diff --git a/.github/workflows/verify-templating.yml b/.github/workflows/verify-templating.yml index 9ece508df6..e822ba6bb9 100644 --- a/.github/workflows/verify-templating.yml +++ b/.github/workflows/verify-templating.yml @@ -15,9 +15,5 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - - name: Apply Templates - run: ./apply-templates.sh - - name: Check Git Status - run: | - status="$(git status --short)" - [ -z "$status" ] + - run: ./apply-templates.sh + - run: git diff --exit-code diff --git a/12/alpine3.19/Dockerfile b/12/alpine3.19/Dockerfile deleted file mode 100644 index e3f5683277..0000000000 --- a/12/alpine3.19/Dockerfile +++ /dev/null @@ -1,234 +0,0 @@ -# -# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" -# -# PLEASE DO NOT EDIT IT DIRECTLY. -# - -FROM alpine:3.19 - -# 70 is the standard uid/gid for "postgres" in Alpine -# https://git.alpinelinux.org/aports/tree/main/postgresql/postgresql.pre-install?h=3.12-stable -RUN set -eux; \ - addgroup -g 70 -S postgres; \ - adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \ -# also create the postgres user's home directory with appropriate permissions -# see https://github.com/docker-library/postgres/issues/274 - install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql - -# grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 -RUN set -eux; \ - \ - apk add --no-cache --virtual .gosu-deps \ - ca-certificates \ - dpkg \ - gnupg \ - ; \ - \ - dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ - wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ - \ -# verify the signature - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ - \ -# clean up fetch dependencies - apk del --no-network .gosu-deps; \ - \ - chmod +x /usr/local/bin/gosu; \ -# verify that the binary works - gosu --version; \ - gosu nobody true -RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+) - -# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default -# alpine doesn't require explicit locale-file generation -ENV LANG en_US.utf8 - -RUN mkdir /docker-entrypoint-initdb.d - -ENV PG_MAJOR 12 -ENV PG_VERSION 12.20 -ENV PG_SHA256 2d543af3009fec7fd5af35f7a70c95085d3eef6b508e517aa9493e99b15e9ea9 - -ENV DOCKER_PG_LLVM_DEPS \ - llvm15-dev \ - clang15 - -RUN set -eux; \ - \ - wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \ - echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c -; \ - mkdir -p /usr/src/postgresql; \ - tar \ - --extract \ - --file postgresql.tar.bz2 \ - --directory /usr/src/postgresql \ - --strip-components 1 \ - ; \ - rm postgresql.tar.bz2; \ - \ - apk add --no-cache --virtual .build-deps \ - $DOCKER_PG_LLVM_DEPS \ - bison \ - coreutils \ - dpkg-dev dpkg \ - flex \ - g++ \ - gcc \ - krb5-dev \ - libc-dev \ - libedit-dev \ - libxml2-dev \ - libxslt-dev \ - linux-headers \ - make \ - openldap-dev \ - openssl-dev \ - perl-dev \ - perl-ipc-run \ - perl-utils \ - python3-dev \ - tcl-dev \ - util-linux-dev \ - zlib-dev \ -# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13 - icu-dev \ - ; \ - \ - cd /usr/src/postgresql; \ -# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian) -# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f - awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \ - grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \ - mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \ - gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ -# explicitly update autoconf config.guess and config.sub so they support more arches/libcs - wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb'; \ - wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb'; \ - \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n158 - export LLVM_CONFIG="/usr/lib/llvm15/bin/llvm-config"; \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n163 - export CLANG=clang-15; \ - \ -# configure options taken from: -# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5 - ./configure \ - --enable-option-checking=fatal \ - --build="$gnuArch" \ -# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'" -# --enable-nls \ - --enable-integer-datetimes \ - --enable-thread-safety \ - --enable-tap-tests \ -# skip debugging info -- we want tiny size instead -# --enable-debug \ - --disable-rpath \ - --with-uuid=e2fs \ - --with-gnu-ld \ - --with-pgport=5432 \ - --with-system-tzdata=/usr/share/zoneinfo \ - --prefix=/usr/local \ - --with-includes=/usr/local/include \ - --with-libraries=/usr/local/lib \ - --with-gssapi \ - --with-ldap \ - --with-tcl \ - --with-perl \ - --with-python \ -# --with-pam \ - --with-openssl \ - --with-libxml \ - --with-libxslt \ - --with-icu \ - --with-llvm \ - ; \ - make -j "$(nproc)" world-bin; \ - make install-world-bin; \ - make -C contrib install; \ - \ - runDeps="$( \ - scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \ - | tr ',' '\n' \ - | sort -u \ - | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ -# Remove plperl, plpython and pltcl dependencies by default to save image size -# To use the pl extensions, those have to be installed in a derived image - | grep -v -e perl -e python -e tcl \ - )"; \ - apk add --no-cache --virtual .postgresql-rundeps \ - $runDeps \ - bash \ - tzdata \ - zstd \ -# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split - icu-data-full \ -# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le" -# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663 - $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \ - ; \ - apk del --no-network .build-deps; \ - cd /; \ - rm -rf \ - /usr/src/postgresql \ - /usr/local/share/doc \ - /usr/local/share/man \ - ; \ - \ - postgres --version - -# make the sample config easier to munge (and "correct by default") -RUN set -eux; \ - cp -v /usr/local/share/postgresql/postgresql.conf.sample /usr/local/share/postgresql/postgresql.conf.sample.orig; \ - sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \ - grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample - -RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql - -ENV PGDATA /var/lib/postgresql/data -# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values) -RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA" -VOLUME /var/lib/postgresql/data - -COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/ -RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh -ENTRYPOINT ["docker-entrypoint.sh"] - -# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL -# calls "Fast Shutdown mode" wherein new connections are disallowed and any -# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. -# -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. -# -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details -# about available PostgreSQL server shutdown signals. -# -# See also https://www.postgresql.org/docs/12/server-start.html for further -# justification of this as the default value, namely that the example (and -# shipped) systemd service files use the "Fast Shutdown mode" for service -# termination. -# -STOPSIGNAL SIGINT -# -# An additional setting that is recommended for all users regardless of this -# value is the runtime "--stop-timeout" (or your orchestrator/runtime's -# equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). -# -# The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes -# that even 90 seconds may not be long enough in many instances. - -EXPOSE 5432 -CMD ["postgres"] diff --git a/12/alpine3.20/Dockerfile b/12/alpine3.20/Dockerfile deleted file mode 100644 index 2c1db6c7f0..0000000000 --- a/12/alpine3.20/Dockerfile +++ /dev/null @@ -1,234 +0,0 @@ -# -# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" -# -# PLEASE DO NOT EDIT IT DIRECTLY. -# - -FROM alpine:3.20 - -# 70 is the standard uid/gid for "postgres" in Alpine -# https://git.alpinelinux.org/aports/tree/main/postgresql/postgresql.pre-install?h=3.12-stable -RUN set -eux; \ - addgroup -g 70 -S postgres; \ - adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \ -# also create the postgres user's home directory with appropriate permissions -# see https://github.com/docker-library/postgres/issues/274 - install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql - -# grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 -RUN set -eux; \ - \ - apk add --no-cache --virtual .gosu-deps \ - ca-certificates \ - dpkg \ - gnupg \ - ; \ - \ - dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ - wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ - \ -# verify the signature - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ - \ -# clean up fetch dependencies - apk del --no-network .gosu-deps; \ - \ - chmod +x /usr/local/bin/gosu; \ -# verify that the binary works - gosu --version; \ - gosu nobody true -RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+) - -# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default -# alpine doesn't require explicit locale-file generation -ENV LANG en_US.utf8 - -RUN mkdir /docker-entrypoint-initdb.d - -ENV PG_MAJOR 12 -ENV PG_VERSION 12.20 -ENV PG_SHA256 2d543af3009fec7fd5af35f7a70c95085d3eef6b508e517aa9493e99b15e9ea9 - -ENV DOCKER_PG_LLVM_DEPS \ - llvm15-dev \ - clang15 - -RUN set -eux; \ - \ - wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \ - echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c -; \ - mkdir -p /usr/src/postgresql; \ - tar \ - --extract \ - --file postgresql.tar.bz2 \ - --directory /usr/src/postgresql \ - --strip-components 1 \ - ; \ - rm postgresql.tar.bz2; \ - \ - apk add --no-cache --virtual .build-deps \ - $DOCKER_PG_LLVM_DEPS \ - bison \ - coreutils \ - dpkg-dev dpkg \ - flex \ - g++ \ - gcc \ - krb5-dev \ - libc-dev \ - libedit-dev \ - libxml2-dev \ - libxslt-dev \ - linux-headers \ - make \ - openldap-dev \ - openssl-dev \ - perl-dev \ - perl-ipc-run \ - perl-utils \ - python3-dev \ - tcl-dev \ - util-linux-dev \ - zlib-dev \ -# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13 - icu-dev \ - ; \ - \ - cd /usr/src/postgresql; \ -# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian) -# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f - awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \ - grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \ - mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \ - gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ -# explicitly update autoconf config.guess and config.sub so they support more arches/libcs - wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb'; \ - wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb'; \ - \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n158 - export LLVM_CONFIG="/usr/lib/llvm15/bin/llvm-config"; \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n163 - export CLANG=clang-15; \ - \ -# configure options taken from: -# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5 - ./configure \ - --enable-option-checking=fatal \ - --build="$gnuArch" \ -# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'" -# --enable-nls \ - --enable-integer-datetimes \ - --enable-thread-safety \ - --enable-tap-tests \ -# skip debugging info -- we want tiny size instead -# --enable-debug \ - --disable-rpath \ - --with-uuid=e2fs \ - --with-gnu-ld \ - --with-pgport=5432 \ - --with-system-tzdata=/usr/share/zoneinfo \ - --prefix=/usr/local \ - --with-includes=/usr/local/include \ - --with-libraries=/usr/local/lib \ - --with-gssapi \ - --with-ldap \ - --with-tcl \ - --with-perl \ - --with-python \ -# --with-pam \ - --with-openssl \ - --with-libxml \ - --with-libxslt \ - --with-icu \ - --with-llvm \ - ; \ - make -j "$(nproc)" world-bin; \ - make install-world-bin; \ - make -C contrib install; \ - \ - runDeps="$( \ - scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \ - | tr ',' '\n' \ - | sort -u \ - | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ -# Remove plperl, plpython and pltcl dependencies by default to save image size -# To use the pl extensions, those have to be installed in a derived image - | grep -v -e perl -e python -e tcl \ - )"; \ - apk add --no-cache --virtual .postgresql-rundeps \ - $runDeps \ - bash \ - tzdata \ - zstd \ -# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split - icu-data-full \ -# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le" -# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663 - $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \ - ; \ - apk del --no-network .build-deps; \ - cd /; \ - rm -rf \ - /usr/src/postgresql \ - /usr/local/share/doc \ - /usr/local/share/man \ - ; \ - \ - postgres --version - -# make the sample config easier to munge (and "correct by default") -RUN set -eux; \ - cp -v /usr/local/share/postgresql/postgresql.conf.sample /usr/local/share/postgresql/postgresql.conf.sample.orig; \ - sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \ - grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample - -RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql - -ENV PGDATA /var/lib/postgresql/data -# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values) -RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA" -VOLUME /var/lib/postgresql/data - -COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/ -RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh -ENTRYPOINT ["docker-entrypoint.sh"] - -# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL -# calls "Fast Shutdown mode" wherein new connections are disallowed and any -# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. -# -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. -# -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details -# about available PostgreSQL server shutdown signals. -# -# See also https://www.postgresql.org/docs/12/server-start.html for further -# justification of this as the default value, namely that the example (and -# shipped) systemd service files use the "Fast Shutdown mode" for service -# termination. -# -STOPSIGNAL SIGINT -# -# An additional setting that is recommended for all users regardless of this -# value is the runtime "--stop-timeout" (or your orchestrator/runtime's -# equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). -# -# The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes -# that even 90 seconds may not be long enough in many instances. - -EXPOSE 5432 -CMD ["postgres"] diff --git a/13/alpine3.19/docker-ensure-initdb.sh b/13/alpine3.19/docker-ensure-initdb.sh deleted file mode 100755 index ae1f6b6b90..0000000000 --- a/13/alpine3.19/docker-ensure-initdb.sh +++ /dev/null @@ -1,71 +0,0 @@ -#!/usr/bin/env bash -set -Eeuo pipefail - -# -# This script is intended for three main use cases: -# -# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior -# -# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution -# (no-op if database is already initialized) -# -# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use -# (error if database is already initialized) -# - -source /usr/local/bin/docker-entrypoint.sh - -# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there) -if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then - set -- postgres "$@" -fi - -# see also "_main" in "docker-entrypoint.sh" - -docker_setup_env -# setup data directories and permissions (when run as root) -docker_create_db_directories -if [ "$(id -u)" = '0' ]; then - # then restart script as postgres user - exec gosu postgres "$BASH_SOURCE" "$@" -fi - -# only run initialization on an empty data directory -if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir - pg_setup_hba_conf "$@" - - # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless - # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - docker_temp_server_start "$@" - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - docker_temp_server_stop - unset PGPASSWORD -else - self="$(basename "$0")" - case "$self" in - docker-ensure-initdb.sh) - echo >&2 "$self: note: database already initialized in '$PGDATA'!" - exit 0 - ;; - - docker-enforce-initdb.sh) - echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!" - exit 1 - ;; - - *) - echo >&2 "$self: error: unknown file name: $self" - exit 99 - ;; - esac -fi diff --git a/13/alpine3.19/docker-entrypoint.sh b/13/alpine3.19/docker-entrypoint.sh deleted file mode 100755 index 6f59993e08..0000000000 --- a/13/alpine3.19/docker-entrypoint.sh +++ /dev/null @@ -1,356 +0,0 @@ -#!