Skip to content

docker arbitrary user support via PUID and PGID #9633

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
khushboovashi merged 8 commits into from
Feb 24, 2026
Merged

docker arbitrary user support via PUID and PGID #9633

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
e2dd738
add su-exec and remove hardcoded user
kon-foo Feb 10, 2026
e540336
rassign pgadmin user to pass PUID and PGID, chwon required files, use…
kon-foo Feb 10, 2026
6e8fe13
set SU_EXEC var to prevent running as 5050:0 when someone uses the Do…
kon-foo Feb 10, 2026
ae4229f
Merge branch 'pgadmin-org:master' into feature/docker-arbitrary-user-…
kon-foo Feb 13, 2026
d518f88
chown /certs when using PUID/GUID
kon-foo Feb 13, 2026
7a2d48d
add safe_chown function to check if dir/file exists and if it already…
kon-foo Feb 20, 2026
d3f2eb5
fix: check against correct parameters
kon-foo Feb 20, 2026
7ee0af1
issue warning when usermod fails
kon-foo Feb 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 2 additions & 3 deletions Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -165,7 +165,8 @@ RUN apk update && apk upgrade && \
tzdata \
libedit \
libldap \
libcap && \
libcap \
su-exec && \
rm -rf /var/cache/apk/*

# Copy in the Python packages
Expand Down Expand Up @@ -206,8 +207,6 @@ RUN /venv/bin/python3 -m pip install --no-cache-dir gunicorn==23.0.0 && \
echo "pgadmin ALL = NOPASSWD: /usr/sbin/postfix start" > /etc/sudoers.d/postfix && \
echo "pgadminr ALL = NOPASSWD: /usr/sbin/postfix start" >> /etc/sudoers.d/postfix

USER 5050

# Finish up
VOLUME /var/lib/pgadmin
EXPOSE 80 443
Expand Down
50 changes: 48 additions & 2 deletions pkg/docker/entrypoint.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,23 @@
#!/usr/bin/env bash
PUID=${PUID:-5050}
PGID=${PGID:-0}

if [ "$(id -u)" = "0" ]; then
# Ensure a group with the target GID exists
if ! getent group "$PGID" > /dev/null 2>&1; then
addgroup -g "$PGID" pggroup
fi

# Reassign the pgadmin user to the desired UID/GID
usermod -o -u "$PUID" -g "$PGID" pgadmin 2>&1 || \
echo "WARNING: usermod failed for UID=$PUID GID=$PGID"

# Compose su-exec command
SU_EXEC="su-exec $PUID:$PGID"
echo "pgAdmin will run as UID=$PUID, GID=$PGID"
else
SU_EXEC=""
fi

# Fixup the passwd file, in case we're on OpenShift
if ! whoami > /dev/null 2>&1; then
Expand All @@ -9,6 +28,27 @@ if ! whoami > /dev/null 2>&1; then
fi
fi

# Helper: chown a path only if it exists and isn't already owned correctly
safe_chown() {
local target="$1"
local owner="$2:$3" # UID:GID

# Skip if path doesn't exist
[ -e "$target" ] || return 0

# Get current ownership
local current_uid current_gid
current_uid=$(stat -c '%u' "$target")
current_gid=$(stat -c '%g' "$target")

# Skip if already owned correctly
if [ "$current_uid" = "$2" ] && [ "$current_gid" = "$3" ]; then
return 0
fi

chown -R "$owner" "$target"
}

# usage: file_env VAR [DEFAULT] ie: file_env 'XYZ_DB_PASSWORD' 'example'
# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
# "$XYZ_DB_PASSWORD" from a file, for Docker's secrets feature)
Expand Down Expand Up @@ -178,6 +218,12 @@ fi
# to define the Gunicorn worker timeout
TIMEOUT=$(cd /pgadmin4 && /venv/bin/python3 -c 'import config; print(config.SESSION_EXPIRATION_TIME * 60 * 60 * 24)')

if [ "$(id -u)" = "0" ]; then
for path in /run/pgadmin /var/lib/pgadmin "$CONFIG_DISTRO_FILE_PATH" /certs; do
safe_chown "$path" "$PUID" "$PGID"
done
fi

# NOTE: currently pgadmin can run only with 1 worker due to sessions implementation
# Using --threads to have multi-threaded single-process worker

Expand All @@ -192,7 +238,7 @@ else
fi

if [ -n "${PGADMIN_ENABLE_TLS}" ]; then
exec /venv/bin/gunicorn --limit-request-line "${GUNICORN_LIMIT_REQUEST_LINE:-8190}" --timeout "${TIMEOUT}" --bind "${BIND_ADDRESS}" -w 1 --threads "${GUNICORN_THREADS:-25}" --access-logfile "${GUNICORN_ACCESS_LOGFILE:--}" --keyfile /certs/server.key --certfile /certs/server.cert -c gunicorn_config.py run_pgadmin:app
exec $SU_EXEC /venv/bin/gunicorn --limit-request-line "${GUNICORN_LIMIT_REQUEST_LINE:-8190}" --timeout "${TIMEOUT}" --bind "${BIND_ADDRESS}" -w 1 --threads "${GUNICORN_THREADS:-25}" --access-logfile "${GUNICORN_ACCESS_LOGFILE:--}" --keyfile /certs/server.key --certfile /certs/server.cert -c gunicorn_config.py run_pgadmin:app
else
exec /venv/bin/gunicorn --limit-request-line "${GUNICORN_LIMIT_REQUEST_LINE:-8190}" --limit-request-fields "${GUNICORN_LIMIT_REQUEST_FIELDS:-100}" --limit-request-field_size "${GUNICORN_LIMIT_REQUEST_FIELD_SIZE:-8190}" --timeout "${TIMEOUT}" --bind "${BIND_ADDRESS}" -w 1 --threads "${GUNICORN_THREADS:-25}" --access-logfile "${GUNICORN_ACCESS_LOGFILE:--}" -c gunicorn_config.py run_pgadmin:app
exec $SU_EXEC /venv/bin/gunicorn --limit-request-line "${GUNICORN_LIMIT_REQUEST_LINE:-8190}" --limit-request-fields "${GUNICORN_LIMIT_REQUEST_FIELDS:-100}" --limit-request-field_size "${GUNICORN_LIMIT_REQUEST_FIELD_SIZE:-8190}" --timeout "${TIMEOUT}" --bind "${BIND_ADDRESS}" -w 1 --threads "${GUNICORN_THREADS:-25}" --access-logfile "${GUNICORN_ACCESS_LOGFILE:--}" -c gunicorn_config.py run_pgadmin:app
fi
Loading