KAFKA-16373: KIP-1028: Addressing Docker Official Images PR Comments for JVM, Native and Docker Official Images #16664
Conversation
docker/version_keys.py
Outdated
| @@ -0,0 +1,5 @@ | |||
| version_keys = { | |||
There was a problem hiding this comment.
Can we use json file instead. I don't think we should be creating a separate python file for this
There was a problem hiding this comment.
I used a python file for 2 main reasons
- Simple json file has the overhead of opening the JSON file and loading its contents into a Python object, and use it further (boils down to the same as using a python dict)
- Secondly, if for unsupported versions, we might want to remove GPG_KEYS, working with python dicts would be much simpler for any automation script we add.
LMK if these sound valid justifications for using a python dict as a new python file.
There was a problem hiding this comment.
I think we should use json if we are using a separate file. It's just a more standard way of maintaining data like this imo. Overhead would be minimal imo.
There was a problem hiding this comment.
This change has been made
docker/jvm/Dockerfile
Outdated
| wget -nv -O KEYS https://downloads.apache.org/kafka/KEYS; \ | ||
| gpg --import KEYS; \ | ||
| for server in ha.pool.sks-keyservers.net $(shuf -e \ | ||
| hkp://p80.pool.sks-keyservers.net:80 \ |
There was a problem hiding this comment.
Can we try using https://downloads.apache.org/kafka/KEYS for verification
There was a problem hiding this comment.
This change does not work for all versions, so reverting to the original server list approach.
There was a problem hiding this comment.
Can we confirm that the list of key servers is going to cover all the GPG keys created in future? If not can we have a mechanism for the RM to add their GPG key server, if it's not present in the list.
There was a problem hiding this comment.
Sure, we will add this to the documentation as part of the release process.
docker/jvm/Dockerfile
Outdated
| wget -nv -O KEYS https://downloads.apache.org/kafka/KEYS; \ | ||
| gpg --import KEYS; \ | ||
| for server in ha.pool.sks-keyservers.net $(shuf -e \ | ||
| hkp://p80.pool.sks-keyservers.net:80 \ |
There was a problem hiding this comment.
Can we try using https://downloads.apache.org/kafka/KEYS for verification
There was a problem hiding this comment.
This change does not work for all versions, so reverting to the original server list approach.
There was a problem hiding this comment.
The guys from docker hub official won't like external download dependencies - we had that discussion for Storm a few months ago. We workaround that for Apache Storm here: https://github.com/apache/storm-docker/blob/master/automation/create-key-section.sh and here https://github.com/apache/storm-docker/blob/master/2.6.3-jre17/Dockerfile#L40 - might also an option for Kafka ;-)
There was a problem hiding this comment.
Hi @rzo1 ! Thanks for these suggestions!
A few small queries here:
The guys from docker hub official won't like external download dependencies
By this you mean that they wont approve of something along the lines of
wget -nv -O KEYS https://downloads.apache.org/kafka/KEYS; \
gpg --import KEYS;
correct?
We did receive a comment from the Dockerhub folks regarding this (see Point 5 here).
So we went along and changed the above approach. Now we pass the GPG_KEY as an argument/environment variable, and then use something along the lines of this.
I went through the approach followed by Storm, and that seems like a great way to approach this too. However, for Kafka, there are a lot of existing keys that are returned (see attached image), which might just inflate the length of the Dockerfile (hence we decided with the arg/env approach).
In your experience, do you think the modified approach (here, here and here) would be liked by the Dockerhub folks, or with the discussion you had for Storm, do you anticipate any issue in this approach too?
Thanks a lot again!
Krish.
There was a problem hiding this comment.
I think they will just complain, if they don't like it :-) - for Storm, we had one iteration.
docker/version_keys.py
Outdated
| @@ -0,0 +1,5 @@ | |||
| version_keys = { | |||
There was a problem hiding this comment.
- maybe rename to version_gpg_keys
- missing license
- Can we add comment to the file about the format of this file.
There was a problem hiding this comment.
Thanks for the review @omkreddy .
- Renamed this to version_gpg_keys, the name now better reflects what the file stands for.
2, 3: Sorry, missed out on adding these! Added the same to the scripts.
Thanks!
|
This PR is being marked as stale since it has not had any activity in 90 days. If you If you are having difficulty finding a reviewer, please reach out on the [mailing list](https://kafka.apache.org/contact). If this PR is no longer valid or desired, please feel free to close it. If no activity occurs in the next 30 days, it will be automatically closed. |
|
This PR is to be kept open as Docker Official Image PR is waiting on review from Dockerhub folks. |
This PR aims to add address the comments added via the docker hub folks regarding the JVM based Docker Official Image for Apache Kafka introduced in the following KIP - https://cwiki.apache.org/confluence/display/KAFKA/KIP-1028%3A+Docker+Official+Image+for+Apache+Kafka . The comments by the dockerhub folks can be found here .
This PR:
Addresses comments 1,3,4,5,6,7,8,9 mentioned in the above link.
NOTE: The changes have been made to both the JVM docker images introduced via KIP-975 as well as the GraalVM docer images introduced via KIP-974. This ensures that the docker hub suggested best practices will now be used for both the OSS sponsored images as well as the Docker Official Images.
Gist:
Post this PR:
Committer Checklist (excluded from commit message)