postgres and initdb not working inside docker

2022-05-26 Thread Roffild

postgres and initdb not working inside docker.

chmod 755 always for a mounted volume inside docker.


From: Roffild 
Subject: fix chmod inside docker


diff --git a/src/backend/utils/init/miscinit.c 
b/src/backend/utils/init/miscinit.c

index 30f0f19dd5..adf3218cf9 100644
--- a/src/backend/utils/init/miscinit.c
+++ b/src/backend/utils/init/miscinit.c
@@ -373,7 +373,7 @@ checkDataDir(void)
  */
 #if !defined(WIN32) && !defined(__CYGWIN__)
 if (stat_buf.st_mode & PG_MODE_MASK_GROUP)
-        ereport(FATAL,
+        ereport(WARNING,
(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
              errmsg("data directory \"%s\" has invalid permissions",
                     DataDir),
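Review bot: Downgrading this ereport from FATAL to WARNING removes the enforcement for every build, not only the Docker case: a WARNING returns and checkDataDir() carries on, so the server now starts on a data directory with bits set in PG_MODE_MASK_GROUP while the log still says the permissions are "invalid". If the intent is to tolerate one deployment shape, the check should stay FATAL and the deployment should give the server a correctly owned and permissioned directory (a subdirectory inside the volume rather than the mount point itself); a blanket relaxation with no opt-in and no documentation change is not a fix that can be reviewed on its own.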





Re: postgres and initdb not working inside docker

2022-05-27 Thread Roffild

Only in an ideal world are all standards observed...

Docker has different standards inside.

$ ls -l /home/neo/
drwxr-xr-x 2 pgsql  pgsql   8192 May 27 10:37 data
drwxr-sr-x 2 pgsql  pgsql   4096 May 24 09:35 data2

/home/pgsql/data - mounted volume.

Therefore, the permissions have changed to drwxr-xr-x

$ mkdir /home/pgsql/data/pgtest
$ ls -l /home/pgsql/data
drwxr-xr-x 2 pgsql  pgsql  0 May 27 11:08 pgtest

$ chmod 700 /home/pgsql/data/pgtest
$ ls -l /home/pgsql/data
drwxr-xr-x 2 pgsql  pgsql  0 May 27 11:08 pgtest

Oops...

If it's a regular "data2" folder and there is no "read_only: true" flag 
for the container:

$ mkdir /home/pgsql/data2/pgtest
$ chmod 700 /home/pgsql/data2/pgtest
$ ls -l /home/pgsql/data2
drwx------ 2 pgsql  pgsql   4096 May 27 11:19 pgtest


Roffild writes:

postgres and initdb not working inside docker.
chmod 755 always for a mounted volume inside docker.


This patch will never be accepted.  You don't need it if you take the
standard advice[1] that the Postgres data directory should not itself
be a mount point.  Instead, make a subdirectory in the mounted volume,
and that can have the ownership and permissions that the server expects.

regards, tom lane

[1] https://www.postgresql.org/message-id/12168.1312921709%40sss.pgh.pa.us
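A pre-flight probe that ties the two points above together: Roffild's listing, where chmod 700 on a directory inside the mounted volume silently left the mode at 755, and Tom Lane's advice to make a subdirectory of the volume the data directory rather than the mount point. This is an added example, not code from the thread or from PostgreSQL; it assumes GNU or busybox `stat -c`, and the subdirectory name `pgdata` is our own choice.

```shell
#!/bin/sh
# Pre-flight probe for running PostgreSQL with PGDATA on a Docker volume.
# Following the advice above, it does not use the mount point itself as the
# data directory but creates a subdirectory inside the volume. It then checks
# the two things checkDataDir() in miscinit.c enforces on Unix: the directory
# is owned by the user the server runs as, and chmod 700 really took effect
# (the "Oops..." listing above shows a mount where it silently did not).
# Assumes GNU or busybox `stat -c`; the subdirectory name is our own choice.

# Print "<octal mode> <owner uid>" for a path, e.g. "700 999".
mode_and_owner() {
    stat -c '%a %u' "$1"
}

# probe_pgdata_mount VOLUME [SUBDIR]
#   0: VOLUME/SUBDIR exists, mode 700, owned by the current user (usable PGDATA)
#   1: the directory exists but the mount does not honour the mode or owner
#   2: the directory cannot be created
probe_pgdata_mount() {
    vol=$1
    sub=${2:-pgdata}
    dir="$vol/$sub"
    mkdir -p "$dir" 2>/dev/null || { echo "$dir: cannot create" >&2; return 2; }
    chmod 700 "$dir" 2>/dev/null || { echo "$dir: chmod 700 failed" >&2; return 1; }
    set -- $(mode_and_owner "$dir")
    mode=$1
    owner=$2
    if [ "$mode" != "700" ]; then
        # chmod reported success but the mode did not change: the volume
        # driver or host filesystem imposes its own modes (the 755 case).
        echo "$dir: mode is $mode after chmod 700; mount ignores POSIX modes" >&2
        return 1
    fi
    if [ "$owner" != "$(id -u)" ]; then
        echo "$dir: owned by uid $owner but server runs as uid $(id -u)" >&2
        return 1
    fi
    echo "$dir: usable as PGDATA (mode $mode, uid $owner)"
}

# Stand-alone use: sh probe_pgdata_mount.sh /home/pgsql/data
if [ $# -gt 0 ]; then
    probe_pgdata_mount "$@"
    exit $?
fi
```

Run it inside the container as the server user before initdb; a non-zero exit means the volume cannot hold PGDATA as mounted and the check in checkDataDir() would fail for the same reason.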





Re: postgres and initdb not working inside docker

2022-05-28 Thread Roffild

Add --disable-check-permissions to ./configure

After applying the patch, run "autoheader -f ; autoconf"

This patch fixes an issue inside Docker and will not affect other builds.
diff --git a/configure.ac b/configure.ac
index 3f0077696b..d093fb88dd 100644
--- a/configure.ac
+++ b/configure.ac
@@ -749,14 +749,6 @@ PGAC_ARG_BOOL(enable, cassert, no, [enable assertion 
checks (for debugging)],
  [Define to 1 to build with assertion checks. 
(--enable-cassert)])])
 
 
-#
-# Disable file permission checks
-#
-PGAC_ARG_BOOL(enable, check-permissions, yes, [disable file permission checks 
(for Docker)],
-  [AC_DEFINE([ENABLE_CHECK_PERMISSIONS], 1,
- [Define to 1 to build with permission checks. 
(--disable-check-permissions)])])
-
-
 #
 # Include directories
 #
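Review bot: This hunk is reversed: the header `@@ -749,14 +749,6 @@` and the `-` prefixes remove the PGAC_ARG_BOOL(enable, check-permissions, ...) block that the covering message says the patch adds, so it cannot apply to a tree that does not already contain the option. Regenerate it with the old and new trees in the right order. Once the direction is fixed, the AC_DEFINE description "Define to 1 to build with permission checks. (--disable-check-permissions)" names the option that undefines the symbol; describe the default (defined) state instead. Since src/include/pg_config.h.in is tracked in the tree, the regenerated header belongs in the patch rather than in a "run autoheader" instruction.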
diff --git a/src/backend/utils/init/miscinit.c 
b/src/backend/utils/init/miscinit.c
index bcd56cc7cb..ec6a61594a 100644
--- a/src/backend/utils/init/miscinit.c
+++ b/src/backend/utils/init/miscinit.c
@@ -351,7 +351,7 @@ checkDataDir(void)
 *
 * XXX can we safely enable this check on Windows?
 */
-#if defined(ENABLE_CHECK_PERMISSIONS) && !defined(WIN32) && 
!defined(__CYGWIN__)
+#if !defined(WIN32) && !defined(__CYGWIN__)
if (stat_buf.st_uid != geteuid())
ereport(FATAL,

(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
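Review bot: Same reversal as the configure.ac hunk: the `-` line carries the new `defined(ENABLE_CHECK_PERMISSIONS) &&` guard and the `+` line is the current source. Beyond direction, this puts the ownership check (`stat_buf.st_uid != geteuid()`) behind the same macro as the mode check, but nothing in the thread shows ownership as the Docker problem (the volume in the listing above is owned by pgsql). Disabling it lets the server start on a directory owned by another account, a much larger relaxation than the chmod 755 issue being reported; keep this check unconditional.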
@@ -371,7 +371,7 @@ checkDataDir(void)
 * be proper support for Unix-y file permissions.  Need to think of a
 * reasonable check to apply on Windows.
 */
-#if defined(ENABLE_CHECK_PERMISSIONS) && !defined(WIN32) && 
!defined(__CYGWIN__)
+#if !defined(WIN32) && !defined(__CYGWIN__)
if (stat_buf.st_mode & PG_MODE_MASK_GROUP)
ereport(FATAL,

(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
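Review bot: Reversed like the previous hunks. Note also that when ENABLE_CHECK_PERMISSIONS is undefined the whole `#if` block, including the ereport(FATAL) and its errmsg, is compiled out, so a --disable-check-permissions build gives no diagnostic at all when the data directory is group- or world-accessible. At minimum an `#else` branch should still emit a WARNING so the skipped check is visible in the server log.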


Re: postgres and initdb not working inside docker

2022-05-28 Thread Roffild

Fix


Looks like you generated the patch backwards, it's removing the lines you
propose to add.
diff --git a/configure.ac b/configure.ac
index d093fb88dd..3f0077696b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -749,6 +749,14 @@ PGAC_ARG_BOOL(enable, cassert, no, [enable assertion 
checks (for debugging)],
  [Define to 1 to build with assertion checks. 
(--enable-cassert)])])
 
 
+#
+# Disable file permission checks
+#
+PGAC_ARG_BOOL(enable, check-permissions, yes, [disable file permission checks 
(for Docker)],
+  [AC_DEFINE([ENABLE_CHECK_PERMISSIONS], 1,
+ [Define to 1 to build with permission checks. 
(--disable-check-permissions)])])
+
+
 #
 # Include directories
 #
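Review bot: The direction is right now, but the option is still undocumented: a new configure switch needs an entry in the installation documentation alongside the other --enable/--disable options. The AC_DEFINE description "Define to 1 to build with permission checks. (--disable-check-permissions)" still names the option that turns the symbol off. The help text "disable file permission checks (for Docker)" also presents a security check as Docker-specific, but the mode check protects any deployment where other accounts share the filesystem, and a configure-time switch cannot know whether the resulting binary is running inside a container; this is the "will not affect other builds" claim that does not hold.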
diff --git a/src/backend/utils/init/miscinit.c 
b/src/backend/utils/init/miscinit.c
index ec6a61594a..bcd56cc7cb 100644
--- a/src/backend/utils/init/miscinit.c
+++ b/src/backend/utils/init/miscinit.c
@@ -351,7 +351,7 @@ checkDataDir(void)
 *
 * XXX can we safely enable this check on Windows?
 */
-#if !defined(WIN32) && !defined(__CYGWIN__)
+#if defined(ENABLE_CHECK_PERMISSIONS) && !defined(WIN32) && 
!defined(__CYGWIN__)
if (stat_buf.st_uid != geteuid())
ereport(FATAL,

(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
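Review bot: The ownership check (`stat_buf.st_uid != geteuid()`) should not be gated by ENABLE_CHECK_PERMISSIONS. The problem reported in this thread is the forced 755 mode on the mount, not ownership (the listing above shows the volume owned by pgsql), and skipping this test allows the server to start on a data directory owned by a different account. If the macro is kept at all, limit it to the mode check in the next hunk.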
@@ -371,7 +371,7 @@ checkDataDir(void)
 * be proper support for Unix-y file permissions.  Need to think of a
 * reasonable check to apply on Windows.
 */
-#if !defined(WIN32) && !defined(__CYGWIN__)
+#if defined(ENABLE_CHECK_PERMISSIONS) && !defined(WIN32) && 
!defined(__CYGWIN__)
if (stat_buf.st_mode & PG_MODE_MASK_GROUP)
ereport(FATAL,

(errcode(ERRCODE_OBJECT_NOT_IN_PREREQUISITE_STATE),
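Review bot: With ENABLE_CHECK_PERMISSIONS undefined this `#if` removes the ereport entirely, so a build configured with --disable-check-permissions starts silently on a directory whose mode has bits in PG_MODE_MASK_GROUP, with nothing in the log to show the check was skipped. Add an `#else` branch that reports at least a WARNING, and consider a runtime control rather than a compile-time one, since the same binary is typically used both inside and outside containers.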
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index cdd742cb55..df44393855 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -45,6 +45,10 @@
 /* Define to the file name extension of dynamically-loadable modules. */
 #undef DLSUFFIX
 
+/* Define to 1 to build with permission checks. (--disable-check-permissions)
+   */
+#undef ENABLE_CHECK_PERMISSIONS
+
 /* Define to build with GSSAPI support. (--with-gssapi) */
 #undef ENABLE_GSS
 
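Review bot: This is the autoheader output for the configure.ac change, so the inverted wording "Define to 1 to build with permission checks. (--disable-check-permissions)" is inherited from the AC_DEFINE description there; fix the description in configure.ac and regenerate rather than editing this file by hand.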


Re: postgres and initdb not working inside docker

2022-05-28 Thread Roffild

Docker is now the DevOps standard. It's easier to build an image for 
Docker and run the site with one command.


But the volume mount has a limitation with chmod 755. I don't want to 
write the database directly to the container.


The container is isolated from everything. Therefore, checking the file 
permissions inside the container is meaningless. And writing to the 
container is also a "security hole".


The world has changed! And the old standards don't work...

28.05.2022 18:49, Tom Lane:

Lacks documentation, too.  But it doesn't matter, because we are not
going to accept such a "feature".  The OP has offered no justification
why this is necessary (and no, he's not the first who's ever used
Postgres inside Docker).  Introducing a security hole that goes
against twenty-five years of deliberate project policy is going to
require a heck of a lot better-reasoned argument than "there's an
issue inside Docker".