Polish "Allow running under root on Linux when unshare is available"

tomix26 · tomix26 · commit 97f7211516d0 · 2020-08-16T15:55:36.000+02:00
diff --git a/README.md b/README.md
@@ -150,17 +150,21 @@ Since `PostgreSQL 10.0`, there are additional artifacts with `alpine-lite` suffi
 
 ### Process [/tmp/embedded-pg/PG-XYZ/bin/initdb, ...] failed
 
-Try to remove `/tmp/embedded-pg/PG-XYZ` directory containing temporary binaries of the embedded postgres database. That should solve the problem. 
+Check the console output for an `initdb: cannot be run as root` message. If the error is present, try to upgrade to a newer version of the library (1.2.8+), or ensure the build process to be running as a non-root user.
+
+If the error is not present, try to clean up the `/tmp/embedded-pg/PG-XYZ` directory containing temporary binaries of the embedded database. 
 
 ### Running tests on Windows does not work
 
-You probably need to install the [Microsoft Visual C++ 2013 Redistributable Package](https://support.microsoft.com/en-us/help/3179560/update-for-visual-c-2013-and-visual-c-redistributable-package). The version 2013 is important, installation of other versions will not help. More detailed is the problem discussed [here](https://github.com/opentable/otj-pg-embedded/issues/65).
+You probably need to install [Microsoft Visual C++ 2013 Redistributable Package](https://support.microsoft.com/en-us/help/3179560/update-for-visual-c-2013-and-visual-c-redistributable-package). The version 2013 is important, installation of other versions will not help. More detailed is the problem discussed [here](https://github.com/opentable/otj-pg-embedded/issues/65).
+
+### Running tests in Docker does not work
 
-### Running tests inside Docker does not work
+Running builds inside a Docker container is fully supported, including Alpine Linux. However, PostgreSQL has a restriction the database process must run under a non-root user. Otherwise, the database does not start and fails with an error.  
 
-Running build inside Docker is fully supported, including Alpine Linux. But you must keep in mind that the **PostgreSQL database must be run under a non-root user**. Otherwise, the database does not start and fails with an error.
+So be sure to use a docker image that uses a non-root user. Or, since version `1.2.8` you can run the docker container with `--privileged` option, which allows taking advantage of `unshare` command to run the database process in a separate namespace.
 
-So be sure to use a docker image that uses a non-root user, or you can use any of the following Dockerfiles to prepare your own image.
+Below are some examples of how to prepare a docker image running with a non-root user:
 
 <details>
   <summary>Standard Dockerfile</summary>
diff --git a/src/main/java/io/zonky/test/db/postgres/embedded/EmbeddedPostgres.java b/src/main/java/io/zonky/test/db/postgres/embedded/EmbeddedPostgres.java
@@ -13,8 +13,12 @@
  */
 package io.zonky.test.db.postgres.embedded;
 
-
-import java.io.*;
+import java.io.ByteArrayInputStream;
+import java.io.Closeable;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
 import java.net.InetAddress;
 import java.net.InetSocketAddress;
 import java.net.ServerSocket;
@@ -66,7 +70,8 @@
 import org.slf4j.LoggerFactory;
 import org.tukaani.xz.XZInputStream;
 
-import static io.zonky.test.db.postgres.util.LinuxUtils.isUnshareUseable;
+import io.zonky.test.db.postgres.util.LinuxUtils;
+
 import static java.nio.file.StandardOpenOption.CREATE;
 import static java.nio.file.StandardOpenOption.WRITE;
 import static java.util.Collections.unmodifiableMap;
@@ -99,7 +104,6 @@ public class EmbeddedPostgres implements Closeable
     private volatile FileOutputStream lockStream;
     private volatile FileLock lock;
     private final boolean cleanDataDirectory;
-    private static boolean useUnshare;
 
     private final ProcessBuilder.Redirect errorRedirector;
     private final ProcessBuilder.Redirect outputRedirector;
@@ -129,8 +133,6 @@ public class EmbeddedPostgres implements Closeable
         this.pgStartupWait = pgStartupWait;
         Objects.requireNonNull(this.pgStartupWait, "Wait time cannot be null");
 
