
Conversation

@rock-007

Fixes #517

Background

The DB components fail to start when run as a non-root user.

Change Summary

I have added a postgres group and user and set the permissions as raised by "mathieu-benoit" in the ticket (ref: #517).

Testing Procedure

Related PRs or Issues

#517

@rock-007 rock-007 requested review from a team and yoshi-approver as code owners July 25, 2024 09:10
@google-cla

google-cla bot commented Jul 25, 2024

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@rock-007 rock-007 force-pushed the bug/fixing-root-privilage-issue branch from 6a188ac to c45df33 July 25, 2024 09:21
@bourgeoisor
Member

/gcbrun

@bourgeoisor
Member

Hi @rock-007, have you tested this locally? The Docker image doesn't build.

docker build failure: The command '/bin/sh -c addgroup -S postgres && adduser -S postgres -G postgres' returned a non-zero code

@rock-007
Author

Hi @rock-007, have you tested this locally? The Docker image doesn't build.

docker build failure: The command '/bin/sh -c addgroup -S postgres && adduser -S postgres -G postgres' returned a non-zero code

Hi @bourgeoisor
I had the impression that the user and group didn't exist for Postgres, but they do, so I have amended the logic accordingly and pushed another commit.
It is now building fine locally, and I don't see anything obvious while running the Docker image.

Comment on lines 20 to 21
RUN if ! getent group postgres > /dev/null; then addgroup -S postgres; fi && \
if ! getent passwd postgres > /dev/null; then adduser -S postgres -G postgres; fi
Member


Container images should have deterministic build steps. Either these groups / bindings exist, or they don't. We should need conditional checks.

Author


Removed the conditional check.

@bourgeoisor
Member

/gcbrun

@bourgeoisor
Member

This PR would need changes to the k8s YAML too, e.g. https://github.com/GoogleCloudPlatform/bank-of-anthos/pull/855/files

@rock-007
Author

/gcbrun

@rock-007
Author

This PR would need changes to the k8s YAML too, e.g. https://github.com/GoogleCloudPlatform/bank-of-anthos/pull/855/files

Done.

- mountPath: /var/lib/postgresql/data
name: postgresdb
subPath: postgres
securityContext:
Member


That's a start but it's also missing security contexts to prevent all access to root:

        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
              - all
          privileged: false
          readOnlyRootFilesystem: true

Author


I have added these now to the ledger-db.yaml file.
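As an added check, not code from this PR or from the bank-of-anthos project: a small Python linter that flags a pod spec missing the container securityContext fields quoted in the review thread above, and that also flags the directories postgres writes to at runtime when they have no volumeMount while readOnlyRootFilesystem is set. Both manifests in the block are constructed, and runAsNonRoot is an assumed addition that the PR snippet does not include.

```python
# Added example, not bank-of-anthos code: lints a pod spec for the hardening
# discussed in this PR. Both manifests below are constructed, not the repo's YAML.
REQUIRED = {
    "allowPrivilegeEscalation": False,
    "privileged": False,
    "readOnlyRootFilesystem": True,
    "runAsNonRoot": True,  # assumed addition: the PR snippet does not set it
}
# Paths the postgres server writes at runtime; once the root filesystem is
# read-only each one must be backed by a volumeMount (PVC, emptyDir, ...).
WRITABLE_PATHS = ("/var/lib/postgresql/data", "/var/run/postgresql")


def _covered(path, mounts):
    """True if `path` lies inside one of the mountPaths."""
    return any(path == m or path.startswith(m.rstrip("/") + "/") for m in mounts)


def check_container(c):
    """Return findings for one container spec; an empty list means compliant."""
    name, sc = c["name"], c.get("securityContext", {})
    findings = [f"{name}: securityContext.{k} should be {v}"
                for k, v in REQUIRED.items() if sc.get(k) is not v]
    if "all" not in [x.lower() for x in sc.get("capabilities", {}).get("drop", [])]:
        findings.append(f"{name}: capabilities.drop must include ALL")
    if sc.get("readOnlyRootFilesystem") is True:
        mounts = [m["mountPath"] for m in c.get("volumeMounts", [])]
        findings += [f"{name}: {p} has no volumeMount but the root filesystem is read-only"
                     for p in WRITABLE_PATHS if not _covered(p, mounts)]
    return findings


def check_pod(spec):
    return [f for c in spec.get("containers", []) for f in check_container(c)]


# Constructed: the shape of the first revision (PVC mount only, no securityContext).
WEAK = {"containers": [{"name": "postgres", "volumeMounts": [
    {"mountPath": "/var/lib/postgresql/data", "name": "postgresdb", "subPath": "postgres"}]}]}
# Constructed: hardened form, with an emptyDir so the socket directory stays writable.
HARDENED = {"containers": [{"name": "postgres",
    "securityContext": {"allowPrivilegeEscalation": False, "privileged": False,
                        "readOnlyRootFilesystem": True, "runAsNonRoot": True,
                        "capabilities": {"drop": ["all"]}},
    "volumeMounts": [{"mountPath": "/var/lib/postgresql/data", "name": "postgresdb", "subPath": "postgres"},
                     {"mountPath": "/var/run/postgresql", "name": "run"}]}],
    "volumes": [{"name": "run", "emptyDir": {}}]}

if __name__ == "__main__":
    for label, spec in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_pod(spec) or "OK")
```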

@bourgeoisor
Member

/gcbrun

@bourgeoisor
Member

/gcbrun

Comment on lines +19 to +23
# Change ownership of the necessary directories
RUN chown -R postgres:postgres /var/lib/postgresql /var/run/postgresql

# Set thte correct permissions
RUN chmod -R 0700 /var/lib/postgresql/data && chmod -R 0755 /var/run/postgresql
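Review bot: the `chown -R postgres:postgres /var/lib/postgresql` on line 19 only changes ownership inside the image layer, and the k8s manifest quoted earlier mounts a volume over `/var/lib/postgresql/data`, so at runtime the data directory's ownership comes from the volume, not from this layer; the pod needs something like `fsGroup` in the pod securityContext (or an init step) to guarantee the postgres user can write there. Also, with `readOnlyRootFilesystem: true` on the container, `/var/run/postgresql` (chmod'd on line 23) is read-only at runtime and needs a writable mount such as an emptyDir for the server socket.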
Member


@mathieu-benoit do you think that's all that was needed? Seems too good to be true but maybe I'm overthinking it


Development

Successfully merging this pull request may close these issues.

Components should not require root to run
