public inbox for [email protected]
From: Dave Page <[email protected]>
To: pgadmin-hackers <[email protected]>
Cc: Syed Fahar Abbas <[email protected]>
Cc: Akshay Joshi <[email protected]>
Subject: RM4939 - Running in the container as non-root user
Date: Tue, 3 Dec 2019 21:51:35 -0500
Message-ID: <CA+OCxoyhqSNoNzGA55qAb0HkjDr5v8vp78yWB-sLD2nYG-EpJQ@mail.gmail.com>
The attached patch fixes $SUBJECT. I'm a little concerned about upgrades
though, mostly when using mapped storage or session data. Fahar, can you
test such scenarios please?
Patch review is also needed please :-)
--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake
EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company
Attachments:
[application/octet-stream] RM_4939.diff (2.9K, 3-RM_4939.diff)
inline diff:
diff --git a/Dockerfile b/Dockerfile
index 2f7da8ca8..6be2f6f47 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -160,7 +160,9 @@ RUN apk add --no-cache --virtual \
apk add \
postfix \
postgresql-client \
- postgresql-libs && \
+ postgresql-libs \
+ shadow \
+ libcap && \
pip install --upgrade pip && \
pip install --no-cache-dir -r requirements.txt && \
pip install --no-cache-dir gunicorn==19.9.0 && \
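Review bot: `shadow` and `libcap` are added to the permanent package list on the `+ shadow \` and `+ libcap && \` lines, but both are only needed at build time (`groupadd`/`useradd` and `setcap` later in the Dockerfile), so they stay in the runtime image. Consider BusyBox's built-in `addgroup`/`adduser` instead of `shadow`, and an `apk del libcap` after `setcap` has run if nothing else in the image needs it; the file capability is an extended attribute on the binary and survives removal of the tool.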
@@ -177,6 +179,17 @@ COPY pkg/docker/entrypoint.sh /entrypoint.sh
# Precompile and optimize python code to save time and space on startup
RUN python -O -m compileall -x node_modules /pgadmin4
+RUN groupadd -g 5050 pgadmin && \
+ useradd -r -u 5050 -g pgadmin pgadmin && \
+ mkdir -p /var/lib/pgadmin && \
+ chown pgadmin:pgadmin /var/lib/pgadmin && \
+ mkdir -p /var/log/pgadmin && \
+ chown pgadmin:pgadmin /var/log/pgadmin && \
+ touch /pgadmin4/config_distro.py && \
+ chown pgadmin:pgadmin /pgadmin4/config_distro.py && \
+ setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/python3.7
+USER pgadmin
+
# Finish up
VOLUME /var/lib/pgadmin
EXPOSE 80 443
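Review bot: the `setcap CAP_NET_BIND_SERVICE=+eip /usr/local/bin/python3.7` line hardcodes the interpreter path and minor version; when the base image moves to a newer Python the capability is silently not applied and the server fails to bind ports 80/443 as `pgadmin`. Resolving the real binary at build time, e.g. `setcap CAP_NET_BIND_SERVICE=+eip "$(readlink -f "$(command -v python3)")"`, avoids that, and a `getcap` check in the same `RUN` would catch the failure early. Note also that the capability is attached to the interpreter, so any Python process in the container, not only pgAdmin, can bind privileged ports. Lastly, `chown pgadmin:pgadmin /var/lib/pgadmin` only affects the image layer: a host directory mounted over the `VOLUME /var/lib/pgadmin` keeps its host ownership, so existing deployments with root-owned data will hit permission errors after `USER pgadmin`, which matches the upgrade concern in the mail; the release note should tell users to `chown -R 5050:5050` mapped storage.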
diff --git a/docs/en_US/release_notes_4_16.rst b/docs/en_US/release_notes_4_16.rst
index 8e8612075..9086c5391 100644
--- a/docs/en_US/release_notes_4_16.rst
+++ b/docs/en_US/release_notes_4_16.rst
@@ -13,6 +13,7 @@ New features
| `Issue #4435 <https://redmine.postgresql.org/issues/4435>`_ - Allow drag and drop functionality for all the nodes under the database node, excluding collection nodes.
| `Issue #4711 <https://redmine.postgresql.org/issues/4711>`_ - Use a 'play' icon for the Execute Query button in the Query Tool for greater consistency with other applications.
| `Issue #4773 <https://redmine.postgresql.org/issues/4773>`_ - Added role="status" attribute to all the status messages for accessibility.
+| `Issue #4939 <https://redmine.postgresql.org/issues/4939>`_ - Run pgAdmin in the container as a non-root user (pgadmin, UID: 5050)
| `Issue #4944 <https://redmine.postgresql.org/issues/4944>`_ - Allow Gunicorn logs in the container to be directed to a file specified through GUNICORN_ACCESS_LOGFILE.
Housekeeping
diff --git a/pkg/docker/entrypoint.sh b/pkg/docker/entrypoint.sh
index 070aa5579..47d14bf2d 100755
--- a/pkg/docker/entrypoint.sh
+++ b/pkg/docker/entrypoint.sh
@@ -1,9 +1,10 @@
#!/bin/sh
-# Create config_distro.py. This has some default config, as well as anything
+# Populate config_distro.py. This has some default config, as well as anything
# provided by the user through the PGADMIN_CONFIG_* environment variables.
-# Only write the file on first launch.
-if [ ! -f /pgadmin4/config_distro.py ]; then
+# Only update the file on first launch. The empty file is created during the
+# container build so it can have the required ownership.
+if [ `wc -m /pgadmin4/config_distro.py | awk '{ print $1 }'` = "0" ]; then
cat << EOF > /pgadmin4/config_distro.py
HELP_PATH = '../../docs'
DEFAULT_BINARY_PATHS = {
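Review bot: the first-launch test on the `+if [ ... = "0" ]` line is fragile: if `/pgadmin4/config_distro.py` is missing (an image built before this change, or a mount over `/pgadmin4`), `wc` fails, the backtick substitution expands to nothing and the test becomes `[ = "0" ]`, a syntax error that skips writing the config. `if [ ! -s /pgadmin4/config_distro.py ]; then` is POSIX, covers both the empty and the missing file, and drops the `wc | awk` pipeline.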