Skip to content

Permissions in docker-entrypoint.sh #321

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
iamtiagodev opened this issue Aug 2, 2017 · 3 comments
Closed

Permissions in docker-entrypoint.sh #321

iamtiagodev opened this issue Aug 2, 2017 · 3 comments

Comments

@iamtiagodev
Copy link

I'm trying to execute a simple script, but it seems I don't have enough permissions with postgres user, specially to create folders. Shouldn't the entrypoint script be executed as root? So it can be possible to do anything with my scripts?

The idea around this is to automatically add .sql files to the init folder, but I don't want to edit the Dockerfile and place a COPY each time I have a new sql file to execute.

This is a simple example to illustrate the problem, the real init.sh is supposed to copy files from a Volume to the right folder, but the copy doesn't have enough permissions, just like the mkdir in the example bellow:

Dockerfile

FROM postgres:9.5
....

COPY ./init.sh /docker-entrypoint-initdb.d/
RUN chmod +x /docker-entrypoint-initdb.d/init.sh

init.sh

#!/bin/bash
whoami
mkdir /somefolder

Result

/usr/local/bin/docker-entrypoint.sh: running /docker-entrypoint-initdb.d/init.sh
postgres
mkdir: cannot create directory ‘/somefolder’: Permission denied
@yosifkit
Copy link
Member

yosifkit commented Aug 3, 2017

We did discuss this when we moved to allow the container to run as (semi) arbitrary users: #253 (comment) and have a note in the docs:

Additionally, as of #253, these initialization scripts are run as the postgres user (or as the "semi-arbitrary user" specified with the --user flag to docker run; see the section titled "Arbitrary --user Notes" for more details).

- Docker Hub (and source)

Is there a reason you don't just COPY *.sql /docker-entrypoint-initdb.d/ or docker run -v /sql/scripts/:/docker-entrypoint-initdb.d/ ...? In either case you'll need to ensure that whatever user the postgres container runs as has permissions to access the files.

Just a reminder that any scripts or sql files in /docker-entrypoint-initdb.d/ will only be run if there is no database (usually the first start of the container). Also, if you modify the contents of /docker-entrypoint-initdb.d/ while the entrypoint is looping over the files in there, it will not pick up any new files.

As long as it doesn't need postgres running, perhaps your script just needs to run before the entrypoint? Just end your script with exec "$@".

FROM postgres:9.5
....
COPY ./init.sh /usr/local/bin/
# some docker storage backends fail on this kind of layer, so should probably chmod it in git instead
RUN chmod +x /usr/local/bin/init.sh

ENTRYPOINT ["init.sh"]
CMD ["docker-entrypoint.sh", "postgres"]

@iamtiagodev
Copy link
Author

iamtiagodev commented Aug 3, 2017
edited
Loading

Hello @yosifkit,

first of all thank you for your support!

The COPY *.sql /docker-entrypoint-initdb.d/ isn't a solution since I want to build a global image and use it in different compose files, and for each specific implementation, it is required to import different SQL files that should be passed on runtime and not on image build. I have some mechanisms for copy_in files.

Thank you for this

Just a reminder that any scripts or sql files in /docker-entrypoint-initdb.d/ will only be run if there is no database

The whole idea was to move/delete files after being used, so a restart wouldn't trigger the same behavior. Since this only happens once, I can import them directly from the volume, so I ended up doing this in the init.sh:

for file in /tmp/sql/*; do
   psql db_name -f "/tmp/sql/${file##*}"
done

I think you can close this issue. But, in my humble opinion, I don't think the entrypoint scripts and SQL files should run within a user with so few permissions. Maybe right before starting the postgres, u could login as postgres user. I understand the security constraints, but, at the end of the day I can do a docker exec -it container_id /bin/bash with a root user.

@robertdecaire robertdecaire mentioned this issue Jun 17, 2022
Closed
@PrudyvusP PrudyvusP mentioned this issue Nov 17, 2023
Merged
@ascheucher-shopify-partner
Copy link

ascheucher-shopify-partner commented Feb 17, 2024
edited
Loading

Anybody interested in solving this thing by mounting a directory and not relying onto COPY or ADD, this might be useful. Also as documentation for my future self.

Given we have a init.d directory, with one or more init scripts, we can do following dance:

# get the user ID of the user running the process
docker top eremite-postgresql-16
# was 999 for the process postgres

# get the user name
docker exec -it eremite-postgresql-16 /bin/bash
cat /etc/passwd | grep 999

# got the line for the user postgres for the group id 
cat /etc/group | grep postgres

# hence, this is what we want: 999:999

exit

sudo chown 999:999 initdb.d/*
chmod u+x initdb.d/*

Enjoy :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@yosifkit @iamtiagodev @ascheucher-shopify-partner