Postgres: Permissions in docker-entrypoint.sh

Created on 2 Aug 2017 · 2 Comments · Source: docker-library/postgres

I'm trying to execute a simple script, but it seems I don't have enough permissions with the postgres user, especially to create folders. Shouldn't the entrypoint script be executed as root, so that it is possible to do anything with my scripts?

The idea around this is to automatically add .sql files to the init folder, but I don't want to edit the Dockerfile and place a COPY each time I have a new sql file to execute.

This is a simple example to illustrate the problem; the real init.sh is supposed to copy files from a Volume to the right folder, but the copy doesn't have enough permissions, just like the mkdir in the example below:

Dockerfile

FROM postgres:9.5
....

COPY ./init.sh /docker-entrypoint-initdb.d/
RUN chmod +x /docker-entrypoint-initdb.d/init.sh

init.sh

#!/bin/bash
whoami
mkdir /somefolder

Result

/usr/local/bin/docker-entrypoint.sh: running /docker-entrypoint-initdb.d/init.sh
postgres
mkdir: cannot create directory ‘/somefolder’: Permission denied

All 2 comments

We did discuss this when we moved to allow the container to run as (semi) arbitrary users: https://github.com/docker-library/postgres/pull/253#issuecomment-273927792 and have a note in the docs:

Additionally, as of docker-library/postgres#253, these initialization scripts are run as the postgres user (or as the "semi-arbitrary user" specified with the --user flag to docker run; see the section titled "Arbitrary --user Notes" for more details).

- Docker Hub (and source)

Is there a reason you don't just COPY *.sql /docker-entrypoint-initdb.d/ or docker run -v /sql/scripts/:/docker-entrypoint-initdb.d/ ...? In either case you'll need to ensure that whatever user the postgres container runs as has permissions to access the files.

Just a reminder that any scripts or sql files in /docker-entrypoint-initdb.d/ will only be run if there is no database (usually the first start of the container). Also, if you modify the contents of /docker-entrypoint-initdb.d/ while the entrypoint is looping over the files in there, it will not pick up any new files.

As long as it doesn't need postgres running, perhaps your script just needs to run before the entrypoint? Just end your script with exec "$@".

FROM postgres:9.5
....
COPY ./init.sh /usr/local/bin/
# some docker storage backends fail on this kind of layer, so should probably chmod it in git instead
RUN chmod +x /usr/local/bin/init.sh

ENTRYPOINT ["init.sh"]
CMD ["docker-entrypoint.sh", "postgres"]
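A wrapper entrypoint that follows the pattern above, written for this note (it is not code from the postgres image or from the thread). It assumes the SQL files are mounted at /sql-init and copies them into /docker-entrypoint-initdb.d/ before handing over to docker-entrypoint.sh; because the wrapper still runs as root, it also chowns the copies to postgres, since the official entrypoint only runs initialization scripts after dropping to that user.

```bash
#!/bin/bash
# Example wrapper entrypoint (written for this note, not part of the official
# image). Assumption: the SQL files are mounted at /sql-init (override with
# SQL_INIT_SRC). It runs before docker-entrypoint.sh, so still as root.
set -eu

SRC_DIR="${SQL_INIT_SRC:-/sql-init}"
DST_DIR="/docker-entrypoint-initdb.d"

# needs_init PGDATA: true until initdb has populated the data directory.
# This is the same PG_VERSION test the official entrypoint uses to decide
# whether the init scripts will run at all.
needs_init() {
    local pgdata="${1:-${PGDATA:-/var/lib/postgresql/data}}"
    [ ! -s "$pgdata/PG_VERSION" ]
}

# stage_init_scripts SRC DST: copy *.sql and *.sh from SRC into DST and, when
# running as root, hand the copies to the postgres user so they stay readable
# after the entrypoint drops privileges. Prints the number of files copied.
stage_init_scripts() {
    local src="$1" dst="$2" count=0 f
    mkdir -p "$dst"
    for f in "$src"/*.sql "$src"/*.sh; do
        [ -e "$f" ] || continue        # unmatched glob stays literal: skip it
        cp "$f" "$dst/"
        count=$((count + 1))
    done
    if [ "$(id -u)" = 0 ] && id postgres >/dev/null 2>&1; then
        chown -R postgres:postgres "$dst"
    fi
    echo "$count"
}

# Entrypoint path: only reached when a command is given (ENTRYPOINT + CMD).
if [ "$#" -gt 0 ]; then
    if needs_init; then
        n="$(stage_init_scripts "$SRC_DIR" "$DST_DIR")"
        echo "init.sh: staged $n file(s) from $SRC_DIR into $DST_DIR" >&2
    else
        echo "init.sh: database already initialised, nothing staged" >&2
    fi
    exec "$@"    # hand over to docker-entrypoint.sh, which runs as postgres
fi
```

Mount the source directory read-only (`-v /sql/scripts:/sql-init:ro`) so the root-privileged copy step can only read the host files, never modify them.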

Hello @yosifkit,

First of all, thank you for your support!

The COPY *.sql /docker-entrypoint-initdb.d/ isn't a solution since I want to build a global image and use it in different compose files, and for each specific implementation, it is required to import different SQL files that should be passed on runtime and not on image build. I have some mechanisms for copy_in files.

Thank you for this

Just a reminder that any scripts or sql files in /docker-entrypoint-initdb.d/ will only be run if there is no database

The whole idea was to move/delete files after being used, so a restart wouldn't trigger the same behavior. Since this only happens once, I can import them directly from the volume, so I ended up doing this in the init.sh:

# "$file" already carries the /tmp/sql/ prefix from the glob; the original
# "${file##*}" stripped the whole name and left an empty path.
# ON_ERROR_STOP makes a failing file abort instead of being silently skipped.
for file in /tmp/sql/*.sql; do
   psql -v ON_ERROR_STOP=1 db_name -f "$file"
done

I think you can close this issue. But, in my humble opinion, I don't think the entrypoint scripts and SQL files should run as a user with so few permissions. Maybe right before starting postgres, you could log in as the postgres user. I understand the security constraints, but, at the end of the day, I can do a docker exec -it container_id /bin/bash with a root user.
