Re: Pgadmin python executable requires extended capabilities

From: Dave Page <dpage(at)pgadmin(dot)org>
To: Albert Serrallé <albert(dot)serralle(at)adevinta(dot)com>
Cc: "pgadmin-support lists(dot)postgresql(dot)org" <pgadmin-support(at)lists(dot)postgresql(dot)org>
Subject: Re: Pgadmin python executable requires extended capabilities
Date: 2021-07-20 08:12:45
Message-ID: CA+OCxoxR2xrGx8=XXcwW6rOVQbrbBMpy9EapUw=SaA7qKfGR-w@mail.gmail.com
Lists: pgadmin-support

Hi

On Mon, Jul 19, 2021 at 8:53 PM Albert Serrallé <
albert(dot)serralle(at)adevinta(dot)com> wrote:

> Hello all,
>
> I'm trying to run pgadmin in a Kubernetes cluster with enforced Pod
> Security Policies. Long story short, in the cluster, *none* of the Linux
> capabilities are allowed.
>
> The Dockerfile enables this for the python exec:
>
>     setcap CAP_NET_BIND_SERVICE=+eip /usr/bin/python3.8 && \
>
> So the entrypoint.sh fails at startup time, as soon as it invokes the
> python executable:
>
>     /entrypoint.sh: line 70: /venv/bin/python3: Operation not permitted
>
> I removed this requirement creating a new Docker image with the following
> definition:
>
>     FROM dpage/pgadmin4:5.5
>     USER root
>     RUN setcap -r /usr/bin/python3.8
>     USER pgadmin
>
> And then it boots without problem (using the 5050 port).
>
> Do you think it makes sense to modify the main Dockerfile to avoid this
> problem?
>

If we do that, then we break the container for anyone who is using a
privileged port for the server (e.g. everyone using default settings). I
don't see how we could introduce such a change without causing problems for
such users.

> Is there any other workaround that doesn't require creating a new image?
>

Not that I can think of, I'm afraid.

--
Dave Page
Blog: https://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: https://www.enterprisedb.com
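
An added diagnostic sketch, not part of the original thread or of the pgAdmin image: the kernel refuses to exec a binary whose file capability carries the effective flag (as `+eip` does) when that capability is outside the container's bounding set, which is the "Operation not permitted" quoted above. The function names are hypothetical, `getcap` is assumed to be installed from libcap, and the script compares its output with the `CapBnd` mask in `/proc/self/status`.

```shell
#!/bin/sh
# Added example: predict whether exec of a capability-tagged binary will
# succeed in the current container. Not part of the pgAdmin image.

CAP_NET_BIND_SERVICE=10   # bit number of the capability in kernel masks

# mask_has_cap HEXMASK BIT: succeeds if BIT is set in HEXMASK.
mask_has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# bounding_mask [STATUS_FILE]: print the CapBnd hex mask (default: this process).
bounding_mask() {
    awk '$1 == "CapBnd:" { print $2 }' "${1:-/proc/self/status}"
}

# check_exec GETCAP_OUTPUT CAPBND_HEX
# Returns 1 when the file asks for an effective cap_net_bind_service that the
# bounding set cannot grant, the condition under which execve() gives EPERM.
check_exec() {
    case $1 in
        # Matches both getcap styles: "cap_x+eip" (older) and "cap_x=eip" (newer).
        *cap_net_bind_service[+=]e*) ;;
        *) echo "ok: no effective cap_net_bind_service file capability"
           return 0 ;;
    esac
    if mask_has_cap "$2" "$CAP_NET_BIND_SERVICE"; then
        echo "ok: cap_net_bind_service is in the bounding set"
        return 0
    fi
    echo "fail: file capability set but dropped from the bounding set; exec returns EPERM"
    return 1
}

# Usage: ./capcheck.sh /usr/bin/python3.8   (script name is an assumption)
if [ -n "${1:-}" ]; then
    check_exec "$(getcap "$1")" "$(bounding_mask)"
fi
```

A "fail" result means the options are the ones discussed in the thread: strip the file capability with `setcap -r` in a derived image, or let the pod keep `NET_BIND_SERVICE`.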
