embedded-postgres icon indicating copy to clipboard operation
embedded-postgres copied to clipboard

Published 20 hours ago verified publisher icon fergusstrange

Add runAsUser functionality

Open same-id opened this issue 2 years ago • 1 comments

By supplying runAsUser it is possible to run initdb as non-root user (which otherwise fails) even if the calling process runs as root.

In addition, flush logger on failures to get more detailed errors.

same-id avatar Jul 25 '22 21:07 same-id

Coverage is being a bit hard to achieve, even with added tests

same-id avatar Jul 26 '22 13:07 same-id

Hey @same-id, the Postgres instance should run as the same user that is running the GoLang process / tests making this feature a little redundant.

This is really a testing library so if it's being used in any other capacity that's not really within our core aim.

Happy to address the flush logger calls in a separate / altered PR however as that seems a good idea.

fergusstrange avatar Aug 09 '22 02:08 fergusstrange

Hey!

I don't agree with the statement that it must run as the same user.

When we run our tests locally we are indeed enjoying the fact the test runs as the same user on our OSX/Linux.

But, on a more practical note, in our CI, when using the popular golang containers, the only available user is root.

So the tests just fail to run on these containers due to postgres limit to run as root (by the way - the failure message is not available to why this library fails - this is why this PR also adds relevant logger flushes also in failures).

Changing the user for the entire golang process is also not great in the popular golang container (lots of errors due to chmod problems of existing /go files that are accessible by root only)

Adding a nonroot user and running postgres as that user in the CI works super great - this way we can still run go as root but the postgres process will run as nonroot.

same-id avatar Aug 10 '22 09:08 same-id

Hey @same-id,

Here's an example in our very own build system where we spin up an Alpine Linux image (that defaults to root) and change user before running the test suite.

https://github.com/fergusstrange/embedded-postgres/blob/f9d296fcdef65d59f5eaefd6e699ab526aeec18e/.github/workflows/build.yml#L69

This is really effective and requires pretty minimal code overhead.

I'd still be open to the logger flush code if you wish to open that in a separate PR.

fergusstrange avatar Aug 16 '22 00:08 fergusstrange

Things are not always this easy thought :-)

We are building using earthly.dev and we pass GitHub credentials using an ssh agent integrating into the docker.

i.e. RUN --ssh go mod download

And since today the ssh sock is only accessible by the root user:

https://github.com/earthly/earthly/issues/1549

(notice that this is fixed in buildkit/moby since they allow mode https://github.com/moby/buildkit/issues/760)

All of the downloaded go modules are owned by root, so we need to do things like

USER root
RUN --ssh go mod download
RUN chmod ...
USER nonroot
RUN go test ... (postgres)

Notice that a simple RUN --ssh go test will not return successfully because modules might need to be downloaded so must be root for --ssh access but then postgres initdb will fail.

Obviously that's not an embedded-postgres problem, but IMO having a embedded-postgres run as root and fork as nonroot process just makes it a lot more flexible for developers.

At the moment we are using a fork of embedded-postgres which allows us to just specify a different nonroot user for the postgres process.

Will submit the failure logs as a different PR though.

same-id avatar Aug 21 '22 18:08 same-id

Support for root user to init db would be very helpful

niclausse avatar Nov 21 '23 03:11 niclausse