-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Explicitly set uid/gid for postgres/postgres #93
Conversation
The values 999:999 are identical to the current user/group id assigned in the containers (tested in postgres:9.4, but should be identical for all versions), but this guarantees that those values will remain the same even if the groupadd/useradd commands were moved elsewhere in the Dockerfile, or a new debian:jessie image was pushed. Tested: core@test-1 ~ $ docker run -v $(pwd):/origin --rm -it debian:jessie bash -c 'groupadd -r postgres --gid=999 && useradd -r -g postgres --uid=999 postgres && mkdir /origin/pg && chown -R postgres:postgres /origin/pg' core@test-1 ~ $ ls -hsal pg/ total 8.0K 4.0K drwxr-xr-x 2 999 999 4.0K Sep 22 12:57 . 4.0K drwxr-xr-x 5 core core 4.0K Sep 22 12:59 .. core@test-1 ~ $ rm -rf pg/ core@test-1 ~ $ docker run -v $(pwd):/origin --rm -it --user=root postgres:9.4 bash -c 'mkdir /origin/pg && chown -R postgres:postgres /origin/pg' core@test-1 ~ $ ls -hsal pg/ total 8.0K 4.0K drwxr-xr-x 2 999 999 4.0K Sep 22 12:59 . 4.0K drwxr-xr-x 5 core core 4.0K Sep 22 12:59 ..
Yes, please! |
Seems fair; LGTM 👍 |
LGTM |
Explicitly set uid/gid for postgres/postgres
- `docker`: 1.8.3, 1.9.0-rc1 - `docker-dev`: 1.8.3 - `drupal`: add PHP zip extension (docker-library/drupal#7) - `httpd`: 2.4.17 - `mariadb`: 5.5.46+maria-1~wheezy - `mongo`: 3.0.7 - `owncloud`: add FPM variants (docker-library/owncloud#28) - `postgres`: explicit uid/gid (docker-library/postgres#93) - `tomcat`: 8.0.28
Will it be better, if you allow to set This can be quite important. Take a look at this example: My dev environment is in Virtualbox machine (runs with Vagrant). Then I run your postgres docker image and map Thus, it turns out that from postgres container's point of view all the database files are owned by So there is a collision. Further more. If you about to run in production multi-tenant containers on a single host, there probably would be better to create separate users on that host for each container and/or tenant to be safe. |
@starkovv It doesn't have any effect on the files if the VM thinks the username is different than what the container has; they each have their own We are looking to improve the entrypoint scripts on all images with regards to the I can't speculate on what would be required for multi-tenant docker hosts, since that is not something docker is designed for (for example, if a user has access to the docker socket, it is equivalent to having root on the machine). |
@yosifkit see your point. Though as my experience there can be issues when mounting volumes from host to container. As I understand, docker does not "proxying" file system uid/gid, so container see exactly that uid/gid as on host. Saying that, if you don't have rw rights on dir/file, then you can't use it normally. As I see, postgres docker image uses Somewhere I saw security notes, and it prescribe not to use root rights for app running inside container. Because it is somehow possible to get control on whole host from inside the container if you have root rights inside the container. Instead you have to use explicit user inside the container with minimum required rights, like sandbox. Above is specially important when you run HTTP-app inside container (rails or something) and expose it to outside world. There is pretty much possibility that you didn't notice some bug, so it really puts your host machine at risk. Correct me where I'm wrong. UPDATE: |
@starkovv correct, the container sees the filesystem uid/gid directly; docker currently doesn't proxy anything on filesystem access because that would be a huge slowdown. (Docker has added user namespace support in the experimental releases: https://github.com/docker/docker/blob/master/experimental/userns.md, http://integratedcode.us/2015/10/13/user-namespaces-have-arrived-in-docker/.) While the postgres container does begin as Yes it is recommended to run your container processes as a non-root user, which is what we accomplish. |
@yosifkit thank you for clarify this. It seems I misunderstood this paragraph:
|
@starkovv, yeah that is confusing 😕; that is about the user within the database, not the unix user 😉. |
