Postgres: simplify running as arbitrary user
Hi.
Currently, running the container as an arbitrary user is pretty complicated, involving mounting a customized /etc/passwd and bindmounting any volume the postgres user might need to access so that permissions can be made to match(e.g. /var/run/postgresql must use a bindmount with the right permissions for the arbitrary user).
It would be nice if the entrypoint of the image could make this easier. For example, by passing POSTGRESQL_USER_ID and POSTGRESQL_GROUP_ID environment variables, the entrypoint could take care of changing the postgres uid and gid(using usermod) and changing permissions of relevant directories. This would help reduce deployment complexity for those who require that the container be run with a specific user(e.g. to make data bindmounts accessible on the host).
Thanks!
DrPyser
All 7 comments
If you use the Debian variants, you don't need to do anything with /etc/passwd -- any arbitrary UID will work (the image will use nss_wrapper behind the scenes as necessary to get initdb to allow this).
tianon
on 10 Apr 2020
@tianon Okay, fair enough, thanks! Then I guess my suggestion only applies to the non-debian variants.
DrPyser
on 11 Apr 2020
The best place to track that would be over in #543 (and thus https://gitlab.alpinelinux.org/alpine/aports/issues/6710).
tianon
on 15 Apr 2020
I'm using the debian image and it doesn't work as smoothly as mentioned though. When using custom user permissions the container fails to start up with the following error:
chmod: changing permissions of '/var/lib/postgresql/data': Operation not permitted
chmod: changing permissions of '/var/lib/postgresql/data': Operation not permitted
aardbol
on 10 May 2020
If you are providing a custom user, you must make sure that the given directory also has the correct ownership (and permissions if the owner cannot chmod them).
The postgres process is very particular about permissions on the PGDATA directory.
FATAL: data directory "/var/lib/postgresql/data" has group or world access
Permissions should be u=rwx (0700).
yosifkit
on 11 May 2020
I found a way that works reasonably well. If I override the entrypoint with the following script it changes the internal /etc/passwd file. Something similar could be added to docker-entrypoint.sh.
["sh", "-c", "sed -e '/^postgres/s=^postgres:x:[0-9]*:[0-9]*:=postgres:x:${POSTGRES_UID}:${POSTGRES_GID}:=' -i /etc/passwd; sed -e '/^postgres/s=^postgres:x:[0-9]*:=postgres:x:${POSTGRES_GID}:=' -i /etc/group; exec docker-entrypoint.sh postgres"]
tylerszabo
on 22 Jul 2020
While I'm glad modifying /etc/passwd at runtime works for your use case, we don't consider it acceptable for the official image (so it's a fine workaround for folks to use exactly as you have, and even to embed in a dependent image to make it easier to use, but we won't be adding support for it in docker-entrypoint.sh itself).
tianon
on 22 Jul 2020
Related issues
note89
路
3Comments
orion110217
路
3Comments
bsctl
路
4Comments
rap2hpoutre
路
3Comments
qwang07
路
4Comments
Most helpful comment
I'm using the debian image and it doesn't work as smoothly as mentioned though. When using custom user permissions the container fails to start up with the following error: