Option to allow custom commands during startup. #1059

Closed
TafkaMax opened this issue Mar 13, 2023 · 4 comments

Comments

@TafkaMax

Is there a possibility to add custom commands on startup?

I am battling the god-forbidden riddance of permission rights for certificates, as I have an external cert I wish to mount to use TLS encryption. The problem is that the cert has root:ssl-cert rights, but the host and the postgres container differ in the GID.

I wish to do groupmod -g GID_THAT_IS_IN_HOST ssl-cert, so that when I mount the private key with permissions 640 the postgres user can read the file inside the container.

As the docker-entrypoint logic is only run during initialization, when there is no pgdata, this does not persist across restarts.

@TafkaMax
Author

I propose something like:

"Run files in folder /docker-entrypoint-initdb.d/always/* regardless of whether the database has been initialized." As this is done before the postgres instance is started, the group ID would be changed and postgres would not fail to read the SSL private key for me. I guess this can be useful for other cases as well, if people need to modify the docker container logic before the start of postgres itself. Of course the folder can be something other than /always/.

@TafkaMax
Author

TafkaMax commented Mar 13, 2023

There seems to be a caveat right now:

I tried to add these lines to docker-entrypoint.sh through ansible.

+     - 'chown root:ssl-cert /etc/ssl/private'
+     - 'groupmod -g {{ansible_facts.getent_group["ssl-cert"][1]}} ssl-cert'
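Review bot: both `chown` and `groupmod` need root inside the container, so with the service started as `user: "1000:1000"` these two lines fail with permission denied rather than fixing the key's group (the output further down, where uid 1000 has no name in the container, is the same symptom). Either start the container as root and let docker-entrypoint.sh drop privileges itself after the commands run, or do the ownership change on the host side of the bind mount before starting the container. Also note that editing docker-entrypoint.sh in place is undone by the next image pull; a `command:` wrapper in compose or a small `FROM postgres` layer keeps the change reproducible.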

But I found out that because the user who runs the docker container is 1000:1000, it does not have root access inside the container to change these permissions.

echo $(whoami)
whoami: cannot find name for user ID 1000

@tianon
Member

tianon commented Mar 13, 2023

If you want a solution that does something with a started database (like our existing initdb scripts do), see #173, #821, #191, #929 for some other issues that have some good thoughts / suggestions.

However, it looks like you just want "something" to run before PostgreSQL starts, which is a much easier ask -- you'll want to set your container's "command" to something like sh -c 'chown ... && groupmod ... && exec docker-entrypoint.sh' (which will then invoke postgres after running your extra commands, and if you're not running the container as a non-root user, it will run those initial commands as root, after which the entrypoint script will re-exec itself as non-root).

If the directory you're doing this to is a bind-mount, you could also do those modifications on the host directory before mounting it (and the container shouldn't touch them), or if they're image-only you might consider having a short Dockerfile instead (FROM postgres + RUN chown ... && groupmod ...).

@TafkaMax
Author

TafkaMax commented Mar 14, 2023

Thank you for the response.

In the end I changed the ssl-cert group in the host to match the GID of the 'user' that runs the docker container.

 - name: Change ssl-cert /etc/ssl/private group permissions if present.
   file:
     path: /etc/ssl/private
     state: directory
     owner: root
     group: '{{ certbot_ssl_cert_group_name }}'
     recurse: true
   when: certbot_ssl_cert_group_name != "ssl-cert"

The docker-compose ended up looking like this.

version: "3.8"
services:
  db:
    container_name: db
    hostname: db
    image: docker.io/postgres:14.7-bullseye
    restart: unless-stopped
    volumes:
      - /opt/postgres-docker/postgres/data:/var/lib/postgresql/data
      - /opt/postgres-docker/postgres/initdb:/docker-entrypoint-initdb.d
      - /etc/ssl/certs/REDACTED.pem:/var/lib/postgresql/data/server.cert
      - /etc/ssl/private/REDACTED.pem:/var/lib/postgresql/data/server.key
    user: "1000:1000"
    ports:
      - "5432:5432"
    env_file:
      - '/opt/postgres-docker/postgres/env-postgres-server'
    networks:
      - postgres-docker-network
  pgbackup:
    container_name: pgbackup
    hostname: pgbackup
    image: docker.io/prodrigestivill/postgres-backup-local:14-alpine
    restart: unless-stopped
    volumes:
      - /opt/postgres-docker/postgres/backups:/backups
    env_file:
      - '/opt/postgres-docker/postgres/env-postgres-backup'
    networks:
      - postgres-docker-network
    depends_on:
      - db

networks:
  postgres-docker-network:
    driver: bridge
    name: postgres-docker-network

Now the SSL certs are read by postgresql.conf options.
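Putting tianon's command-override suggestion and the permission problem from this thread together: the script below is an added example, not code from the postgres image, its docker-entrypoint.sh, or the issue author's playbook. It runs in front of docker-entrypoint.sh as the container command, renumbers the container's cert group to the GID of the mounted key when it starts as root, and refuses to start if the key would fail PostgreSQL's own ssl_key_file permission rule (no group/other bits when owned by the server user, no group-write/execute and no other bits when owned by root). The file name pg-pre-entrypoint.sh, the PG_KEY / PG_USER / CERT_GROUP variables, the compose line in the header, and a Debian-based image with groupmod, usermod, groupadd, getent and GNU or busybox stat are assumptions. When the container is started with user: as in the compose file above, nothing can be renumbered, so the script only verifies that the host-side GID alignment actually made the key readable.

```shell
#!/bin/sh
# pg-pre-entrypoint.sh: added example, not code from the postgres image or the
# issue author. Runs in front of the image's docker-entrypoint.sh (the
# "command" override suggested in the thread) and does two things:
#   1. if started as root, gives the container's cert group the GID of the
#      bind-mounted key (groupmod), so a 0640 root:<group> key is readable by
#      the postgres user through group membership, then hands over to
#      docker-entrypoint.sh, which drops to the postgres user by itself;
#   2. checks the key with the rule PostgreSQL applies to ssl_key_file, so a
#      bad mount fails before postgres starts, with a clear message.
# Assumptions (not from the page): Debian-based postgres image (groupmod,
# usermod, groupadd, getent present), GNU/busybox stat, key mounted at $PG_KEY.
# Hypothetical compose usage, with the file mounted into the container:
#   command: ["sh", "/usr/local/bin/pg-pre-entrypoint.sh", "postgres"]
# and no `user:` line, so the wrapper is root until the entrypoint drops.
set -eu

PG_KEY="${PG_KEY:-/var/lib/postgresql/data/server.key}"
PG_USER="${PG_USER:-postgres}"
CERT_GROUP="${CERT_GROUP:-ssl-cert}"

# Permission bits of FILE as a decimal number (stat prints octal: 640 -> 416).
file_mode() { printf '%d\n' "0$(stat -c '%a' "$1")"; }
file_uid()  { stat -c '%u' "$1"; }
file_gid()  { stat -c '%g' "$1"; }

# Mirror PostgreSQL's check_ssl_key_file_permissions():
#   regular file owned by the server user -> no group/other bits     (mask 0077)
#   regular file owned by root            -> no g+wx, no other bits  (mask 0037)
#   owned by anyone else                  -> rejected
# Returns 0 when postgres would accept the key, 1 otherwise.
pg_key_perm_ok() {
  key="$1"; db_uid="$2"
  [ -f "$key" ] || return 1
  mode=$(file_mode "$key")
  owner=$(file_uid "$key")
  if [ "$owner" -eq "$db_uid" ]; then
    [ $((mode & 63)) -eq 0 ]    # 0077 octal
  elif [ "$owner" -eq 0 ]; then
    [ $((mode & 31)) -eq 0 ]    # 0037 octal
  else
    return 1
  fi
}

# Make the container's cert group carry the key's GID and ensure the postgres
# user is in it. Handles the edge cases: the GID already belongs to another
# container group (join that group instead), or the cert group does not exist.
align_cert_group() {
  key_gid=$(file_gid "$1")
  cur_gid=$(getent group "$CERT_GROUP" | cut -d: -f3)
  [ "$cur_gid" = "$key_gid" ] && return 0
  taken=$(getent group "$key_gid" | cut -d: -f1)
  if [ -n "$taken" ]; then
    usermod -aG "$taken" "$PG_USER"
  elif [ -z "$cur_gid" ]; then
    groupadd -g "$key_gid" "$CERT_GROUP"
    usermod -aG "$CERT_GROUP" "$PG_USER"
  else
    groupmod -g "$key_gid" "$CERT_GROUP"
    usermod -aG "$CERT_GROUP" "$PG_USER"
  fi
}

main() {
  if [ "$(id -u)" -eq 0 ]; then
    align_cert_group "$PG_KEY"
    db_uid=$(id -u "$PG_USER")
  else
    # Started with `user:`: nothing can be renumbered here, so the host-side
    # GID must already match (the fix the issue author ended up with).
    db_uid=$(id -u)
    [ -r "$PG_KEY" ] || { echo "uid $db_uid cannot read $PG_KEY" >&2; exit 1; }
  fi
  pg_key_perm_ok "$PG_KEY" "$db_uid" || {
    echo "refusing to start: $PG_KEY has mode/owner $(stat -c '%a %u:%g' "$PG_KEY"), not acceptable for uid $db_uid" >&2
    exit 1
  }
  exec docker-entrypoint.sh "$@"
}

# Only act when given the command to run (e.g. "postgres"); sourcing the file
# for its functions does nothing.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

The permission rule in pg_key_perm_ok is the same one postgres enforces at startup, so running it on the host against the bind-mounted key with the container user's uid (1000 in the compose file above) tells you before `docker compose up` whether the key will be accepted; the GID alignment only matters for the root-owned 0640 case, where readability comes from group membership rather than ownership.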