/usr/bin/env bash -set -Eeo pipefail -# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) - -# usage: file_env VAR [DEFAULT] -# ie: file_env 'XYZ_DB_PASSWORD' 'example' -# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of -# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) -file_env() { - local var="$1" - local fileVar="${var}_FILE" - local def="${2:-}" - if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then - printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" - exit 1 - fi - local val="$def" - if [ "${!var:-}" ]; then - val="${!var}" - elif [ "${!fileVar:-}" ]; then - val="$(< "${!fileVar}")" - fi - export "$var"="$val" - unset "$fileVar" -} - -# check to see if this file is being run or sourced from another script -_is_sourced() { - # https://unix.stackexchange.com/a/215279 - [ "${#FUNCNAME[@]}" -ge 2 ] \ - && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ - && [ "${FUNCNAME[1]}" = 'source' ] -} - -# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user -docker_create_db_directories() { - local user; user="$(id -u)" - - mkdir -p "$PGDATA" - # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) - chmod 00700 "$PGDATA" || : - - # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 - mkdir -p /var/run/postgresql || : - chmod 03775 /var/run/postgresql || : - - # Create the transaction log directory before initdb is run so the directory is owned by the correct user - if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then - mkdir -p "$POSTGRES_INITDB_WALDIR" - if [ "$user" = '0' ]; then - find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + - fi - chmod 700 "$POSTGRES_INITDB_WALDIR" - fi - - # allow the container to be started with `--user` - if [ "$user" = '0' ]; then - find "$PGDATA" \! -user postgres -exec chown postgres '{}' + - find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + - fi -} - -# initialize empty PGDATA directory with new database via 'initdb' -# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function -# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames -# this is also where the database user is created, specified by `POSTGRES_USER` env -docker_init_database_dir() { - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - local uid; uid="$(id -u)" - if ! getent passwd "$uid" &> /dev/null; then - # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15) - local wrapper - for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do - if [ -s "$wrapper" ]; then - NSS_WRAPPER_PASSWD="$(mktemp)" - NSS_WRAPPER_GROUP="$(mktemp)" - export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - local gid; gid="$(id -g)" - printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD" - printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP" - break - fi - done - fi - - if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then - set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" - fi - - # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025 - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' - - # unset/cleanup "nss_wrapper" bits - if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi -} - -# print large warning if POSTGRES_PASSWORD is long -# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust' -# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' -# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] -docker_verify_minimum_env() { - case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 - # check password first so we can output the warning before postgres - # messes it up - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' - - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - - This will not work if used via PGPASSWORD with "psql". - - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 - - EOWARN - fi - ;; - esac - if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOE' - Error: Database is uninitialized and superuser password is not specified. - You must specify POSTGRES_PASSWORD to a non-empty value for the - superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run". - - You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all - connections without a password. This is *not* recommended. - - See PostgreSQL documentation about "trust": - https://www.postgresql.org/docs/current/auth-trust.html - EOE - exit 1 - fi - if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then - cat >&2 <<-'EOWARN' - ******************************************************************************** - WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow - anyone with access to the Postgres port to access your database without - a password, even if POSTGRES_PASSWORD is set. See PostgreSQL - documentation about "trust": - https://www.postgresql.org/docs/current/auth-trust.html - In Docker's default configuration, this is effectively any other - container on the same system. - - It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace - it with "-e POSTGRES_PASSWORD=password" instead to set a password in - "docker run". - ******************************************************************************** - EOWARN - fi -} - -# usage: docker_process_init_files [file [file [...]]] -# ie: docker_process_init_files /always-initdb.d/* -# process initializer files, based on file extensions and permissions -docker_process_init_files() { - # psql here for backwards compatibility "${psql[@]}" - psql=( docker_process_sql ) - - printf '\n' - local f - for f; do - case "$f" in - *.sh) - # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 - # https://github.com/docker-library/postgres/pull/452 - if [ -x "$f" ]; then - printf '%s: running %s\n' "$0" "$f" - "$f" - else - printf '%s: sourcing %s\n' "$0" "$f" - . "$f" - fi - ;; - *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;; - *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;; - *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;; - *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;; - *) printf '%s: ignoring %s\n' "$0" "$f" ;; - esac - printf '\n' - done -} - -# Execute sql script, passed via stdin (or -f flag of pqsl) -# usage: docker_process_sql [psql-cli-args] -# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' -# ie: docker_process_sql -f my-file.sql -# ie: docker_process_sql > "$PGDATA/pg_hba.conf" -} - -# start socket-only postgresql server for setting up or running scripts -# all arguments will be passed along as arguments to `postgres` (via pg_ctl) -docker_temp_server_start() { - if [ "$1" = 'postgres' ]; then - shift - fi - - # internal start of server in order to allow setup using psql client - # does not listen on external TCP/IP and waits until start finishes - set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" - - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "$(printf '%q ' "$@")" \ - -w start -} - -# stop postgresql server after done setting up user and running scripts -docker_temp_server_stop() { - PGUSER="${PGUSER:-postgres}" \ - pg_ctl -D "$PGDATA" -m fast -w stop -} - -# check arguments for an option that would cause postgres to stop -# return true if there is one -_pg_want_help() { - local arg - for arg; do - case "$arg" in - # postgres --help | grep 'then exit' - # leaving out -C on purpose since it always fails and is unhelpful: - # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory - -'?'|--help|--describe-config|-V|--version) - return 0 - ;; - esac - done - return 1 -} - -_main() { - # if first arg looks like a flag, assume we want to run postgres server - if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" - fi - - if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then - docker_setup_env - # setup data directories and permissions (when run as root) - docker_create_db_directories - if [ "$(id -u)" = '0' ]; then - # then restart script as postgres user - exec gosu postgres "$BASH_SOURCE" "$@" - fi - - # only run initialization on an empty data directory - if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir - pg_setup_hba_conf "$@" - - # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless - # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - docker_temp_server_start "$@" - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - docker_temp_server_stop - unset PGPASSWORD - - cat <<-'EOM' - - PostgreSQL init process complete; ready for start up. - - EOM - else - cat <<-'EOM' - - PostgreSQL Database directory appears to contain a database; Skipping initialization - - EOM - fi - fi - - exec "$@" -} - -if ! _is_sourced; then - _main "$@" -fi diff --git a/13/alpine3.20/docker-ensure-initdb.sh b/13/alpine3.20/docker-ensure-initdb.sh deleted file mode 100755 index ae1f6b6b90..0000000000 --- a/13/alpine3.20/docker-ensure-initdb.sh +++ /dev/null @@ -1,71 +0,0 @@ -#!/usr/bin/env bash -set -Eeuo pipefail - -# -# This script is intended for three main use cases: -# -# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior -# -# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution -# (no-op if database is already initialized) -# -# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use -# (error if database is already initialized) -# - -source /usr/local/bin/docker-entrypoint.sh - -# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there) -if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then - set -- postgres "$@" -fi - -# see also "_main" in "docker-entrypoint.sh" - -docker_setup_env -# setup data directories and permissions (when run as root) -docker_create_db_directories -if [ "$(id -u)" = '0' ]; then - # then restart script as postgres user - exec gosu postgres "$BASH_SOURCE" "$@" -fi - -# only run initialization on an empty data directory -if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir - pg_setup_hba_conf "$@" - - # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless - # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - docker_temp_server_start "$@" - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - docker_temp_server_stop - unset PGPASSWORD -else - self="$(basename "$0")" - case "$self" in - docker-ensure-initdb.sh) - echo >&2 "$self: note: database already initialized in '$PGDATA'!" - exit 0 - ;; - - docker-enforce-initdb.sh) - echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!" - exit 1 - ;; - - *) - echo >&2 "$self: error: unknown file name: $self" - exit 99 - ;; - esac -fi diff --git a/13/alpine3.20/docker-entrypoint.sh b/13/alpine3.20/docker-entrypoint.sh deleted file mode 100755 index 6f59993e08..0000000000 --- a/13/alpine3.20/docker-entrypoint.sh +++ /dev/null @@ -1,356 +0,0 @@ -#!/usr/bin/env bash -set -Eeo pipefail -# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) - -# usage: file_env VAR [DEFAULT] -# ie: file_env 'XYZ_DB_PASSWORD' 'example' -# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of -# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) -file_env() { - local var="$1" - local fileVar="${var}_FILE" - local def="${2:-}" - if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then - printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" - exit 1 - fi - local val="$def" - if [ "${!var:-}" ]; then - val="${!var}" - elif [ "${!fileVar:-}" ]; then - val="$(< "${!fileVar}")" - fi - export "$var"="$val" - unset "$fileVar" -} - -# check to see if this file is being run or sourced from another script -_is_sourced() { - # https://unix.stackexchange.com/a/215279 - [ "${#FUNCNAME[@]}" -ge 2 ] \ - && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ - && [ "${FUNCNAME[1]}" = 'source' ] -} - -# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user -docker_create_db_directories() { - local user; user="$(id -u)" - - mkdir -p "$PGDATA" - # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) - chmod 00700 "$PGDATA" || : - - # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 - mkdir -p /var/run/postgresql || : - chmod 03775 /var/run/postgresql || : - - # Create the transaction log directory before initdb is run so the directory is owned by the correct user - if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then - mkdir -p "$POSTGRES_INITDB_WALDIR" - if [ "$user" = '0' ]; then - find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + - fi - chmod 700 "$POSTGRES_INITDB_WALDIR" - fi - - # allow the container to be started with `--user` - if [ "$user" = '0' ]; then - find "$PGDATA" \! -user postgres -exec chown postgres '{}' + - find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + - fi -} - -# initialize empty PGDATA directory with new database via 'initdb' -# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function -# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames -# this is also where the database user is created, specified by `POSTGRES_USER` env -docker_init_database_dir() { - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - local uid; uid="$(id -u)" - if ! getent passwd "$uid" &> /dev/null; then - # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15) - local wrapper - for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do - if [ -s "$wrapper" ]; then - NSS_WRAPPER_PASSWD="$(mktemp)" - NSS_WRAPPER_GROUP="$(mktemp)" - export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - local gid; gid="$(id -g)" - printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD" - printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP" - break - fi - done - fi - - if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then - set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" - fi - - # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025 - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' - - # unset/cleanup "nss_wrapper" bits - if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi -} - -# print large warning if POSTGRES_PASSWORD is long -# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust' -# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' -# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] -docker_verify_minimum_env() { - case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 - # check password first so we can output the warning before postgres - # messes it up - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' - - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - - This will not work if used via PGPASSWORD with "psql". - - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 - - EOWARN - fi - ;; - esac - if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOE' - Error: Database is uninitialized and superuser password is not specified. - You must specify POSTGRES_PASSWORD to a non-empty value for the - superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run". - - You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all - connections without a password. This is *not* recommended. - - See PostgreSQL documentation about "trust": - https://www.postgresql.org/docs/current/auth-trust.html - EOE - exit 1 - fi - if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then - cat >&2 <<-'EOWARN' - ******************************************************************************** - WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow - anyone with access to the Postgres port to access your database without - a password, even if POSTGRES_PASSWORD is set. See PostgreSQL - documentation about "trust": - https://www.postgresql.org/docs/current/auth-trust.html - In Docker's default configuration, this is effectively any other - container on the same system. - - It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace - it with "-e POSTGRES_PASSWORD=password" instead to set a password in - "docker run". - ******************************************************************************** - EOWARN - fi -} - -# usage: docker_process_init_files [file [file [...]]] -# ie: docker_process_init_files /always-initdb.d/* -# process initializer files, based on file extensions and permissions -docker_process_init_files() { - # psql here for backwards compatibility "${psql[@]}" - psql=( docker_process_sql ) - - printf '\n' - local f - for f; do - case "$f" in - *.sh) - # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 - # https://github.com/docker-library/postgres/pull/452 - if [ -x "$f" ]; then - printf '%s: running %s\n' "$0" "$f" - "$f" - else - printf '%s: sourcing %s\n' "$0" "$f" - . "$f" - fi - ;; - *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;; - *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;; - *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;; - *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;; - *) printf '%s: ignoring %s\n' "$0" "$f" ;; - esac - printf '\n' - done -} - -# Execute sql script, passed via stdin (or -f flag of pqsl) -# usage: docker_process_sql [psql-cli-args] -# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' -# ie: docker_process_sql -f my-file.sql -# ie: docker_process_sql > "$PGDATA/pg_hba.conf" -} - -# start socket-only postgresql server for setting up or running scripts -# all arguments will be passed along as arguments to `postgres` (via pg_ctl) -docker_temp_server_start() { - if [ "$1" = 'postgres' ]; then - shift - fi - - # internal start of server in order to allow setup using psql client - # does not listen on external TCP/IP and waits until start finishes - set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" - - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "$(printf '%q ' "$@")" \ - -w start -} - -# stop postgresql server after done setting up user and running scripts -docker_temp_server_stop() { - PGUSER="${PGUSER:-postgres}" \ - pg_ctl -D "$PGDATA" -m fast -w stop -} - -# check arguments for an option that would cause postgres to stop -# return true if there is one -_pg_want_help() { - local arg - for arg; do - case "$arg" in - # postgres --help | grep 'then exit' - # leaving out -C on purpose since it always fails and is unhelpful: - # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory - -'?'