On Tue, Jul 20, 2021 at 9:30 AM Ashesh Vashi <ashesh.va...@enterprisedb.com> wrote:
> > > > On Tue, Jul 20, 2021 at 1:43 PM Dave Page <dp...@pgadmin.org> wrote: > >> Hi >> >> On Mon, Jul 19, 2021 at 8:53 PM Albert Serrallé < >> albert.serra...@adevinta.com> wrote: >> >>> Hello all, >>> >>> I'm trying to run pgadmin in a Kubernetes cluster with enforced Pod >>> Security Policies. Long story short, in the cluster, *none* of the >>> Linux capabilities are allowed. >>> >>> The Dockerfile enables this for the python exec: >>> >>> setcap CAP_NET_BIND_SERVICE=+eip /usr/bin/python3.8 && \ >>>> >>> >>> So the entrypoint.sh fails at startup time, as soon as it invokes the >>> python executable: >>> >>> /entrypoint.sh: line 70: /venv/bin/python3: Operation not permitted >>> >>> >>> I removed this requirement creating a new Docker image with the >>> following definition: >>> >>> FROM dpage/pgadmin4:5.5 >>>> USER root >>>> RUN setcap -r /usr/bin/python3.8 >>>> USER pgadmin >>>> >>> >>> And then it boots without problem (using the 5050 port). >>> >>> Do you think it makes sense to modify the main Dockerfile to avoid this >>> problem? >>> >> >> If we do that, then we break the container for anyone who is using a >> privileged port for the server (e.g. everyone using default settings). I >> don't see how we could introduce such a change without causing problems for >> such users. >> > Two separate containers can help. > Sure, but that requires more testing and more builds to maintain. If this were a common request, I would be inclined to re-prioritise the resources to handle the additional work, however resources are thin (as always), and it doesn't make sense in response to a single request (with apologies to Albert of course). -- Dave Page Blog: https://pgsnake.blogspot.com Twitter: @pgsnake EDB: https://www.enterprisedb.com
