and ledgers directories on the host to be owned by user 1000 10000 and group 1000 10001.

Documentation

Documentation will be required for this change because users will need to set up their hosts differently to properly give permission to user 1000 10000 and group 1000 10001 in order to allow the container to write to the appropriate host volumes. However, I'd like to see if this approach is accepted before adding documentation.

[michaeljmarshall]

I pushed updates to use the user's id instead of name, and I pushed an update to properly chown the added directories in the pulsar-all Dockerfile. After fully building the project tonight, I noticed that the pulsar-standalone image still runs as the root user and that all of its directories are owned by root or by postgres. That docker image looks a bit more complicated than the pulsar and pulsar-all images, so I am going to refrain from updating that Dockerfile.

[michaeljmarshall]

This PR would also fix issue #7210.

[michaeljmarshall]

I pushed a commit to clean up my initial commit and to try to make the tests pass.

Note: I removed the RUN chown -R pulsar:pulsar /pulsar line from the Dockerfile in favor of "chowning" directories and files as they are created because it added about 350 mb to the produced image (credit to @devoncrouse for pointing out that optimization).

[sijie]

@addisonj ^^

[michaeljmarshall]

I haven't yet had the time to dig into the tests to understand why they're failing. I think I'll be able to look into it later this week--although, I am new to the project, so any direction as to where things might be failing would be greatly appreciated.

[sijie]

@michaeljmarshall when the docker image is used in Kubernetes, the helm chart will mount the disks to /pulsar/data. Does it change the permission?

[michaeljmarshall]

Kubernetes will not change the file system permissions by default. If the volume is owned by root, the container will also view the mounted volume as owned by root, which would be a problem for the container produced from this docker image.

In Linux, the mounted volume will need to be writable by user 1000. I'm not certain how Docker users map to host users in other operating systems.

Here is the Kubernetes documentation on permissions and pods. It looks like there has been active development in the mounted volume permission domain.

I'm not sure how the pulsar project handles this type of change. Given that administrators of pulsar clusters should have access to the nodes running pulsar, it seems reasonable to me that those administrators could change the ownership of the relevant directories before upgrading to the next version of pulsar. The current containers would have root permissions, and would be able to write to directories/files owned by user 1000, so a rolling upgrade could still be achieved.

Is there any precedent for this type of change? I would really like to get this into the 2.8.0 release, so that we can increase the security of pulsar containers and I can stop maintaining my own fork of the project. However, I also recognize the importance of carefully releasing major changes to a project.

As I mentioned in my initial PR description, it might be relevant to provide migration documentation, but I'm not sure where to put it.

[michaeljmarshall]

@sijie - after thinking about this, I think it might be helpful, and possibly necessary, to make a corresponding update to the helm chart to allow end users to choose how the container is run in kubernetes. Because docker allows an end user to choose the user that a container runs with, it is trivial for end users to run the container as root until they're able to update the host file system to have the appropriate permissions for the /puslar/conf and /pulsar/data directories. Let me know what you think.

[sijie]

I haven't yet had the time to dig into the tests to understand why they're failing.

That's probably related to flaky test environment. Can you try to rebase your branch to latest master to include some of recent fixes around tests?

[michaeljmarshall]

@sijie - I rebased and pushed, but it looks like the tests still failed. I'll try to take a closer look at the tests tomorrow.

[michaeljmarshall]

Of the 14 failed checks, there are 3 unique errors being logged. The first two seem like symptoms of an earlier failures. Here are the stages being run, and the errors output:

run integration tests -> Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:3.0.0-M3:test (default-test) on project integration: There are test failures.

build pulsar image -> Failed to execute goal com.spotify:dockerfile-maven-plugin:1.4.13:build (default) on project pulsar-docker-image: Execution default of goal com.spotify:dockerfile-maven-plugin:1.4.13:build failed: Could not acquire image ID or digest following build -> [Help 1]

run unit test 'OTHER' -> Error: TestOpenAndWriteSink(org.apache.pulsar.io.rabbitmq.sink.RabbitMQSinkTest) Time elapsed: 0.01 s <<< FAILURE! java.net.ConnectException: Connection refused (Connection refused)

@sijie - any chance that the run unit test 'OTHER' failure is related to a flaky test? If not, perhaps something I changed is affecting that test. (Here is that failing check.)

