
Running as non-default user results in permission error on lock file #264

Closed
@jch-gh

Description


I'm attempting to run the latest 9.6 container (have also tried the alpine container with the same result) with a non-default user. The data files are all created correctly by initdb, but the server itself never starts due to permission problems on /var/run/postgresql.

Using the following command to start the container:

sudo docker run --name app-pg -e POSTGRES_PASSWORD=<secret> \
    -e POSTGRES_DB=postgres -e PGDATA=/var/lib/postgresql/data/pgdata \
    --user "$(id -u appuser):$(id -g appuser)" \
    -v /volume1/docker/volumes/app_data/pgdata:/var/lib/postgresql/data/pgdata \
    -v /etc/passwd:/etc/passwd:ro -d \
    postgres:9.6

The following output is generated:

The files belonging to this database system will be owned by user "appuser".
This user must also own the server process.

The database cluster will be initialized with locale "en_US.utf8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /var/lib/postgresql/data/pgdata ... ok
creating subdirectories ... ok
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting dynamic shared memory implementation ... posix
creating configuration files ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... ok
syncing data to disk ... ok

Success. You can now start the database server using:

    pg_ctl -D /var/lib/postgresql/data/pgdata -l logfile start


WARNING: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.
waiting for server to start....FATAL:  could not create lock file "/var/run/postgresql/.s.PGSQL.5432.lock": Permission denied
LOG:  database system is shut down
 stopped waiting
pg_ctl: could not start server

It would seem that while the data piece of allowing arbitrary users is working, the section of the Dockerfile at https://github.com/docker-library/postgres/blob/master/9.6/Dockerfile#L57 still requires the postgres user or group, which cannot be assumed to exist on the host. A possible solution would be to make the directory world accessible, but I'm admittedly not positive what the security ramifications of doing so would be (though I suspect they're minimal given this is all inside the container).

Or...I could just be doing something wrong. Any suggestions?
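The following script is an added example, not code from the issue or from the docker-library/postgres image. It models the discretionary-access check the kernel applies when the server tries to create the lock file in /var/run/postgresql, so the three cases in the report above (postgres itself, a foreign uid in the postgres group, and a foreign uid:gid such as the host appuser) can be compared across candidate directory modes. It assumes, because the issue does not say, that the image's postgres user is uid/gid 999 and that the socket directory is owned postgres:postgres with mode 2775, which matches the "requires postgres user or group" behaviour reported; the appuser ids are constructed stand-ins.

```sh
#!/bin/sh
# Added example, not part of the issue or the docker-library/postgres image.
# Models the DAC check that decides whether a process may create
# .s.PGSQL.5432.lock in /var/run/postgresql under a given directory mode.
#
# Assumptions (not stated in the issue): the image's postgres user is
# uid/gid 999; the socket directory is owned postgres:postgres, mode 2775.

# can_create_in_dir OWNER_UID OWNER_GID MODE UID GID
# Prints "yes" if a process running as UID:GID may create an entry in a
# directory owned by OWNER_UID:OWNER_GID with octal MODE (needs w and x).
can_create_in_dir() {
    owner_uid=$1; owner_gid=$2; mode=$3; uid=$4; gid=$5
    if [ "$uid" -eq 0 ]; then            # root bypasses DAC (CAP_DAC_OVERRIDE)
        echo yes; return 0
    fi
    perm=$(( 0$mode & 0777 ))            # octal string -> int, drop setgid/sticky
    if [ "$uid" -eq "$owner_uid" ]; then
        bits=$(( (perm >> 6) & 7 ))      # owner class
    elif [ "$gid" -eq "$owner_gid" ]; then
        bits=$(( (perm >> 3) & 7 ))      # group class (supplementary groups not modelled)
    else
        bits=$(( perm & 7 ))             # other class
    fi
    if [ $(( bits & 3 )) -eq 3 ]; then echo yes; else echo no; fi
}

PG_UID=999;   PG_GID=999    # assumed uid/gid of the image's postgres user
APP_UID=1026; APP_GID=100   # constructed stand-in for the host "appuser"

# report LABEL MODE: one line per candidate mode of /var/run/postgresql
report() {
    label=$1; mode=$2
    printf '%-34s postgres=%s  group-postgres=%s  appuser=%s\n' "$label" \
        "$(can_create_in_dir $PG_UID $PG_GID "$mode" $PG_UID  $PG_GID)"  \
        "$(can_create_in_dir $PG_UID $PG_GID "$mode" $APP_UID $PG_GID)"  \
        "$(can_create_in_dir $PG_UID $PG_GID "$mode" $APP_UID $APP_GID)"
}

report "2775 postgres:postgres (as built)"    2775   # appuser=no: the FATAL above
report "1777 postgres:postgres (world+sticky)" 1777  # appuser=yes
report "0777 postgres:postgres (world)"        0777  # appuser=yes, but no sticky bit
```

The third column is the failure in the log above: a uid that is neither postgres nor in its group only gets the "other" bits, and r-x is not enough to create a directory entry. Of the two world-writable modes, 1777 keeps the sticky bit, so another uid inside the container cannot remove or rename a running server's socket and lock file, which is the one extra exposure a world-writable socket directory adds (any local uid could also pre-create the lock or socket name before the server starts); in a container that runs a single process as one uid there is no such other uid, which is the poster's point. Two workarounds that need no image change, offered here as assumptions rather than anything from the issue: mount a tmpfs over the directory (`--tmpfs /var/run/postgresql`; a tmpfs defaults to mode 1777 unless `mode=` is given), or point the server at a directory the user can write with the standard `-c unix_socket_directories=/tmp` server option.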
