simplify running as arbitrary user

[DrPyser]

Hi.

Currently, running the container as an arbitrary user is pretty complicated, involving mounting a customized /etc/passwd and bindmounting any volume the postgres user might need to access so that permissions can be made to match(e.g. /var/run/postgresql must use a bindmount with the right permissions for the arbitrary user).

It would be nice if the entrypoint of the image could make this easier. For example, by passing POSTGRESQL_USER_ID and POSTGRESQL_GROUP_ID environment variables, the entrypoint could take care of changing the postgres uid and gid(using usermod) and changing permissions of relevant directories. This would help reduce deployment complexity for those who require that the container be run with a specific user(e.g. to make data bindmounts accessible on the host).

Thanks!

[tianon]

If you use the Debian variants, you don't need to do anything with /etc/passwd -- any arbitrary UID will work (the image will use nss_wrapper behind the scenes as necessary to get initdb to allow this).

[DrPyser]

@tianon Okay, fair enough, thanks! Then I guess my suggestion only applies to the non-debian variants.

[tianon]

The best place to track that would be over in #543 (and thus https://gitlab.alpinelinux.org/alpine/aports/issues/6710).

[aardbol]

I'm using the debian image and it doesn't work as smoothly as mentioned though. When using custom user permissions the container fails to start up with the following error:

chmod: changing permissions of '/var/lib/postgresql/data': Operation not permitted
chmod: changing permissions of '/var/lib/postgresql/data': Operation not permitted

[yosifkit]

If you are providing a custom user, you must make sure that the given directory also has the correct ownership (and permissions if the owner cannot chmod them).

postgres/docker-entrypoint.sh

Line 40 in 9f564c2

chmod 700 "$PGDATA"

The postgres process is very particular about permissions on the PGDATA directory.

FATAL: data directory "/var/lib/postgresql/data" has group or world access
Permissions should be u=rwx (0700).

- #110

[tylerszabo]

I found a way that works reasonably well. If I override the entrypoint with the following script it changes the internal /etc/passwd file. Something similar could be added to docker-entrypoint.sh.

["sh", "-c", "sed -e '/^postgres/s=^postgres:x:[0-9]*:[0-9]*:=postgres:x:${POSTGRES_UID}:${POSTGRES_GID}:=' -i /etc/passwd; sed -e '/^postgres/s=^postgres:x:[0-9]*:=postgres:x:${POSTGRES_GID}:=' -i /etc/group; exec docker-entrypoint.sh postgres"]

[tianon]

While I'm glad modifying /etc/passwd at runtime works for your use case, we don't consider it acceptable for the official image (so it's a fine workaround for folks to use exactly as you have, and even to embed in a dependent image to make it easier to use, but we won't be adding support for it in docker-entrypoint.sh itself).

[Niour]

I am accessing the cli with:
docker run -it --network someNetwork --rm --user root -e POSTGRES_PASSWORD=mysecretpassword postgresLocalImage psql -h postgreLocalImage -U username -W

[tianon]

Closing for now -- if/when https://gitlab.alpinelinux.org/alpine/aports/issues/6710 sees some movement, we'll reconsider. 👍