Hi Dave,

I understand the situation and I believe both options that you suggested could improve the container.

If you could leave this issue noted somewhere to be analyzed in the future, I would be very grateful.

Thank you for your help.

Best regards,
Rodrigo

On 22/10/2021 11:31, Dave Page wrote:
Hi

On Fri, Oct 22, 2021 at 3:12 PM Rodrigo Mariano <rodmarian...@gmail.com> wrote:

    Hi Dave,

    I tested the ACL command, as you suggested, and it worked when the
    Docker container was turned off, but when I launched pgAdmin, it
    reset the folder permissions again.

That's very odd - pgAdmin only resets the permission bits. It doesn't have any code to touch the ACL.


    Could you consider, in future versions, giving the host user access
    to the /var/lib/pgadmin/storage/ folder?
    For example, other files and folders (e.g. sessions and
    pgadmin4.db) could be restricted, but storage, as a folder for user
    files, could have read and execute permissions so that the host
    user is able to access it.

That may be safe in your environment, but perhaps not in others (and we always aim for secure-by-default). Perhaps a suitable compromise would be to either have a config option to avoid the chmod at startup, or to only perform it when the directory is first created (so that you can change it after first launch, and not have it reset in the future).


    Thank you for your help.

    Best regards,
    Rodrigo

    On 22/10/2021 06:31, Dave Page wrote:
    Hi

    On Thu, Oct 21, 2021 at 7:51 PM Rodrigo Mariano
    <rodmarian...@gmail.com> wrote:

        Hi Dave,

        Which OS do you use? I'm using Ubuntu 18.

    macOS, primarily.


        Nautilus is the file manager for Ubuntu.

    Ah, OK.


        I updated my image to dpage/pgadmin4:6.0 in order to avoid
        old versions. I added a new volume and executed the chown
        command (i.e. sudo chown -R 5050:5050 <host_directory>).

        I tried to add my user to the 5050 group, but it did not work,
        because when the pgadmin4 Docker container is executed, it allows
        only the 5050 user to edit the folder and not other users from the
        same group (i.e. drwx------).

        drwx------ is the default permission that the pgadmin4 Docker
        container gives to the volume it creates; in other words, only the
        5050 user can edit the volume data, not other users, even if
        they belong to the 5050 group.

    OK, now I understand what you mean. Yes, when pgAdmin launches,
    it'll check the directories it needs, and always tries to fix the
    permissions to ensure they're secure (i.e. 0700 permissions).

    You might be able to use the extended ACL to work around that, e.g.

    setfacl -Rm u:rodrigo:rwX,d:u:rodrigo:rwX <host_directory>

    I believe that will recursively give you permissions on the
    directory on the host (assuming your username is rodrigo), and
    set it up so permissions are inherited. You may need to ensure
    your host filesystem is mounted with the 'acl' option.


        Thank you.

        Best regards,
        Rodrigo

        On 21/10/2021 10:20, Dave Page wrote:


        On Thu, Oct 21, 2021 at 1:33 PM Rodrigo Mariano
        <rodmarian...@gmail.com> wrote:

            Hi Dave,

            > I've never needed to do that with plain Docker or
            > Kubernetes. I've never used Docker Compose though.

            Have you ever tried to create a volume for the
            /var/lib/pgadmin/storage/ folder using newer image
            versions and been able to access it from the host in
            Nautilus? Using plain Docker.

        I have no idea what "the nautilus" is, but yes, I've mapped
        /var/lib/pgadmin to the host many times (including 30
        seconds ago with 6.1), and it works fine. As long as
        appropriate permissions are set on the directory on the
        host, I can access it from there as well.


            If you have, how could I do that?

        As you suggested, you could add yourself to the 5050 group,
        and ensure the directory on the host is group readable.


            I did not have this kind of issue with older versions of
            the pgadmin4 Docker image (e.g. dpage/pgadmin4:4.15); this
            issue started with recent images, where I need to
            change the folder permissions to 5050:5050 (e.g.
            dpage/pgadmin4:5.4).

        4.15 is very old. We've long since had additional checks in
        pgAdmin to ensure that we can successfully write to the
        storage directory, and to stop running the processes in the
        container as root, which was a) quite dangerous and b) could
        allow it to override permissions on the host. In particular,
        you're probably hitting the issue mentioned in the callout
        box at the top of
        https://www.pgadmin.org/docs/pgadmin4/6.1/release_notes_4_16.html


            Thank you.

            Best regards,
            Rodrigo


            On 21/10/2021 08:36, Dave Page wrote:


            On Thu, Oct 21, 2021 at 12:27 PM Rodrigo Mariano
            <rodmarian...@gmail.com> wrote:

                Hi Aditya,

                According to the documentation, I need to change the
                user and group of my host folder to 5050:5050
                through chown.

                If my default user and group is rodrigo:rodrigo,
                how could my default user access a folder that
                belongs to another one (i.e. 5050:5050)?

            The pgAdmin processes in the container run under uid
            5050, gid 5050.


                As far as I know, I cannot normally access a folder that
                belongs to another user.

                Maybe I should add my default user (i.e. rodrigo)
                to the pgadmin group (i.e. 5050)?

            I've never needed to do that with plain Docker or
            Kubernetes. I've never used Docker Compose though.

                If I should, I believe this information could be
                written in the documentation.

                Thank you.

                Best regards,
                Rodrigo

                On 21/10/2021 02:06, Aditya Toshniwal wrote:
                Hi Rodrigo,

                pgAdmin just needs a readable and writable
                directory. pgAdmin cannot change any permission on
                its own. It might be some other ownership issue on
                your system then.

                On Wed, Oct 20, 2021 at 11:29 PM Rodrigo Mariano
                <rodmarian...@gmail.com> wrote:

                    Hi Aditya,

                    I did both.

                    First, I changed the folder permissions to
                    5050:5050 and the Docker container worked, but
                    I was not able to get into the folder; the
                    folder is locked and I cannot access its
                    subfolders, even through the terminal. For example:

                    After that, I tried using the default permissions;
                    however, that error message appeared.

                    Thank you.

                    Best regards,
                    Rodrigo

                    On 20/10/2021 10:08, Aditya Toshniwal wrote:
                    Hi Rodrigo,

                    Did you run sudo chown -R 5050:5050
                    ./volumes/pgadmin4 and sudo chown -R
                    5050:5050 ./volumes/pgadmin4_storage as per
                    https://www.pgadmin.org/docs/pgadmin4/6.0/container_deployment.html#mapped-files-and-directories
                    ?


                    On Wed, Oct 20, 2021 at 6:14 PM Rodrigo
                    Mariano <rodmarian...@gmail.com> wrote:

                        Hi Aditya,

                        I tried creating the volume for the
                        subdirectory as well (i.e.
                        /var/lib/pgadmin/storage/postgres_localhost.com/), but
                        the same error message appears.

                        I send the traceback below.

                        Thank you for your help.

                        Best regards,
                        Rodrigo

                        -

                        Traceback (most recent call last):
                          File "/venv/lib/python3.8/site-packages/gunicorn/arbiter.py", line 589, in spawn_worker
                            worker.init_process()
                          File "/venv/lib/python3.8/site-packages/gunicorn/workers/gthread.py", line 92, in init_process
                            super().init_process()
                          File "/venv/lib/python3.8/site-packages/gunicorn/workers/base.py", line 134, in init_process
                            self.load_wsgi()
                          File "/venv/lib/python3.8/site-packages/gunicorn/workers/base.py", line 146, in load_wsgi
                            self.wsgi = self.app.wsgi()
                          File "/venv/lib/python3.8/site-packages/gunicorn/app/base.py", line 67, in wsgi
                            self.callable = self.load()
                          File "/venv/lib/python3.8/site-packages/gunicorn/app/wsgiapp.py", line 58, in load
                            return self.load_wsgiapp()
                          File "/venv/lib/python3.8/site-packages/gunicorn/app/wsgiapp.py", line 48, in load_wsgiapp
                            return util.import_app(self.app_uri)
                          File "/venv/lib/python3.8/site-packages/gunicorn/util.py", line 359, in import_app
                            mod = importlib.import_module(module)
                          File "/usr/lib/python3.8/importlib/__init__.py", line 127, in import_module
                            return _bootstrap._gcd_import(name[level:], package, level)
                          File "<frozen importlib._bootstrap>", line 1014, in _gcd_import
                          File "<frozen importlib._bootstrap>", line 991, in _find_and_load
                          File "<frozen importlib._bootstrap>", line 975, in _find_and_load_unlocked
                          File "<frozen importlib._bootstrap>", line 671, in _load_unlocked
                          File "<frozen importlib._bootstrap_external>", line 848, in exec_module
                          File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
                          File "/pgadmin4/run_pgadmin.py", line 4, in <module>
                            from pgAdmin4 import app
                          File "/pgadmin4/pgAdmin4.py", line 98, in <module>
                            app = create_app()
                          File "/pgadmin4/pgadmin/__init__.py", line 441, in create_app
                            paths.init_app(app)
                          File "/pgadmin4/pgadmin/utils/paths.py", line 103, in init_app
                            raise InternalServerError(
                        werkzeug.exceptions.InternalServerError: 500 Internal Server Error: The user does not have permission to read and write to the specified storage directory.

                        On 20/10/2021 09:08, Aditya Toshniwal wrote:
                        Hi Rodrigo,

                        /var/lib/pgadmin/storage is the base
                        directory. A sub directory for each user
                        will be created for storing user files.

                        On Wed, Oct 20, 2021 at 5:10 PM Rodrigo
                        Mariano <rodmarian...@gmail.com> wrote:

                            Hi,

                            I'm having trouble related to the
                            pgadmin 4 Docker image
                            <https://hub.docker.com/r/dpage/pgadmin4>.

                            I would like to create a volume for the
                            /var/lib/pgadmin/storage/ folder,
                            in order to access backup files
                            created by the pgadmin 4 interface;
                            however, error messages about
                            permission denied are raised, for
                            example:

                            werkzeug.exceptions.InternalServerError:
                            500 Internal Server Error: The user
                            does not have permission to read and
                            write to the specified storage
                            directory.

                            Is there a way to create this volume?

                            I had to use a command to change the
                            user and group of my volume to
                            5050:5050 (i.e. sudo chown -R
                            5050:5050 pgadmin4), but now I'm
                            not able to get into the folder
                            anymore, even when I try creating a
                            volume for the /var/lib/pgadmin/storage/
                            folder directly.

                            I send my Docker Compose file below
                            with default values.

                            Thank you in advance.

                            Best regards,
                            Rodrigo

                            -

                            docker-compose.yml

                            version: '3'

                            services:
                              cdsr_postgis:
                                container_name: cdsr_postgis
                                image: kartoza/postgis:11.0-2.5
                                restart: on-failure
                                environment:
                                  - POSTGRES_USER=postgres
                                  - POSTGRES_PASS=postgres
                                  - ALLOW_IP_RANGE=0.0.0.0/0
                                  - POSTGRES_MULTIPLE_EXTENSIONS=postgis,hstore,postgis_topology,pgrouting
                                volumes:
                                  - ./volumes/postgresql:/var/lib/postgresql
                                networks:
                                  - cdsr
                                ports:
                                  - 6000:5432

                              cdsr_pgadmin4:
                                container_name: cdsr_pgadmin4
                                image: dpage/pgadmin4:5.4
                                restart: on-failure
                                environment:
                                  - PGADMIN_DEFAULT_EMAIL=postg...@localhost.com
                                  - PGADMIN_DEFAULT_PASSWORD=postgres
                                volumes:
                                  # to fix permission bugs:
                                  # sudo chown -R 5050:5050 pgadmin4
                                  - ./volumes/pgadmin4:/var/lib/pgadmin
                                  - ./volumes/pgadmin4_storage:/var/lib/pgadmin/storage
                                networks:
                                  - cdsr
                                depends_on:
                                  - cdsr_postgis
                                ports:
                                  - 6001:80

                            networks:
                              cdsr:
                                driver: bridge



                        -- 
                        Thanks,
                        Aditya Toshniwal
                        pgAdmin Hacker | Software Architect | edbpostgres.com
                        "Don't Complain about Heat, Plant a TREE"









            -- 
            Dave Page
            Blog: https://pgsnake.blogspot.com
            Twitter: @pgsnake

            EDB: https://www.enterprisedb.com









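The three results reported in this thread (group membership in 5050 does not help against a 0700 directory, `setfacl -Rm u:rodrigo:rwX` works, and the ACL stops working again as soon as pgAdmin is relaunched) are all consequences of how Linux POSIX ACLs interact with chmod, as documented in acl(5): once a file has an extended ACL, the group permission bits written by chmod land in the ACL_MASK entry, and every named-user entry is ANDed with that mask. So Dave is right that pgAdmin only resets permission bits and never touches the ACL, and Rodrigo is right that the workaround is undone at each start: `chmod 0700` sets the mask to `---`, and `getfacl` on the host shows the entry as `user:rodrigo:rwx #effective:---`. The following Python is an added model of that acl(5) access-check algorithm, written for this page and not taken from pgAdmin or the acl tools; uid/gid 5050 come from the thread, uid 1000 for the host user rodrigo is an assumption.

```python
"""Model of the POSIX.1e ACL access check from acl(5), added to this thread as
an illustration (not pgAdmin code). uid/gid 5050 are the container's pgAdmin
identity from the thread; uid 1000 for the host user 'rodrigo' is assumed."""

R, W, X = 4, 2, 1


def perm_str(p):
    """Render a 3-bit permission set the way getfacl/ls do, e.g. 5 -> 'r-x'."""
    return "".join(c if p & bit else "-" for c, bit in (("r", R), ("w", W), ("x", X)))


class DirAcl:
    """Owner, group, mode bits and (optionally) an extended ACL of one directory."""

    def __init__(self, owner_uid, owner_gid, mode):
        self.owner_uid, self.owner_gid = owner_uid, owner_gid
        self.user_obj = (mode >> 6) & 7   # ACL_USER_OBJ
        self.group_obj = (mode >> 3) & 7  # ACL_GROUP_OBJ
        self.other = mode & 7             # ACL_OTHER
        self.users = {}                   # ACL_USER entries, uid -> perms
        self.groups = {}                  # ACL_GROUP entries, gid -> perms
        self.mask = None                  # ACL_MASK; None means a minimal ACL

    def setfacl_user(self, uid, perms):
        """`setfacl -m u:<uid>:<perms>`: add the named-user entry and, as setfacl
        does without -n, recompute the mask as the union of the owning group
        entry and every named user/group entry."""
        self.users[uid] = perms
        self.mask = self.group_obj
        for p in list(self.users.values()) + list(self.groups.values()):
            self.mask |= p

    def chmod(self, mode):
        """chmod(2): user bits -> ACL_USER_OBJ, other bits -> ACL_OTHER, and the
        group bits -> ACL_MASK when a mask exists (ACL_GROUP_OBJ otherwise).
        The named-user entries themselves are left untouched."""
        self.user_obj = (mode >> 6) & 7
        self.other = mode & 7
        if self.mask is None:
            self.group_obj = (mode >> 3) & 7
        else:
            self.mask = (mode >> 3) & 7

    def ls_mode(self):
        """What `ls -ld` prints: the group column shows the mask, '+' marks an ACL."""
        group_col = self.group_obj if self.mask is None else self.mask
        return ("d" + perm_str(self.user_obj) + perm_str(group_col)
                + perm_str(self.other) + ("+" if self.mask is not None else ""))

    def getfacl(self):
        """getfacl-style listing, including the '#effective:' annotation that
        getfacl prints when the mask cuts an entry down."""
        def entry(name, p):
            line = f"{name}:{perm_str(p)}"
            if self.mask is not None and p & self.mask != p:
                line += f"\t#effective:{perm_str(p & self.mask)}"
            return line
        lines = [f"# owner: {self.owner_uid}", f"# group: {self.owner_gid}",
                 f"user::{perm_str(self.user_obj)}"]
        lines += [entry(f"user:{u}", p) for u, p in sorted(self.users.items())]
        lines.append(entry("group:", self.group_obj))
        lines += [entry(f"group:{g}", p) for g, p in sorted(self.groups.items())]
        if self.mask is not None:
            lines.append(f"mask::{perm_str(self.mask)}")
        lines.append(f"other::{perm_str(self.other)}")
        return lines

    def access(self, uid, gids, want):
        """The acl(5) algorithm: owner entry first, then a named-user entry, then
        any matching group entry (everything but the owner is ANDed with the
        mask), and finally 'other'."""
        masked = (lambda p: p) if self.mask is None else (lambda p: p & self.mask)
        if uid == self.owner_uid:
            return self.user_obj & want == want
        if uid in self.users:
            return masked(self.users[uid]) & want == want
        candidates = [(self.owner_gid, self.group_obj)] + list(self.groups.items())
        matching = [p for g, p in candidates if g in gids]
        if matching:
            return any(masked(p) & want == want for p in matching)
        return self.other & want == want


def thread_walkthrough():
    """The three attempts from the thread, in order, against one directory that
    was `chown -R 5050:5050`ed and then fixed up to 0700 by pgAdmin at startup."""
    rodrigo, rodrigo_gids = 1000, {1000, 5050}  # host user, also added to group 5050
    storage = DirAcl(owner_uid=5050, owner_gid=5050, mode=0o700)
    via_group = storage.access(rodrigo, rodrigo_gids, R | X)       # group bits are ---
    storage.setfacl_user(rodrigo, R | W | X)                        # setfacl -Rm u:rodrigo:rwX
    via_acl = storage.access(rodrigo, rodrigo_gids, R | W | X)      # mask recomputed to rwx
    storage.chmod(0o700)                                            # pgAdmin relaunch
    after_relaunch = storage.access(rodrigo, rodrigo_gids, R | X)   # mask is now ---
    return via_group, via_acl, after_relaunch, storage.getfacl()


if __name__ == "__main__":
    for line in thread_walkthrough()[3]:
        print(line)
```

On a real host the same check is `getfacl <host_directory>` after a pgAdmin restart: the `user:rodrigo:rwx` line is still there, but annotated `#effective:---`, and `ls -ld` shows `drwx------+`. Re-running the setfacl command (or `chmod g+rwx`, which rewrites the mask) restores access until the next start, which is why the fix Dave sketched, skipping the startup chmod or doing it only when the directory is first created, is what would make the ACL workaround stick. Note that widening the mask widens the group class for every group entry, not just the named user, so keeping the group entry itself at `---` (as in the example) matters.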