@yosifkit got it just 30 minutes ago )) |
I am a trying to use the postrgres image, and have the following issue with the 999 gid : I can usually get ownership of my docker-created files and folders with I mount a (host) mailDB folder as a volume $PWD/mailDB:/var/lib/postgresql/data I have two issues :
Beeing quite the beginner in unix access control, docker and postgres, I'm not sure where and how I should modify my system. @yosifkit "Yes it is recommended to run your container processes as a non-root user, which is what we accomplish." Do you ? Yet, when launched, the container totally gosu's through the host-owned filesystem and shuts even the user that cloned the empty database mounted folder. I am totally not a pro but that sounds pretty root to me. Let's drop CHOWN :
So, your design currently forbids me to use a crucial security container limitation by implementing a highly discussable one. entrypoint.sh : mkdir -p "$PGDATA"
chmod 700 "$PGDATA"
chown -R postgres "$PGDATA"
chmod g+s /run/postgresql
chown -R postgres /run/postgresql For me, it's more dangerous to let a public image container with unneeded capabilities running wild, than to have the wrong user id. Why 999 ? dockerfile : RUN groupadd -r postgres --gid=999 && useradd -r -g postgres --uid=999 postgres Is there any benefit to this arbitrary group id and user id definitions ? Is postgresql in any way requiring that the user is "postgres" or is it an opinionated implementation ? As for my case, the docker user group is most important and only me has an access to docker. I don't really care that files from the postgresql container are created as owned by postgres or docker. If anyone gets a docker level access to my machine, I, and virtually anyone else using docker is as toasted as letting root access to the server.
PS : |
@Kallikrein: This PR only made the change to explicitly specify the
As for your suggestions that the image should allow the operator to override the While this area definitely has some pain points (some of which I've also experienced), it's likely that the discussion in this already-merged PR will be overlooked, and there's several different topics raised in this thread. |
I don't really feel comfortable with opening an issue, since I'm a total beginner in most fields concerned. I will tinker with postgres and try to create my own image for now, and might come back when I can be less vague and propose more concrete descriptions. |
- `docker`: 1.8.3, 1.9.0-rc1 - `docker-dev`: 1.8.3 - `drupal`: add PHP zip extension (docker-library/drupal#7) - `httpd`: 2.4.17 - `mariadb`: 5.5.46+maria-1~wheezy - `mongo`: 3.0.7 - `owncloud`: add FPM variants (docker-library/owncloud#28) - `postgres`: explicit uid/gid (docker-library/postgres#93) - `tomcat`: 8.0.28
I think "hard-coding" anything in a Docker container is very presumptuous, especially when simply making the values environment variables would have allowed for overriding. Now, I'm forced to roll my own which now becomes a maintenance issue. Seems like a lot of folks on this thread seems to feel the same. |
Looks like we need to evaluate whether PostgreSQL can support using an arbitrary user. Some PRs that implemented this in other images, for reference:
|
Any idea when those PRs will happen? |
I'm playing with it right now to gauge whether it's even feasible; running into the following issue right off that we'll have to find some way to work around: $ docker run -it --rm --user 1000:1000 48cfc7ec2d9b
initdb: could not look up effective user ID 1000: user does not exist |
https://github.com/postgres/postgres/blob/1d25779284fe1ba08ecd57e647292a9deb241376/src/bin/initdb/initdb.c#L3307-L3309 is the culprit -- doesn't appear to have any kind of escape hatch to avoid that call to |
Ok, |
See #253. |
The values 999:999 are identical to the current user/group id assigned
in the containers (tested in postgres:9.4, but should be identical for
all versions), but this guarantees that those values will remain the
same even if the
groupadd
/useradd
commands were moved elsewhere in theDockerfile, or a new version of
debian:jessie
image was pushed.Testing