
[bitnami/postgresql] Supporting read only filesystems

Open JKrehling opened this issue 2 years ago • 5 comments

Name and Version

bitnami/postgresql:16.0.0-debian-11-r15

What is the problem this feature will solve?

The current bitnami images must run without immutable root filesystems which is quickly becoming a non-starter in some containerized environments. You can find many hardening guides suggesting the readOnlyRootFilesystem is enabled (NSA for example).

What is the feature you are proposing to solve the problem?

Moving the config directory at runtime from a template config directory to an active one would allow this.
https://github.com/bitnami/containers/compare/main...JKrehling:containers:postgresql-read-only

What alternatives have you considered?

Depending on the environment you can get around this.

https://github.com/bitnami/charts/issues/5986

I considered workarounds like this to remount and move things on startup when deploying in Kubernetes, but I was thinking there must be a better way than multiple containers and moving volumes around.

JKrehling avatar Nov 08 '23 18:11 JKrehling

Looks like this was mentioned in the past for the Kubernetes side: https://github.com/bitnami/charts/issues/8500. Unsure what the business demand would be, but there will probably be more asks for the common set of security requests going forward, and various workarounds being done for each of them.

JKrehling avatar Nov 08 '23 19:11 JKrehling

Hi,

We have plans to make our charts compatible with these restrictions, but it would require time on our side, especially in applications like PostgreSQL. In our new products we add this support, as well as using non-root groups. As soon as there is news on this matter, we will let the community know.

javsalgar avatar Nov 14 '23 08:11 javsalgar

@javsalgar Thanks for the reply. I can work around this if I build it myself, because, for PostgreSQL at least, it only writes the conf directory on startup from what I have seen. So just moving it after creation in the Dockerfile and writing it back in the entrypoint is enough to support readOnlyRootFilesystem, but I'm not sure if this is how you would like to implement such a solution.

JKrehling avatar Jan 09 '24 05:01 JKrehling
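The startup-time pattern described in the issue and in the comment above (keep a config template in the image, populate the real config directory from it when the container starts) as an added example, not code from the Bitnami images or from the linked branch. It assumes two paths: a template directory baked read-only into the image and an active directory on a writable mount such as an emptyDir, which is what makes it usable under readOnlyRootFilesystem: true; existing files in the active directory are never overwritten, so operator-supplied overrides survive restarts.

```shell
#!/bin/sh
# Added example, not Bitnami's entrypoint. Paths below are assumed names.
set -eu

CONF_TEMPLATE_DIR="${CONF_TEMPLATE_DIR:-/opt/bitnami/postgresql/conf.default}"
CONF_DIR="${CONF_DIR:-/opt/bitnami/postgresql/conf}"

# Returns 0 if a file can be created in the directory, 1 otherwise.
# This is the check that fails when the directory lives on a read-only
# root filesystem instead of on a writable volume.
dir_is_writable() {
  probe="$1/.rw-probe.$$"
  if ( : > "$probe" ) 2>/dev/null; then
    rm -f "$probe"
    return 0
  fi
  return 1
}

# Copy every entry of the template directory into the active directory,
# skipping names that already exist there so mounted overrides win.
populate_conf_dir() {
  template="$1"
  active="$2"
  mkdir -p "$active"
  if ! dir_is_writable "$active"; then
    echo "config dir $active is not writable; mount a volume there" >&2
    return 1
  fi
  for f in "$template"/*; do
    [ -e "$f" ] || continue          # no match: glob stayed literal
    name=$(basename "$f")
    if [ -e "$active/$name" ]; then
      echo "keeping existing $active/$name" >&2
    else
      cp -R "$f" "$active/$name"
    fi
  done
  return 0
}
```

In an entrypoint, call `populate_conf_dir "$CONF_TEMPLATE_DIR" "$CONF_DIR"` before exec'ing the server; a non-zero return means the active directory is still on the read-only layer.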

Hi!

Thanks for the input! Feel free to submit a PR with the solution so the team can check it and discuss it.

javsalgar avatar Jan 09 '24 08:01 javsalgar

Hi @JKrehling,

Sorry for the delay. Thanks for your efforts in addressing this issue.

The latest version already includes this feature. Could you please verify if everything is working as expected? We value your feedback and comments, so please don't hesitate to let us know.

CeliaGMqrz avatar Feb 26 '24 09:02 CeliaGMqrz

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions[bot] avatar Mar 19 '24 01:03 github-actions[bot]

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.

github-actions[bot] avatar Mar 24 '24 01:03 github-actions[bot]