fix: permission denied in the docker image

docker/Dockerfile

@@ -17,6 +17,39 @@
 # under the License.
 #
 
+FROM alpine:3.20 as bk-dist
+
+ARG BK_VERSION=4.17.1
+ARG DISTRO_NAME=bookkeeper-server-${BK_VERSION}-bin
+ARG DISTRO_URL=https://archive.apache.org/dist/bookkeeper/bookkeeper-${BK_VERSION}/${DISTRO_NAME}.tar.gz
+
+RUN apk update && apk add gpg gpg-agent wget \
+        && cd /opt \
+        && wget -q "${DISTRO_URL}" \
+        && wget -q "${DISTRO_URL}.asc" \
+        && wget -q "${DISTRO_URL}.sha512" \
+        && sha512sum -c ${DISTRO_NAME}.tar.gz.sha512 \
+        && wget -q https://dist.apache.org/repos/dist/release/bookkeeper/KEYS \
+        && gpg --import KEYS \
+        && gpg --batch --verify "$DISTRO_NAME.tar.gz.asc" "$DISTRO_NAME.tar.gz" \
+        && tar -xzf "$DISTRO_NAME.tar.gz" \
+        && mv bookkeeper-server-${BK_VERSION}/ /opt/bookkeeper/ \
+        && rm -rf "$DISTRO_NAME.tar.gz" "$DISTRO_NAME.tar.gz.asc" "$DISTRO_NAME.tar.gz.sha512";
+
+COPY scripts /opt/bookkeeper/scripts
+
+RUN for SUBDIRECTORY in conf logs data; do \
+     mkdir -p /opt/bookkeeper/$SUBDIRECTORY; \
+     chmod -R ug+rwx /opt/bookkeeper/$SUBDIRECTORY; \
+     chown -R 10000:0 /opt/bookkeeper/$SUBDIRECTORY; \
+     done
+
+RUN for SUBDIRECTORY in scripts bin; do \
+     chmod -R g+rx /opt/bookkeeper/$SUBDIRECTORY; \
+     done
+
+RUN chmod -R o+rx /opt/bookkeeper
+
 FROM eclipse-temurin:17 as jre-build
 
 # Create a custom Java runtime
@@ -48,43 +81,39 @@ ENV DEBIAN_FRONTEND=noninteractive
 ARG UBUNTU_MIRROR=http://archive.ubuntu.com/ubuntu/
 ARG UBUNTU_SECURITY_MIRROR=http://security.ubuntu.com/ubuntu/
 
-# Download Apache Bookkeeper, untar and clean up
 RUN set -x \
     && sed -i -e "s|http://archive\.ubuntu\.com/ubuntu/|${UBUNTU_MIRROR:-http://archive.ubuntu.com/ubuntu/}|g" \
      -e "s|http://security\.ubuntu\.com/ubuntu/|${UBUNTU_SECURITY_MIRROR:-http://security.ubuntu.com/ubuntu/}|g" /etc/apt/sources.list \
     && echo 'Acquire::http::Timeout "30";\nAcquire::http::ConnectionAttemptDelayMsec "2000";\nAcquire::https::Timeout "30";\nAcquire::https::ConnectionAttemptDelayMsec "2000";\nAcquire::ftp::Timeout "30";\nAcquire::ftp::ConnectionAttemptDelayMsec "2000";\nAcquire::Retries "15";' > /etc/apt/apt.conf.d/99timeout_and_retries \
-    && adduser "${BK_USER}" \
     && apt-get update \
     && apt-get install -y ca-certificates apt-transport-https \
     && apt-get install -y --no-install-recommends python3 pip \
     && ln -s /usr/bin/python3 /usr/bin/python \
-    && apt-get install -y --no-install-recommends gpg gpg-agent wget sudo \
+    && apt-get install -y --no-install-recommends wget sudo \
     && apt-get -y --purge autoremove \
     && apt-get autoclean \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/* \
-    && mkdir -pv /opt \
-    && cd /opt \
-    && wget -q "${DISTRO_URL}" \
-    && wget -q "${DISTRO_URL}.asc" \
-    && wget -q "${DISTRO_URL}.sha512" \
-    && sha512sum -c ${DISTRO_NAME}.tar.gz.sha512 \
-    && wget https://dist.apache.org/repos/dist/release/bookkeeper/KEYS \
-    && gpg --import KEYS \
-    && gpg --batch --verify "$DISTRO_NAME.tar.gz.asc" "$DISTRO_NAME.tar.gz" \
-    && tar -xzf "$DISTRO_NAME.tar.gz" \
-    && mv bookkeeper-server-${BK_VERSION}/ /opt/bookkeeper/ \
-    && rm -rf "$DISTRO_NAME.tar.gz" "$DISTRO_NAME.tar.gz.asc" "$DISTRO_NAME.tar.gz.sha512" \
     && pip install zk-shell
 