|--help|--describe-config|-V|--version) - return 0 - ;; - esac - done - return 1 -} - -_main() { - # if first arg looks like a flag, assume we want to run postgres server - if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" - fi - - if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then - docker_setup_env - # setup data directories and permissions (when run as root) - docker_create_db_directories - if [ "$(id -u)" = '0' ]; then - # then restart script as postgres user - exec gosu postgres "$BASH_SOURCE" "$@" - fi - - # only run initialization on an empty data directory - if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir - pg_setup_hba_conf "$@" - - # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless - # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - docker_temp_server_start "$@" - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - docker_temp_server_stop - unset PGPASSWORD - - cat <<-'EOM' - - PostgreSQL init process complete; ready for start up. - - EOM - else - cat <<-'EOM' - - PostgreSQL Database directory appears to contain a database; Skipping initialization - - EOM - fi - fi - - exec "$@" -} - -if ! _is_sourced; then - _main "$@" -fi diff --git a/13/alpine3.19/Dockerfile b/13/alpine3.21/Dockerfile similarity index 79% rename from 13/alpine3.19/Dockerfile rename to 13/alpine3.21/Dockerfile index eb4350a655..c79dfd0bb7 100644 --- a/13/alpine3.19/Dockerfile +++ b/13/alpine3.21/Dockerfile @@ -4,10 +4,10 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # -FROM alpine:3.19 +FROM alpine:3.21 # 70 is the standard uid/gid for "postgres" in Alpine -# https://git.alpinelinux.org/aports/tree/main/postgresql/postgresql.pre-install?h=3.12-stable +# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable RUN set -eux; \ addgroup -g 70 -S postgres; \ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \ @@ -53,12 +53,12 @@ ENV LANG en_US.utf8 RUN mkdir /docker-entrypoint-initdb.d ENV PG_MAJOR 13 -ENV PG_VERSION 13.16 -ENV PG_SHA256 c9cbbb6129f02328204828066bb3785c00a85c8ca8fd329c2a8a53c1f5cd8865 +ENV PG_VERSION 13.21 +ENV PG_SHA256 dcda1294df45f033b0656cf7a8e4afbbc624c25e1b144aec79530f74d7ef4ab4 ENV DOCKER_PG_LLVM_DEPS \ - llvm15-dev \ - clang15 + llvm19-dev \ + clang19 RUN set -eux; \ \ @@ -108,14 +108,11 @@ RUN set -eux; \ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ -# explicitly update autoconf config.guess and config.sub so they support more arches/libcs - wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb'; \ - wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb'; \ \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n158 - export LLVM_CONFIG="/usr/lib/llvm15/bin/llvm-config"; \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n163 - export CLANG=clang-15; \ +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG") + export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \ +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.") + export CLANG=clang-19; \ \ # configure options taken from: # https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5 @@ -169,8 +166,7 @@ RUN set -eux; \ zstd \ # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split icu-data-full \ -# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le" -# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663 +# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults") $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \ ; \ apk del --no-network .build-deps; \ @@ -203,18 +199,12 @@ ENTRYPOINT ["docker-entrypoint.sh"] # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL # calls "Fast Shutdown mode" wherein new connections are disallowed and any # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. +# flush tables to disk. # -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. -# -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details # about available PostgreSQL server shutdown signals. # -# See also https://www.postgresql.org/docs/12/server-start.html for further +# See also https://www.postgresql.org/docs/current/server-start.html for further # justification of this as the default value, namely that the example (and # shipped) systemd service files use the "Fast Shutdown mode" for service # termination. @@ -224,10 +214,10 @@ STOPSIGNAL SIGINT # An additional setting that is recommended for all users regardless of this # value is the runtime "--stop-timeout" (or your orchestrator/runtime's # equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# STOPSIGNAL and sending SIGKILL. # # The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# documentation at https://www.postgresql.org/docs/current/server-start.html notes # that even 90 seconds may not be long enough in many instances. EXPOSE 5432 diff --git a/12/alpine3.20/docker-ensure-initdb.sh b/13/alpine3.21/docker-ensure-initdb.sh similarity index 98% rename from 12/alpine3.20/docker-ensure-initdb.sh rename to 13/alpine3.21/docker-ensure-initdb.sh index ae1f6b6b90..e9b15ef77d 100755 --- a/12/alpine3.20/docker-ensure-initdb.sh +++ b/13/alpine3.21/docker-ensure-initdb.sh @@ -33,6 +33,7 @@ fi # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/12/bullseye/docker-entrypoint.sh b/13/alpine3.21/docker-entrypoint.sh similarity index 88% rename from 12/bullseye/docker-entrypoint.sh rename to 13/alpine3.21/docker-entrypoint.sh index 6f59993e08..5a62870b50 100755 --- a/12/bullseye/docker-entrypoint.sh +++ b/13/alpine3.21/docker-entrypoint.sh @@ -104,7 +104,7 @@ docker_init_database_dir() { # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] docker_verify_minimum_env() { case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 # check password first so we can output the warning before postgres # messes it up if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then @@ -154,6 +154,29 @@ docker_verify_minimum_env() { EOWARN fi } +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} # usage: docker_process_init_files [file [file [...]]] # ie: docker_process_init_files /always-initdb.d/* @@ -230,9 +253,17 @@ docker_setup_env() { declare -g DATABASE_ALREADY_EXISTS : "${DATABASE_ALREADY_EXISTS:=}" + declare -ag OLD_DATABASES=() # look specifically for PG_VERSION, as it is expected in the DB dir if [ -s "$PGDATA/PG_VERSION" ]; then DATABASE_ALREADY_EXISTS='true' + elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then + # https://github.com/docker-library/postgres/pull/1259 + for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do + if [ -s "$d/PG_VERSION" ]; then + OLD_DATABASES+=( "$d" ) + fi + done fi } @@ -252,7 +283,7 @@ pg_setup_hba_conf() { printf '\n' if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then printf '# warning trust is enabled for all connections\n' - printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n' + printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n' fi printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD" } >> "$PGDATA/pg_hba.conf" @@ -269,6 +300,9 @@ docker_temp_server_start() { # does not listen on external TCP/IP and waits until start finishes set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ PGUSER="${PGUSER:-$POSTGRES_USER}" \ pg_ctl -D "$PGDATA" \ -o "$(printf '%q ' "$@")" \ @@ -316,6 +350,7 @@ _main() { # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/13/alpine3.20/Dockerfile b/13/alpine3.22/Dockerfile similarity index 79% rename from 13/alpine3.20/Dockerfile rename to 13/alpine3.22/Dockerfile index d365154e29..ece37e9796 100644 --- a/13/alpine3.20/Dockerfile +++ b/13/alpine3.22/Dockerfile @@ -4,10 +4,10 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # -FROM alpine:3.20 +FROM alpine:3.22 # 70 is the standard uid/gid for "postgres" in Alpine -# https://git.alpinelinux.org/aports/tree/main/postgresql/postgresql.pre-install?h=3.12-stable +# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable RUN set -eux; \ addgroup -g 70 -S postgres; \ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \ @@ -53,12 +53,12 @@ ENV LANG en_US.utf8 RUN mkdir /docker-entrypoint-initdb.d ENV PG_MAJOR 13 -ENV PG_VERSION 13.16 -ENV PG_SHA256 c9cbbb6129f02328204828066bb3785c00a85c8ca8fd329c2a8a53c1f5cd8865 +ENV PG_VERSION 13.21 +ENV PG_SHA256 dcda1294df45f033b0656cf7a8e4afbbc624c25e1b144aec79530f74d7ef4ab4 ENV DOCKER_PG_LLVM_DEPS \ - llvm15-dev \ - clang15 + llvm19-dev \ + clang19 RUN set -eux; \ \ @@ -108,14 +108,11 @@ RUN set -eux; \ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ -# explicitly update autoconf config.guess and config.sub so they support more arches/libcs - wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb'; \ - wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb'; \ \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n158 - export LLVM_CONFIG="/usr/lib/llvm15/bin/llvm-config"; \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n163 - export CLANG=clang-15; \ +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG") + export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \ +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.") + export CLANG=clang-19; \ \ # configure options taken from: # https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5 @@ -169,8 +166,7 @@ RUN set -eux; \ zstd \ # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split icu-data-full \ -# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le" -# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663 +# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults") $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \ ; \ apk del --no-network .build-deps; \ @@ -203,18 +199,12 @@ ENTRYPOINT ["docker-entrypoint.sh"] # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL # calls "Fast Shutdown mode" wherein new connections are disallowed and any # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. +# flush tables to disk. # -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. -# -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details # about available PostgreSQL server shutdown signals. # -# See also https://www.postgresql.org/docs/12/server-start.html for further +# See also https://www.postgresql.org/docs/current/server-start.html for further # justification of this as the default value, namely that the example (and # shipped) systemd service files use the "Fast Shutdown mode" for service # termination. @@ -224,10 +214,10 @@ STOPSIGNAL SIGINT # An additional setting that is recommended for all users regardless of this # value is the runtime "--stop-timeout" (or your orchestrator/runtime's # equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# STOPSIGNAL and sending SIGKILL. # # The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# documentation at https://www.postgresql.org/docs/current/server-start.html notes # that even 90 seconds may not be long enough in many instances. EXPOSE 5432 diff --git a/12/alpine3.19/docker-ensure-initdb.sh b/13/alpine3.22/docker-ensure-initdb.sh similarity index 98% rename from 12/alpine3.19/docker-ensure-initdb.sh rename to 13/alpine3.22/docker-ensure-initdb.sh index ae1f6b6b90..e9b15ef77d 100755 --- a/12/alpine3.19/docker-ensure-initdb.sh +++ b/13/alpine3.22/docker-ensure-initdb.sh @@ -33,6 +33,7 @@ fi # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/12/alpine3.20/docker-entrypoint.sh b/13/alpine3.22/docker-entrypoint.sh similarity index 88% rename from 12/alpine3.20/docker-entrypoint.sh rename to 13/alpine3.22/docker-entrypoint.sh index 6f59993e08..5a62870b50 100755 --- a/12/alpine3.20/docker-entrypoint.sh +++ b/13/alpine3.22/docker-entrypoint.sh @@ -104,7 +104,7 @@ docker_init_database_dir() { # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] docker_verify_minimum_env() { case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 # check password first so we can output the warning before postgres # messes it up if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then @@ -154,6 +154,29 @@ docker_verify_minimum_env() { EOWARN fi } +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} # usage: docker_process_init_files [file [file [...]]] # ie: docker_process_init_files /always-initdb.d/* @@ -230,9 +253,17 @@ docker_setup_env() { declare -g DATABASE_ALREADY_EXISTS : "${DATABASE_ALREADY_EXISTS:=}" + declare -ag OLD_DATABASES=() # look specifically for PG_VERSION, as it is expected in the DB dir if [ -s "$PGDATA/PG_VERSION" ]; then DATABASE_ALREADY_EXISTS='true' + elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then + # https://github.com/docker-library/postgres/pull/1259 + for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do + if [ -s "$d/PG_VERSION" ]; then + OLD_DATABASES+=( "$d" ) + fi + done fi } @@ -252,7 +283,7 @@ pg_setup_hba_conf() { printf '\n' if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then printf '# warning trust is enabled for all connections\n' - printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n' + printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n' fi printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD" } >> "$PGDATA/pg_hba.conf" @@ -269,6 +300,9 @@ docker_temp_server_start() { # does not listen on external TCP/IP and waits until start finishes set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ PGUSER="${PGUSER:-$POSTGRES_USER}" \ pg_ctl -D "$PGDATA" \ -o "$(printf '%q ' "$@")" \ @@ -316,6 +350,7 @@ _main() { # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/13/bookworm/Dockerfile b/13/bookworm/Dockerfile index 8c9451e1b9..721ad94d09 100644 --- a/13/bookworm/Dockerfile +++ b/13/bookworm/Dockerfile @@ -89,7 +89,7 @@ RUN set -ex; \ ENV PG_MAJOR 13 ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin -ENV PG_VERSION 13.16-1.pgdg120+1 +ENV PG_VERSION 13.21-1.pgdg120+1 RUN set -ex; \ \ @@ -99,7 +99,7 @@ RUN set -ex; \ dpkgArch="$(dpkg --print-architecture)"; \ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main $PG_MAJOR"; \ case "$dpkgArch" in \ - amd64 | arm64 | ppc64el | s390x) \ + amd64 | arm64 | ppc64el) \ # arches officialy built by upstream echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \ apt-get update; \ @@ -131,10 +131,9 @@ RUN set -ex; \ # build .deb files from upstream's source packages (which are verified by apt-get) nproc="$(nproc)"; \ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \ -# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876 -# (and it "Depends: pgdg-keyring") - apt-get build-dep -y postgresql-common pgdg-keyring; \ - apt-get source --compile postgresql-common pgdg-keyring; \ +# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9 + apt-get build-dep -y postgresql-common-dev; \ + apt-get source --compile postgresql-common-dev; \ _update_repo; \ # we need DEBIAN_FRONTEND on postgresql-13 for slapd ("Please enter the password for the admin