From: | Dave Page <dpage(at)pgadmin(dot)org> |
---|---|
To: | Albert Serrallé <albert(dot)serralle(at)adevinta(dot)com> |
Cc: | "pgadmin-support lists(dot)postgresql(dot)org" <pgadmin-support(at)lists(dot)postgresql(dot)org> |
Subject: | Re: Pgadmin python executable requires extended capabilities |
Date: | 2021-07-20 08:12:45 |
Message-ID: | CA+OCxoxR2xrGx8=XXcwW6rOVQbrbBMpy9EapUw=SaA7qKfGR-w@mail.gmail.com |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgadmin-support |
Hi
On Mon, Jul 19, 2021 at 8:53 PM Albert Serrallé <
albert(dot)serralle(at)adevinta(dot)com> wrote:
> Hello all,
>
> I'm trying to run pgadmin in a Kubernetes cluster with enforced Pod
> Security Policies. Long story short, in the cluster, *none* of the Linux
> capabilities are allowed.
>
> The Dockerfile enables this for the python exec:
>
> setcap CAP_NET_BIND_SERVICE=+eip /usr/bin/python3.8 && \
>>
>
> So the entrypoint.sh fails at startup time, as soon as it invokes the
> python executable:
>
> /entrypoint.sh: line 70: /venv/bin/python3: Operation not permitted
>
>
> I removed this requirement creating a new Docker image with the following
> definition:
>
> FROM dpage/pgadmin4:5.5
>> USER root
>> RUN setcap -r /usr/bin/python3.8
>> USER pgadmin
>>
>
> And then it boots without problem (using the 5050 port).
>
> Do you think it makes sense to modify the main Dockerfile to avoid this
> problem?
>
If we do that, then we break the container for anyone who is using a
privileged port for the server (e.g. everyone using default settings). I
don't see how we could introduce such a change without causing problems for
such users.
> Is there any other workaround that doesn't require creating a new image?
>
Not that I can think of, I'm afraid.
--
Dave Page
Blog: https://pgsnake.blogspot.com
Twitter: @pgsnake
From | Date | Subject | |
---|---|---|---|
Next Message | Albert Serrallé | 2021-07-20 08:29:18 | Re: Pgadmin python executable requires extended capabilities |
Previous Message | Albert Serrallé | 2021-07-19 19:52:55 | Pgadmin python executable requires extended capabilities |