-        useUnshare = isUnshareUseable();
-
         if (parentDirectory != null) {
             mkdirs(parentDirectory);
             cleanOldDataDirectories(parentDirectory);
@@ -239,12 +241,12 @@ private void initdb()
     {
         final StopWatch watch = new StopWatch();
         watch.start();
-        List<String> command = new ArrayList<>();
-        command.addAll(Arrays.asList(
+        List<String> args = new ArrayList<>();
+        args.addAll(Arrays.asList(
                 "-A", "trust", "-U", PG_SUPERUSER,
                 "-D", dataDirectory.getPath(), "-E", "UTF-8"));
-        command.addAll(createLocaleOptions());
-        system(pgBin("initdb"), command);
+        args.addAll(createLocaleOptions());
+        system(INIT_DB, args);
         LOG.info("{} initdb completed in {}", instanceId, watch);
     }
 
@@ -257,21 +259,19 @@ private void startPostmaster() throws IOException
         }
 
         final List<String> args = new ArrayList<>();
-        args.addAll(pgBin("postgres"));
-        args.addAll(Arrays.asList(
-                "-D", dataDirectory.getPath()
-        ));
+        args.addAll(Arrays.asList("-D", dataDirectory.getPath()));
         args.addAll(createInitOptions());
 
-        final ProcessBuilder builder = new ProcessBuilder(args);
+        final ProcessBuilder builder = new ProcessBuilder();
+        POSTGRES.applyTo(builder, args);
 
         builder.redirectErrorStream(true);
         builder.redirectError(errorRedirector);
         builder.redirectOutput(outputRedirector);
         final Process postmaster = builder.start();
 
         if (outputRedirector.type() == ProcessBuilder.Redirect.Type.PIPE) {
-            ProcessOutputLogger.logOutput(LOG, postmaster, "postgres");
+            ProcessOutputLogger.logOutput(LOG, postmaster, POSTGRES.processName());
         }
 
         LOG.info("{} postmaster started as {} on port {}.  Waiting up to {} for server startup to finish.", instanceId, postmaster.toString(), port, pgStartupWait);
@@ -416,7 +416,7 @@ private void pgCtl(File dir, String action)
                 "-m", PG_STOP_MODE, "-t",
                 PG_STOP_WAIT_S, "-w"
         ));
-        system(pgBin("pg_ctl"), args);
+        system(PG_CTL, args);
     }
 
     private void cleanOldDataDirectories(File parentDirectory)
@@ -463,19 +463,6 @@ private void cleanOldDataDirectories(File parentDirectory)
         }
     }
 
-    private List<String> pgBin(String binaryName)
-    {
-        final List<String> args = new ArrayList<>();
-        if (useUnshare) {
-            args.addAll(Arrays.asList(
-                    "unshare", "-U"
-            ));
-        }
-        final String extension = SystemUtils.IS_OS_WINDOWS ? ".exe" : "";
-        args.add(new File(pgDir, "bin/" + binaryName + extension).getPath());
-        return args;
-    }
-
     private static File getWorkingDirectory()
     {
         final File tempWorkingDirectory = new File(System.getProperty("java.io.tmpdir"), "embedded-pg");
@@ -623,24 +610,23 @@ public int hashCode() {
         }
     }
 
-    private void system(List<String> bin, List<String> args)
+    private void system(Command command, List<String> args)
     {
-        final List<String> command = new ArrayList<>();
-        command.addAll(bin);
-        command.addAll(args);
         try {
-            final ProcessBuilder builder = new ProcessBuilder(command);
+            final ProcessBuilder builder = new ProcessBuilder();
+
+            command.applyTo(builder, args);
             builder.redirectErrorStream(true);
             builder.redirectError(errorRedirector);
             builder.redirectOutput(outputRedirector);
+
             final Process process = builder.start();
 