entry in your LDAP directory."); see https://bugs.debian.org/929417 DEBIAN_FRONTEND=noninteractive \ @@ -196,18 +195,12 @@ ENTRYPOINT ["docker-entrypoint.sh"] # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL # calls "Fast Shutdown mode" wherein new connections are disallowed and any # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. +# flush tables to disk. # -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. -# -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details # about available PostgreSQL server shutdown signals. # -# See also https://www.postgresql.org/docs/12/server-start.html for further +# See also https://www.postgresql.org/docs/current/server-start.html for further # justification of this as the default value, namely that the example (and # shipped) systemd service files use the "Fast Shutdown mode" for service # termination. @@ -217,10 +210,10 @@ STOPSIGNAL SIGINT # An additional setting that is recommended for all users regardless of this # value is the runtime "--stop-timeout" (or your orchestrator/runtime's # equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# STOPSIGNAL and sending SIGKILL. # # The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# documentation at https://www.postgresql.org/docs/current/server-start.html notes # that even 90 seconds may not be long enough in many instances. EXPOSE 5432 diff --git a/13/bookworm/docker-ensure-initdb.sh b/13/bookworm/docker-ensure-initdb.sh index ae1f6b6b90..e9b15ef77d 100755 --- a/13/bookworm/docker-ensure-initdb.sh +++ b/13/bookworm/docker-ensure-initdb.sh @@ -33,6 +33,7 @@ fi # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/13/bookworm/docker-entrypoint.sh b/13/bookworm/docker-entrypoint.sh index 6f59993e08..5a62870b50 100755 --- a/13/bookworm/docker-entrypoint.sh +++ b/13/bookworm/docker-entrypoint.sh @@ -104,7 +104,7 @@ docker_init_database_dir() { # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] docker_verify_minimum_env() { case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 # check password first so we can output the warning before postgres # messes it up if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then @@ -154,6 +154,29 @@ docker_verify_minimum_env() { EOWARN fi } +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} # usage: docker_process_init_files [file [file [...]]] # ie: docker_process_init_files /always-initdb.d/* @@ -230,9 +253,17 @@ docker_setup_env() { declare -g DATABASE_ALREADY_EXISTS : "${DATABASE_ALREADY_EXISTS:=}" + declare -ag OLD_DATABASES=() # look specifically for PG_VERSION, as it is expected in the DB dir if [ -s "$PGDATA/PG_VERSION" ]; then DATABASE_ALREADY_EXISTS='true' + elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then + # https://github.com/docker-library/postgres/pull/1259 + for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do + if [ -s "$d/PG_VERSION" ]; then + OLD_DATABASES+=( "$d" ) + fi + done fi } @@ -252,7 +283,7 @@ pg_setup_hba_conf() { printf '\n' if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then printf '# warning trust is enabled for all connections\n' - printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n' + printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n' fi printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD" } >> "$PGDATA/pg_hba.conf" @@ -269,6 +300,9 @@ docker_temp_server_start() { # does not listen on external TCP/IP and waits until start finishes set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ PGUSER="${PGUSER:-$POSTGRES_USER}" \ pg_ctl -D "$PGDATA" \ -o "$(printf '%q ' "$@")" \ @@ -316,6 +350,7 @@ _main() { # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/13/bullseye/Dockerfile b/13/bullseye/Dockerfile index c8770da222..b914b71ff0 100644 --- a/13/bullseye/Dockerfile +++ b/13/bullseye/Dockerfile @@ -89,7 +89,7 @@ RUN set -ex; \ ENV PG_MAJOR 13 ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin -ENV PG_VERSION 13.16-1.pgdg110+1 +ENV PG_VERSION 13.21-1.pgdg110+1 RUN set -ex; \ \ @@ -99,7 +99,7 @@ RUN set -ex; \ dpkgArch="$(dpkg --print-architecture)"; \ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bullseye-pgdg main $PG_MAJOR"; \ case "$dpkgArch" in \ - amd64 | arm64 | ppc64el | s390x) \ + amd64 | arm64 | ppc64el) \ # arches officialy built by upstream echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \ apt-get update; \ @@ -131,10 +131,9 @@ RUN set -ex; \ # build .deb files from upstream's source packages (which are verified by apt-get) nproc="$(nproc)"; \ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \ -# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876 -# (and it "Depends: pgdg-keyring") - apt-get build-dep -y postgresql-common pgdg-keyring; \ - apt-get source --compile postgresql-common pgdg-keyring; \ +# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9 + apt-get build-dep -y postgresql-common-dev; \ + apt-get source --compile postgresql-common-dev; \ _update_repo; \ # we need DEBIAN_FRONTEND on postgresql-13 for slapd ("Please enter the password for the admin entry in your LDAP directory."); see https://bugs.debian.org/929417 DEBIAN_FRONTEND=noninteractive \ @@ -196,18 +195,12 @@ ENTRYPOINT ["docker-entrypoint.sh"] # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL # calls "Fast Shutdown mode" wherein new connections are disallowed and any # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. +# flush tables to disk. # -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. -# -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details # about available PostgreSQL server shutdown signals. # -# See also https://www.postgresql.org/docs/12/server-start.html for further +# See also https://www.postgresql.org/docs/current/server-start.html for further # justification of this as the default value, namely that the example (and # shipped) systemd service files use the "Fast Shutdown mode" for service # termination. @@ -217,10 +210,10 @@ STOPSIGNAL SIGINT # An additional setting that is recommended for all users regardless of this # value is the runtime "--stop-timeout" (or your orchestrator/runtime's # equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# STOPSIGNAL and sending SIGKILL. # # The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# documentation at https://www.postgresql.org/docs/current/server-start.html notes # that even 90 seconds may not be long enough in many instances. EXPOSE 5432 diff --git a/13/bullseye/docker-ensure-initdb.sh b/13/bullseye/docker-ensure-initdb.sh index ae1f6b6b90..e9b15ef77d 100755 --- a/13/bullseye/docker-ensure-initdb.sh +++ b/13/bullseye/docker-ensure-initdb.sh @@ -33,6 +33,7 @@ fi # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/13/bullseye/docker-entrypoint.sh b/13/bullseye/docker-entrypoint.sh index 6f59993e08..5a62870b50 100755 --- a/13/bullseye/docker-entrypoint.sh +++ b/13/bullseye/docker-entrypoint.sh @@ -104,7 +104,7 @@ docker_init_database_dir() { # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] docker_verify_minimum_env() { case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 # check password first so we can output the warning before postgres # messes it up if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then @@ -154,6 +154,29 @@ docker_verify_minimum_env() { EOWARN fi } +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} # usage: docker_process_init_files [file [file [...]]] # ie: docker_process_init_files /always-initdb.d/* @@ -230,9 +253,17 @@ docker_setup_env() { declare -g DATABASE_ALREADY_EXISTS : "${DATABASE_ALREADY_EXISTS:=}" + declare -ag OLD_DATABASES=() # look specifically for PG_VERSION, as it is expected in the DB dir if [ -s "$PGDATA/PG_VERSION" ]; then DATABASE_ALREADY_EXISTS='true' + elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then + # https://github.com/docker-library/postgres/pull/1259 + for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do + if [ -s "$d/PG_VERSION" ]; then + OLD_DATABASES+=( "$d" ) + fi + done fi } @@ -252,7 +283,7 @@ pg_setup_hba_conf() { printf '\n' if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then printf '# warning trust is enabled for all connections\n' - printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n' + printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n' fi printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD" } >> "$PGDATA/pg_hba.conf" @@ -269,6 +300,9 @@ docker_temp_server_start() { # does not listen on external TCP/IP and waits until start finishes set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ PGUSER="${PGUSER:-$POSTGRES_USER}" \ pg_ctl -D "$PGDATA" \ -o "$(printf '%q ' "$@")" \ @@ -316,6 +350,7 @@ _main() { # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/14/alpine3.19/docker-ensure-initdb.sh b/14/alpine3.19/docker-ensure-initdb.sh deleted file mode 100755 index ae1f6b6b90..0000000000 --- a/14/alpine3.19/docker-ensure-initdb.sh +++ /dev/null @@ -1,71 +0,0 @@ -#!/usr/bin/env bash -set -Eeuo pipefail - -# -# This script is intended for three main use cases: -# -# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior -# -# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution -# (no-op if database is already initialized) -# -# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use -# (error if database is already initialized) -# - -source /usr/local/bin/docker-entrypoint.sh - -# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there) -if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then - set -- postgres "$@" -fi - -# see also "_main" in "docker-entrypoint.sh" - -docker_setup_env -# setup data directories and permissions (when run as root) -docker_create_db_directories -if [ "$(id -u)" = '0' ]; then - # then restart script as postgres user - exec gosu postgres "$BASH_SOURCE" "$@" -fi - -# only run initialization on an empty data directory -if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir - pg_setup_hba_conf "$@" - - # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless - # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - docker_temp_server_start "$@" - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - docker_temp_server_stop - unset PGPASSWORD -else - self="$(basename "$0")" - case "$self" in - docker-ensure-initdb.sh) - echo >&2 "$self: note: database already initialized in '$PGDATA'!" - exit 0 - ;; - - docker-enforce-initdb.sh) - echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!" - exit 1 - ;; - - *) - echo >&2 "$self: error: unknown file name: $self" - exit 99 - ;; - esac -fi diff --git a/14/alpine3.19/docker-entrypoint.sh b/14/alpine3.19/docker-entrypoint.sh deleted file mode 100755 index 6f59993e08..0000000000 --- a/14/alpine3.19/docker-entrypoint.sh +++ /dev/null @@ -1,356 +0,0 @@ -#!/usr/bin/env bash -set -Eeo pipefail -# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) - -# usage: file_env VAR [DEFAULT] -# ie: file_env 'XYZ_DB_PASSWORD' 'example' -# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of -# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) -file_env() { - local var="$1" - local fileVar="${var}_FILE" - local def="${2:-}" - if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then - printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" - exit 1 - fi - local val="$def" - if [ "${!var:-}" ]; then - val="${!var}" - elif [ "${!fileVar:-}" ]; then - val="$(< "${!fileVar}")" - fi - export "$var"="$val" - unset "$fileVar" -} - -# check to see if this file is being run or sourced from another script -_is_sourced() { - # https://unix.stackexchange.com/a/215279 - [ "${#FUNCNAME[@]}" -ge 2 ] \ - && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ - && [ "${FUNCNAME[1]}" = 'source' ] -} - -# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user -docker_create_db_directories() { - local user; user="$(id -u)" - - mkdir -p "$PGDATA" - # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) - chmod 00700 "$PGDATA" || : - - # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 - mkdir -p /var/run/postgresql || : - chmod 03775 /var/run/postgresql || : - - # Create the transaction log directory before initdb is run so the directory is owned by the correct user - if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then - mkdir -p "$POSTGRES_INITDB_WALDIR" - if [ "$user" = '0' ]; then - find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + - fi - chmod 700 "$POSTGRES_INITDB_WALDIR" - fi - - # allow the container to be started with `--user` - if [ "$user" = '0' ]; then - find "$PGDATA" \! -user postgres -exec chown postgres '{}' + - find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + - fi -} - -# initialize empty PGDATA directory with new database via 'initdb' -# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function -# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames -# this is also where the database user is created, specified by `POSTGRES_USER` env -docker_init_database_dir() { - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - local uid; uid="$(id -u)" - if ! getent passwd "$uid" &> /dev/null; then - # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15) - local wrapper - for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do - if [ -s "$wrapper" ]; then - NSS_WRAPPER_PASSWD="$(mktemp)" - NSS_WRAPPER_GROUP="$(mktemp)" - export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - local gid; gid="$(id -g)" - printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD" - printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP" - break - fi - done - fi - - if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then - set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" - fi - - # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025 - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' - - # unset/cleanup "nss_wrapper" bits - if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi -} - -# print large warning if POSTGRES_PASSWORD is long -# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust' -# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' -# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] -docker_verify_minimum_env() { - case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 - # check password first so we can output the warning before postgres - # messes it up - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' - - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - - This will not work if used via PGPASSWORD with "psql". - - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 - - EOWARN - fi - ;; - esac - if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOE' - Error: Database is uninitialized and superuser password is not specified. - You must specify POSTGRES_PASSWORD to a non-empty value for the - superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run". - - You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all - connections without a password. This is *not* recommended. - - See PostgreSQL documentation about "trust": - https://www.postgresql.org/docs/current/auth-trust.html - EOE - exit 1 - fi - if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then - cat >&2 <<-'EOWARN' - ******************************************************************************** - WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow - anyone with access to the Postgres port to access your database without - a password, even if POSTGRES_PASSWORD is set. See PostgreSQL - documentation about "trust": - https://www.postgresql.org/docs/current/auth-trust.html - In Docker's default configuration, this is effectively any other - container on the same system. - - It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace - it with "-e POSTGRES_PASSWORD=password" instead to set a password in - "docker run". - ******************************************************************************** - EOWARN - fi -} - -# usage: docker_process_init_files [file [file [...]]] -# ie: docker_process_init_files /always-initdb.d/* -# process initializer files, based on file extensions and permissions -docker_process_init_files() { - # psql here for backwards compatibility "${psql[@]}" - psql=( docker_process_sql ) - - printf '\n' - local f - for f; do - case "$f" in - *.sh) - # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 - # https://github.com/docker-library/postgres/pull/452 - if [ -x "$f" ]; then - printf '%s: running %s\n' "$0" "$f" - "$f" - else - printf '%s: sourcing %s\n' "$0" "$f" - . "$f" - fi - ;; - *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;; - *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;; - *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;; - *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;; - *) printf '%s: ignoring %s\n' "$0" "$f" ;; - esac - printf '\n' - done -} - -# Execute sql script, passed via stdin (or -f flag of pqsl) -# usage: docker_process_sql [psql-cli-args] -# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' -# ie: docker_process_sql -f my-file.sql -# ie: docker_process_sql > "$PGDATA/pg_hba.conf" -} - -# start socket-only postgresql server for setting up or running scripts -# all arguments will be passed along as arguments to `postgres` (via pg_ctl) -docker_temp_server_start() { - if [ "$1" = 'postgres' ]; then - shift - fi - - # internal start of server in order to allow setup using psql client - # does not listen on external TCP/IP and waits until start finishes - set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" - - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "$(printf '%q ' "$@")" \ - -w start -} - -# stop postgresql server after done setting up user and running scripts -docker_temp_server_stop() { - PGUSER="${PGUSER:-postgres}" \ - pg_ctl -D "$PGDATA" -m fast -w stop -} - -# check arguments for an option that would cause postgres to stop -# return true if there is one -_pg_want_help() { - local arg - for arg; do - case "$arg" in - # postgres --help | grep 'then exit' - # leaving out -C on purpose since it always fails and is unhelpful: - # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory - -'?'