Closed kaysond closed 7 months ago
Oof. Guess the postgres binary won't let you run as root inside the container. That's painful... Guess there would have to be an override there too
Yeah, I'm pretty sure this is an intentional limitation of PostgreSQL itself (so would have to be changed there first), but also isn't a use case we're interested in directly supporting. If PostgreSQL does support running as root and your database is already initialized, you should be able to use --entrypoint to bypass all our logic entirely, and if your database is not already initialized and you need this on a recurring basis, I'd suggest sourcing the entrypoint script and reproducing _main (but without the step-down-from-root logic).
I am trying to run the postgresql using rootless docker with $PGDATA mounted over NFS. Unfortunately, the entrypoint script tries to do a find -exec chown to the postgres user within the container, which when running rootless, gets mapped to a privilege-less user on the host. The command fails, and so the container never starts: https://github.com/docker-library/postgres/blob/2f0ed0c7e8f8b05b294740f150397eec0af8dc50/docker-entrypoint.sh#L56-L60
I'm guessing that restarting the entrypoint as the user will also cause some issues: https://github.com/docker-library/postgres/blob/2f0ed0c7e8f8b05b294740f150397eec0af8dc50/docker-entrypoint.sh#L306-L309
I think it's a good security practice to do the chown and privilege dropping, but it would be nice to have an override for people already running rootless. It could be as simple as changing the conditional to
if [[ "$(id -u)" = '0' && -z "$RUN_AS_ROOT" ]]
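An added sketch of the guard discussed in this thread, not code from the postgres image or from any participant: it goes one step beyond the proposed conditional by honouring RUN_AS_ROOT (the variable name proposed above) only when /proc/self/uid_map shows that uid 0 is not real host root. The function names, the action labels and the sample maps in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: choose the entrypoint's behaviour from the uid, the proposed
# RUN_AS_ROOT override, and the kernel's uid map for the current process.

# Succeeds (0) when the process is inside a user namespace, i.e. the uid map
# is anything other than the identity map of the initial namespace:
#          0          0 4294967295
# Rootless Docker typically shows lines such as (constructed sample):
#          0       1000          1
#          1     100000      65536
in_user_namespace() {
	ns_map_file="${1:-/proc/self/uid_map}"
	[ -r "$ns_map_file" ] || return 1   # cannot tell: treat as real root
	while read -r ns_inside ns_outside ns_length; do
		if [ "$ns_inside" = 0 ] && [ "$ns_outside" = 0 ] \
			&& [ "$ns_length" = 4294967295 ]; then
			return 1                      # identity map: uid 0 is host root
		fi
	done < "$ns_map_file"
	return 0
}

# Prints one of: run-as-is, skip-step-down, step-down
#   $1 = effective uid, $2 = uid map file (defaults to /proc/self/uid_map)
entrypoint_action() {
	ea_uid="$1"
	ea_map="${2:-/proc/self/uid_map}"
	if [ "$ea_uid" != 0 ]; then
		# Already unprivileged (for example started with --user).
		echo run-as-is
	elif [ -n "${RUN_AS_ROOT:-}" ] && in_user_namespace "$ea_map"; then
		# Override requested and uid 0 maps to an unprivileged host uid.
		echo skip-step-down
	else
		# Real root, or the override is not corroborated by the uid map:
		# keep the chown and the drop to the postgres user.
		echo step-down
	fi
}

entrypoint_action "$(id -u)"
```

With this shape, setting RUN_AS_ROOT in an ordinary rootful container leaves the chown and privilege drop in place, so the override cannot be used to keep real root by accident.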