-
Notifications
You must be signed in to change notification settings - Fork 261
Postgres | Error opening executable #2632
Comments
I think your postgres is located at |
Czesc @mkow What we did is to move the Postgres DB to the Examples folder for the graphene-direct test. It works like a charm by using the following command without Graphene:
Is it possible to define a user who should execute the command?
In the dockerfile is already such a command:
It seems that this isn't working, because the user |
Cześć :) No, we don't emulate users and permissions inside Graphene. But the logs you pasted above show that the problem is just in a wrong path to the postgres binary. |
Hi, yes, I understood your point and you are right! I was confused and used the wrong path :D
Since there is no argument to emulate the user, is there no way to get around this issue?
|
Hmm, depends how postgres checks it. You can try changing the env variable ( |
Maybe it's good time to implement emulation of a current user in Graphene? The current hard-coding of Why not:
Sounds much more logical than having the root user always and asking developers to circumvent this weirdness. |
But there's no "current user", we're running a completely different OS instance than the host, so, passing host user id is conceptually wrong. What we can do is to hardcode some other ID than 0 or add a proper uid emulation. |
It's not wrong: we do not emulate any permission checks, i.e. allow for everything, which is pretty much all capabilities (default uid I would rather say it's the problem of postgress. Why it disallows being run as root? uid |
Well, yes, maybe just hard-coding some ID other than 0. We can also have a manifest option for this. I am also curious if Postgress decides whether it runs as root by looking at |
Actually, why do you say that it's "conceptually wrong"? Graphene is not really a "completely different OS instance", since Graphene re-uses the FS and the network stacks (and all the resources limitations, and all scheduling, etc.) from the host OS. So I would say that what conceptually wrong is that Graphene virtualizes the user ID (hey, you have all permissions) but doesn't virtualize host-file permissions (hey, you have all virtual permissions but you can't open files because of insufficient real permissions). There seems to be a clear disconnect between "what Graphene virtualizes" and "what Graphene can do". |
This is only the case for a specific implementation of specific PAL. Well, it's the case for all PALs currently, but that should not affect the overall arch design.
We definitely should visualize UIDs. Keeping Graphene file permissions as host-level file permissions is imo design flaw, but that's an orthogonal issue. Also please read my previous message. |
Ah, this is a good point. Ok, so virtualizing the user ID (instead of propagating such info from the host OS) is the correct way. So how should Graphene behave in a situation with an application refusing to run with And, continuing my example, how should Graphene behave on an application trying to e.g. access some file that can be opened only by root (assuming current Linux PAL), but the current host-user ID is non-root? In this case, the application gets confused: it thinks that it has root privileges and can open any file, but opening results in |
Fix your application then :) Is there no option like
If the host-fs file permissions are wrong (Graphene cannot access the file): |
Agreed with your logic.
Yes, sounds like everyone is fine with this approach. |
Hi,
we're trying to run Postgres in Graphene. OS is Ubuntu 20.04.
To that end we created our own Dockerfile:
Which we then build and signed using gsc.
However when starting the image we encounter the following problem:
Remembering what dimakuv said in a previous issue, we took a step back to try again without gsc and only graphene-direct using the memcached example as a base.
During the Postgres server startup we faced a similar issue:
Do you have any ideas to fix this issue?
Thanks in advance.
The text was updated successfully, but these errors were encountered: