[fix][broker] Support running docker container with gid != 0

[lhotari]

Motivation

Currently Pulsar's docker image must be run with gid=0. There are environments where the group id 0 is prohibited by default. One example is Tanzu Kubernetes Grid <=1.24 where a default Pod Security Policy called vmware-system-restricted is used. That PSP contains this type of rule:

supplementalGroups:
  rule: MustRunAs
  ranges:
    - min: 1
      max: 65535
runAsUser:
  rule: MustRunAsNonRoot
fsGroup:
  rule: MustRunAs
  ranges:
    - min: 1
      max: 65535

In this case, it's not possible to use Pulsar's docker image since Pulsar needs write access to a few directories.

Modifications

change the owner of the writable directories to user id 10000.

This will allow Tanzu to work with this type of securityContext for each Pulsar component (Broker, Zookeeper, Bookkeeper)

  securityContext:
    runAsNonRoot: true
    runAsGroup: 10001
    fsGroup: 10001
    runAsUser: 10000

Workaround

Before this fix is included, it's possible to create an overlay image where the ownership is modified for the required directories

Dockerfile

ARG IMAGE=apachepulsar/pulsar-all
ARG TAG=3.0.2
FROM ${IMAGE}:${TAG}
USER 0
RUN for SUBDIRECTORY in conf data download logs; do \
     chown -R 10000:0 /pulsar/$SUBDIRECTORY; \
     done
USER 10000

sample of building and pushing a patched image:

docker build -t lhotari/pulsar-all-user10000:3.0.2 .
docker push lhotari/pulsar-all-user10000:3.0.2

Documentation

• doc
• doc-required
• doc-not-needed
• doc-complete

[michaeljmarshall]

LGTM

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (0b6bd70) 73.57% compared to head (912d41e) 73.65%.

Additional details and impacted files

@@             Coverage Diff              @@
##             master   #22081      +/-   ##
============================================
+ Coverage     73.57%   73.65%   +0.07%     
- Complexity    32553    32583      +30     
============================================
  Files          1874     1874              
  Lines        139252   139252              
  Branches      15260    15260              
============================================
+ Hits         102451   102560     +109     
+ Misses        28877    28782      -95     
+ Partials       7924     7910      -14     

Flag	Coverage Δ
inttests	24.67% <ø> (-0.16%)	⬇️
systests	24.42% <ø> (-0.04%)	⬇️
unittests	72.90% <ø> (+0.07%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

see 80 files with indirect coverage changes

[lhotari]

Good way to reproduce the issue with the current container (before applying this fix):

❯ docker run --user 10000:10001 -e advertisedAddress=foobar --rm -it apachepulsar/pulsar:3.0.2  sh \
-c "bin/apply-config-from-env.py conf/standalone.conf && bin/pulsar standalone"
[conf/standalone.conf] Applying config advertisedAddress = foobar
Traceback (most recent call last):
  File "/pulsar/bin/apply-config-from-env.py", line 104, in <module>
    f = open(conf_filename, 'w')
PermissionError: [Errno 13] Permission denied: 'conf/standalone.conf'

[lhotari]

I created a separate issue about the issue with readOnlyRootFilesystem, #22088.