Source to image

[dhodovsk]

No description provided.

[pkubatrh]

This call should also be added to run-postgresql-slave

[pkubatrh]

I would restate a bit differently since right now it seems a bit confusing. Something along the lines of:

The postgresql.conf configuration file contained in this folder is used instead of the default configuration when postgresql is started

[praiskup]

This sounds bad to me. Shouldn't we again rather only "include" (additional?) configuration file into the default postgresql.conf?

[pkubatrh]

@praiskup Please take a look as well

[pkubatrh]

I wonder... Would this work for the Fedora version out of the box as well?

[praiskup]

Is --asemble-user root realistically useable in openshift? Shouldn't we rather avoid root user at all?

[dhodovsk]

User root is in this solution is used only for building the image using s2i. When the built container is run, it is under postgre user who is only in group postgre.

[praiskup]

So is this really commonly enabled feature in OpenShift, so we can make it a "general" requirement? It seems to be pretty dangerous to get root access, even during the build..

[dhodovsk]

Other possibility is to add postgres user to root group (as is done e.g in mysql https://github.com/sclorg/mysql-container/blob/master/root-common/usr/libexec/container-setup#L58) but I can't help, it doesn't feel right. I think this issue deserves more discussion. @praiskup @hhorak what do you think?

[praiskup]

To better understand, what exactly is the 'root' needed for?

[dhodovsk]

Actually, that is really good question! The problem with missing write permission (that caused failed s2i builds) on /opt/app-root/src is now managed in Dockerfiles with https://github.com/sclorg/postgresql-container/pull/208/files#diff-4040b6e79b7069db62e62fee9e5c3532R72. fix-permissions might fail, but the build finishes successfully. Thank you for making this comment and standing your ground! :)

[praiskup]

This example configuration file should be few-lines long only (this file is actually generated at postgresql build-time, and as such it would get staled very soon) and do something real.. and be included into the maint postgresql.conf file, or possibly transitively included through the configuration generated by our scripts...

[dhodovsk]

@pkubatrh yes, it should also work with fedora, but I ran into a problem with python2 package:

Steps to reproduce:

$ docker run -it registry.fedoraproject.org/f25/s2i-base:latest bash
bash-4.3# dnf install -y python2
Fedora 25 - x86_64                                                        80 MB/s |  50 MB     00:00    
Fedora 25 - x86_64 - Updates                                              73 MB/s |  24 MB     00:00    
Last metadata expiration check: 0:00:06 ago on Fri Nov 24 08:51:08 2017.
Package python-2.7.13-2.fc25.x86_64 is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
bash-4.3# rpm -V python2
package python2 is not installed

Do you know something about this? Could you, please, help me resolve this so I can rebase and apply s2i also to fedora image?

[pkubatrh]

@dhodovsk What exactly is the issue? Python 2.7 is installed, only the package is not named python2, just python (old style naming).

In any case the postgresql image should not be based on s2i-base at all. It is an oversight that is already fixed in master. It should be based on s2i-core, which is unfortunately not yet built. (sclorg/s2i-base-container#144)

[dhodovsk]

@pkubatrh the issue occurred while verifying INSTALED_PKGS - https://github.com/sclorg/postgresql-container/blob/master/latest/Dockerfile.fedora#L51. It works with registry.fedoraproject.org/fedora:26 but not with registry.fedoraproject.org/f25/s2i-base:latest bash. I don't know the python background in fedora but it seemed interesting. Anyway I built fedora s2i-core locally and used it in fedora image with s2i here and it went ok.

[praiskup]

Can this be symlink to /usr/bin/run-postgresql?

[dhodovsk]

@praiskup please review discussed changes, there is another example of handling permissions for ${APP_DATA} here: https://github.com/sclorg/varnish-container/blob/master/4/Dockerfile#L46

[praiskup]

Missing newline.

[praiskup]

Could we name it init only, or init-hooks?

[praiskup]

chmod -R og+rwx should be probably used too

[praiskup]

I meant chmod -R ug+rwx.

[praiskup]

typo :1 suffix

[praiskup]

Should slave call these hooks?

[pkubatrh]

I asked for it to be added because I thought even slaves want to have their configuration files extendible. But looking at pg_basebackup documentation it seems that the slaves will get the master's configurations files along with everything else, so it might not be needed after all.

[praiskup]

More it seems to me that the password change method is newly called for slave, too.

[praiskup]

Probably editor mis-config (missing newline).

[praiskup]

for conf in "$extending_cfg_dir"/*.conf; do

[praiskup]

Nit, but echo would be also OK and a bit more readable.

[praiskup]

Thanks, it is close now :-) could we please add s2i test-cases? Mariadb can be used for inspiration.

[omron93]

This file needs to be updated to use init-hook and start-hook directories.

[dhodovsk]

The requested changes has been applied; now also to Dockerfile.template and versions 9.5 and 9.4.

[pkubatrh]

do we need write permissions actually?

For the source files under /opt/app-root/src? One use case that comes to mind is easier debugging of the built image without the need to have it rebuilt with new sources

[omron93]

do we really need to run fix-permission during assemble run?

We need to add/ensure g+r for root group. To be able to run this image under random UID (~group is 0)... So I think yes.

[dhodovsk]

So based on comments above, fix-permission wasn't changed in latest rebase and is called during assemble. Postgres user is added to root group in Dockerfile to be able to perform the operations.

[praiskup]

This doesn't work on my system. You probably want usermod -a -G root postgres.
I don't think removal of chmod was correct, because default umask should be 0022 -> which means that group get's only r-x permissions.

[pkubatrh]

[test-openshift]

[praiskup]

Still no comment about s/start-hook/postgresql-start-hook/. Mariadb has mysql-cfg, mysql-init and mysql-pre-init. Shouldn't we have the namespaced hook directory, too?

[praiskup]

What about:
Being also in supplemental group 0, postgres user can by default change the group
ownership of files in $APP_DATA to postgres:root (by fix-permissions script in assemble
script). This group ownership change is needed because the s2i-built image is run under
arbitrary user uid (but gid=0).

[praiskup]

I still have the two questions:

• is the write permissions needed in case of postgresql?
• could we just drop chown/chmod and use fix-permissions above (where the data ownership is changed)?

[hhorak]

I think fix-permissions should be enough, at least it looks like it's enough for mysql: https://github.com/sclorg/mysql-container/blob/master/root-common/usr/libexec/container-setup#L57

[hhorak]

two typos: "permissiond" and "assemblng"

[hhorak]

@dhodovsk @praiskup It's hard to see whether there is still anything to be fixed. From a quick look, it seems things like 's/init/postgresql-init/ands/start-hook/postgresql-start-hook/` are still to be addressed...

[praiskup]

I would prefer to have that hooks namespaced, yes.

[dhodovsk]

@praiskup Is it now ok?

[praiskup]

Seems to be, small nit with the docs.

[praiskup]

Meh, github fights against me. This should be either dropped, or at least you should mention that only *.conf files are sourced.

[praiskup]

[test-openshift]

[praiskup]

lgtm

[pkubatrh]

Merging, thanks!