|--help|--describe-config|-V|--version) - return 0 - ;; - esac - done - return 1 -} - -_main() { - # if first arg looks like a flag, assume we want to run postgres server - if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" - fi - - if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then - docker_setup_env - # setup data directories and permissions (when run as root) - docker_create_db_directories - if [ "$(id -u)" = '0' ]; then - # then restart script as postgres user - exec gosu postgres "$BASH_SOURCE" "$@" - fi - - # only run initialization on an empty data directory - if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir - pg_setup_hba_conf "$@" - - # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless - # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - docker_temp_server_start "$@" - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - docker_temp_server_stop - unset PGPASSWORD - - cat <<-'EOM' - - PostgreSQL init process complete; ready for start up. - - EOM - else - cat <<-'EOM' - - PostgreSQL Database directory appears to contain a database; Skipping initialization - - EOM - fi - fi - - exec "$@" -} - -if ! _is_sourced; then - _main "$@" -fi diff --git a/14/alpine3.20/docker-ensure-initdb.sh b/14/alpine3.20/docker-ensure-initdb.sh deleted file mode 100755 index ae1f6b6b90..0000000000 --- a/14/alpine3.20/docker-ensure-initdb.sh +++ /dev/null @@ -1,71 +0,0 @@ -#!/usr/bin/env bash -set -Eeuo pipefail - -# -# This script is intended for three main use cases: -# -# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior -# -# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution -# (no-op if database is already initialized) -# -# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use -# (error if database is already initialized) -# - -source /usr/local/bin/docker-entrypoint.sh - -# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there) -if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then - set -- postgres "$@" -fi - -# see also "_main" in "docker-entrypoint.sh" - -docker_setup_env -# setup data directories and permissions (when run as root) -docker_create_db_directories -if [ "$(id -u)" = '0' ]; then - # then restart script as postgres user - exec gosu postgres "$BASH_SOURCE" "$@" -fi - -# only run initialization on an empty data directory -if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir - pg_setup_hba_conf "$@" - - # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless - # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - docker_temp_server_start "$@" - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - docker_temp_server_stop - unset PGPASSWORD -else - self="$(basename "$0")" - case "$self" in - docker-ensure-initdb.sh) - echo >&2 "$self: note: database already initialized in '$PGDATA'!" - exit 0 - ;; - - docker-enforce-initdb.sh) - echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!" - exit 1 - ;; - - *) - echo >&2 "$self: error: unknown file name: $self" - exit 99 - ;; - esac -fi diff --git a/14/alpine3.20/docker-entrypoint.sh b/14/alpine3.20/docker-entrypoint.sh deleted file mode 100755 index 6f59993e08..0000000000 --- a/14/alpine3.20/docker-entrypoint.sh +++ /dev/null @@ -1,356 +0,0 @@ -#!/usr/bin/env bash -set -Eeo pipefail -# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) - -# usage: file_env VAR [DEFAULT] -# ie: file_env 'XYZ_DB_PASSWORD' 'example' -# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of -# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) -file_env() { - local var="$1" - local fileVar="${var}_FILE" - local def="${2:-}" - if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then - printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" - exit 1 - fi - local val="$def" - if [ "${!var:-}" ]; then - val="${!var}" - elif [ "${!fileVar:-}" ]; then - val="$(< "${!fileVar}")" - fi - export "$var"="$val" - unset "$fileVar" -} - -# check to see if this file is being run or sourced from another script -_is_sourced() { - # https://unix.stackexchange.com/a/215279 - [ "${#FUNCNAME[@]}" -ge 2 ] \ - && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ - && [ "${FUNCNAME[1]}" = 'source' ] -} - -# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user -docker_create_db_directories() { - local user; user="$(id -u)" - - mkdir -p "$PGDATA" - # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) - chmod 00700 "$PGDATA" || : - - # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 - mkdir -p /var/run/postgresql || : - chmod 03775 /var/run/postgresql || : - - # Create the transaction log directory before initdb is run so the directory is owned by the correct user - if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then - mkdir -p "$POSTGRES_INITDB_WALDIR" - if [ "$user" = '0' ]; then - find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + - fi - chmod 700 "$POSTGRES_INITDB_WALDIR" - fi - - # allow the container to be started with `--user` - if [ "$user" = '0' ]; then - find "$PGDATA" \! -user postgres -exec chown postgres '{}' + - find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + - fi -} - -# initialize empty PGDATA directory with new database via 'initdb' -# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function -# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames -# this is also where the database user is created, specified by `POSTGRES_USER` env -docker_init_database_dir() { - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - local uid; uid="$(id -u)" - if ! getent passwd "$uid" &> /dev/null; then - # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15) - local wrapper - for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do - if [ -s "$wrapper" ]; then - NSS_WRAPPER_PASSWD="$(mktemp)" - NSS_WRAPPER_GROUP="$(mktemp)" - export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - local gid; gid="$(id -g)" - printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD" - printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP" - break - fi - done - fi - - if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then - set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" - fi - - # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025 - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' - - # unset/cleanup "nss_wrapper" bits - if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi -} - -# print large warning if POSTGRES_PASSWORD is long -# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust' -# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' -# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] -docker_verify_minimum_env() { - case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 - # check password first so we can output the warning before postgres - # messes it up - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' - - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - - This will not work if used via PGPASSWORD with "psql". - - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 - - EOWARN - fi - ;; - esac - if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOE' - Error: Database is uninitialized and superuser password is not specified. - You must specify POSTGRES_PASSWORD to a non-empty value for the - superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run". - - You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all - connections without a password. This is *not* recommended. - - See PostgreSQL documentation about "trust": - https://www.postgresql.org/docs/current/auth-trust.html - EOE - exit 1 - fi - if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then - cat >&2 <<-'EOWARN' - ******************************************************************************** - WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow - anyone with access to the Postgres port to access your database without - a password, even if POSTGRES_PASSWORD is set. See PostgreSQL - documentation about "trust": - https://www.postgresql.org/docs/current/auth-trust.html - In Docker's default configuration, this is effectively any other - container on the same system. - - It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace - it with "-e POSTGRES_PASSWORD=password" instead to set a password in - "docker run". - ******************************************************************************** - EOWARN - fi -} - -# usage: docker_process_init_files [file [file [...]]] -# ie: docker_process_init_files /always-initdb.d/* -# process initializer files, based on file extensions and permissions -docker_process_init_files() { - # psql here for backwards compatibility "${psql[@]}" - psql=( docker_process_sql ) - - printf '\n' - local f - for f; do - case "$f" in - *.sh) - # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 - # https://github.com/docker-library/postgres/pull/452 - if [ -x "$f" ]; then - printf '%s: running %s\n' "$0" "$f" - "$f" - else - printf '%s: sourcing %s\n' "$0" "$f" - . "$f" - fi - ;; - *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;; - *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;; - *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;; - *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;; - *) printf '%s: ignoring %s\n' "$0" "$f" ;; - esac - printf '\n' - done -} - -# Execute sql script, passed via stdin (or -f flag of pqsl) -# usage: docker_process_sql [psql-cli-args] -# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' -# ie: docker_process_sql -f my-file.sql -# ie: docker_process_sql > "$PGDATA/pg_hba.conf" -} - -# start socket-only postgresql server for setting up or running scripts -# all arguments will be passed along as arguments to `postgres` (via pg_ctl) -docker_temp_server_start() { - if [ "$1" = 'postgres' ]; then - shift - fi - - # internal start of server in order to allow setup using psql client - # does not listen on external TCP/IP and waits until start finishes - set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" - - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "$(printf '%q ' "$@")" \ - -w start -} - -# stop postgresql server after done setting up user and running scripts -docker_temp_server_stop() { - PGUSER="${PGUSER:-postgres}" \ - pg_ctl -D "$PGDATA" -m fast -w stop -} - -# check arguments for an option that would cause postgres to stop -# return true if there is one -_pg_want_help() { - local arg - for arg; do - case "$arg" in - # postgres --help | grep 'then exit' - # leaving out -C on purpose since it always fails and is unhelpful: - # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory - -'?'|--help|--describe-config|-V|--version) - return 0 - ;; - esac - done - return 1 -} - -_main() { - # if first arg looks like a flag, assume we want to run postgres server - if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" - fi - - if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then - docker_setup_env - # setup data directories and permissions (when run as root) - docker_create_db_directories - if [ "$(id -u)" = '0' ]; then - # then restart script as postgres user - exec gosu postgres "$BASH_SOURCE" "$@" - fi - - # only run initialization on an empty data directory - if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir - pg_setup_hba_conf "$@" - - # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless - # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - docker_temp_server_start "$@" - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - docker_temp_server_stop - unset PGPASSWORD - - cat <<-'EOM' - - PostgreSQL init process complete; ready for start up. - - EOM - else - cat <<-'EOM' - - PostgreSQL Database directory appears to contain a database; Skipping initialization - - EOM - fi - fi - - exec "$@" -} - -if ! _is_sourced; then - _main "$@" -fi diff --git a/14/alpine3.19/Dockerfile b/14/alpine3.21/Dockerfile similarity index 79% rename from 14/alpine3.19/Dockerfile rename to 14/alpine3.21/Dockerfile index 533e23e6be..49eb44c2c7 100644 --- a/14/alpine3.19/Dockerfile +++ b/14/alpine3.21/Dockerfile @@ -4,10 +4,10 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # -FROM alpine:3.19 +FROM alpine:3.21 # 70 is the standard uid/gid for "postgres" in Alpine -# https://git.alpinelinux.org/aports/tree/main/postgresql/postgresql.pre-install?h=3.12-stable +# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable RUN set -eux; \ addgroup -g 70 -S postgres; \ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \ @@ -53,12 +53,12 @@ ENV LANG en_US.utf8 RUN mkdir /docker-entrypoint-initdb.d ENV PG_MAJOR 14 -ENV PG_VERSION 14.13 -ENV PG_SHA256 59aa3c4b495ab26a9ec69f3ad0a0228c51f0fe6facf3634dfad4d1197d613a56 +ENV PG_VERSION 14.18 +ENV PG_SHA256 83ab29d6bfc3dc58b2ed3c664114fdfbeb6a0450c4b8d7fa69aee91e3ca14f8e ENV DOCKER_PG_LLVM_DEPS \ - llvm15-dev \ - clang15 + llvm19-dev \ + clang19 RUN set -eux; \ \ @@ -110,14 +110,11 @@ RUN set -eux; \ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ -# explicitly update autoconf config.guess and config.sub so they support more arches/libcs - wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb'; \ - wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb'; \ \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n158 - export LLVM_CONFIG="/usr/lib/llvm15/bin/llvm-config"; \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n163 - export CLANG=clang-15; \ +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG") + export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \ +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.") + export CLANG=clang-19; \ \ # configure options taken from: # https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5 @@ -172,8 +169,7 @@ RUN set -eux; \ zstd \ # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split icu-data-full \ -# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le" -# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663 +# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults") $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \ ; \ apk del --no-network .build-deps; \ @@ -206,18 +202,12 @@ ENTRYPOINT ["docker-entrypoint.sh"] # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL # calls "Fast Shutdown mode" wherein new connections are disallowed and any # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. +# flush tables to disk. # -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. -# -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details # about available PostgreSQL server shutdown signals. # -# See also https://www.postgresql.org/docs/12/server-start.html