Ricardo,
Thanks for the reply.
I like the solution of providing username in /etc/passwd via an entrypoint.sh, the only problem is this entrypoint.sh is provided in another repo or any other repo that uses this UBI-hive.
According to my use case where it uses hive-metastore to store table schema and partitions info for Trino, I’m using the entrypoint.sh solution now, I wonder if it’s a good idea to provide such entrypoint.sh within the image itself, or at least document it that it needs to provide a username for the java process or it won’t function.
Hello Ke,
Can you share your use-case for the ubi-hive image? What problem are you facing?
When creating images to run on top of OpenShift, we follow some guidelines[1] to improve security in the deployments. Explicitly assigning a username is not a good practice because of the random UIDs that can be assigned to the container running on OpenShift, and thus adding an entry in /etc/passwd from an entrypoint script is the solution for processes that need a name assigned to a UID. Due to this, I think your change won't be accepted by the ubi-hive developers. That being said, though we use their image with Trino, they are not part of the ODH community.
Hope that helps.
--
Ricardo Martinelli De Oliveira
Senior Software Engineer, AI CoE
Red Hat Brazil
Av. Brigadeiro Faria Lima, 3900
8th floor
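
The entrypoint approach discussed in this thread, sketched as an added example that is not part of either message or of the ubi-hive image. The function name, the `APP_USER` variable and the default name `hive` are assumptions, as is an image build step that leaves /etc/passwd writable by group 0.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed names: ensure_passwd_entry,
# APP_USER, default name "hive". Assumes the image build left /etc/passwd
# writable by group 0, the group an arbitrary OpenShift UID runs with.

# ensure_passwd_entry FILE UID NAME HOME
# Returns 0 when UID has an entry afterwards, 1 on rejected input,
# 2 when FILE cannot be written.
ensure_passwd_entry() {
    pw_file=$1 pw_uid=$2 pw_name=$3 pw_home=$4
    nl='
'
    # Reject values that could add extra fields or lines to the file.
    case $pw_uid in ''|*[!0-9]*) return 1 ;; esac
    case $pw_name in ''|*[!a-z0-9_-]*|[!a-z_]*) return 1 ;; esac
    case $pw_home in *:*|*"$nl"*) return 1 ;; esac
    case $pw_home in /*) ;; *) return 1 ;; esac

    # Nothing to do when the UID already resolves (fixed-UID runtimes, restarts).
    if awk -F: -v u="$pw_uid" '$3 == u { f = 1 } END { exit !f }' "$pw_file" 2>/dev/null; then
        return 0
    fi
    # Never reuse a name that already maps to another UID (for example root).
    if awk -F: -v n="$pw_name" '$1 == n { f = 1 } END { exit !f }' "$pw_file" 2>/dev/null; then
        return 1
    fi
    [ -w "$pw_file" ] || return 2
    printf '%s:x:%s:0:%s user:%s:/sbin/nologin\n' \
        "$pw_name" "$pw_uid" "$pw_name" "$pw_home" >> "$pw_file"
}

# Entrypoint behaviour: runs only when the container passes a command.
if [ "$#" -gt 0 ]; then
    ensure_passwd_entry /etc/passwd "$(id -u)" "${APP_USER:-hive}" "${HOME:-/tmp}" ||
        echo "warning: UID $(id -u) has no passwd entry" >&2
    exec "$@"
fi
```

Because the file has to be group-writable for this to work, the input checks matter: the name and home values come from the environment and are written verbatim into /etc/passwd.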