Impossible to run with "--user" #589

Closed
exhuma opened this issue Jun 19, 2019 · 2 comments
Labels
question Usability question, not directly related to an error with the image

Comments

exhuma commented Jun 19, 2019

I'm working on a shared development box and we usually run with local non-privileged users. Running postgres containers with a persistent volume is quite annoying as the files are owned by root. Other containers can simply be run with --user=<uid>, making this less of a headache.

However, doing this with postgres gives the following:

› docker run --rm --user 1000 postgres:9
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale "en_US.utf8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /var/lib/postgresql/data ... initdb: could not change permissions of directory "/var/lib/postgresql/data": Operation not permitted
@wglambert wglambert added the question Usability question, not directly related to an error with the image label Jun 19, 2019
@wglambert

You need to implement the correct permissions on the data directory https://github.com/docker-library/docs/tree/master/postgres#arbitrary---user-notes

The main caveat to note is that postgres doesn't care what UID it runs as (as long as the owner of /var/lib/postgresql/data matches), but initdb does care (and needs the user to exist in /etc/passwd):

First initialize the database

$ docker run -d --rm --name=postgres -v pgdata:/var/lib/postgresql/data postgres:9
83083bc4b0c1efcf7400e1d21c71e27a4a1280d0e41643ee21101bda005c9306

$ docker logs postgres | tail -n 1

WARNING: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.
****************************************************
WARNING: No password has been set for the database.
         This will allow anyone with access to the
         Postgres port to access your database. In
         Docker's default configuration, this is
         effectively any other container on the same
         system.

         Use "-e POSTGRES_PASSWORD=password" to set
         it in "docker run".
****************************************************
LOG:  database system was shut down at 2019-06-19 18:30:59 UTC
LOG:  MultiXact member wraparound protections are now enabled
LOG:  database system is ready to accept connections
LOG:  autovacuum launcher started

It's initialized so chown it as the --user

$ docker exec postgres chown -R 1000:1000 /var/lib/postgresql/data

Remove it and start it again with the prepared data volume

$ docker rm -f postgres 
postgres

$ docker run -d --rm --name=postgres --user 1000:1000 -v pgdata:/var/lib/postgresql/data postgres:9
a13ce580cecf4ff7acddd10ccc9147d765c7079218a05888bf4d0290dd64ce94

$ docker exec -it postgres bash
I have no name!@a13ce580cecf:/$ id -u && id -g
1000
1000

I have no name!@a13ce580cecf:/$ psql -U postgres
psql (9.6.13)
Type "help" for help.

postgres=#

The image runs by default as 999:999 which is postgres, so the entrypoint can't chown the data directory

$ docker run --rm postgres:9 grep postgres /etc/passwd
postgres:x:999:999::/var/lib/postgresql:/bin/bash

Attaching to its namespace you can see that 999 runs everything

$ docker run --rm --pid=container:postgres1 tianon/network-toolbox ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
999          1  0.1  0.3 287444 23768 ?        Ss   20:14   0:00 postgres
999         53  0.0  0.0 287444  3876 ?        Ss   20:14   0:00 postgres: checkpointer process  
999         54  0.0  0.0 287444  3876 ?        Ss   20:14   0:00 postgres: writer process  
999         55  0.0  0.0 287444  3876 ?        Ss   20:14   0:00 postgres: wal writer process  
999         56  0.0  0.0 287856  6388 ?        Ss   20:14   0:00 postgres: autovacuum launcher process  
999         57  0.0  0.0 142580  2856 ?        Ss   20:14   0:00 postgres: stats collector process  
root        76  0.0  0.0  36636  2788 ?        Rs   20:16   0:00 ps aux

And then in the --user 1000:1000 image

$ docker run --rm --pid=container:postgres tianon/network-toolbox ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
1000         1  0.0  0.3 287480 23904 ?        Ss   20:13   0:00 postgres
1000        12  0.0  0.0 287480  3832 ?        Ss   20:13   0:00 postgres: checkpointer process  
1000        13  0.0  0.0 287480  3832 ?        Ss   20:13   0:00 postgres: writer process  
1000        14  0.0  0.0 287480  3832 ?        Ss   20:13   0:00 postgres: wal writer process  
1000        15  0.0  0.0 287880  4836 ?        Ss   20:13   0:00 postgres: autovacuum launcher process  
1000        16  0.0  0.0 142480  3004 ?        Ss   20:13   0:00 postgres: stats collector process  
root        28  9.0  0.0  36636  2816 ?        Rs   20:18   0:00 ps aux


exhuma commented Jun 21, 2019

The link you provided also outlines a solution by mounting /etc/passwd, which also solves the problem. This also circumvents another issue we have: the home folders are on an NFS mount and cannot be chowned to root, which was another issue we ran into.

As this is an internal development machine mounting /etc/passwd is "good enough".
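The two workarounds discussed in this thread, scripted end to end, as an added example that is not code from the docker-library/postgres project or from either commenter. `prepare_pgdata` follows wglambert's sequence (bootstrap the cluster as the image's built-in 999:999 user, chown the data directory to the target uid:gid, discard the bootstrap container, then reuse the volume with --user). `run_with_host_passwd` follows the /etc/passwd approach exhuma settled on: run as the host user from the start, with the host's /etc/passwd bind-mounted read-only so that initdb can resolve the uid, after checking that the data directory is already owned by that uid (the caveat wglambert states: postgres only needs the owner of /var/lib/postgresql/data to match). Assumptions: the docker CLI on PATH, GNU coreutils (`stat -c`), a caller that exports POSTGRES_PASSWORD (the thread's own log output shows why), and image and volume names passed as parameters; the function and script names are mine.

```shell
#!/bin/sh
# Added example (not from docker-library/postgres): scripts the two ways of
# running the postgres image under a non-default --user that this thread covers.
# Assumes: docker on PATH, GNU stat, POSTGRES_PASSWORD exported by the caller.
set -eu

PGDATA=/var/lib/postgresql/data
READY_MSG='database system is ready to accept connections'

# Accept only "uid:gid" with both halves numeric.
validate_ugid() {
    case "$1" in
        ''|:*|*:|*:*:*) return 1 ;;
        *:*) case "$1" in *[!0-9:]*) return 1 ;; esac ;;
        *) return 1 ;;
    esac
    return 0
}

# Succeed only if every file under directory $1 is owned by numeric uid $2.
pgdata_owned_by() {
    [ -z "$(find "$1" -exec stat -c '%u' '{}' + | grep -vx "$2")" ]
}

# Poll the container log until postgres reports readiness, or give up.
wait_for_ready() {
    name=$1; tries=${2:-60}
    while [ "$tries" -gt 0 ]; do
        if docker logs "$name" 2>&1 | grep -q "$READY_MSG"; then
            return 0
        fi
        tries=$((tries - 1))
        sleep 1
    done
    echo "container $name never became ready" >&2
    return 1
}

# Workaround 1: let initdb run as 999:999, then hand the cluster to $1 (uid:gid).
# $2 is the named volume, $3 the image. Prints the run command to use afterwards.
prepare_pgdata() {
    ugid=$1; volume=$2; image=${3:-postgres:9}
    validate_ugid "$ugid" || { echo "expected uid:gid, got '$ugid'" >&2; return 2; }
    [ -n "${POSTGRES_PASSWORD:-}" ] || { echo "export POSTGRES_PASSWORD first" >&2; return 2; }
    name="pginit-$$"
    docker run -d --name "$name" -v "$volume:$PGDATA" \
        -e "POSTGRES_PASSWORD=$POSTGRES_PASSWORD" "$image" >/dev/null
    if ! wait_for_ready "$name"; then
        docker rm -f "$name" >/dev/null
        return 1
    fi
    # initdb has finished as 999; only ownership changes, the data stays.
    docker exec "$name" chown -R "$ugid" "$PGDATA"
    # The bootstrap container is disposable; the volume keeps the cluster.
    docker rm -f "$name" >/dev/null
    echo "docker run -d --user $ugid -v $volume:$PGDATA $image"
}

# Workaround 2: run as the host user from the start. initdb must resolve the
# uid to a name, so the host's /etc/passwd is mounted read-only; the host
# directory $1 must already be owned by that uid. $2 is the image.
run_with_host_passwd() {
    datadir=$1; image=${2:-postgres:9}
    uid=$(id -u); gid=$(id -g)
    [ -n "${POSTGRES_PASSWORD:-}" ] || { echo "export POSTGRES_PASSWORD first" >&2; return 2; }
    mkdir -p "$datadir"
    pgdata_owned_by "$datadir" "$uid" || { echo "$datadir is not owned by uid $uid" >&2; return 1; }
    docker run -d --user "$uid:$gid" \
        -v /etc/passwd:/etc/passwd:ro \
        -v "$datadir:$PGDATA" \
        -e "POSTGRES_PASSWORD=$POSTGRES_PASSWORD" "$image"
}

# Usage: ./pg-user.sh prepare 1000:1000 pgdata [image]
#        ./pg-user.sh hostuser /srv/pgdata [image]
if [ "$#" -gt 0 ]; then
    mode=$1; shift
    case "$mode" in
        prepare)  prepare_pgdata "$@" ;;
        hostuser) run_with_host_passwd "$@" ;;
        *) echo "usage: $0 {prepare uid:gid volume [image] | hostuser datadir [image]}" >&2; exit 2 ;;
    esac
fi
```

The ownership pre-check in `run_with_host_passwd` is what turns the "could not change permissions" failure from the first post into an explicit message before a container is started; with a named volume rather than a bind mount, `prepare_pgdata` is the path to use, because the volume is created root-owned and only the 999:999 bootstrap run can fix that.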