-WORKDIR /opt/bookkeeper
-
+# JDK
 ENV JAVA_HOME=/opt/java/openjdk
 ENV PATH="$PATH:$JAVA_HOME/bin"
 COPY --from=jre-build /javaruntime $JAVA_HOME
 
-COPY scripts /opt/bookkeeper/scripts
-RUN chmod +x -R /opt/bookkeeper/scripts/
+# BK
+ENV ZK_dataDir=${BK_HOME}/data/zookeeper/data
+ENV ZK_dataLogDir=${BK_HOME}/data/zookeeper/txlog
+ENV BK_DATA_DIR=${BK_HOME}/data
+ENV BK_journalDirectory=${BK_HOME}/data/journal
+ENV BK_ledgerDirectories=${BK_HOME}/data/ledgers
+ENV ZK_SHELL_HOME=${BK_HOME}/data
+COPY --from=bk-dist /opt/bookkeeper ${BK_HOME}
+
+WORKDIR ${BK_HOME}
+
+RUN adduser "${BK_USER}" -u 10000 --gid 0 --home ${BK_HOME} --no-create-home --disabled-password
+USER 10000
 
 ENTRYPOINT [ "/bin/bash", "/opt/bookkeeper/scripts/entrypoint.sh" ]
 CMD ["bookie"]

docker/scripts/common.sh

@@ -44,6 +44,8 @@ export BK_dlogRootPath=${BK_dlogRootPath:-"${BK_CLUSTER_ROOT_PATH}/distributedlo
 # stream storage
 export BK_NUM_STORAGE_CONTAINERS=${BK_NUM_STORAGE_CONTAINERS:-"32"}
 export BK_STREAM_STORAGE_ROOT_PATH=${BK_STREAM_STORAGE_ROOT_PATH:-"/stream"}
+# zk-shell
+export ZK_SHELL_HOME=${ZK_SHELL_HOME:-"${HOME}"}
 
 echo "Environment Vars for bookie:"
 echo ""

docker/scripts/init_bookie.sh

@@ -21,25 +21,29 @@
 # */
 source ${SCRIPTS_DIR}/common.sh
 
+function run_zk_shell() {
+    HOME=${ZK_SHELL_HOME} zk-shell "$@"
+}
+
 function wait_for_zookeeper() {
     echo "wait for zookeeper"
-    until zk-shell --run-once "ls /" ${BK_zkServers}; do sleep 5; done
+    until run_zk_shell --run-once "ls /" ${BK_zkServers}; do sleep 5; done
 }
 
 function create_zk_root() {
     if [ "x${BK_CLUSTER_ROOT_PATH}" != "x" ]; then
         echo "create the zk root dir for bookkeeper at '${BK_CLUSTER_ROOT_PATH}'"
-        zk-shell --run-once "create ${BK_CLUSTER_ROOT_PATH} '' false false true" ${BK_zkServers}
+        run_zk_shell --run-once "create ${BK_CLUSTER_ROOT_PATH} '' false false true" ${BK_zkServers}
     fi
 }
 
 function init_cluster() {
-    zk-shell --run-once "ls ${BK_zkLedgersRootPath}/available/readonly" ${BK_zkServers}
+    run_zk_shell --run-once "ls ${BK_zkLedgersRootPath}/available/readonly" ${BK_zkServers}
     if [ $? -eq 0 ]; then
         echo "Cluster metadata already exists"
     else
         # Create an ephemeral zk node `bkInitLock` for use as a lock.
-        lock=`zk-shell --run-once "create ${BK_CLUSTER_ROOT_PATH}/bkInitLock '' true false false" ${BK_zkServers}`
+        lock=`run_zk_shell --run-once "create ${BK_CLUSTER_ROOT_PATH}/bkInitLock '' true false false" ${BK_zkServers}`
         if [ -z "$lock" ]; then
             echo "znodes do not exist in Zookeeper for Bookkeeper. Initializing a new Bookkeekeper cluster in Zookeeper."
             /opt/bookkeeper/bin/bookkeeper shell initnewcluster
@@ -57,7 +61,7 @@ function init_cluster() {
             while [ ${tenSeconds} -lt 100 ]
             do
                 sleep 10
-                zk-shell --run-once "ls ${BK_zkLedgersRootPath}/available/readonly" ${BK_zkServers}
+                run_zk_shell --run-once "ls ${BK_zkLedgersRootPath}/available/readonly" ${BK_zkServers}
                 if [ $? -eq 0 ]; then
                     echo "Waited $tenSeconds * 10 seconds. Successfully listed ''${BK_zkLedgersRootPath}/available/readonly'"
                     break