for further +# See also https://www.postgresql.org/docs/current/server-start.html for further # justification of this as the default value, namely that the example (and # shipped) systemd service files use the "Fast Shutdown mode" for service # termination. @@ -227,10 +217,10 @@ STOPSIGNAL SIGINT # An additional setting that is recommended for all users regardless of this # value is the runtime "--stop-timeout" (or your orchestrator/runtime's # equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# STOPSIGNAL and sending SIGKILL. # # The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# documentation at https://www.postgresql.org/docs/current/server-start.html notes # that even 90 seconds may not be long enough in many instances. EXPOSE 5432 diff --git a/12/bookworm/docker-ensure-initdb.sh b/14/alpine3.21/docker-ensure-initdb.sh similarity index 98% rename from 12/bookworm/docker-ensure-initdb.sh rename to 14/alpine3.21/docker-ensure-initdb.sh index ae1f6b6b90..e9b15ef77d 100755 --- a/12/bookworm/docker-ensure-initdb.sh +++ b/14/alpine3.21/docker-ensure-initdb.sh @@ -33,6 +33,7 @@ fi # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/12/alpine3.19/docker-entrypoint.sh b/14/alpine3.21/docker-entrypoint.sh similarity index 88% rename from 12/alpine3.19/docker-entrypoint.sh rename to 14/alpine3.21/docker-entrypoint.sh index 6f59993e08..5a62870b50 100755 --- a/12/alpine3.19/docker-entrypoint.sh +++ b/14/alpine3.21/docker-entrypoint.sh @@ -104,7 +104,7 @@ docker_init_database_dir() { # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] docker_verify_minimum_env() { case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 # check password first so we can output the warning before postgres # messes it up if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then @@ -154,6 +154,29 @@ docker_verify_minimum_env() { EOWARN fi } +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} # usage: docker_process_init_files [file [file [...]]] # ie: docker_process_init_files /always-initdb.d/* @@ -230,9 +253,17 @@ docker_setup_env() { declare -g DATABASE_ALREADY_EXISTS : "${DATABASE_ALREADY_EXISTS:=}" + declare -ag OLD_DATABASES=() # look specifically for PG_VERSION, as it is expected in the DB dir if [ -s "$PGDATA/PG_VERSION" ]; then DATABASE_ALREADY_EXISTS='true' + elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then + # https://github.com/docker-library/postgres/pull/1259 + for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do + if [ -s "$d/PG_VERSION" ]; then + OLD_DATABASES+=( "$d" ) + fi + done fi } @@ -252,7 +283,7 @@ pg_setup_hba_conf() { printf '\n' if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then printf '# warning trust is enabled for all connections\n' - printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n' + printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n' fi printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD" } >> "$PGDATA/pg_hba.conf" @@ -269,6 +300,9 @@ docker_temp_server_start() { # does not listen on external TCP/IP and waits until start finishes set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ PGUSER="${PGUSER:-$POSTGRES_USER}" \ pg_ctl -D "$PGDATA" \ -o "$(printf '%q ' "$@")" \ @@ -316,6 +350,7 @@ _main() { # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/14/alpine3.20/Dockerfile b/14/alpine3.22/Dockerfile similarity index 79% rename from 14/alpine3.20/Dockerfile rename to 14/alpine3.22/Dockerfile index 4b89e0d558..238930ef21 100644 --- a/14/alpine3.20/Dockerfile +++ b/14/alpine3.22/Dockerfile @@ -4,10 +4,10 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # -FROM alpine:3.20 +FROM alpine:3.22 # 70 is the standard uid/gid for "postgres" in Alpine -# https://git.alpinelinux.org/aports/tree/main/postgresql/postgresql.pre-install?h=3.12-stable +# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable RUN set -eux; \ addgroup -g 70 -S postgres; \ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \ @@ -53,12 +53,12 @@ ENV LANG en_US.utf8 RUN mkdir /docker-entrypoint-initdb.d ENV PG_MAJOR 14 -ENV PG_VERSION 14.13 -ENV PG_SHA256 59aa3c4b495ab26a9ec69f3ad0a0228c51f0fe6facf3634dfad4d1197d613a56 +ENV PG_VERSION 14.18 +ENV PG_SHA256 83ab29d6bfc3dc58b2ed3c664114fdfbeb6a0450c4b8d7fa69aee91e3ca14f8e ENV DOCKER_PG_LLVM_DEPS \ - llvm15-dev \ - clang15 + llvm19-dev \ + clang19 RUN set -eux; \ \ @@ -110,14 +110,11 @@ RUN set -eux; \ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ -# explicitly update autoconf config.guess and config.sub so they support more arches/libcs - wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb'; \ - wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb'; \ \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n158 - export LLVM_CONFIG="/usr/lib/llvm15/bin/llvm-config"; \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n163 - export CLANG=clang-15; \ +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG") + export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \ +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.") + export CLANG=clang-19; \ \ # configure options taken from: # https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5 @@ -172,8 +169,7 @@ RUN set -eux; \ zstd \ # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split icu-data-full \ -# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le" -# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663 +# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults") $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \ ; \ apk del --no-network .build-deps; \ @@ -206,18 +202,12 @@ ENTRYPOINT ["docker-entrypoint.sh"] # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL # calls "Fast Shutdown mode" wherein new connections are disallowed and any # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. +# flush tables to disk. # -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. -# -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details # about available PostgreSQL server shutdown signals. # -# See also https://www.postgresql.org/docs/12/server-start.html for further +# See also https://www.postgresql.org/docs/current/server-start.html for further # justification of this as the default value, namely that the example (and # shipped) systemd service files use the "Fast Shutdown mode" for service # termination. @@ -227,10 +217,10 @@ STOPSIGNAL SIGINT # An additional setting that is recommended for all users regardless of this # value is the runtime "--stop-timeout" (or your orchestrator/runtime's # equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# STOPSIGNAL and sending SIGKILL. # # The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# documentation at https://www.postgresql.org/docs/current/server-start.html notes # that even 90 seconds may not be long enough in many instances. EXPOSE 5432 diff --git a/12/bullseye/docker-ensure-initdb.sh b/14/alpine3.22/docker-ensure-initdb.sh similarity index 98% rename from 12/bullseye/docker-ensure-initdb.sh rename to 14/alpine3.22/docker-ensure-initdb.sh index ae1f6b6b90..e9b15ef77d 100755 --- a/12/bullseye/docker-ensure-initdb.sh +++ b/14/alpine3.22/docker-ensure-initdb.sh @@ -33,6 +33,7 @@ fi # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/12/bookworm/docker-entrypoint.sh b/14/alpine3.22/docker-entrypoint.sh similarity index 88% rename from 12/bookworm/docker-entrypoint.sh rename to 14/alpine3.22/docker-entrypoint.sh index 6f59993e08..5a62870b50 100755 --- a/12/bookworm/docker-entrypoint.sh +++ b/14/alpine3.22/docker-entrypoint.sh @@ -104,7 +104,7 @@ docker_init_database_dir() { # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] docker_verify_minimum_env() { case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 # check password first so we can output the warning before postgres # messes it up if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then @@ -154,6 +154,29 @@ docker_verify_minimum_env() { EOWARN fi } +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} # usage: docker_process_init_files [file [file [...]]] # ie: docker_process_init_files /always-initdb.d/* @@ -230,9 +253,17 @@ docker_setup_env() { declare -g DATABASE_ALREADY_EXISTS : "${DATABASE_ALREADY_EXISTS:=}" + declare -ag OLD_DATABASES=() # look specifically for PG_VERSION, as it is expected in the DB dir if [ -s "$PGDATA/PG_VERSION" ]; then DATABASE_ALREADY_EXISTS='true' + elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then + # https://github.com/docker-library/postgres/pull/1259 + for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do + if [ -s "$d/PG_VERSION" ]; then + OLD_DATABASES+=( "$d" ) + fi + done fi } @@ -252,7 +283,7 @@ pg_setup_hba_conf() { printf '\n' if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then printf '# warning trust is enabled for all connections\n' - printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n' + printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n' fi printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD" } >> "$PGDATA/pg_hba.conf" @@ -269,6 +300,9 @@ docker_temp_server_start() { # does not listen on external TCP/IP and waits until start finishes set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ PGUSER="${PGUSER:-$POSTGRES_USER}" \ pg_ctl -D "$PGDATA" \ -o "$(printf '%q ' "$@")" \ @@ -316,6 +350,7 @@ _main() { # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/14/bookworm/Dockerfile b/14/bookworm/Dockerfile index 88743d5041..e9a0e21b1c 100644 --- a/14/bookworm/Dockerfile +++ b/14/bookworm/Dockerfile @@ -89,7 +89,7 @@ RUN set -ex; \ ENV PG_MAJOR 14 ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin -ENV PG_VERSION 14.13-1.pgdg120+1 +ENV PG_VERSION 14.18-1.pgdg120+1 RUN set -ex; \ \ @@ -99,7 +99,7 @@ RUN set -ex; \ dpkgArch="$(dpkg --print-architecture)"; \ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main $PG_MAJOR"; \ case "$dpkgArch" in \ - amd64 | arm64 | ppc64el | s390x) \ + amd64 | arm64 | ppc64el) \ # arches officialy built by upstream echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \ apt-get update; \ @@ -131,10 +131,9 @@ RUN set -ex; \ # build .deb files from upstream's source packages (which are verified by apt-get) nproc="$(nproc)"; \ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \ -# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876 -# (and it "Depends: pgdg-keyring") - apt-get build-dep -y postgresql-common pgdg-keyring; \ - apt-get source --compile postgresql-common pgdg-keyring; \ +# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9 + apt-get build-dep -y postgresql-common-dev; \ + apt-get source --compile postgresql-common-dev; \ _update_repo; \ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \ @@ -194,18 +193,12 @@ ENTRYPOINT ["docker-entrypoint.sh"] # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL # calls "Fast Shutdown mode" wherein new connections are disallowed and any # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. +# flush tables to disk. # -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. -# -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details # about available PostgreSQL server shutdown signals. # -# See also https://www.postgresql.org/docs/12/server-start.html for further +# See also https://www.postgresql.org/docs/current/server-start.html for further # justification of this as the default value, namely that the example (and # shipped) systemd service files use the "Fast Shutdown mode" for service # termination. @@ -215,10 +208,10 @@ STOPSIGNAL SIGINT # An additional setting that is recommended for all users regardless of this # value is the runtime "--stop-timeout" (or your orchestrator/runtime's # equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# STOPSIGNAL and sending SIGKILL. # # The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# documentation at https://www.postgresql.org/docs/current/server-start.html notes # that even 90 seconds may not be long enough in many instances. EXPOSE 5432 diff --git a/14/bookworm/docker-ensure-initdb.sh b/14/bookworm/docker-ensure-initdb.sh index ae1f6b6b90..e9b15ef77d 100755 --- a/14/bookworm/docker-ensure-initdb.sh +++ b/14/bookworm/docker-ensure-initdb.sh @@ -33,6 +33,7 @@ fi # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/14/bookworm/docker-entrypoint.sh b/14/bookworm/docker-entrypoint.sh index 6f59993e08..5a62870b50 100755 --- a/14/bookworm/docker-entrypoint.sh +++ b/14/bookworm/docker-entrypoint.sh @@ -104,7 +104,7 @@ docker_init_database_dir() { # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] docker_verify_minimum_env() { case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 # check password first so we can output the warning before postgres # messes it up if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then @@ -154,6 +154,29 @@ docker_verify_minimum_env() { EOWARN fi } +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} # usage: docker_process_init_files [file [file [...]]] # ie: docker_process_init_files /always-initdb.d/* @@ -230,9 +253,17 @@ docker_setup_env() { declare -g DATABASE_ALREADY_EXISTS : "${DATABASE_ALREADY_EXISTS:=}" + declare -ag OLD_DATABASES=() # look specifically for PG_VERSION, as it is expected in the DB dir if [ -s "$PGDATA/PG_VERSION" ]; then DATABASE_ALREADY_EXISTS='true' + elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then + # https://github.com/docker-library/postgres/pull/1259 + for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do + if [ -s "$d/PG_VERSION" ]; then + OLD_DATABASES+=( "$d" ) + fi + done fi } @@ -252,7 +283,7 @@ pg_setup_hba_conf() { printf '\n' if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then printf '# warning trust is enabled for all connections\n' - printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n' + printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n' fi printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD" } >> "$PGDATA/pg_hba.conf" @@ -269,6 +300,9 @@ docker_temp_server_start() { # does not listen on external TCP/IP and waits until start finishes set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ PGUSER="${PGUSER:-$POSTGRES_USER}" \ pg_ctl -D "$PGDATA" \ -o "$(printf '%q ' "$@")" \ @@ -316,6 +350,7 @@ _main() { # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/14/bullseye/Dockerfile b/14/bullseye/Dockerfile index a69d4098f9..ff863ef774 100644 --- a/14/bullseye/Dockerfile +++ b/14/bullseye/Dockerfile @@ -89,7 +89,7 @@ RUN set -ex; \ ENV PG_MAJOR 14 ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin -ENV PG_VERSION 14.13-1.pgdg110+1 +ENV PG_VERSION 14.18-1.pgdg110+1 RUN set -ex; \ \ @@ -99,7 +99,7 @@ RUN set -ex; \ dpkgArch="$(dpkg --print-architecture)"; \ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bullseye-pgdg main $PG_MAJOR"; \ case "$dpkgArch" in \ - amd64 | arm64 | ppc64el | s390x) \ + amd64 | arm64 | ppc64el) \ # arches officialy built by upstream echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \ apt-get update; \ @@ -131,10 +131,9 @@ RUN set -ex; \ # build .deb files from upstream's source packages (which are verified by apt-get) nproc="$(nproc)"; \ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \ -# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876 -# (and it "Depends: pgdg-keyring") - apt-get build-dep -y postgresql-common pgdg-keyring; \ - apt-get source --compile postgresql-common pgdg-keyring; \ +# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9 + apt-get build-dep -y postgresql-common-dev; \ + apt-get source --compile postgresql-common-dev; \ _update_repo; \ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \ @@ -194,18 +193,12 @@ ENTRYPOINT ["docker-entrypoint.sh"] # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL # calls "Fast Shutdown mode" wherein new connections are disallowed and any # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. +# flush tables to disk. # -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. -# -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details # about available PostgreSQL server shutdown signals. # -# See also https://www.postgresql.org/docs/12/server-start.html for further +# See also https://www.postgresql.org/docs/current/server-start.html for further # justification of this as the default value, namely that the example (and # shipped) systemd