From d225926e067b98dd0fe6f88966281b20e5e1f985 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micka=C3=ABl=20Can=C3=A9vet?=
Date: Mon, 22 Jan 2018 15:34:36 +0100
Subject: [PATCH] Improve arbitrary user run on OpenShift

With this patch, the image is compatible with OpenShift as it will generate a valid /etc/passwd at runtime for initdb.
---
 10/Dockerfile | 2 ++
 10/alpine/Dockerfile | 2 ++
 10/alpine/docker-entrypoint.sh | 5 +++++
 10/docker-entrypoint.sh | 5 +++++
 9.3/Dockerfile | 2 ++
 9.3/alpine/Dockerfile | 2 ++
 9.3/alpine/docker-entrypoint.sh | 5 +++++
 9.3/docker-entrypoint.sh | 5 +++++
 9.4/Dockerfile | 2 ++
 9.4/alpine/Dockerfile | 2 ++
 9.4/alpine/docker-entrypoint.sh | 5 +++++
 9.4/docker-entrypoint.sh | 5 +++++
 9.5/Dockerfile | 2 ++
 9.5/alpine/Dockerfile | 2 ++
 9.5/alpine/docker-entrypoint.sh | 5 +++++
 9.5/docker-entrypoint.sh | 5 +++++
 9.6/Dockerfile | 2 ++
 9.6/alpine/Dockerfile | 2 ++
 9.6/alpine/docker-entrypoint.sh | 5 +++++
 9.6/docker-entrypoint.sh | 5 +++++
 docker-entrypoint.sh | 5 +++++
 21 files changed, 75 insertions(+)

diff --git a/10/Dockerfile b/10/Dockerfile
index d34cca049a..38e28099f5 100644
--- a/10/Dockerfile
+++ b/10/Dockerfile
@@ -129,5 +129,7 @@ COPY docker-entrypoint.sh /usr/local/bin/
 RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
 ENTRYPOINT ["docker-entrypoint.sh"]
+RUN chmod g=u /etc/passwd
+
 
 EXPOSE 5432
 CMD ["postgres"]
diff --git a/10/alpine/Dockerfile b/10/alpine/Dockerfile
index d09b4c5554..e6a1c55f7b 100644
--- a/10/alpine/Dockerfile
+++ b/10/alpine/Dockerfile
@@ -146,5 +146,7 @@ COPY docker-entrypoint.sh /usr/local/bin/
 RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
 ENTRYPOINT ["docker-entrypoint.sh"]
+RUN chmod g=u /etc/passwd
+
 
 EXPOSE 5432
 CMD ["postgres"]
diff --git a/10/alpine/docker-entrypoint.sh b/10/alpine/docker-entrypoint.sh
index ffd2ed501c..1ba718ecec 100755
--- a/10/alpine/docker-entrypoint.sh
+++ b/10/alpine/docker-entrypoint.sh
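Review bot: `RUN chmod g=u /etc/passwd` makes /etc/passwd writable by GID 0 in every run of the image, not only under OpenShift, and nothing on the line records why, so the next maintainer will read it as a permissions mistake; add above it `# OpenShift starts the container with an arbitrary UID and GID 0; the entrypoint appends a passwd entry for that UID at runtime, so the root group needs write access`. Because the bit is baked into the image, any process in the container running with GID 0 can rewrite existing entries as well, which is a wider grant than the single append the entrypoint performs — worth stating in that comment, or avoiding by generating a private passwd file at runtime (nss_wrapper style) and leaving the system file read-only. As a matter of style the RUN sits between ENTRYPOINT and EXPOSE; grouping it with the other RUN steps before ENTRYPOINT keeps the build steps together, and if I read the collapsed hunk correctly the new side also ends up with two consecutive blank lines before EXPOSE. The same hunk appears in 10/alpine/Dockerfile, 9.3/Dockerfile, 9.3/alpine/Dockerfile, 9.4/Dockerfile, 9.4/alpine/Dockerfile, 9.5/Dockerfile, 9.5/alpine/Dockerfile, 9.6/Dockerfile and 9.6/alpine/Dockerfile.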
@@ -28,6 +28,11 @@ if [ "${1:0:1}" = '-' ]; then
 fi
 
 # allow the container to be started with `--user`
+if ! whoami &> /dev/null; then
+ if [ -w /etc/passwd ]; then
+ echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+ fi
+fi
 if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
 mkdir -p "$PGDATA"
 chown -R postgres "$PGDATA"
diff --git a/10/docker-entrypoint.sh b/10/docker-entrypoint.sh
index a30e6f759a..ad6df34a8d 100755
--- a/10/docker-entrypoint.sh
+++ b/10/docker-entrypoint.sh
@@ -28,6 +28,11 @@ if [ "${1:0:1}" = '-' ]; then
 fi
 
 # allow the container to be started with `--user`
+if ! whoami &> /dev/null; then
+ if [ -w /etc/passwd ]; then
+ echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+ fi
+fi
 if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
 mkdir -p "$PGDATA"
 chown -R postgres "$PGDATA"
diff --git a/9.3/Dockerfile b/9.3/Dockerfile
index 6e12de772c..67b0459c6b 100644
--- a/9.3/Dockerfile
+++ b/9.3/Dockerfile
@@ -130,5 +130,7 @@ COPY docker-entrypoint.sh /usr/local/bin/
 RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
 ENTRYPOINT ["docker-entrypoint.sh"]
+RUN chmod g=u /etc/passwd
+
 
 EXPOSE 5432
 CMD ["postgres"]
diff --git a/9.3/alpine/Dockerfile b/9.3/alpine/Dockerfile
index d307280f28..47df26b089 100644
--- a/9.3/alpine/Dockerfile
+++ b/9.3/alpine/Dockerfile
@@ -173,5 +173,7 @@ COPY docker-entrypoint.sh /usr/local/bin/
 RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
 ENTRYPOINT ["docker-entrypoint.sh"]
+RUN chmod g=u /etc/passwd
+
 
 EXPOSE 5432
 CMD ["postgres"]
diff --git a/9.3/alpine/docker-entrypoint.sh b/9.3/alpine/docker-entrypoint.sh
index 4bc72cb6b4..3e8a193d7a 100755
--- a/9.3/alpine/docker-entrypoint.sh
+++ b/9.3/alpine/docker-entrypoint.sh
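Review bot: The new block falls through silently when `whoami` fails and /etc/passwd is not writable, so an operator gets no hint why initdb later cannot resolve the effective UID; give the inner `if` an `else` branch with `echo >&2 "warning: no passwd entry for UID $(id -u) and /etc/passwd is not writable; initdb may fail"`. The record is assembled from the unvalidated `USER_NAME` and `HOME` environment values, and a value containing `:` or a newline produces a malformed or an extra passwd entry, so either reject such values before the `echo` or state in a comment that they are trusted as-is; a line such as `# OpenShift: arbitrary UID with GID 0 and no passwd entry; synthesize one so initdb can look the user up` above the outer `if` would also explain why the block exists at all. The entry hard-codes GID 0 and the `/sbin/nologin` shell; both presumably match the OpenShift case, but a `docker run --user uid:gid` start with a different GID gets a mismatched entry, and on the Debian-based variants the nologin path may differ — worth confirming against those images. The same hunk appears in 10/docker-entrypoint.sh, 9.3/alpine/docker-entrypoint.sh, 9.3/docker-entrypoint.sh, 9.4/alpine/docker-entrypoint.sh, 9.4/docker-entrypoint.sh, 9.5/alpine/docker-entrypoint.sh, 9.5/docker-entrypoint.sh, 9.6/alpine/docker-entrypoint.sh, 9.6/docker-entrypoint.sh and docker-entrypoint.sh.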
@@ -28,6 +28,11 @@ if [ "${1:0:1}" = '-' ]; then
 fi
 
 # allow the container to be started with `--user`
+if ! whoami &> /dev/null; then
+ if [ -w /etc/passwd ]; then
+ echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+ fi
+fi
 if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
 mkdir -p "$PGDATA"
 chown -R postgres "$PGDATA"
diff --git a/9.3/docker-entrypoint.sh b/9.3/docker-entrypoint.sh
index c96fea538d..e31ad1990b 100755
--- a/9.3/docker-entrypoint.sh
+++ b/9.3/docker-entrypoint.sh
@@ -28,6 +28,11 @@ if [ "${1:0:1}" = '-' ]; then
 fi
 
 # allow the container to be started with `--user`
+if ! whoami &> /dev/null; then
+ if [ -w /etc/passwd ]; then
+ echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+ fi
+fi
 if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
 mkdir -p "$PGDATA"
 chown -R postgres "$PGDATA"
diff --git a/9.4/Dockerfile b/9.4/Dockerfile
index 171997f54a..1ff74ce1dd 100644
--- a/9.4/Dockerfile
+++ b/9.4/Dockerfile
@@ -130,5 +130,7 @@ COPY docker-entrypoint.sh /usr/local/bin/
 RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
 ENTRYPOINT ["docker-entrypoint.sh"]
+RUN chmod g=u /etc/passwd
+
 
 EXPOSE 5432
 CMD ["postgres"]
diff --git a/9.4/alpine/Dockerfile b/9.4/alpine/Dockerfile
index 59fd13ab55..0789a80f87 100644
--- a/9.4/alpine/Dockerfile
+++ b/9.4/alpine/Dockerfile
@@ -146,5 +146,7 @@ COPY docker-entrypoint.sh /usr/local/bin/
 RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
 ENTRYPOINT ["docker-entrypoint.sh"]
+RUN chmod g=u /etc/passwd
+
 
 EXPOSE 5432
 CMD ["postgres"]
diff --git a/9.4/alpine/docker-entrypoint.sh b/9.4/alpine/docker-entrypoint.sh
index 4bc72cb6b4..3e8a193d7a 100755
--- a/9.4/alpine/docker-entrypoint.sh
+++ b/9.4/alpine/docker-entrypoint.sh
@@ -28,6 +28,11 @@ if [ "${1:0:1}" = '-' ]; then
 fi
 
 # allow the container to be started with `--user`
+if ! whoami &> /dev/null; then
+ if [ -w /etc/passwd ]; then
+ echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+ fi
+fi
 if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
 mkdir -p "$PGDATA"
 chown -R postgres "$PGDATA"
diff --git a/9.4/docker-entrypoint.sh b/9.4/docker-entrypoint.sh
index c96fea538d..e31ad1990b 100755
--- a/9.4/docker-entrypoint.sh
+++ b/9.4/docker-entrypoint.sh
@@ -28,6 +28,11 @@ if [ "${1:0:1}" = '-' ]; then
 fi
 
 # allow the container to be started with `--user`
+if ! whoami &> /dev/null; then
+ if [ -w /etc/passwd ]; then
+ echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+ fi
+fi
 if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
 mkdir -p "$PGDATA"
 chown -R postgres "$PGDATA"
diff --git a/9.5/Dockerfile b/9.5/Dockerfile
index d0e15f2a15..a961a6a9da 100644
--- a/9.5/Dockerfile
+++ b/9.5/Dockerfile
@@ -130,5 +130,7 @@ COPY docker-entrypoint.sh /usr/local/bin/
 RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
 ENTRYPOINT ["docker-entrypoint.sh"]
+RUN chmod g=u /etc/passwd
+
 
 EXPOSE 5432
 CMD ["postgres"]
diff --git a/9.5/alpine/Dockerfile b/9.5/alpine/Dockerfile
index eb839928cf..2f35e0bbfd 100644
--- a/9.5/alpine/Dockerfile
+++ b/9.5/alpine/Dockerfile
@@ -146,5 +146,7 @@ COPY docker-entrypoint.sh /usr/local/bin/
 RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
 ENTRYPOINT ["docker-entrypoint.sh"]
+RUN chmod g=u /etc/passwd
+
 
 EXPOSE 5432
 CMD ["postgres"]
diff --git a/9.5/alpine/docker-entrypoint.sh b/9.5/alpine/docker-entrypoint.sh
index 4bc72cb6b4..3e8a193d7a 100755
--- a/9.5/alpine/docker-entrypoint.sh
+++ b/9.5/alpine/docker-entrypoint.sh
@@ -28,6 +28,11 @@ if [ "${1:0:1}" = '-' ]; then
 fi
 
 # allow the container to be started with `--user`
+if ! whoami &> /dev/null; then
+ if [ -w /etc/passwd ]; then
+ echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+ fi
+fi
 if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
 mkdir -p "$PGDATA"
 chown -R postgres "$PGDATA"
diff --git a/9.5/docker-entrypoint.sh b/9.5/docker-entrypoint.sh
index c96fea538d..e31ad1990b 100755
--- a/9.5/docker-entrypoint.sh
+++ b/9.5/docker-entrypoint.sh
@@ -28,6 +28,11 @@ if [ "${1:0:1}" = '-' ]; then
 fi
 
 # allow the container to be started with `--user`
+if ! whoami &> /dev/null; then
+ if [ -w /etc/passwd ]; then
+ echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+ fi
+fi
 if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
 mkdir -p "$PGDATA"
 chown -R postgres "$PGDATA"
diff --git a/9.6/Dockerfile b/9.6/Dockerfile
index 644953e10c..a584fa20f0 100644
--- a/9.6/Dockerfile
+++ b/9.6/Dockerfile
@@ -130,5 +130,7 @@ COPY docker-entrypoint.sh /usr/local/bin/
 RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
 ENTRYPOINT ["docker-entrypoint.sh"]
+RUN chmod g=u /etc/passwd
+
 
 EXPOSE 5432
 CMD ["postgres"]
diff --git a/9.6/alpine/Dockerfile b/9.6/alpine/Dockerfile
index 7b9a27b321..8e100b804d 100644
--- a/9.6/alpine/Dockerfile
+++ b/9.6/alpine/Dockerfile
@@ -146,5 +146,7 @@ COPY docker-entrypoint.sh /usr/local/bin/
 RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
 ENTRYPOINT ["docker-entrypoint.sh"]
+RUN chmod g=u /etc/passwd
+
 
 EXPOSE 5432
 CMD ["postgres"]
diff --git a/9.6/alpine/docker-entrypoint.sh b/9.6/alpine/docker-entrypoint.sh
index 4bc72cb6b4..3e8a193d7a 100755
--- a/9.6/alpine/docker-entrypoint.sh
+++ b/9.6/alpine/docker-entrypoint.sh
@@ -28,6 +28,11 @@ if [ "${1:0:1}" = '-' ]; then
 fi
 
 # allow the container to be started with `--user`
+if ! whoami &> /dev/null; then
+ if [ -w /etc/passwd ]; then
+ echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+ fi
+fi
 if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
 mkdir -p "$PGDATA"
 chown -R postgres "$PGDATA"
diff --git a/9.6/docker-entrypoint.sh b/9.6/docker-entrypoint.sh
index c96fea538d..e31ad1990b 100755
--- a/9.6/docker-entrypoint.sh
+++ b/9.6/docker-entrypoint.sh
@@ -28,6 +28,11 @@ if [ "${1:0:1}" = '-' ]; then
 fi
 
 # allow the container to be started with `--user`
+if ! whoami &> /dev/null; then
+ if [ -w /etc/passwd ]; then
+ echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+ fi
+fi
 if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
 mkdir -p "$PGDATA"
 chown -R postgres "$PGDATA"
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index a30e6f759a..ad6df34a8d 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -28,6 +28,11 @@ if [ "${1:0:1}" = '-' ]; then
 fi
 
 # allow the container to be started with `--user`
+if ! whoami &> /dev/null; then
+ if [ -w /etc/passwd ]; then
+ echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+ fi
+fi
 if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
 mkdir -p "$PGDATA"
 chown -R postgres "$PGDATA"