Re: Problem related to volume creation to pgadmin 4 Docker image

From: Rodrigo Mariano <rodmariano13(at)gmail(dot)com>
To: Dave Page <dpage(at)pgadmin(dot)org>
Cc: Aditya Toshniwal <aditya(dot)toshniwal(at)enterprisedb(dot)com>, pgAdmin Support <pgadmin-support(at)postgresql(dot)org>
Subject: Re: Problem related to volume creation to pgadmin 4 Docker image
Date: 2021-10-22 14:12:47
Message-ID: b3f0b5bd-cd07-d306-4119-6f4dc14375e2@gmail.com
Lists: pgadmin-support

Hi Dave,

I tested the ACL command, as you suggested, and it worked when the Docker
container was turned off, but when I launched pgadmin, it reset the
folder permissions again.

Could you consider, in future versions, giving the host user access to the
/var/lib/pgadmin/storage folder?
For example, other files and folders (e.g. sessions and pgadmin4.db)
could be restricted, but storage, as a folder for user files, could have
read and execute permissions so that the host user is able to access it.

Thank you for your help.

Best regards,
Rodrigo

On 22/10/2021 06:31, Dave Page wrote:
> Hi
>
> On Thu, Oct 21, 2021 at 7:51 PM Rodrigo Mariano
> <rodmariano13(at)gmail(dot)com> wrote:
>
> Hi Dave,
>
> Which OS do you use? I'm using Ubuntu 18.
>
> macOS, primarily.
>
>
> Nautilus is the file manager to Ubuntu.
>
> Ah, OK.
>
>
> I updated my image to dpage/pgadmin4:6.0 in order to avoid old
> versions. I added a new volume and I executed the chown command
> (i.e. sudo chown -R 5050:5050 <host_directory>).
>
> I tried to add my user to 5050 group, but it did not work, because
> when pgadmin4 Docker container is executed, it allows just 5050
> user to edit the folder and not other ones from the same group
> (i.e. *drwx------*).
>
> *drwx------* is the default permission that pgadmin4 Docker
> container gives to volume it creates, in other words, just 5050
> user can edit the volume data, not other ones, even if that user
> belongs to 5050 group.
>
> OK, now I understand what you mean. Yes, when pgAdmin launches, it'll
> check the directories it needs, and always tries to fix the
> permissions to ensure they're secure (i.e. 0700 permissions).
>
> You might be able to use the extended ACL to work around that, e.g.
>
> setfacl -Rm u:rodrigo:rwX,d:u:rodrigo:rwX <host_directory>
>
> I believe that will recursively give you permissions on the directory
> on the host (assuming your username is rodrigo), and set it up so
> permissions are inherited. You may need to ensure your host filesystem
> is mounted with the 'acl' option.
>
>
> Thank you.
>
> Best regards,
> Rodrigo
>
> On 21/10/2021 10:20, Dave Page wrote:
>>
>>
>> On Thu, Oct 21, 2021 at 1:33 PM Rodrigo Mariano
>> <rodmariano13(at)gmail(dot)com> wrote:
>>
>> Hi Dave,
>>
>> /> I've never needed to do that with plain Docker or
>> Kubernetes. I've never used Docker Compose though. /
>>
>> Have you ever tried to create a volume to
>> /var/lib/pgadmin/storage folder using newer image versions
>> and you were able to access it via host in the nautilus?
>> Using plain Docker.
>>
>> I have no idea what "the nautilus" is, but yes, I've mapped
>> /var/lib/pgadmin to the host many times (including 30 seconds ago
>> with 6.1), and it works fine. As long as appropriate permissions
>> are set on the directory on the host, I can access it from there
>> as well.
>>
>>
>> If you have, how could I do that?
>>
>> As you suggested, you could add yourself to the 5050 group, and
>> ensure the directory on the host is group readable.
>>
>>
>> I did not have this kind of issue with older versions of
>> pgadmin4 Docker image (e.g. /dpage/pgadmin4:4.15/), this
>> issue has started with recent images that I need to change
>> folder permission to 5050:5050 (e.g. /dpage/pgadmin4:5.4/).
>>
>> 4.15 is very old. We've long since had additional checks in
>> pgAdmin to ensure that we can successfully write to the storage
>> directory, and to stop running the processes in the container as
>> root that was a) quite dangerous and b) could allow it to
>> override permissions on the host. In particular, you're probably
>> hitting the issue mentioned in the callout box at the top of
>> https://www.pgadmin.org/docs/pgadmin4/6.1/release_notes_4_16.html
>>
>>
>> Thank you.
>>
>> Best regards,
>> Rodrigo
>>
>>
>> On 21/10/2021 08:36, Dave Page wrote:
>>>
>>>
>>> On Thu, Oct 21, 2021 at 12:27 PM Rodrigo Mariano
>>> <rodmariano13(at)gmail(dot)com> wrote:
>>>
>>> Hi Aditya,
>>>
>>> According to the documentation, I need to change user
>>> and group of my host folder to /5050:5050/ through /chown/.
>>>
>>> If my default user and group is /rodrigo:rodrigo/, how
>>> could my default user access a folder that belongs to
>>> another one (i.e. /5050:5050/)?
>>>
>>> The pgAdmin processes in the container run under uid 5050,
>>> gid 5050.
>>>
>>>
>>> As far as I know, I cannot access a folder that belongs
>>> to other user normally.
>>>
>>> Maybe should I add my default user (i.e. /rodrigo/) to
>>> pgadmin group (i.e. /5050/)?
>>>
>>> I've never needed to do that with plain Docker or
>>> Kubernetes. I've never used Docker Compose though.
>>>
>>> If I should, I believe this information could be written
>>> on the documentation.
>>>
>>> Thank you.
>>>
>>> Best regards,
>>> Rodrigo
>>>
>>> On 21/10/2021 02:06, Aditya Toshniwal wrote:
>>>> Hi Rodrigo,
>>>>
>>>> pgAdmin just needs a readable and writable directory.
>>>> pgAdmin cannot change any permission on its own. It
>>>> might be some other ownership issue on your system then.
>>>>
>>>> On Wed, Oct 20, 2021 at 11:29 PM Rodrigo Mariano
>>>> <rodmariano13(at)gmail(dot)com> wrote:
>>>>
>>>> Hi Aditya,
>>>>
>>>> I did both.
>>>>
>>>> First, I changed the folder permissions to
>>>> 5050:5050 and the Docker container worked, but I
>>>> was not able to get into the folder; the folder is
>>>> locked and I cannot access its subfolders, even
>>>> through terminal. For example:
>>>>
>>>> After that, I tried using default permissions,
>>>> however that error message appeared.
>>>>
>>>> Thank you.
>>>>
>>>> Best regards,
>>>> Rodrigo
>>>>
>>>> On 20/10/2021 10:08, Aditya Toshniwal wrote:
>>>>> Hi Rodrigo,
>>>>>
>>>>> Did you run sudo chown -R 5050:5050
>>>>> ./volumes/pgadmin4 and sudo chown -R 5050:5050
>>>>> ./volumes/pgadmin4_storage As per -
>>>>> https://www.pgadmin.org/docs/pgadmin4/6.0/container_deployment.html#mapped-files-and-directories
>>>>> ?
>>>>>
>>>>>
>>>>> On Wed, Oct 20, 2021 at 6:14 PM Rodrigo Mariano
>>>>> <rodmariano13(at)gmail(dot)com> wrote:
>>>>>
>>>>> Hi Aditya,
>>>>>
>>>>> I tried to create the volume to sub directory
>>>>> as well (i.e.
>>>>> /var/lib/pgadmin/storage/postgres_localhost.com), but the
>>>>> same error message appears.
>>>>>
>>>>> I send below the traceback.
>>>>>
>>>>> Thank you for your help.
>>>>>
>>>>> Best regards,
>>>>> Rodrigo
>>>>>
>>>>> -
>>>>>
>>>>> Traceback (most recent call last):
>>>>>   File "/venv/lib/python3.8/site-packages/gunicorn/arbiter.py", line 589, in spawn_worker
>>>>>     worker.init_process()
>>>>>   File "/venv/lib/python3.8/site-packages/gunicorn/workers/gthread.py", line 92, in init_process
>>>>>     super().init_process()
>>>>>   File "/venv/lib/python3.8/site-packages/gunicorn/workers/base.py", line 134, in init_process
>>>>>     self.load_wsgi()
>>>>>   File "/venv/lib/python3.8/site-packages/gunicorn/workers/base.py", line 146, in load_wsgi
>>>>>     self.wsgi = self.app.wsgi()
>>>>>   File "/venv/lib/python3.8/site-packages/gunicorn/app/base.py", line 67, in wsgi
>>>>>     self.callable = self.load()
>>>>>   File "/venv/lib/python3.8/site-packages/gunicorn/app/wsgiapp.py", line 58, in load
>>>>>     return self.load_wsgiapp()
>>>>>   File "/venv/lib/python3.8/site-packages/gunicorn/app/wsgiapp.py", line 48, in load_wsgiapp
>>>>>     return util.import_app(self.app_uri)
>>>>>   File "/venv/lib/python3.8/site-packages/gunicorn/util.py", line 359, in import_app
>>>>>     mod = importlib.import_module(module)
>>>>>   File "/usr/lib/python3.8/importlib/__init__.py", line 127, in import_module
>>>>>     return _bootstrap._gcd_import(name[level:], package, level)
>>>>>   File "<frozen importlib._bootstrap>", line 1014, in _gcd_import
>>>>>   File "<frozen importlib._bootstrap>", line 991, in _find_and_load
>>>>>   File "<frozen importlib._bootstrap>", line 975, in _find_and_load_unlocked
>>>>>   File "<frozen importlib._bootstrap>", line 671, in _load_unlocked
>>>>>   File "<frozen importlib._bootstrap_external>", line 848, in exec_module
>>>>>   File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
>>>>>   File "/pgadmin4/run_pgadmin.py", line 4, in <module>
>>>>>     from pgAdmin4 import app
>>>>>   File "/pgadmin4/pgAdmin4.py", line 98, in <module>
>>>>>     app = create_app()
>>>>>   File "/pgadmin4/pgadmin/__init__.py", line 441, in create_app
>>>>>     paths.init_app(app)
>>>>>   File "/pgadmin4/pgadmin/utils/paths.py", line 103, in init_app
>>>>>     raise InternalServerError(
>>>>> werkzeug.exceptions.InternalServerError: 500 Internal Server Error: The user does not have permission to read and write to the specified storage directory.
>>>>>
>>>>> On 20/10/2021 09:08, Aditya Toshniwal wrote:
>>>>>> Hi Rodrigo,
>>>>>>
>>>>>> /var/lib/pgadmin/storage is the base
>>>>>> directory. A sub directory for each user will
>>>>>> be created for storing user files.
>>>>>>
>>>>>> On Wed, Oct 20, 2021 at 5:10 PM Rodrigo
>>>>>> Mariano <rodmariano13(at)gmail(dot)com> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I'm having trouble related to pgadmin 4
>>>>>> Docker image
>>>>>> <https://hub.docker.com/r/dpage/pgadmin4>.
>>>>>>
>>>>>> I would like to create a volume to
>>>>>> /var/lib/pgadmin/storage folder, in
>>>>>> order to access backup files created by
>>>>>> pgadmin 4 interface, however error
>>>>>> messages about permission denied are
>>>>>> raised, for example:
>>>>>>
>>>>>> werkzeug.exceptions.InternalServerError:
>>>>>> 500 Internal Server Error: The user does
>>>>>> not have permission to read and write to
>>>>>> the specified storage directory.
>>>>>>
>>>>>> Is there a way to create this volume?
>>>>>>
>>>>>> I had to use a command to change user and
>>>>>> group of my volume to 5050:5050 (i.e.
>>>>>> /sudo chown -R 5050:5050 pgadmin4/), but
>>>>>> now I'm not able to get into the folder
>>>>>> anymore, even when I try creating a
>>>>>> volume to /var/lib/pgadmin/storage
>>>>>> folder directly.
>>>>>>
>>>>>> I send below my Docker compose file with
>>>>>> default values.
>>>>>>
>>>>>> Thank you in advance.
>>>>>>
>>>>>> Best regards,
>>>>>> Rodrigo
>>>>>>
>>>>>> -
>>>>>>
>>>>>> /docker-compose.yml/
>>>>>>
>>>>>> version: '3'
>>>>>>
>>>>>> services:
>>>>>>   cdsr_postgis:
>>>>>>     container_name: cdsr_postgis
>>>>>>     image: kartoza/postgis:11.0-2.5
>>>>>>     restart: on-failure
>>>>>>     environment:
>>>>>>       - POSTGRES_USER=postgres
>>>>>>       - POSTGRES_PASS=postgres
>>>>>>       - ALLOW_IP_RANGE=0.0.0.0/0
>>>>>>       - POSTGRES_MULTIPLE_EXTENSIONS=postgis,hstore,postgis_topology,pgrouting
>>>>>>     volumes:
>>>>>>       - ./volumes/postgresql:/var/lib/postgresql
>>>>>>     networks:
>>>>>>       - cdsr
>>>>>>     ports:
>>>>>>       - 6000:5432
>>>>>>
>>>>>>   cdsr_pgadmin4:
>>>>>>     container_name: cdsr_pgadmin4
>>>>>>     image: dpage/pgadmin4:5.4
>>>>>>     restart: on-failure
>>>>>>     environment:
>>>>>>       - PGADMIN_DEFAULT_EMAIL=postgres@localhost.com
>>>>>>       - PGADMIN_DEFAULT_PASSWORD=postgres
>>>>>>     volumes:
>>>>>>       # to fix permission bugs:
>>>>>>       # sudo chown -R 5050:5050 pgadmin4
>>>>>>       - ./volumes/pgadmin4:/var/lib/pgadmin
>>>>>>       - ./volumes/pgadmin4_storage:/var/lib/pgadmin/storage
>>>>>>     networks:
>>>>>>       - cdsr
>>>>>>     depends_on:
>>>>>>       - cdsr_postgis
>>>>>>     ports:
>>>>>>       - 6001:80
>>>>>>
>>>>>> networks:
>>>>>>   cdsr:
>>>>>>     driver: bridge
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Thanks,
>>>>>> Aditya Toshniwal
>>>>>> pgAdmin Hacker | Software Architect |
>>>>>> *edbpostgres.com* <http://edbpostgres.com>
>>>>>> "Don't Complain about Heat, Plant a TREE"
>>> --
>>> Dave Page
>>> Blog: https://pgsnake.blogspot.com
>>> Twitter: @pgsnake
>>>
>>> EDB: https://www.enterprisedb.com
>>>
>
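
Why the ACL stopped working after launch, as an added example (not part of the original thread and not pgAdmin code): when a directory carries an extended ACL, chmod writes the group bits into the ACL mask, so a chmod to 0700 leaves the u:rodrigo:rwx entry in place but masks it to no access. The helper name acl_effective and both getfacl listings are constructed for illustration, assuming pgAdmin's startup fix is a plain chmod to 0700 as described above.

```shell
#!/bin/sh
# Added example: effective rights of a named-user ACL entry, read from getfacl text.
# Effective = entry permissions AND mask (acl(5)); without a mask entry nothing is masked.
acl_effective() {  # usage: getfacl <host_directory> | acl_effective USERNAME
    awk -F: -v who="$1" '
        /^#/ || NF < 3            { next }                 # header comments, blank lines
                                  { sub(/[ \t]*#.*/, "", $3) }  # drop "#effective:" hints
        $1 == "user" && $2 == who { entry = $3; found = 1 }     # access entry, not default:
        $1 == "mask"              { mask = $3; masked = 1 }
        END {
            if (!found) { print "none"; exit }
            out = ""
            for (i = 1; i <= 3; i++) {
                e = substr(entry, i, 1)
                m = masked ? substr(mask, i, 1) : e
                out = out ((e != "-" && m != "-") ? e : "-")
            }
            print out
        }'
}

# Constructed listing: after the setfacl command from the thread, container stopped.
ACL_AFTER_SETFACL='# file: volumes/pgadmin4_storage
# owner: 5050
# group: 5050
user::rwx
user:rodrigo:rwx
group::---
mask::rwx
other::---
default:user:rodrigo:rwx'

# Constructed listing: same directory after a chmod 0700 (mask takes the group bits).
ACL_AFTER_CHMOD='# file: volumes/pgadmin4_storage
# owner: 5050
# group: 5050
user::rwx
user:rodrigo:rwx    #effective:---
group::---
mask::---
other::---'

printf 'after setfacl:    %s\n' "$(printf '%s\n' "$ACL_AFTER_SETFACL" | acl_effective rodrigo)"
printf 'after chmod 0700: %s\n' "$(printf '%s\n' "$ACL_AFTER_CHMOD" | acl_effective rodrigo)"
```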
