postgres containers don't work in rootless podman

[praiskup]

$ podman run -e POSTGRESQL_ADMIN_PASSWORD=adsf --rm -ti docker.io/centos/postgresql-10-centos7
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale "en_US.utf8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /var/lib/pgsql/data/userdata ... ok
creating subdirectories ... ok
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting dynamic shared memory implementation ... posix
creating configuration files ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... ok
syncing data to disk ... ok

WARNING: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.

Success. You can now start the database server using:

    pg_ctl -D /var/lib/pgsql/data/userdata -l logfile start

waiting for server to start....2019-08-10 08:04:44.644 UTC [35] LOG:  could not set permissions of file "/var/run/postgresql/.s.PGSQL.5432": No such device or address
2019-08-10 08:04:44.644 UTC [35] WARNING:  could not create Unix-domain socket in directory "/var/run/postgresql"
2019-08-10 08:04:44.649 UTC [35] LOG:  could not set permissions of file "/tmp/.s.PGSQL.5432": No such device or address
2019-08-10 08:04:44.649 UTC [35] WARNING:  could not create Unix-domain socket in directory "/tmp"
2019-08-10 08:04:44.649 UTC [35] FATAL:  could not create any Unix-domain sockets
2019-08-10 08:04:44.650 UTC [35] LOG:  database system is shut down
 stopped waiting
pg_ctl: could not start server
Examine the log output.

Seems like /tmp is not tmpfs, but fuse.overlayfs -> and bind() there doesn't create socket file.

$ rpm -q podman buildah runc container-selinux
podman-1.4.4-4.fc30.x86_64
buildah-1.9.2-2.fc30.x86_64
runc-1.0.0-93.dev.gitb9b6cc6.fc30.x86_64
container-selinux-2.111.0-1.fc30.noarch

[pkubatrh]

@pkubatrh to take a look as this is stil an issue (at least with changing the user to non-default)

[pkubatrh]

Works fine with both default user and specified user in a rootless podman environment.

When running through rootless podman with --user 1000 --userns=keep-id it fails with:

podman run --rm -ti --user 1000 --userns=keep-id -e POSTGRESQL_ADMIN_PASSWORD=lol  registry.redhat.io/rhel8/postgresql-13
Warning: Can't detect number of CPU cores from cgroups
The files belonging to this database system will be owned by user "pkubat".
This user must also own the server process.

The database cluster will be initialized with locale "en_US.utf8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /var/lib/pgsql/data/userdata ... ok
creating subdirectories ... ok
selecting dynamic shared memory implementation ... posix
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting default time zone ... Etc/UTC
creating configuration files ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... ok
syncing data to disk ... ok

initdb: warning: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.

Success. You can now start the database server using:

    pg_ctl -D /var/lib/pgsql/data/userdata -l logfile start

waiting for server to start....2023-02-22 11:27:52.767 UTC [28] LOG:  redirecting log output to logging collector process
2023-02-22 11:27:52.767 UTC [28] HINT:  Future log output will appear in directory "log".
 done
server started
/var/run/postgresql:5432 - accepting connections
=> sourcing /usr/share/container-scripts/postgresql/start/set_passwords.sh ...
psql: error: FATAL:  role "postgres" does not exist

[pkubatrh]

What we are doing is https://github.com/sclorg/postgresql-container/blob/master/src/root/usr/share/container-scripts/postgresql/common.sh#L181
We are only checking for the existence of the postgres user and the id -u user, but the use of --userns=keep-id introduced the host user into the /etc/passwd which does not get ignored when copying over the file. Hence we end up with two users having the same user id.

Likely can just ignore id -un as well to not get into that situation.