From: | Dave Page <dpage(at)pgadmin(dot)org> |
---|---|
To: | Ashesh Vashi <ashesh(dot)vashi(at)enterprisedb(dot)com> |
Cc: | Albert Serrallé <albert(dot)serralle(at)adevinta(dot)com>, "pgadmin-support lists(dot)postgresql(dot)org" <pgadmin-support(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Pgadmin python executable requires extended capabilities |
Date: | 2021-07-20 08:33:21 |
Message-ID: | CA+OCxowKTeyz0Fb9Q8wOO6D=sCL5HetkZVh1t90dpo-iULbAtw@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgadmin-support |
On Tue, Jul 20, 2021 at 9:30 AM Ashesh Vashi <ashesh(dot)vashi(at)enterprisedb(dot)com>
wrote:
>
>
>
> On Tue, Jul 20, 2021 at 1:43 PM Dave Page <dpage(at)pgadmin(dot)org> wrote:
>
>> Hi
>>
>> On Mon, Jul 19, 2021 at 8:53 PM Albert Serrallé <
>> albert(dot)serralle(at)adevinta(dot)com> wrote:
>>
>>> Hello all,
>>>
>>> I'm trying to run pgadmin in a Kubernetes cluster with enforced Pod
>>> Security Policies. Long story short, in the cluster, *none* of the
>>> Linux capabilities are allowed.
>>>
>>> The Dockerfile enables this for the python exec:
>>>
>>> setcap CAP_NET_BIND_SERVICE=+eip /usr/bin/python3.8 && \
>>>>
>>>
>>> So the entrypoint.sh fails at startup time, as soon as it invokes the
>>> python executable:
>>>
>>> /entrypoint.sh: line 70: /venv/bin/python3: Operation not permitted
>>>
>>>
>>> I removed this requirement creating a new Docker image with the
>>> following definition:
>>>
>>> FROM dpage/pgadmin4:5.5
>>>> USER root
>>>> RUN setcap -r /usr/bin/python3.8
>>>> USER pgadmin
>>>>
>>>
>>> And then it boots without problem (using the 5050 port).
>>>
>>> Do you think it makes sense to modify the main Dockerfile to avoid this
>>> problem?
>>>
>>
>> If we do that, then we break the container for anyone who is using a
>> privileged port for the server (e.g. everyone using default settings). I
>> don't see how we could introduce such a change without causing problems for
>> such users.
>>
> Two separate containers can help.
>
Sure, but that requires more testing and more builds to maintain. If this
were a common request, I would be inclined to re-prioritise the resources
to handle the additional work, however resources are thin (as always), and
it doesn't make sense in response to a single request (with apologies to
Albert of course).
--
Dave Page
Blog: https://pgsnake.blogspot.com
Twitter: @pgsnake
From | Date | Subject | |
---|---|---|---|
Next Message | Albert Serrallé | 2021-07-20 11:40:50 | Re: Pgadmin python executable requires extended capabilities |
Previous Message | Ashesh Vashi | 2021-07-20 08:30:28 | Re: Pgadmin python executable requires extended capabilities |