             if (outputRedirector.type() == ProcessBuilder.Redirect.Type.PIPE) {
-                String processName = bin.get(bin.size() - 1).replaceAll("^.*[\\\\/](\\w+)(\\.exe)?$", "$1");
-                ProcessOutputLogger.logOutput(LOG, process, processName);
+                ProcessOutputLogger.logOutput(LOG, process, command.processName());
             }
             if (0 != process.waitFor()) {
-                throw new IllegalStateException(String.format("Process %s failed", Arrays.asList(command)));
+                throw new IllegalStateException(String.format("Process %s failed", builder.command()));
             }
         } catch (final RuntimeException e) { // NOPMD
             throw e;
@@ -853,4 +839,35 @@ public String toString()
     {
         return "EmbeddedPG-" + instanceId;
     }
+
+    private final Command INIT_DB = new Command("initdb");
+    private final Command POSTGRES = new Command("postgres");
+    private final Command PG_CTL = new Command("pg_ctl");
+
+    private class Command {
+
+        private final String commandName;
+
+        private Command(String commandName) {
+            this.commandName = commandName;
+        }
+
+        public String processName() {
+            return commandName;
+        }
+
+        public void applyTo(ProcessBuilder builder, List<String> arguments) {
+            List<String> command = new ArrayList<>();
+
+            if (LinuxUtils.isUnshareAvailable()) {
+                command.addAll(Arrays.asList("unshare", "-U"));
+            }
+
+            String extension = SystemUtils.IS_OS_WINDOWS ? ".exe" : "";
+            command.add(new File(pgDir, "bin/" + commandName + extension).getPath());
+            command.addAll(arguments);
+
+            builder.command(command);
+        }
+    }
 }
diff --git a/src/main/java/io/zonky/test/db/postgres/util/LinuxUtils.java b/src/main/java/io/zonky/test/db/postgres/util/LinuxUtils.java
@@ -22,13 +22,9 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
-import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.util.ArrayList;
-import java.util.Arrays;
-import java.util.List;
 
 import static java.nio.charset.StandardCharsets.UTF_8;
 import static java.nio.file.StandardCopyOption.REPLACE_EXISTING;
@@ -38,16 +34,17 @@ public final class LinuxUtils {
     private static final Logger logger = LoggerFactory.getLogger(LinuxUtils.class);
 
     private static final String DISTRIBUTION_NAME = resolveDistributionName();
-
-    private static final boolean UNSHARE_USEABLE = unshareUseable();
+    private static final boolean UNSHARE_AVAILABLE = unshareAvailable();
 
     private LinuxUtils() {}
 
     public static String getDistributionName() {
         return DISTRIBUTION_NAME;
     }
 
-    public static boolean isUnshareUseable() { return UNSHARE_USEABLE; }
+    public static boolean isUnshareAvailable() {
+        return UNSHARE_AVAILABLE;
+    }
 
     private static String resolveDistributionName() {
         if (!SystemUtils.IS_OS_LINUX) {
@@ -95,46 +92,36 @@ private static String resolveDistributionName() {
         }
     }
 
-    private static boolean unshareUseable() {
-        if (SystemUtils.IS_OS_LINUX) {
-            int uid;
-            try {
-                Class<?> c = Class.forName("com.sun.security.auth.module.UnixSystem");
-                Object o = c.getDeclaredConstructor().newInstance();
-                Method method = c.getDeclaredMethod("getUid");
-                uid = ((Number) method.invoke(o)).intValue();
-            } catch (ClassNotFoundException | IllegalAccessException | InstantiationException |
-                    NoSuchMethodException | InvocationTargetException e) {
+    private static boolean unshareAvailable() {
+        if (!SystemUtils.IS_OS_LINUX) {
+            return false;
+        }
+
+        try {
+            Class<?> clazz = Class.forName("com.sun.security.auth.module.UnixSystem");
+            Object instance = clazz.getDeclaredConstructor().newInstance();
+            Method method = clazz.getDeclaredMethod("getUid");
+            int uid = ((Number) method.invoke(instance)).intValue();
+
+            if (uid != 0) {
                 return false;
             }
-            if (uid == 0) {
-                final List<String> command = new ArrayList<>();
-                command.addAll(Arrays.asList(
-                        "unshare", "-U",
-                        "id", "-u"
-                ));
-                final ProcessBuilder builder = new ProcessBuilder(command);
-                final Process process;
-                try {
-                    process = builder.start();
-                } catch (IOException e) {
-                    return false;
-                }
-                BufferedReader br = new BufferedReader(new InputStreamReader(process.getInputStream()));
-                try {
-                    process.waitFor();
-                } catch (InterruptedException e) {
-                    return false;
-                }
-                try {
-                    if (process.exitValue() == 0 && br.readLine() != "0") {
-                        return true;
-                    }
-                } catch (IOException e) {
-                    return false;
+
+            ProcessBuilder builder = new ProcessBuilder();
+            builder.command("unshare", "-U", "id", "-u");
+
+            Process process = builder.start();
+            process.waitFor();
+
+            try (BufferedReader outputReader = new BufferedReader(new InputStreamReader(process.getInputStream(), UTF_8))) {
+                if (process.exitValue() == 0 && !"0".equals(outputReader.readLine())) {
+                    return true;
                 }
             }
+
+            return false;
+        } catch (Exception e) {
+            return false;
         }
-        return false;
     }
 }