[sijie]

@michaeljmarshall It seems that all integration tests failed. It seems that it is related to this change. I am trying it locally.

[michaeljmarshall]

I had missed a \ in my previous commit, and that caused an error while running the docker build step. After fixing that, as well as a permissions issue on creating directories, it looks like there are some additional issues during container initialization where pulsar tries to create or write to files not in the /pulsar directory. I'll look into this soon and add a new commit to fix it.

[michaeljmarshall]

After digging into this morning's test failures, I can see that the tests failed because we're using supervisord to spawn the pulsar processes (broker, bookie, etc.) and our configuration script needed permission to edit supervisord configuration files. My latest commit updates the docker image used to run tests (pulsar-test-latest-version) so that the container runs as the root user, supervisord runs as root, and supervisord will spawn pulsar components as the pulsar user.

I am slightly concerned that this approach requires configuration in multiple places (each of the pulsar component conf files) to maintain the correctness of the tests. Given that new components are likely rare, I think it should be simple enough to maintain, but I want to call this risk out. The risk is that a new test could accidentally run as root and work because it somehow relies on running as root.

[michaeljmarshall]

This latest commit includes a fix to make the pulsar python client available to the root and the pulsar user. This is necessary for pulsar functions and was exposed by the pulsar function integration tests, which currently run as the root user in the pulsar-test-latest-version docker container (this image defaults to run as root).

I think we should convert the pulsar function tests to run as the pulsar user. I'll look at adding that to a later commit.

These test failures (related to problems running as root vs pulsar) raise an important question about backwards compatibility and the published docker images. I think it adds value to let the container run as either the root user or the pulsar user to allow for end users to transition to the non-root version. As such, this commit installs the pulsar python client so that it's available to the root and pulsar.

However, I don't think it is necessary to run tests as the root user because it is unlikely that the root user will have any other problems. Based on a limited understanding of the tests, the pulsar functions are likely one of the only processes that rely on python, making it the only process that use the pip dependencies. It'd be great to have some perspective from people more familiar with the project and any other edge cases in different deployments.

[michaeljmarshall]

Rebased my branch with master.

[michaeljmarshall]

Based on a recent blogpost, https://github.com/hexops/dockerfile#do-not-use-a-uid-below-10000, I decided to change the pulsar user id to 10000 and the group id to 10001 in this most recent commit. Further, I added some documentation for the getting started with docker.

[michaeljmarshall]

@sijie - on this previous commit, it looks like the tests that failed only failed due to timeouts. On the commit before the latest one, the only test failure was from a maven issue that was unrelated to my change. At this point, it seems to me that the underlying change is valid, but I'm wondering if there is any chance that I'm running into flaky tests. If you think it's likely a problem with my changes, is there anyone who can help me troubleshoot these test failures? I'm happy to keep digging, but I think it might be more productive if I can get some guidance. Thanks!

[sijie]

@michaeljmarshall the integration tests passed. so that means your change is good. Other failures are flaky tests. I will rebase your branch to latest master (as there are some fixes in master to improve tests).

[michaeljmarshall]

@sijie - thanks for the insight. I just rebased and pushed my branch.

[sijie]

/pulsarbot run-failure-checks

[michaeljmarshall]

After discussion in #8242 and some additional research, I found a better way to meet all requirements to build this image to run with a non root user. I have the solution half implemented and will need to do some testing to make sure it looks as I expect before I add another commit.

[michaeljmarshall]

Rebased to see if any of the recent test improvements help make this PR pass tests.

[sijie]

@michaeljmarshall Thank you for your contribution!

[eolivelli]

@michaeljmarshall after this commit I am no more able to build the Docker image locally

cd docker
mvn package -Pdocker  

[INFO] --- exec-maven-plugin:1.6.0:exec (build-pulsar-clients-python-35) @ pulsar-docker-image ---
--------- Build Python wheel for 3.7 -- cp37-cp37m
Using image: apachepulsar/pulsar-build:manylinux-cp37-cp37m
bash: /pulsar/pulsar-client-cpp/docker/build-wheel-file-within-docker.sh: No such file or directory
[ERROR] Command execution failed.
org.apache.commons.exec.ExecuteException: Process exited with an error: 127 (Exit value: 127)
    at org.apache.commons.exec.DefaultExecutor.executeInternal (DefaultExecutor.java:404)
    at org.apache.commons.exec.DefaultExecutor.execute (DefaultExecutor.java:166)
    at org.codehaus.mojo.exec.ExecMojo.executeCommandLine (ExecMojo.java:804)
    at org.codehaus.mojo.exec.ExecMojo.executeCommandLine (ExecMojo.java:751)
    at org.codehaus.mojo.exec.ExecMojo.execute (ExecMojo.java:313)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:210)

Are you able to build it locally ?

