see if we can do it without root

jphenow · jphenow · commit 681ea1855590 · 2025-05-21T15:12:45.000-05:00
diff --git a/Dockerfile b/Dockerfile
@@ -1,8 +1,5 @@
 FROM percona/percona-postgresql-operator:2.6.0-ppg16.8-postgres
 
-# Switch to root user temporarily to gain necessary privileges for setup
-USER 0
-
 COPY postgres-oom-adjuster.sh /usr/local/bin/
 COPY entrypoint-wrapper.sh /usr/local/bin/
 
diff --git a/entrypoint-wrapper.sh b/entrypoint-wrapper.sh
@@ -2,34 +2,23 @@
 set -e
 
 # For Percona PostgreSQL Operator, we need to focus on protecting the postmaster process
-# Original user in the Percona PostgreSQL Operator image
-ORIGINAL_USER=26
 ORIGINAL_ENTRYPOINT="/opt/crunchy/bin/postgres-ha/bootstrap-postgres-ha.sh"
 
-# Set OOM score adjustment for our own process (will be inherited)
-if [ -f "/proc/self/oom_score_adj" ]; then
-    echo -900 > /proc/self/oom_score_adj
-    echo "Set OOM score adjustment to -900 for pid 1"
-else
-    echo "WARNING: Cannot set OOM score adjustment (file not found)"
+# Try to set OOM score adjustment if possible, but don't fail if we can't
+if command -v sudo >/dev/null 2>&1; then
+  # If sudo is available, use it to set OOM score
+  sudo -n sh -c 'echo -900 > /proc/self/oom_score_adj' >/dev/null 2>&1 || true
+  echo "Attempted to set OOM score adjustment using sudo"
+elif command -v setcap >/dev/null 2>&1; then
+  # Try to give the oom-adjuster script the capability to adjust OOM scores
+  setcap 'cap_sys_resource=+ep' /usr/local/bin/postgres-oom-adjuster.sh >/dev/null 2>&1 || true
+  echo "Attempted to grant capabilities to OOM adjuster"
 fi
 
-# Start the OOM adjuster in the background
+# Start a background process to monitor and adjust PostgreSQL if possible
 nohup /usr/local/bin/postgres-oom-adjuster.sh >> /tmp/postgres-oom-adjuster.log 2>&1 &
 echo "Started postmaster OOM adjuster in background"
 
-# Set environment variables for PostgreSQL child processes
-export PG_OOM_ADJUST_FILE=/proc/self/oom_score_adj
-export PG_OOM_ADJUST_VALUE=0
-
-# Switching to the original user and executing original entrypoint
-echo "Switching to user $ORIGINAL_USER and executing original entrypoint: $ORIGINAL_ENTRYPOINT $@"
-
-# Check which user-switching command is available
-if command -v runuser >/dev/null 2>&1; then
-    # Use runuser (available on RHEL/CentOS/Fedora)
-    exec runuser -u "#$ORIGINAL_USER" -- "$ORIGINAL_ENTRYPOINT" "$@"
-else
-    # Fall back to su
-    exec su -s /bin/bash $ORIGINAL_USER -c "$ORIGINAL_ENTRYPOINT $*"
-fi
+# Execute the original entrypoint
+echo "Executing original entrypoint: $ORIGINAL_ENTRYPOINT $@"
+exec "$ORIGINAL_ENTRYPOINT" "$@"
