From 3fd632393ab77ff6b7d7782ba701c4fee3127fdc Mon Sep 17 00:00:00 2001 From: Brian Bouterse Date: Tue, 21 Apr 2026 11:45:39 -0400 Subject: [PATCH 1/2] Refactor dev container to run without root All services now run as the pulp user (UID 700) instead of requiring root for multi-user process management: - PostgreSQL: initialized and run as pulp (not postgres). PostgreSQL only requires PGDATA ownership, not a specific OS user. - Redis: runs as pulp (no user= directive in supervisord) - Supervisord: runs as pulp (removed user=root), PID/socket files moved to /var/run/supervisord/ owned by pulp - Entrypoint: removed all runuser/su calls, commands run directly as the current user - Dockerfile: USER 700 at the end, all runtime directories owned by pulp at build time This makes the dev container compatible with OpenShift's restricted-v2 SCC which enforces runAsNonRoot and arbitrary UID assignment.
---
 dev-container/Dockerfile | 18 ++++++++++++++++--
 dev-container/entrypoint.sh | 22 +++++++++++-----------
 dev-container/supervisord.conf | 11 +++-------
 3 files changed, 30 insertions(+), 21 deletions(-)
diff --git a/dev-container/Dockerfile b/dev-container/Dockerfile
index 342f98a9..5c7a3fee 100644
--- a/dev-container/Dockerfile
+++ b/dev-container/Dockerfile
@@ -107,13 +107,24 @@ RUN openssl rand -base64 32 > /etc/pulp/certs/database_fields.symmetric.key && \
 chown pulp:pulp /etc/pulp/certs/database_fields.symmetric.key && \
 chmod 600 /etc/pulp/certs/database_fields.symmetric.key
+# PostgreSQL: initialize as pulp user (not postgres) for rootless operation.
+# PostgreSQL only requires that the process user owns PGDATA.
 RUN mkdir -p /var/run/postgresql /var/lib/pgsql/16/data && \
- chown -R postgres:postgres /var/run/postgresql /var/lib/pgsql/16
+ chown -R pulp:pulp /var/run/postgresql /var/lib/pgsql/16
-RUN runuser -l postgres -c "/usr/pgsql-16/bin/initdb -D /var/lib/pgsql/16/data" && \
+USER pulp:pulp
+RUN /usr/pgsql-16/bin/initdb -D /var/lib/pgsql/16/data && \
 echo "local all all trust" > /var/lib/pgsql/16/data/pg_hba.conf && \
 echo "host all all 127.0.0.1/32 trust" >> /var/lib/pgsql/16/data/pg_hba.conf && \
 echo "host all all ::1/128 trust" >> /var/lib/pgsql/16/data/pg_hba.conf
+USER root:root
+
+# Ensure all runtime directories are writable by pulp for rootless operation
+RUN chown -R pulp:pulp /var/run/postgresql /var/lib/pgsql /var/log/pulp \
+ /var/lib/pulp /usr/local/lib/pulp /etc/pulp && \
+ mkdir -p /var/run/supervisord && \
+ chown pulp:pulp /var/run/supervisord && \
+ chmod 777 /workspace
 COPY dev-container/settings.py /etc/pulp/settings.py
 COPY dev-container/supervisord.conf /etc/supervisord.conf
@@ -121,6 +132,9 @@ COPY dev-container/entrypoint.sh /entrypoint.sh
 COPY dev-container/scripts/ /usr/local/bin/
 RUN chmod +x /entrypoint.sh /usr/local/bin/pulp-*
+# Run as pulp user — no root required at runtime
+USER 700
+
 VOLUME ["/workspace"]
 EXPOSE 24817 24816
diff --git a/dev-container/entrypoint.sh b/dev-container/entrypoint.sh
index 3a178a44..caccb8a8 100644
--- a/dev-container/entrypoint.sh
+++ b/dev-container/entrypoint.sh
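Review bot: The `chown -R pulp:pulp … /var/lib/pgsql/16` followed by `USER pulp:pulp` and initdb ties PostgreSQL to one fixed UID, which is at odds with the arbitrary-UID goal stated in the commit message: the postgres server refuses to start unless the effective UID owns PGDATA ("data directory has wrong ownership"), and under restricted-v2 the assigned UID is unlikely to be 700. Either document that the image must be run as UID 700 (e.g. `# NOTE: PGDATA is owned by UID 700; postgres will not start under any other UID`) or move `initdb` into the entrypoint so PGDATA is created by whatever UID the container actually gets. Separately, `chmod 777 /workspace` is wider than needed and the usual OpenShift pattern is group 0, e.g. `chown 700:0 /workspace && chmod 775 /workspace`. Chowning `/usr/local/lib/pulp` and `/etc/pulp` to the service user also lets a compromised service rewrite its own code and settings, which is tolerable for a dev container but deserves a one-line comment saying so.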
@@ -4,22 +4,22 @@ set -e
 PG_BIN=/usr/pgsql-16/bin
 PG_DATA=/var/lib/pgsql/16/data
-echo "=== Pulp Dev Container Starting ==="
+echo "=== Pulp Dev Container Starting (rootless) ==="
-# Start PostgreSQL
+# Start PostgreSQL (runs as current user — no runuser needed)
 echo "Starting PostgreSQL..."
-runuser -l postgres -c "$PG_BIN/pg_ctl -D $PG_DATA start -l /var/lib/pgsql/pg.log -w"
+$PG_BIN/pg_ctl -D $PG_DATA start -l /var/lib/pgsql/pg.log -w
 # Wait for PostgreSQL
 until $PG_BIN/pg_isready -h localhost -q; do
 sleep 1
 done
-# Create pulp database and user (idempotent)
-runuser -l postgres -c "$PG_BIN/psql -tc \"SELECT 1 FROM pg_user WHERE usename = 'pulp'\" | grep -q 1 || $PG_BIN/psql -c \"CREATE USER pulp WITH SUPERUSER PASSWORD 'pulp'\""
-runuser -l postgres -c "$PG_BIN/psql -tc \"SELECT 1 FROM pg_database WHERE datname = 'pulp'\" | grep -q 1 || $PG_BIN/psql -c \"CREATE DATABASE pulp OWNER pulp\""
+# Create pulp database (idempotent — current user is the DB superuser)
+$PG_BIN/psql -d postgres -tc "SELECT 1 FROM pg_database WHERE datname = 'pulp'" | grep -q 1 || \
+ $PG_BIN/psql -d postgres -c "CREATE DATABASE pulp"
-# Start Redis
+# Start Redis (runs as current user)
 echo "Starting Redis..."
 redis-server --bind 127.0.0.1 --daemonize yes --protected-mode yes
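Review bot: The new `psql -d postgres` calls rely on the process's OS user name resolving to the bootstrap superuser that initdb created, so the role name is now implicit and breaks if the container runs under a UID that does not map to `pulp` in /etc/passwd. Since local connections use trust auth, passing the role explicitly costs nothing and decouples the script from OS identity: `$PG_BIN/psql -U pulp -d postgres -tc "SELECT 1 FROM pg_database WHERE datname = 'pulp'" | grep -q 1 || \`. While here, quote the expansions that ShellCheck will flag, `"$PG_BIN/pg_ctl" -D "$PG_DATA" start -l /var/lib/pgsql/pg.log -w`. The script continues past the end of this hunk.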
@@ -29,16 +29,16 @@ if [ -d "/workspace/pulp-service/pulp_service" ]; then
 pip install -e /workspace/pulp-service/pulp_service --quiet 2>&1 || true
 fi
-# Run database migrations
+# Run database migrations (already running as pulp)
 echo "Running database migrations..."
-runuser -u pulp -- bash -c 'PATH=/usr/local/lib/pulp/bin:$PATH pulpcore-manager migrate --noinput'
+pulpcore-manager migrate --noinput
 # Set admin password
 echo "Setting admin password..."
-runuser -u pulp -- bash -c "PATH=/usr/local/lib/pulp/bin:\$PATH pulpcore-manager reset-admin-password --password '${PULP_DEFAULT_ADMIN_PASSWORD:-password}'" 2>/dev/null || true
+pulpcore-manager reset-admin-password --password "${PULP_DEFAULT_ADMIN_PASSWORD:-password}" 2>/dev/null || true
 # Stop PostgreSQL and Redis — supervisord will manage them
-runuser -l postgres -c "$PG_BIN/pg_ctl -D $PG_DATA stop -m fast -w"
+$PG_BIN/pg_ctl -D $PG_DATA stop -m fast -w
 redis-cli shutdown 2>/dev/null || true
 echo "=== Initialization complete. Starting services via supervisord ==="
diff --git a/dev-container/supervisord.conf b/dev-container/supervisord.conf
index c62fe411..d64d05a7 100644
--- a/dev-container/supervisord.conf
+++ b/dev-container/supervisord.conf
@@ -1,21 +1,19 @@
 [supervisord]
 nodaemon=true
-user=root
 logfile=/var/log/pulp/supervisord.log
-pidfile=/var/run/supervisord.pid
+pidfile=/var/run/supervisord/supervisord.pid
 [unix_http_server]
-file=/var/run/supervisor.sock
+file=/var/run/supervisord/supervisor.sock
 [rpcinterface:supervisor]
 supervisor.rpcinterface_factory=supervisor.rpcinterface:make_main_rpcinterface
 [supervisorctl]
-serverurl=unix:///var/run/supervisor.sock
+serverurl=unix:///var/run/supervisord/supervisor.sock
 [program:postgresql]
 command=/usr/pgsql-16/bin/postgres -D /var/lib/pgsql/16/data
-user=postgres
 autostart=true
 autorestart=true
 priority=100
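Review bot: The rewritten `pulpcore-manager migrate --noinput` drops the `PATH=/usr/local/lib/pulp/bin:$PATH` prefix that the removed lines needed; unless the Dockerfile exports that directory via `ENV PATH` (not visible in this diff), this call fails with command-not-found, and the `reset-admin-password` call below fails the same way but is hidden by `2>/dev/null || true`, so the admin password silently stays whatever it was. Suggest exporting it once near the top of the script, `export PATH=/usr/local/lib/pulp/bin:$PATH`, and dropping the stderr redirect so a failure of the password reset is at least visible in the logs. The `if` block this hunk opens on starts before the hunk.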
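Review bot: With `user=root` under `[supervisord]` and `user=postgres` under `[program:postgresql]` removed, nothing in this file pins the UID the services run as; that is right for the rootless image, but if the container is launched as root (e.g. `docker run -u 0`) supervisord now keeps root and the postgres server, which refuses to run as root, will crash-loop. A comment above `[supervisord]` such as `; Runs as the non-root pulp user (UID 700 from the Dockerfile); postgres refuses to start as root` would make that expectation explicit for whoever overrides the user. The `[program:postgresql]` section continues past the end of this hunk.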
@@ -32,7 +30,6 @@ stderr_logfile=/var/log/pulp/redis-stderr.log
 [program:pulp-api]
 command=/usr/bin/pulp-api
-user=pulp
 autostart=true
 autorestart=true
 priority=300
@@ -42,7 +39,6 @@ stderr_logfile=/var/log/pulp/pulp-api-stderr.log
 [program:pulp-content]
 command=/usr/bin/pulp-content
-user=pulp
 autostart=true
 autorestart=true
 priority=300
@@ -52,7 +48,6 @@ stderr_logfile=/var/log/pulp/pulp-content-stderr.log
 [program:pulp-worker]
 command=/usr/bin/pulp-worker
-user=pulp
 autostart=true
 autorestart=true
 priority=300
From 8d5195182b680b3184fa780e7b6f9aeeece305fa Mon Sep 17 00:00:00 2001 From: Brian Bouterse Date: Tue, 21 Apr 2026 11:52:13 -0400 Subject: [PATCH 2/2] fix: use numeric UID 700 and chmod for initdb permission issue
---
 dev-container/Dockerfile | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/dev-container/Dockerfile b/dev-container/Dockerfile
index 5c7a3fee..72cbe6c8 100644
--- a/dev-container/Dockerfile
+++ b/dev-container/Dockerfile
@@ -109,21 +109,23 @@ RUN openssl rand -base64 32 > /etc/pulp/certs/database_fields.symmetric.key && \
 # PostgreSQL: initialize as pulp user (not postgres) for rootless operation.
 # PostgreSQL only requires that the process user owns PGDATA.
+# The RPM creates /var/lib/pgsql owned by postgres — reassign everything to pulp.
 RUN mkdir -p /var/run/postgresql /var/lib/pgsql/16/data && \
- chown -R pulp:pulp /var/run/postgresql /var/lib/pgsql/16
+ chown -R 700:700 /var/run/postgresql /var/lib/pgsql && \
+ chmod -R 700 /var/lib/pgsql/16/data
-USER pulp:pulp
+USER 700
 RUN /usr/pgsql-16/bin/initdb -D /var/lib/pgsql/16/data && \
 echo "local all all trust" > /var/lib/pgsql/16/data/pg_hba.conf && \
 echo "host all all 127.0.0.1/32 trust" >> /var/lib/pgsql/16/data/pg_hba.conf && \
 echo "host all all ::1/128 trust" >> /var/lib/pgsql/16/data/pg_hba.conf
-USER root:root
+USER root
 # Ensure all runtime directories are writable by pulp for rootless operation
-RUN chown -R pulp:pulp /var/run/postgresql /var/lib/pgsql /var/log/pulp \
- /var/lib/pulp /usr/local/lib/pulp /etc/pulp && \
+RUN chown -R 700:700 /var/run/postgresql /var/lib/pgsql /var/log/pulp \
+ /var/lib/pulp /usr/local/lib/pulp /etc/pulp && \
 mkdir -p /var/run/supervisord && \
- chown pulp:pulp /var/run/supervisord && \
+ chown 700:700 /var/run/supervisord && \
 chmod 777 /workspace
 COPY dev-container/settings.py /etc/pulp/settings.py