Allow arbitrary --user values (mostly) #253

Merged
merged 1 commit into from Jan 19, 2017

@tianon
Member

tianon commented Jan 19, 2017

One special case is that initdb requires the current user to exist in /etc/passwd, but running PostgreSQL itself does not require that.

As discussed over in #93 (comment).

See also docker-library/rabbitmq#60, docker-library/cassandra#48, docker-library/mongo#81, docker-library/redis#48, docker-library/mysql#161, docker-library/mariadb#59, docker-library/percona#21, and docker-library/ghost#54.

Closes #46
Closes #116
Closes #206
Closes #251
Ref #28

Allow arbitrary --user values (mostly)
One special case is that `initdb` _requires_ the current user to exist in `/etc/passwd`, but running PostgreSQL itself does not require that.
@tianon

Member

tianon commented Jan 19, 2017

$ docker run -it --rm --user 1000:1000 postgres
initdb: could not look up effective user ID 1000: user does not exist

$ docker run -it --rm --user www-data postgres
The files belonging to this database system will be owned by user "www-data".
This user must also own the server process.
...

$ docker run -it --rm --user "$(id -u):$(id -g)" -v /etc/passwd:/etc/passwd:ro postgres
The files belonging to this database system will be owned by user "tianon".
This user must also own the server process.
...

$ dir="$(mktemp -d)"
$ docker run -it --rm -v "$dir":/var/lib/postgresql/data postgres
... (let initialization finish, then stop the server)
$ sudo chown -R 1000:1000 "$dir"
$ docker run -it --rm -v "$dir":/var/lib/postgresql/data --user 1000:1000 postgres
LOG:  database system was shut down at 2017-01-19 23:06:31 UTC
LOG:  MultiXact member wraparound protections are now enabled
LOG:  database system is ready to accept connections
LOG:  autovacuum launcher started
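
The cases in the session above, as an added example (not part of this PR or of the image's entrypoint): a preflight that predicts which outcome a given `--user` UID will hit. The function names, the passwd-file argument, and the use of a non-empty `PG_VERSION` file to detect an initialized data directory are assumptions of this example; the passwd lines are constructed.

```shell
#!/bin/sh
# Added example: preflight for running the postgres image under an arbitrary UID.
# Usage: pg_user_preflight UID PASSWD_FILE PGDATA
# Prints: run-ok, run-wrong-owner, init-ok or init-needs-passwd-entry.

# Return 0 if UID is the third field of some line in a passwd-format file.
uid_in_passwd() {
    awk -F: -v uid="$1" '$3 == uid { found = 1 } END { exit !found }' "$2"
}

# Numeric owner of a path; ls -n avoids GNU/BSD stat differences.
owner_uid() {
    ls -nd "$1" | awk '{ print $3 }'
}

pg_user_preflight() {
    uid=$1 passwd=$2 pgdata=$3
    if [ -s "$pgdata/PG_VERSION" ]; then
        # Assumed marker of an initialized cluster: initdb is skipped, so no
        # passwd lookup happens, but the server must own its data directory.
        if [ "$(owner_uid "$pgdata")" = "$uid" ]; then
            echo run-ok
        else
            echo run-wrong-owner
        fi
    elif uid_in_passwd "$uid" "$passwd"; then
        echo init-ok
    else
        # Corresponds to "initdb: could not look up effective user ID ..."
        echo init-needs-passwd-entry
    fi
}

# Constructed sample: a passwd file that knows www-data (33) but not UID 1000.
demo=$(mktemp -d)
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
    'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin' > "$demo/passwd"
mkdir "$demo/empty"
pg_user_preflight 1000 "$demo/passwd" "$demo/empty"   # init-needs-passwd-entry
pg_user_preflight 33 "$demo/passwd" "$demo/empty"     # init-ok
```
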
@tianon

Member

tianon commented Jan 19, 2017

The following comment from docker-library/mysql#161 (comment) also applies here:

I think the main difference is that the initdb.d scripts will no longer be run as root; not sure if that will break too many users.

@yosifkit

Member

yosifkit commented Jan 19, 2017

With regards to my comment of it breaking people that are taking advantage of being root while in initdb.d scripts, I would point out that the change was pushed to mysql on May 17, 2016 and to mariadb and percona on May 18, 2016 and there has yet to be an issue reported about it.

@yosifkit yosifkit merged commit 00706ec into docker-library:master Jan 19, 2017

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

@yosifkit yosifkit deleted the infosiftr:any-user branch Jan 19, 2017

@yosifkit

Member

yosifkit commented Jan 19, 2017

We'll probably want to add some docs about the limitations observed here.

@tianon

tianon added a commit to infosiftr/stackbrew that referenced this pull request Jan 20, 2017

Update docker-library images
- `bash`: 4.4.7
- `golang`: 1.8rc2
- `haproxy`: add Lua support (docker-library/haproxy#38)
- `postgres`: (mostly) arbitrary `--user` support (docker-library/postgres#253)
- `python`: 3.4.6

@tianon tianon referenced this pull request in docker-library/official-images Jan 20, 2017

Merged

Update docker-library images #2553

mcanevet added a commit to camptocamp/docker-postgres-cluster-conf that referenced this pull request Jan 25, 2017

@jasonmp85 jasonmp85 referenced this pull request in citusdata/docker Feb 10, 2017

Merged

Address breakages from recent PostgreSQL update #17

@shane-axiom

shane-axiom Feb 28, 2017

FWIW this did cause an issue for us, as a .pgpass file provided in a volume mounted to /root/.pgpass suddenly stopped working. It took a while to figure out why with inconsistent behavior between various postgres:9.6 images cached on different workstations/servers. Easy fix once we figured out what was going on, but it wasn't immediately obvious.

The How to extend this image section in the docs still doesn't explicitly say that *.sh scripts will be run by the postgres user by default, that might help.

@tianon

Member

tianon commented Feb 28, 2017

Excellent idea, thanks @shane-axiom ❤️

I've filed a PR at docker-library/docs#848 👍

eemeli added a commit to worldcon75/api that referenced this pull request Mar 1, 2017

@tianon tianon referenced this pull request Mar 22, 2017

Closed

Gosu not working #269

@sarath-mec sarath-mec referenced this pull request in randerzander/docker-hdp Mar 29, 2017

Closed

getting error for sed #6

mwiencek added a commit to metabrainz/musicbrainz-server that referenced this pull request May 11, 2017

@tianon tianon referenced this pull request in docker-solr/docker-solr Aug 29, 2017

Open

issue126 allow arbitrary users #130

@tianon tianon referenced this pull request in docker-library/official-images Dec 21, 2017

Merged

Bumping vault version to 0.9.1 #3832

@tianon tianon referenced this pull request in docker-library/official-images Jan 4, 2018

Open

Create a new official image for fluentd #3724

4 of 9 tasks complete

@tianon tianon referenced this pull request in docker-library/official-images Mar 19, 2018

Merged

Release new versions of Neo4j #4136

@thaJeztah thaJeztah referenced this pull request in moby/moby Apr 16, 2018

Closed

Overlay dirs without sticky bit #36855
