Expected behavior and actual behavior:
The goharbor/harbor-db:v1.8.0 docker image doesn't fix the data directory permissions in docker-entrypoint.sh. Postgres refuses to start if the permissions are not set to 0700.
Steps to reproduce the problem:
$ mkdir /tmp/test-db && chmod 0775 /tmp/test-db
$ docker run -it -v /tmp/test-db:/var/lib/postgresql/data goharbor/harbor-db:v1.8.0
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.
[…]
fixing permissions on existing directory /var/lib/postgresql/data ... ok
creating subdirectories ... ok
[…]
^C^C
$ chmod 0775 /tmp/test-db
$ docker run -it -v /tmp/test-db:/var/lib/postgresql/data goharbor/harbor-db:v1.8.0
FATAL: data directory "/var/lib/postgresql/data" has group or world access
DETAIL: Permissions should be u=rwx (0700).
Versions:
Additional context:
I agree, in a normal situation changing the data directory permission is a bit silly, but it's extracted from a global environment, where our volumes are mounted using rexray and the rexray configuration is to present volumes using permission 0775.
I would note that docker-entrypoint.sh from the original postgres image does some permission fixes on startup.
Could we have the same behavior, please?
$ mkdir /tmp/test-db && chmod 0775 /tmp/test-db
$ sudo docker run -it -v /tmp/test-db:/var/lib/postgresql/data postgres
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.
The database cluster will be initialized with locale "en_US.utf8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".
Data page checksums are disabled.
fixing permissions on existing directory /var/lib/postgresql/data ... ok
[…]
^C
$ chmod 0775 /tmp/test-db
$ sudo docker run -it -v /tmp/test-db:/var/lib/postgresql/data postgres
2019-07-04 14:44:28.164 UTC [1] LOG: listening on IPv4 address "0.0.0.0", port 5432
2019-07-04 14:44:28.164 UTC [1] LOG: listening on IPv6 address "::", port 5432
2019-07-04 14:44:28.224 UTC [1] LOG: listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
2019-07-04 14:44:28.306 UTC [23] LOG: database system was shut down at 2019-07-04 14:44:13 UTC
2019-07-04 14:44:28.334 UTC [1] LOG: database system is ready to accept connections
^C2019-07-04 14:44:31.447 UTC [1] LOG: received fast shutdown request
2019-07-04 14:44:31.535 UTC [1] LOG: aborting any active transactions
2019-07-04 14:44:31.538 UTC [1] LOG: background worker "logical replication launcher" (PID 29) exited with exit code 1
2019-07-04 14:44:31.538 UTC [24] LOG: shutting down
2019-07-04 14:44:31.699 UTC [1] LOG: database system is shut down
I have the same problem with 1.8.1 on Win10. Postgresql logs:
Jul 31 05:27:55 172.26.0.1 postgresql[1929]: initdb: could not fsync file "/var/lib/postgresql/data/pg_tblspc": Invalid argument
Jul 31 05:27:55 172.26.0.1 postgresql[1929]:
Jul 31 05:27:55 172.26.0.1 postgresql[1929]: WARNING: enabling "trust" authentication for local connections
Jul 31 05:27:55 172.26.0.1 postgresql[1929]: You can change this by editing pg_hba.conf or using the option -A, or
Jul 31 05:27:55 172.26.0.1 postgresql[1929]: --auth-local and --auth-host, the next time you run initdb.
Jul 31 05:27:55 172.26.0.1 postgresql[1929]: syncing data to disk ... ok
Jul 31 05:27:55 172.26.0.1 postgresql[1929]:
Jul 31 05:27:55 172.26.0.1 postgresql[1929]: Success. You can now start the database server using:
Jul 31 05:27:55 172.26.0.1 postgresql[1929]:
Jul 31 05:27:55 172.26.0.1 postgresql[1929]: pg_ctl -D /var/lib/postgresql/data -l logfile start
Jul 31 05:27:55 172.26.0.1 postgresql[1929]:
Jul 31 05:27:55 172.26.0.1 postgresql[1929]: root
Jul 31 05:27:55 172.26.0.1 postgresql[1929]: waiting for server to start....FATAL: data directory "/var/lib/postgresql/data" has wrong ownership
Jul 31 05:27:55 172.26.0.1 postgresql[1929]: HINT: The server must be started by the user that owns the data directory.
Jul 31 05:27:56 172.26.0.1 postgresql[1929]: stopped waiting
Jul 31 05:27:56 172.26.0.1 postgresql[1929]: pg_ctl: could not start server
Jul 31 05:27:56 172.26.0.1 postgresql[1929]: Examine the log output.
Jul 31 05:27:59 172.26.0.1 postgresql[1929]: FATAL: data directory "/var/lib/postgresql/data" has wrong ownership
Jul 31 05:27:59 172.26.0.1 postgresql[1929]: HINT: The server must be started by the user that owns the data directory.
Jul 31 05:28:01 172.26.0.1 postgresql[1929]: FATAL: data directory "/var/lib/postgresql/data" has wrong ownership
I think this issue will be fixed in #8362
Thanks @ninjadq but I can't find in the referenced PR where you chmod 0700 the postgres data directory as is done in the official postgres docker image. Are you sure this is fixed?
I still cannot find the chown $POSTGRES_USER / chmod 0700 in the entrypoint as done by the official postgres image.
@ninjadq @reasonerjt may this issue be reopened please?
Indeed, this does not work correctly with the vanilla harbor helm chart.
This is still not fixed with image goharbor/harbor-db:v1.9.3
FATAL: data directory "/var/lib/postgresql/data" has group or world access
DETAIL: Permissions should be u=rwx (0700).
@ninjadq please reopen
Also I'm wondering what's different in this image compared to the postgresql official ones? Is it safe to switch to them?
The problem does still exist. The init container changes the owner but not the permissions to 0700.
Since december, we've switched to official postgres image - seems without issues…
I experienced this too. Was using Rook-Ceph with a RBD PV. Here was the fix to the chart I have. Let me know if you want this as a pull request.
diff -ur harbor-helm/templates/database/database-ss.yaml harbor/templates/database/database-ss.yaml
--- harbor-helm/templates/database/database-ss.yaml 2020-03-02 14:53:24.875936204 -0500
+++ harbor/templates/database/database-ss.yaml 2020-03-02 14:45:01.624118519 -0500
@@ -34,7 +34,7 @@
image: {{ .Values.database.internal.initContainerImage.repository }}:{{ .Values.database.internal.initContainerImage.tag }}
imagePullPolicy: {{ .Values.imagePullPolicy }}
command: ["/bin/sh"]
- args: ["-c", "chown -R 999:999 /var/lib/postgresql/data"]
+ args: ["-c", "chown -R 999:999 /var/lib/postgresql/data; chmod 0700 /var/lib/postgresql/data"]
volumeMounts:
- name: database-data
mountPath: /var/lib/postgresql/data
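Review bot: in the replaced `args` line the two commands are joined with `;`, so a failed `chown -R` (for example on a volume whose owner cannot be changed) is masked by the exit status of the trailing `chmod`, and the init container reports success while the server then dies with the "has wrong ownership" FATAL quoted earlier in this thread; join them with `&&` instead, i.e. `"chown -R 999:999 /var/lib/postgresql/data && chmod 0700 /var/lib/postgresql/data"`, so the pod surfaces the first failure. Applying `chmod 0700` to the top-level directory only (not `-R`) is the right scope: the server's check is on the data directory itself, and a recursive chmod over a large PV would be needlessly slow. The hard-coded `999:999` mirrors the existing line; deriving it from a chart value would be cleaner but is a separate change.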
Please pull this. It solves my problem
could you please reopen this issue or just implement this fix?
@ninjadq @reasonerjt I see that the docker official postgres image includes a command to change the ownership of the data directory, is it possible we fix the issue in the same way for both OSS Harbor and Harbor chart https://github.com/docker-library/postgres/blob/master/13/docker-entrypoint.sh#L40?
Maybe this is another solution? Not sure about that, need to do more investigation.
Related Harbor chart issues:
https://github.com/goharbor/harbor-helm/issues/444
https://github.com/goharbor/harbor-helm/issues/363
https://github.com/goharbor/harbor-helm/pull/613
https://github.com/goharbor/harbor-helm/pull/493
While you're investigating any chance we could implement the workaround above? It's a major pain and this workaround is trivial and addresses the issue for users. It's been a year of dealing with this
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
I'm trying not to find this incredibly frustrating as I know it's just a bot, but a less than one line change has been proposed for an issue open a year and a quarter and would resolve this issue for everyone. Four months ago @ywk253100 needed to do more investigation. And we still have no resolution just a bot closing an incredibly frequently occurring issue...
I totally agree, it's annoying that we have to patch the postgres statefulset after each helm upgrade.
Currently the database container runs as a non-root user, which is why there is no chmod 0700 command in the init script.
But the same operation is done in the prepare script https://github.com/goharbor/harbor/blob/v2.1.0/make/photon/prepare/utils/db.py#L13 which runs when installing Harbor by docker-compose.
For the Harbor chart, please refer to https://github.com/goharbor/harbor-helm/issues/444#issuecomment-728789140 for more detail
For any further discussion about the issue in Harbor chart, let's continue in the harbor chart repo https://github.com/goharbor/harbor-helm/issues/444.
I'm closing this one. Thanks for all the feedback
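Added example, not code from Harbor, the chart, or the postgres image: a POSIX sh pre-flight that reproduces the two startup checks whose FATAL lines are quoted above ("has wrong ownership" and "has group or world access") and applies the fix the thread converged on (chown to the postgres uid when running as root, chmod 0700 on the data directory), so the same script can run from a root init container or inside the non-root database container. The function names, the PG_UID/PG_GID defaults (999:999 as in the chart's init container) and the reliance on a `stat` that accepts `-c` (GNU coreutils or BusyBox) are assumptions.

```shell
#!/bin/sh
# Added example, not code from Harbor or from the postgres image.
# Pre-flight for a PGDATA directory on a bind mount or PV: reproduces the two
# startup checks whose FATAL messages are quoted in this thread (wrong
# ownership; group or world access) and fixes what the current user can.
# Assumptions: the function names, the PG_UID/PG_GID defaults (999:999 is the
# uid/gid the chart's init container uses), and a stat that accepts -c.

# As root (e.g. a chart init container) default to the image's postgres uid/gid;
# unprivileged (inside the non-root db container) the directory can only be
# owned by ourselves, so default to our own ids.
if [ "$(id -u)" -eq 0 ]; then
    PG_UID="${PG_UID:-999}"
    PG_GID="${PG_GID:-999}"
else
    PG_UID="${PG_UID:-$(id -u)}"
    PG_GID="${PG_GID:-$(id -g)}"
fi

# Octal permission bits of a path, e.g. 775 or 2775 (setgid).
pgdata_mode() {
    stat -c '%a' "$1"
}

# Return 0 when DIR would pass the server's startup checks if the server were
# started as uid WANT_UID (default: PG_UID); print a server-style diagnosis otherwise.
pgdata_check() {
    dir="$1"
    want_uid="${2:-$PG_UID}"
    if [ ! -d "$dir" ]; then
        echo "check: $dir is not a directory" >&2
        return 1
    fi
    owner="$(stat -c '%u' "$dir")"
    if [ "$owner" != "$want_uid" ]; then
        echo "check: $dir has wrong ownership (uid $owner, server would run as $want_uid)" >&2
        return 1
    fi
    mode="$(pgdata_mode "$dir")"
    # The server rejects any group or other bit; those are the last two octal digits.
    case "$mode" in
        *00) return 0 ;;
        *)
            echo "check: $dir has group or world access (mode $mode, should be 0700)" >&2
            return 1 ;;
    esac
}

# Bring DIR into the accepted state. chown needs root, so it is skipped when
# unprivileged; chmod is applied to the top-level directory only, which is what
# the server inspects, avoiding a recursive walk over a large volume.
pgdata_fix() {
    dir="$1"
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$PG_UID:$PG_GID" "$dir" || return 1
    fi
    chmod 0700 "$dir"
}

# Usage mirroring the init-container flow: fix, then verify before starting postgres.
# pgdata_fix /var/lib/postgresql/data && pgdata_check /var/lib/postgresql/data
```

Run as root with a bind mount presented at 0775 (the rexray and Rook-Ceph cases in this thread), `pgdata_fix` performs both the chown and the chmod; run as the unprivileged database user it can only correct the mode, and `pgdata_check` then reports exactly which of the two server checks would still fail.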