service files use the "Fast Shutdown mode" for service # termination. @@ -215,10 +208,10 @@ STOPSIGNAL SIGINT # An additional setting that is recommended for all users regardless of this # value is the runtime "--stop-timeout" (or your orchestrator/runtime's # equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# STOPSIGNAL and sending SIGKILL. # # The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# documentation at https://www.postgresql.org/docs/current/server-start.html notes # that even 90 seconds may not be long enough in many instances. EXPOSE 5432 diff --git a/14/bullseye/docker-ensure-initdb.sh b/14/bullseye/docker-ensure-initdb.sh index ae1f6b6b90..e9b15ef77d 100755 --- a/14/bullseye/docker-ensure-initdb.sh +++ b/14/bullseye/docker-ensure-initdb.sh @@ -33,6 +33,7 @@ fi # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/14/bullseye/docker-entrypoint.sh b/14/bullseye/docker-entrypoint.sh index 6f59993e08..5a62870b50 100755 --- a/14/bullseye/docker-entrypoint.sh +++ b/14/bullseye/docker-entrypoint.sh @@ -104,7 +104,7 @@ docker_init_database_dir() { # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] docker_verify_minimum_env() { case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 # check password first so we can output the warning before postgres # messes it up if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then @@ -154,6 +154,29 @@ docker_verify_minimum_env() { EOWARN fi } +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} # usage: docker_process_init_files [file [file [...]]] # ie: docker_process_init_files /always-initdb.d/* @@ -230,9 +253,17 @@ docker_setup_env() { declare -g DATABASE_ALREADY_EXISTS : "${DATABASE_ALREADY_EXISTS:=}" + declare -ag OLD_DATABASES=() # look specifically for PG_VERSION, as it is expected in the DB dir if [ -s "$PGDATA/PG_VERSION" ]; then DATABASE_ALREADY_EXISTS='true' + elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then + # https://github.com/docker-library/postgres/pull/1259 + for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do + if [ -s "$d/PG_VERSION" ]; then + OLD_DATABASES+=( "$d" ) + fi + done fi } @@ -252,7 +283,7 @@ pg_setup_hba_conf() { printf '\n' if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then printf '# warning trust is enabled for all connections\n' - printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n' + printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n' fi printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD" } >> "$PGDATA/pg_hba.conf" @@ -269,6 +300,9 @@ docker_temp_server_start() { # does not listen on external TCP/IP and waits until start finishes set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ PGUSER="${PGUSER:-$POSTGRES_USER}" \ pg_ctl -D "$PGDATA" \ -o "$(printf '%q ' "$@")" \ @@ -316,6 +350,7 @@ _main() { # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/15/alpine3.19/docker-ensure-initdb.sh b/15/alpine3.19/docker-ensure-initdb.sh deleted file mode 100755 index ae1f6b6b90..0000000000 --- a/15/alpine3.19/docker-ensure-initdb.sh +++ /dev/null @@ -1,71 +0,0 @@ -#!/usr/bin/env bash -set -Eeuo pipefail - -# -# This script is intended for three main use cases: -# -# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior -# -# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution -# (no-op if database is already initialized) -# -# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use -# (error if database is already initialized) -# - -source /usr/local/bin/docker-entrypoint.sh - -# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there) -if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then - set -- postgres "$@" -fi - -# see also "_main" in "docker-entrypoint.sh" - -docker_setup_env -# setup data directories and permissions (when run as root) -docker_create_db_directories -if [ "$(id -u)" = '0' ]; then - # then restart script as postgres user - exec gosu postgres "$BASH_SOURCE" "$@" -fi - -# only run initialization on an empty data directory -if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir - pg_setup_hba_conf "$@" - - # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless - # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - docker_temp_server_start "$@" - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - docker_temp_server_stop - unset PGPASSWORD -else - self="$(basename "$0")" - case "$self" in - docker-ensure-initdb.sh) - echo >&2 "$self: note: database already initialized in '$PGDATA'!" - exit 0 - ;; - - docker-enforce-initdb.sh) - echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!" - exit 1 - ;; - - *) - echo >&2 "$self: error: unknown file name: $self" - exit 99 - ;; - esac -fi diff --git a/15/alpine3.19/docker-entrypoint.sh b/15/alpine3.19/docker-entrypoint.sh deleted file mode 100755 index 6f59993e08..0000000000 --- a/15/alpine3.19/docker-entrypoint.sh +++ /dev/null @@ -1,356 +0,0 @@ -#!/usr/bin/env bash -set -Eeo pipefail -# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) - -# usage: file_env VAR [DEFAULT] -# ie: file_env 'XYZ_DB_PASSWORD' 'example' -# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of -# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) -file_env() { - local var="$1" - local fileVar="${var}_FILE" - local def="${2:-}" - if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then - printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" - exit 1 - fi - local val="$def" - if [ "${!var:-}" ]; then - val="${!var}" - elif [ "${!fileVar:-}" ]; then - val="$(< "${!fileVar}")" - fi - export "$var"="$val" - unset "$fileVar" -} - -# check to see if this file is being run or sourced from another script -_is_sourced() { - # https://unix.stackexchange.com/a/215279 - [ "${#FUNCNAME[@]}" -ge 2 ] \ - && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ - && [ "${FUNCNAME[1]}" = 'source' ] -} - -# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user -docker_create_db_directories() { - local user; user="$(id -u)" - - mkdir -p "$PGDATA" - # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) - chmod 00700 "$PGDATA" || : - - # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 - mkdir -p /var/run/postgresql || : - chmod 03775 /var/run/postgresql || : - - # Create the transaction log directory before initdb is run so the directory is owned by the correct user - if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then - mkdir -p "$POSTGRES_INITDB_WALDIR" - if [ "$user" = '0' ]; then - find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + - fi - chmod 700 "$POSTGRES_INITDB_WALDIR" - fi - - # allow the container to be started with `--user` - if [ "$user" = '0' ]; then - find "$PGDATA" \! -user postgres -exec chown postgres '{}' + - find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + - fi -} - -# initialize empty PGDATA directory with new database via 'initdb' -# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function -# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames -# this is also where the database user is created, specified by `POSTGRES_USER` env -docker_init_database_dir() { - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - local uid; uid="$(id -u)" - if ! getent passwd "$uid" &> /dev/null; then - # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15) - local wrapper - for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do - if [ -s "$wrapper" ]; then - NSS_WRAPPER_PASSWD="$(mktemp)" - NSS_WRAPPER_GROUP="$(mktemp)" - export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - local gid; gid="$(id -g)" - printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD" - printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP" - break - fi - done - fi - - if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then - set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" - fi - - # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025 - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' - - # unset/cleanup "nss_wrapper" bits - if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi -} - -# print large warning if POSTGRES_PASSWORD is long -# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust' -# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' -# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] -docker_verify_minimum_env() { - case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 - # check password first so we can output the warning before postgres - # messes it up - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' - - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - - This will not work if used via PGPASSWORD with "psql". - - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 - - EOWARN - fi - ;; - esac - if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOE' - Error: Database is uninitialized and superuser password is not specified. - You must specify POSTGRES_PASSWORD to a non-empty value for the - superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run". - - You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all - connections without a password. This is *not* recommended. - - See PostgreSQL documentation about "trust": - https://www.postgresql.org/docs/current/auth-trust.html - EOE - exit 1 - fi - if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then - cat >&2 <<-'EOWARN' - ******************************************************************************** - WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow - anyone with access to the Postgres port to access your database without - a password, even if POSTGRES_PASSWORD is set. See PostgreSQL - documentation about "trust": - https://www.postgresql.org/docs/current/auth-trust.html - In Docker's default configuration, this is effectively any other - container on the same system. - - It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace - it with "-e POSTGRES_PASSWORD=password" instead to set a password in - "docker run". - ******************************************************************************** - EOWARN - fi -} - -# usage: docker_process_init_files [file [file [...]]] -# ie: docker_process_init_files /always-initdb.d/* -# process initializer files, based on file extensions and permissions -docker_process_init_files() { - # psql here for backwards compatibility "${psql[@]}" - psql=( docker_process_sql ) - - printf '\n' - local f - for f; do - case "$f" in - *.sh) - # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 - # https://github.com/docker-library/postgres/pull/452 - if [ -x "$f" ]; then - printf '%s: running %s\n' "$0" "$f" - "$f" - else - printf '%s: sourcing %s\n' "$0" "$f" - . "$f" - fi - ;; - *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;; - *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;; - *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;; - *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;; - *) printf '%s: ignoring %s\n' "$0" "$f" ;; - esac - printf '\n' - done -} - -# Execute sql script, passed via stdin (or -f flag of pqsl) -# usage: docker_process_sql [psql-cli-args] -# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' -# ie: docker_process_sql -f my-file.sql -# ie: docker_process_sql > "$PGDATA/pg_hba.conf" -} - -# start socket-only postgresql server for setting up or running scripts -# all arguments will be passed along as arguments to `postgres` (via pg_ctl) -docker_temp_server_start() { - if [ "$1" = 'postgres' ]; then - shift - fi - - # internal start of server in order to allow setup using psql client - # does not listen on external TCP/IP and waits until start finishes - set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" - - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "$(printf '%q ' "$@")" \ - -w start -} - -# stop postgresql server after done setting up user and running scripts -docker_temp_server_stop() { - PGUSER="${PGUSER:-postgres}" \ - pg_ctl -D "$PGDATA" -m fast -w stop -} - -# check arguments for an option that would cause postgres to stop -# return true if there is one -_pg_want_help() { - local arg - for arg; do - case "$arg" in - # postgres --help | grep 'then exit' - # leaving out -C on purpose since it always fails and is unhelpful: - # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory - -'?'|--help|--describe-config|-V|--version) - return 0 - ;; - esac - done - return 1 -} - -_main() { - # if first arg looks like a flag, assume we want to run postgres server - if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" - fi - - if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then - docker_setup_env - # setup data directories and permissions (when run as root) - docker_create_db_directories - if [ "$(id -u)" = '0' ]; then - # then restart script as postgres user - exec gosu postgres "$BASH_SOURCE" "$@" - fi - - # only run initialization on an empty data directory - if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir - pg_setup_hba_conf "$@" - - # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless - # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - docker_temp_server_start "$@" - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - docker_temp_server_stop - unset PGPASSWORD - - cat <<-'EOM' - - PostgreSQL init process complete; ready for start up. - - EOM - else - cat <<-'EOM' - - PostgreSQL Database directory appears to contain a database; Skipping initialization - - EOM - fi - fi - - exec "$@" -} - -if ! _is_sourced; then - _main "$@" -fi diff --git a/15/alpine3.20/docker-ensure-initdb.sh b/15/alpine3.20/docker-ensure-initdb.sh deleted file mode 100755 index ae1f6b6b90..0000000000 --- a/15/alpine3.20/docker-ensure-initdb.sh +++ /dev/null @@ -1,71 +0,0 @@ -#!/usr/bin/env bash -set -Eeuo pipefail - -# -# This script is intended for three main use cases: -# -# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior -# -# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution -# (no-op if database is already initialized) -# -# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use -# (error if database is already initialized) -# - -source /usr/local/bin/docker-entrypoint.sh - -# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there) -if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then - set -- postgres "$@" -fi - -# see also "_main" in "docker-entrypoint.sh" - -docker_setup_env -# setup data directories and permissions (when run as root) -docker_create_db_directories -if [ "$(id -u)" = '0' ]; then - # then restart script as postgres user - exec gosu postgres "$BASH_SOURCE" "$@" -fi - -# only run initialization on an empty data directory -if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir - pg_setup_hba_conf "$@" - - # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless - # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - docker_temp_server_start "$@" - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - docker_temp_server_stop - unset PGPASSWORD -else - self="$(basename "$0")" - case "$self" in - docker-ensure-initdb.sh) - echo >&2 "$self: note: database already initialized in '$PGDATA'!" - exit 0 - ;; - - docker-enforce-initdb.sh) - echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!" - exit 1 - ;; - - *) - echo >&2 "$self: error: unknown file name: $self" - exit 99 - ;; - esac -fi diff --git a/15/alpine3.20/docker-entrypoint.sh b/15/alpine3.20/docker-entrypoint.sh deleted file mode 100755 index 6f59993e08..0000000000 --- a/15/alpine3.20/docker-entrypoint.sh +++ /dev/null @@ -1,356 +0,0 @@ -#!