In this blog post I want to point out a simple topic: how to run a simple PostgreSQL Docker image as a non-productive container in OpenShift. As you may know, OpenShift by default doesn’t allow container images to run as root.
The image below shows the result of simply deploying the PostgreSQL image from Docker Hub.

It’s possible to enable images to run as root on OpenShift by adding a service account; that’s documented in the OpenShift documentation.
In this blog post, however, we choose an alternative way in which we don’t change the security settings in OpenShift; instead we customize the PostgreSQL Docker image a bit. We will follow the steps to create a PostgreSQL database on OpenShift, using the creation of the PostgreSQL database called database-articles for the Cloud Native Starter reactive example.
These are the major steps:
- Write the specifications and configurations for:
  - the Dockerfile
  - the yaml with a Kubernetes Deployment and a Kubernetes Service specification
- Execute the oc CLI commands to:
  - create an OpenShift project
  - create an OpenShift build configuration
  - start the build
  - apply the Deployment and Service specification
  - expose the Service
Specifications and configurations
Dockerfile
In the Dockerfile below you see that it specifies a non-root user and group. The user is called non-root-postgres-user. That user gets all access rights to the /temp folder to create the needed database files in the container. The chmod 777 makes /temp world-writable, so the database files can be created there whichever user ID the container ends up running with. To run the container later as non-root, we change the user for the execution to non-root-postgres-user.

```dockerfile
FROM postgres:12

# Create the needed temp folder before the first PostgreSQL execution
RUN mkdir temp

# Create group and user
RUN groupadd non-root-postgres-group
RUN useradd non-root-postgres-user --group non-root-postgres-group

# Set user rights to allow the non-root-postgres-user
# to access the temp folder
RUN chown -R non-root-postgres-user:non-root-postgres-group /temp
RUN chmod 777 /temp

# Change to non-root privilege (must match the user created above)
USER non-root-postgres-user
```
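A pre-build check for the Dockerfile described above, as an added example that is not part of the original post: it verifies that the last USER instruction names a non-root account that a useradd line in the same file actually creates. The function names and the sample Dockerfiles are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: pre-build check that a Dockerfile ends up running as a
# non-root account that the Dockerfile itself created.
# Function names and the sample Dockerfiles are constructed for illustration.

# Print the argument of the last USER instruction (empty if there is none).
final_user() {
  awk 'toupper($1) == "USER" { u = $2 } END { print u }' "$1"
}

# Exit 0 if some "RUN useradd ..." line in file $1 names the account $2.
user_is_created() {
  awk -v want="$2" '
    toupper($1) == "RUN" && $2 == "useradd" {
      for (i = 3; i <= NF; i++) if ($i == want) found = 1
    }
    END { exit !found }' "$1"
}

# Return 0 only if the final USER is non-root and resolvable at run time.
check_nonroot() {
  f=$1
  u=$(final_user "$f")
  u=${u%%:*}                       # drop an optional ":group" suffix
  if [ -z "$u" ]; then
    echo "FAIL $f: no USER instruction, base image default applies"; return 1
  fi
  case $u in
    root|0) echo "FAIL $f: final USER is root"; return 1 ;;
    *[!0-9]*) ;;                   # a name: must be created in this file
    *) echo "OK $f: numeric UID $u"; return 0 ;;
  esac
  if ! user_is_created "$f" "$u"; then
    echo "FAIL $f: USER $u is not created by any useradd in this file"; return 1
  fi
  echo "OK $f: runs as $u"
}

# Constructed sample inputs, written to a temporary directory.
tmp=$(mktemp -d)
printf '%s\n' 'FROM postgres:12' 'RUN groupadd non-root-postgres-group' \
  'RUN useradd non-root-postgres-user --group non-root-postgres-group' \
  'USER non-root-postgres-user' > "$tmp/good"
sed 's/^USER .*/USER non-root-postgres/' "$tmp/good" > "$tmp/mismatch"
printf '%s\n' 'FROM postgres:12' > "$tmp/nouser"
for name in good mismatch nouser; do check_nonroot "$tmp/$name" || true; done
```

The check only knows about accounts created in the file itself, so a USER that names an account shipped in the base image is reported as a failure and needs a manual look.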
The Kubernetes Deployment and Kubernetes Service specification
In the Deployment and Service specification for OpenShift we need to define the name for the Pod and Service. As you see in the yaml extract below, the name is database-articles; that’s needed by our Cloud Native Starter example application. The env settings the PostgreSQL container needs to create the database in the container are defined in the spec.template.spec.containers.env section of the Deployment in the yaml.
You can find the definition of that environment configuration on the PostgreSQL Docker image page on Docker Hub.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: database-articles
  name: database-articles
  namespace: postgres
spec:
  selector:
    matchLabels:
      app: database-articles
  template:
    metadata:
      labels:
        app: database-articles
    spec:
      containers:
      - env:
        - name: POSTGRES_DB
          value: postgres
        - name: POSTGRES_USER
          value: postgres
        - name: POSTGRES_PASSWORD
          value: postgres
        - name: PGDATA
          value: /temp/data
        image: image-registry.openshift-image-registry.svc:5000/postgres/build-postgres:latest
        imagePullPolicy: Always
        name: postgres
        ports:
        - containerPort: 5432
          protocol: TCP
        resources:
          limits:
            cpu: 60m
            memory: 512Mi
          requests:
            cpu: 30m
            memory: 128Mi
      restartPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: database-articles
  name: database-articles
  namespace: postgres
spec:
  ports:
  - name: http
    port: 5432
    protocol: TCP
  selector:
    app: database-articles
```
Deploy postgreSQL with the oc CLI commands
- To separate the PostgreSQL database from the Cloud Native Starter example application, we create an additional project called postgres in OpenShift.

  ```sh
  oc new-project postgres
  ```

- Then we create an OpenShift build configuration. The name of the configuration is build-postgres. The reason why we don’t use the same name as for the Deployment and Service (you remember, the name is database-articles) is that later we may want to automate the deployment to OpenShift with a bash script, and in that bash script we will use grep and awk to verify the oc CLI outputs to get the status of the deployment.

  ```sh
  oc new-build --name build-postgres --binary --strategy docker
  ```

- Now it’s time to start the build and then directly apply the Kubernetes Deployment and Kubernetes Service specification in postgres-oc.yaml.

  ```sh
  oc start-build build-postgres --from-dir=.
  oc apply -f ./postgres-oc.yaml
  ```

- The last step is to expose the service, so that we can access our database with our sample application.

  ```sh
  oc expose svc/database-articles
  ```
In the following gif you see the result of the steps above in an OpenShift cluster on IBM Cloud.

I hope this was useful for you and let’s see what’s next?
Greetings,
Thomas
PS: You can try out Cloud Foundry Apps or Kubernetes on IBM Cloud. By the way, you can use the IBM Cloud for free, if you simply create an IBM Lite account. Here you only need an e-mail address.
