Line `host all all all md5` not appended when using `POSTGRES_PASSWORD_FILE`

[pawamoy]

When setting the password with the direct POSTGRES_PASSWORD environment variable, everything works fine: I am able to connect to the database and create tables and stuff.

However, with the exact same docker-compose configuration, but using POSTGRES_PASSWORD_FILE instead (pointing to bind-mounted read-only file inside the container), then trying to connect to the database ends up with the no pg_hba.conf entry for host error.

I created both versions and looked at the configuration in $PGDATA/pg_hba.conf, and the one using POSTGRES_PASSWORD_FILE is missing the host all all all md5 line.

Here is a repository to reproduce, and here is the related DBA StackExchange post.

If I understand correctly the docker-entrypoint.sh script, the configuration should not change depending on the use of POSTGRES_PASSWORD or POSTGRES_PASSWORD_FILE. The file_env function simply fills the first one thanks to the second:

postgres/10/docker-entrypoint.sh

Lines 8 to 24 in 1805adb

	file_env() {
	local var="$1"
	local fileVar="${var}_FILE"
	local def="${2:-}"
	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
	echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
	exit 1
	fi
	local val="$def"
	if [ "${!var:-}" ]; then
	val="${!var}"
	elif [ "${!fileVar:-}" ]; then
	val="$(< "${!fileVar}")"
	fi
	export "$var"="$val"
	unset "$fileVar"
	}

Then the host all all all md5 should be appended in this block:

postgres/10/docker-entrypoint.sh

Lines 65 to 92 in 1805adb

	file_env 'POSTGRES_PASSWORD'
	if [ "$POSTGRES_PASSWORD" ]; then
	pass="PASSWORD '$POSTGRES_PASSWORD'"
	authMethod=md5
	else
	# The - option suppresses leading tabs but *not* spaces. :)
	cat >&2 <<-'EOWARN'
	****************************************************
	WARNING: No password has been set for the database.
	This will allow anyone with access to the
	Postgres port to access your database. In
	Docker's default configuration, this is
	effectively any other container on the same
	system.
	Use "-e POSTGRES_PASSWORD=password" to set
	it in "docker run".
	****************************************************
	EOWARN
	pass=
	authMethod=trust
	fi
	{
	echo
	echo "host all all all $authMethod"
	} >> "$PGDATA/pg_hba.conf"

Am I missing something or is it really unwanted behavior?

[tianon]

I can't seem to reproduce a failure as described here:

$ docker pull postgres:10
10: Pulling from library/postgres
Digest: sha256:d5787305ec0a3b9a24d0108cb5fdbb4befbd809f85639bf04aa1941138df9701
Status: Image is up to date for postgres:10

$ echo db-password > test

$ docker run -dit --name pg -v "$PWD/test":/passfile:ro -e POSTGRES_PASSWORD_FILE=/passfile postgres:10
bf1bfe8dd0fc92a4e36a9f1b75033aa012f610cb7c4f8897324f56fbf23c4aee

$ docker logs --tail=1 pg
2018-04-25 17:53:48.244 UTC [1] LOG:  database system is ready to accept connections

$ docker run -it --rm --link pg postgres:10 psql -h pg -U postgres
Password for user postgres: 
psql (10.3 (Debian 10.3-1.pgdg90+1))
Type "help" for help.

postgres=# SELECT 1;
 ?column? 
----------
        1
(1 row)

postgres=# 

[pawamoy]

Well, I was not able to reproduce either on another machine. Also now on the problematic machine, the configuration without _FILE results in the same error... I don't understand what's wrong on this machine... I'm gonna try to investigate further but I think it's not an issue with this repository.

Thanks for trying it out @tianon

[pawamoy]

So if I remove the set -e line for the docker-entrypoint.sh script, everything works fine, which leads me to think that the entry point exits too early when I start the postgres container, missing to append the host all all all md5 line.

[pawamoy]

Got it. It was a permission issue.

database_1   | /usr/local/bin/docker-entrypoint.sh: line 19: /run/secrets/db_pass: Permission denied

My password file had -rw------- pawamoy pawamoy permissions. I added r for group and others, as well as r-x for group and others on its parent directory. That fixed the issue.

[pawamoy]

Additional details:

Since I'm binding sensitive files inside the container, setting read/execution permission for others is not very secure.

Instead, I now change the group ownership of the sensitive files to the ID of the user inside the container. In that case, the user is postgres, and that user is created with ID 999 in the Dockerfile.

In fact, it makes sense because Docker on my system is installed with that same ID 999 (is it like this for everybody?). So docker-postgres is actually doing a good job setting the ID of their postgres user to 999 because that way you can simply give ownership to docker on your system host, and that will be converted to postgres ownership in the container.

Is this the standard / logical way of doing things?

[yosifkit]

It is not something that we tried to orchestrate. Matching the uid of your host docker user is just a coincidence. Initially we just created the user and it happened to be 999, but it was improved to keep it 999 in the future so we don't break users:

postgres/Dockerfile-debian.template

Line 15 in 01cf838

RUN groupadd -r postgres --gid=999 && useradd -r -g postgres --uid=999 postgres