[eolivelli]

The error is not due to this patch, I reproduce it on previous commits.
There must be something wrong in my env.
Sorry for the noise

[lhotari]

Today I started running some tests for 2.8.0-SNAPSHOT images. There's a permission issue in pulsar-proxy since the default configuration uses port 80 and now when the default user is "pulsar", it cannot bind to port 80.

This is the error log in pulsar-proxy-0 pod:

14:38:21.477 [main] ERROR org.apache.pulsar.proxy.server.ProxyServiceStarter - Failed to start pulsar proxy service. error msg Failed to start HTTP server on ports [80]
java.io.IOException: Failed to start HTTP server on ports [80]
at org.apache.pulsar.proxy.server.WebServer.start(WebServer.java:246) ~[org.apache.pulsar-pulsar-proxy-2.8.0-SNAPSHOT.jar:2.8.0-SNAPSHOT]
at org.apache.pulsar.proxy.server.ProxyServiceStarter.<init>(ProxyServiceStarter.java:177) [org.apache.pulsar-pulsar-proxy-2.8.0-SNAPSHOT.jar:2.8.0-SNAPSHOT]
at org.apache.pulsar.proxy.server.ProxyServiceStarter.main(ProxyServiceStarter.java:186) [org.apache.pulsar-pulsar-proxy-2.8.0-SNAPSHOT.jar:2.8.0-SNAPSHOT]
Caused by: java.net.SocketException: Permission denied
at sun.nio.ch.Net.bind0(Native Method) ~[?:1.8.0_282]
at sun.nio.ch.Net.bind(Net.java:461) ~[?:1.8.0_282]
at sun.nio.ch.Net.bind(Net.java:453) ~[?:1.8.0_282]
at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:222) ~[?:1.8.0_282]
at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:85) ~[?:1.8.0_282]
at org.eclipse.jetty.server.ServerConnector.openAcceptChannel(ServerConnector.java:345) ~[org.eclipse.jetty-jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120]
at org.eclipse.jetty.server.ServerConnector.open(ServerConnector.java:310) ~[org.eclipse.jetty-jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120]
at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:80) ~[org.eclipse.jetty-jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120]
at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234) ~[org.eclipse.jetty-jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120]
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) ~[org.eclipse.jetty-jetty-util-9.4.35.v20201120.jar:9.4.35.v20201120]
at org.eclipse.jetty.server.Server.doStart(Server.java:401) ~[org.eclipse.jetty-jetty-server-9.4.35.v20201120.jar:9.4.35.v20201120]
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) ~[org.eclipse.jetty-jetty-util-9.4.35.v20201120.jar:9.4.35.v20201120]
at org.apache.pulsar.proxy.server.WebServer.start(WebServer.java:224) ~[org.apache.pulsar-pulsar-proxy-2.8.0-SNAPSHOT.jar:2.8.0-SNAPSHOT]
... 2 more
2021-03-19 02:38:21,480 [sun.misc.Launcher$AppClassLoader@7ef20235] error Uncaught exception in thread main: java.io.IOException: Failed to start HTTP server on ports [80]

The problem goes away after changing the port to 8080 in values.yaml:

proxy:
  ports:
    http: 8080

@michaeljmarshall @sijie I wonder how to address this breaking change in pulsar-helm-chart?

[michaeljmarshall]

@lhotari - good catch. I think the easiest way to prevent a breaking change in the helm chart is to default to using the root user in the helm chart's deployment for the pulsar proxy. We could then add a configuration that allows users to opt in to running that container as a non root user.

Essentially, we need to default a pulsar proxy pod's security context to the following:

  securityContext:
    runAsUser: 0
    runAsGroup: 0

I believe all other pulsar containers should still be able to run as the non root user.

(I am assuming that we want to prevent breaking changes here as the 2.8.0 release is only a minor version bump.)

[lhotari]

@michaeljmarshall @sijie I reported the issue as apache/pulsar-helm-chart#110 in pulsar-helm-chart so that it gets tracked.