
docker-entrypoint-initdb.d should complain about missing permissions #578

Closed
mcnesium opened this issue May 9, 2019 · 4 comments
Labels
Request Request for image modification or feature

Comments

@mcnesium

mcnesium commented May 9, 2019

During the research for that problem I came to the finding that if any files mounted to docker-entrypoint-initdb.d are unreadable to the postgres user (e.g. have wrong permissions), docker-entrypoint.sh just goes ahead and ignores them.

IMHO the entrypoint script should be more verbose in terms of complaining about files being there but having wrong permissions, instead of just passing by and starting up the server.

@wglambert wglambert added the Request Request for image modification or feature label May 9, 2019
@yosifkit
Member

yosifkit commented May 9, 2019

That is incorrect. Your problem seems to be that it can't even read the directory and thus it can't list the files that are in there (which looks identical to an empty directory with for f in /docker-entrypoint-initdb.d/*;). We could add a line similar to the mysql image so that the startup fails and prints a reasonable error (docker-library/mysql#453).

This is what happens when the folder is readable and the file is not readable by postgres:

$ ls -lan docker-entrypoint-initdb.d/
total 12
drwxrwsr-x 2 1000 1000 4096 Nov 12 13:54 .
drwxrwsr-x 4 1000 1000 4096 Sep 13  2018 ..
-rwx------ 1 1000 1000 241 Nov 12 13:54 test.sql
$ docker run -it --rm -v "$PWD"/docker-entrypoint-initdb.d/:/docker-entrypoint-initdb.d/ postgres:11
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale "en_US.utf8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /var/lib/postgresql/data ... ok
creating subdirectories ... ok
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting dynamic shared memory implementation ... posix
creating configuration files ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... ok
syncing data to disk ... ok

WARNING: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.

Success. You can now start the database server using:

    pg_ctl -D /var/lib/postgresql/data -l logfile start

****************************************************
WARNING: No password has been set for the database.
         This will allow anyone with access to the
         Postgres port to access your database. In
         Docker's default configuration, this is
         effectively any other container on the same
         system.

         Use "-e POSTGRES_PASSWORD=password" to set
         it in "docker run".
****************************************************
waiting for server to start....2019-05-09 23:25:16.854 UTC [44] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
2019-05-09 23:25:16.871 UTC [45] LOG:  database system was shut down at 2019-05-09 23:25:16 UTC
2019-05-09 23:25:16.876 UTC [44] LOG:  database system is ready to accept connections
 done
server started

/usr/local/bin/docker-entrypoint.sh: running /docker-entrypoint-initdb.d/test.sql
/docker-entrypoint-initdb.d/test.sql: Permission denied
$ # here it crashed
$ # maybe this case could be improved, but it is not what you saw

And here is when the directory is unreadable:

$ chmod 700 docker-entrypoint-initdb.d/
$ ls -lna docker-entrypoint-initdb.d/
total 12
drwx--S--- 2 1000 1000 4096 Nov 12 13:54 .
drwxrwsr-x 4 1000 1000 4096 Sep 13  2018 ..
-rwx------ 1 1000 1000  241 Nov 12 13:54 test.sql
$ docker run -it --rm -v "$PWD"/docker-entrypoint-initdb.d/:/docker-entrypoint-initdb.d/ postgres:11
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale "en_US.utf8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /var/lib/postgresql/data ... ok
creating subdirectories ... ok
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting dynamic shared memory implementation ... posix
creating configuration files ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... ok
syncing data to disk ... ok

WARNING: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.

Success. You can now start the database server using:

    pg_ctl -D /var/lib/postgresql/data -l logfile start

****************************************************
WARNING: No password has been set for the database.
         This will allow anyone with access to the
         Postgres port to access your database. In
         Docker's default configuration, this is
         effectively any other container on the same
         system.

         Use "-e POSTGRES_PASSWORD=password" to set
         it in "docker run".
****************************************************
waiting for server to start....2019-05-09 23:30:35.380 UTC [44] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
2019-05-09 23:30:35.391 UTC [45] LOG:  database system was shut down at 2019-05-09 23:30:35 UTC
2019-05-09 23:30:35.394 UTC [44] LOG:  database system is ready to accept connections
 done
server started

/usr/local/bin/docker-entrypoint.sh: ignoring /docker-entrypoint-initdb.d/*

2019-05-09 23:30:35.465 UTC [44] LOG:  received fast shutdown request
waiting for server to shut down....2019-05-09 23:30:35.466 UTC [44] LOG:  aborting any active transactions
2019-05-09 23:30:35.469 UTC [44] LOG:  background worker "logical replication launcher" (PID 51) exited with exit code 1
2019-05-09 23:30:35.470 UTC [46] LOG:  shutting down
2019-05-09 23:30:35.487 UTC [44] LOG:  database system is shut down
 done
server stopped

PostgreSQL init process complete; ready for start up.

2019-05-09 23:30:35.597 UTC [1] LOG:  listening on IPv4 address "0.0.0.0", port 5432
2019-05-09 23:30:35.597 UTC [1] LOG:  listening on IPv6 address "::", port 5432
2019-05-09 23:30:35.599 UTC [1] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
2019-05-09 23:30:35.616 UTC [53] LOG:  database system was shut down at 2019-05-09 23:30:35 UTC
2019-05-09 23:30:35.620 UTC [1] LOG:  database system is ready to accept connections
^C2019-05-09 23:30:38.345 UTC [1] LOG:  received fast shutdown request
2019-05-09 23:30:38.346 UTC [1] LOG:  aborting any active transactions
2019-05-09 23:30:38.353 UTC [1] LOG:  background worker "logical replication launcher" (PID 59) exited with exit code 1
2019-05-09 23:30:38.353 UTC [54] LOG:  shutting down
2019-05-09 23:30:38.371 UTC [1] LOG:  database system is shut down

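The two failure modes shown above (a directory that cannot be listed, so the glob expands to the literal pattern and looks like an empty directory; and a file that is listed but not readable) can both be made to fail loudly before any script runs. The following POSIX sh example is an added illustration written for this thread, not code from the postgres image or its docker-entrypoint.sh; it assumes the init directory is passed as the first argument (e.g. /docker-entrypoint-initdb.d) and only counts the .sql/.sh files it would run instead of executing them.

```shell
#!/bin/sh
# Hypothetical, stricter variant of the "for f in /docker-entrypoint-initdb.d/*"
# loop. Added example for this issue; not the project's own entrypoint code.

# check_initdb_dir DIR
# Returns 0 if DIR exists and the current user can list (r) and enter (x) it.
# Otherwise prints a diagnostic and returns 1. A bare glob over a directory
# that cannot be listed expands to the literal pattern and is indistinguishable
# from an empty directory, so this check has to run before the loop.
check_initdb_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "initdb: $dir is not a directory" >&2
        return 1
    fi
    if [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo "initdb: $dir exists but is not readable by uid $(id -u); fix its permissions" >&2
        return 1
    fi
    return 0
}

# run_initdb_scripts DIR
# Iterates over DIR/* the way the entrypoint does, but:
#   (a) recognises an unexpanded glob (no matches) instead of treating the
#       literal "DIR/*" as a file, and
#   (b) refuses to continue if a file is present but unreadable, rather than
#       silently skipping it.
# On success prints the number of .sql/.sh files it would run and returns 0;
# on the first problem prints a diagnostic to stderr and returns 1.
run_initdb_scripts() {
    dir=$1
    check_initdb_dir "$dir" || return 1
    count=0
    for f in "$dir"/*; do
        # No matches: the shell leaves the literal pattern in $f.
        if [ "$f" = "$dir/*" ] && [ ! -e "$f" ]; then
            break
        fi
        if [ ! -r "$f" ]; then
            echo "initdb: $f is present but not readable; refusing to ignore it" >&2
            return 1
        fi
        case "$f" in
            *.sql) count=$((count + 1)) ;;   # the real script would run psql -f "$f"
            *.sh)  count=$((count + 1)) ;;   # the real script would source or exec "$f"
            *)     echo "initdb: ignoring $f" >&2 ;;
        esac
    done
    echo "$count"
    return 0
}

# Stand-alone use: sh this_script.sh /docker-entrypoint-initdb.d
if [ "$#" -gt 0 ]; then
    run_initdb_scripts "$1" || exit 1
fi
```

Because the permission checks are evaluated as the invoking user, they only bite when the script runs as the unprivileged postgres user (root passes -r and -x on everything), which is exactly the situation the entrypoint is in after it drops privileges.
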
@beck

beck commented Mar 3, 2020

I can sympathize.

Would be nice if /docker-entrypoint-initdb.d/* was special-cased, because it represents that something has gone wrong.

Posted a lousy workaround here.

@yosifkit
Member

yosifkit commented Mar 3, 2020

#694 should make the case of "/docker-entrypoint-initdb.d/ being unreadable" easier to see.

@tianon
Member

tianon commented Jun 8, 2022

This was really fixed by #694 😅

@tianon tianon closed this as completed Jun 8, 2022