/usr/bin/env bash -set -Eeo pipefail -# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) - -# usage: file_env VAR [DEFAULT] -# ie: file_env 'XYZ_DB_PASSWORD' 'example' -# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of -# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) -file_env() { - local var="$1" - local fileVar="${var}_FILE" - local def="${2:-}" - if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then - printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" - exit 1 - fi - local val="$def" - if [ "${!var:-}" ]; then - val="${!var}" - elif [ "${!fileVar:-}" ]; then - val="$(< "${!fileVar}")" - fi - export "$var"="$val" - unset "$fileVar" -} - -# check to see if this file is being run or sourced from another script -_is_sourced() { - # https://unix.stackexchange.com/a/215279 - [ "${#FUNCNAME[@]}" -ge 2 ] \ - && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ - && [ "${FUNCNAME[1]}" = 'source' ] -} - -# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user -docker_create_db_directories() { - local user; user="$(id -u)" - - mkdir -p "$PGDATA" - # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) - chmod 00700 "$PGDATA" || : - - # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 - mkdir -p /var/run/postgresql || : - chmod 03775 /var/run/postgresql || : - - # Create the transaction log directory before initdb is run so the directory is owned by the correct user - if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then - mkdir -p "$POSTGRES_INITDB_WALDIR" - if [ "$user" = '0' ]; then - find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + - fi - chmod 700 "$POSTGRES_INITDB_WALDIR" - fi - - # allow the container to be started with `--user` - if [ "$user" = '0' ]; then - find "$PGDATA" \! -user postgres -exec chown postgres '{}' + - find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + - fi -} - -# initialize empty PGDATA directory with new database via 'initdb' -# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function -# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames -# this is also where the database user is created, specified by `POSTGRES_USER` env -docker_init_database_dir() { - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - local uid; uid="$(id -u)" - if ! getent passwd "$uid" &> /dev/null; then - # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15) - local wrapper - for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do - if [ -s "$wrapper" ]; then - NSS_WRAPPER_PASSWD="$(mktemp)" - NSS_WRAPPER_GROUP="$(mktemp)" - export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - local gid; gid="$(id -g)" - printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD" - printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP" - break - fi - done - fi - - if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then - set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" - fi - - # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025 - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' - - # unset/cleanup "nss_wrapper" bits - if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi -} - -# print large warning if POSTGRES_PASSWORD is long -# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust' -# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' -# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] -docker_verify_minimum_env() { - case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 - # check password first so we can output the warning before postgres - # messes it up - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' - - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - - This will not work if used via PGPASSWORD with "psql". - - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 - - EOWARN - fi - ;; - esac - if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOE' - Error: Database is uninitialized and superuser password is not specified. - You must specify POSTGRES_PASSWORD to a non-empty value for the - superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run". - - You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all - connections without a password. This is *not* recommended. - - See PostgreSQL documentation about "trust": - https://www.postgresql.org/docs/current/auth-trust.html - EOE - exit 1 - fi - if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then - cat >&2 <<-'EOWARN' - ******************************************************************************** - WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow - anyone with access to the Postgres port to access your database without - a password, even if POSTGRES_PASSWORD is set. See PostgreSQL - documentation about "trust": - https://www.postgresql.org/docs/current/auth-trust.html - In Docker's default configuration, this is effectively any other - container on the same system. - - It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace - it with "-e POSTGRES_PASSWORD=password" instead to set a password in - "docker run". - ******************************************************************************** - EOWARN - fi -} - -# usage: docker_process_init_files [file [file [...]]] -# ie: docker_process_init_files /always-initdb.d/* -# process initializer files, based on file extensions and permissions -docker_process_init_files() { - # psql here for backwards compatibility "${psql[@]}" - psql=( docker_process_sql ) - - printf '\n' - local f - for f; do - case "$f" in - *.sh) - # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 - # https://github.com/docker-library/postgres/pull/452 - if [ -x "$f" ]; then - printf '%s: running %s\n' "$0" "$f" - "$f" - else - printf '%s: sourcing %s\n' "$0" "$f" - . "$f" - fi - ;; - *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;; - *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;; - *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;; - *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;; - *) printf '%s: ignoring %s\n' "$0" "$f" ;; - esac - printf '\n' - done -} - -# Execute sql script, passed via stdin (or -f flag of pqsl) -# usage: docker_process_sql [psql-cli-args] -# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' -# ie: docker_process_sql -f my-file.sql -# ie: docker_process_sql > "$PGDATA/pg_hba.conf" -} - -# start socket-only postgresql server for setting up or running scripts -# all arguments will be passed along as arguments to `postgres` (via pg_ctl) -docker_temp_server_start() { - if [ "$1" = 'postgres' ]; then - shift - fi - - # internal start of server in order to allow setup using psql client - # does not listen on external TCP/IP and waits until start finishes - set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" - - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "$(printf '%q ' "$@")" \ - -w start -} - -# stop postgresql server after done setting up user and running scripts -docker_temp_server_stop() { - PGUSER="${PGUSER:-postgres}" \ - pg_ctl -D "$PGDATA" -m fast -w stop -} - -# check arguments for an option that would cause postgres to stop -# return true if there is one -_pg_want_help() { - local arg - for arg; do - case "$arg" in - # postgres --help | grep 'then exit' - # leaving out -C on purpose since it always fails and is unhelpful: - # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory - -'?'|--help|--describe-config|-V|--version) - return 0 - ;; - esac - done - return 1 -} - -_main() { - # if first arg looks like a flag, assume we want to run postgres server - if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" - fi - - if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then - docker_setup_env - # setup data directories and permissions (when run as root) - docker_create_db_directories - if [ "$(id -u)" = '0' ]; then - # then restart script as postgres user - exec gosu postgres "$BASH_SOURCE" "$@" - fi - - # only run initialization on an empty data directory - if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir - pg_setup_hba_conf "$@" - - # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless - # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - docker_temp_server_start "$@" - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - docker_temp_server_stop - unset PGPASSWORD - - cat <<-'EOM' - - PostgreSQL init process complete; ready for start up. - - EOM - else - cat <<-'EOM' - - PostgreSQL Database directory appears to contain a database; Skipping initialization - - EOM - fi - fi - - exec "$@" -} - -if ! _is_sourced; then - _main "$@" -fi diff --git a/15/alpine3.19/Dockerfile b/15/alpine3.21/Dockerfile similarity index 79% rename from 15/alpine3.19/Dockerfile rename to 15/alpine3.21/Dockerfile index e9c2dbb37d..91ab89c023 100644 --- a/15/alpine3.19/Dockerfile +++ b/15/alpine3.21/Dockerfile @@ -4,10 +4,10 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # -FROM alpine:3.19 +FROM alpine:3.21 # 70 is the standard uid/gid for "postgres" in Alpine -# https://git.alpinelinux.org/aports/tree/main/postgresql/postgresql.pre-install?h=3.12-stable +# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable RUN set -eux; \ addgroup -g 70 -S postgres; \ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \ @@ -53,12 +53,12 @@ ENV LANG en_US.utf8 RUN mkdir /docker-entrypoint-initdb.d ENV PG_MAJOR 15 -ENV PG_VERSION 15.8 -ENV PG_SHA256 4403515f9a69eeb3efebc98f30b8c696122bfdf895e92b3b23f5b8e769edcb6a +ENV PG_VERSION 15.13 +ENV PG_SHA256 4f62e133d22ea08a0401b0840920e26698644d01a80c34341fb732dd0a90ca5d ENV DOCKER_PG_LLVM_DEPS \ - llvm15-dev \ - clang15 + llvm19-dev \ + clang19 RUN set -eux; \ \ @@ -112,14 +112,11 @@ RUN set -eux; \ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ -# explicitly update autoconf config.guess and config.sub so they support more arches/libcs - wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb'; \ - wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb'; \ \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n158 - export LLVM_CONFIG="/usr/lib/llvm15/bin/llvm-config"; \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n163 - export CLANG=clang-15; \ +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG") + export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \ +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.") + export CLANG=clang-19; \ \ # configure options taken from: # https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5 @@ -175,8 +172,7 @@ RUN set -eux; \ zstd \ # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split icu-data-full \ -# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le" -# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663 +# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults") $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \ ; \ apk del --no-network .build-deps; \ @@ -209,18 +205,12 @@ ENTRYPOINT ["docker-entrypoint.sh"] # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL # calls "Fast Shutdown mode" wherein new connections are disallowed and any # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. +# flush tables to disk. # -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. -# -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details # about available PostgreSQL server shutdown signals. # -# See also https://www.postgresql.org/docs/12/server-start.html for further +# See also https://www.postgresql.org/docs/current/server-start.html for further # justification of this as the default value, namely that the example (and # shipped) systemd service files use the "Fast Shutdown mode" for service # termination. @@ -230,10 +220,10 @@ STOPSIGNAL SIGINT # An additional setting that is recommended for all users regardless of this # value is the runtime "--stop-timeout" (or your orchestrator/runtime's # equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# STOPSIGNAL and sending SIGKILL. # # The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# documentation at https://www.postgresql.org/docs/current/server-start.html notes # that even 90 seconds may not be long enough in many instances. EXPOSE 5432 diff --git a/15/alpine3.21/docker-ensure-initdb.sh b/15/alpine3.21/docker-ensure-initdb.sh new file mode 100755 index 0000000000..e9b15ef77d --- /dev/null +++ b/15/alpine3.21/docker-ensure-initdb.sh @@ -0,0 +1,72 @@ +#!/usr/bin/env bash +set -Eeuo pipefail + +# +# This script is intended for three main use cases: +# +# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior +# +# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution +# (no-op if database is already initialized) +# +# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use +# (error if database is already initialized) +# + +source /usr/local/bin/docker-entrypoint.sh + +# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there) +if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then + set -- postgres "$@" +fi + +# see also "_main" in "docker-entrypoint.sh" + +docker_setup_env +# setup data directories and permissions (when run as root) +docker_create_db_directories +if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" +fi + +# only run initialization on an empty data directory +if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_error_old_databases + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + docker_init_database_dir + pg_setup_hba_conf "$@" + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD +else + self="$(basename "$0")" + case "$self" in + docker-ensure-initdb.sh) + echo >&2 "$self: note: database already initialized in '$PGDATA'!" + exit 0 + ;; + + docker-enforce-initdb.sh) + echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!" + exit 1 + ;; + + *) + echo >&2 "$self: error: unknown file name: $self" + exit 99 + ;; + esac +fi diff --git a/15/alpine3.21/docker-entrypoint.sh b/15/alpine3.21/docker-entrypoint.sh new file mode 100755 index 0000000000..5a62870b50 --- /dev/null +++ b/15/alpine3.21/docker-entrypoint.sh @@ -0,0 +1,391 @@ +#!/usr/bin/env bash +set -Eeo pipefail +# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) + +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then + printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" + exit 1 + fi + local val="$def" + if [ "${!var:-}" ]; then + val="${!var}" + elif [ "${!fileVar:-}" ]; then + val="$(< "${!fileVar}")" + fi + export "$var"="$val" + unset "$fileVar" +} + +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user +docker_create_db_directories() { + local user; user="$(id -u)" + + mkdir -p "$PGDATA" + # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) + chmod 00700 "$PGDATA" || : + + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 03775 /var/run/postgresql || : + + # Create the transaction log directory before initdb is run so the directory is owned by the correct user + if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then + mkdir -p "$POSTGRES_INITDB_WALDIR" + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + + fi + chmod 700 "$POSTGRES_INITDB_WALDIR" + fi + + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} + +# initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env +docker_init_database_dir() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + local uid; uid="$(id -u)" + if ! getent passwd "$uid" &> /dev/null; then + # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15) + local wrapper + for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do + if [ -s "$wrapper" ]; then + NSS_WRAPPER_PASSWD="$(mktemp)" + NSS_WRAPPER_GROUP="$(mktemp)" + export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + local gid; gid="$(id -g)" + printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD" + printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP" + break + fi + done + fi + + if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then + set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" + fi + + # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025 + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' + + # unset/cleanup "nss_wrapper" bits + if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} + +# print large warning if POSTGRES_PASSWORD is long +# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust' +# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' +# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] +docker_verify_minimum_env() { + case "${PG_MAJOR:-}" in + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' + + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + + This will not work if used via PGPASSWORD with "psql". + + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 + + EOWARN + fi + ;; + esac + if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOE' + Error: Database is uninitialized and superuser password is not specified. + You must specify POSTGRES_PASSWORD to a non-empty value for the + superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run". + + You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all + connections without a password. This is *not* recommended. + + See PostgreSQL documentation about "trust": + https://www.postgresql.org/docs/current/auth-trust.html + EOE + exit 1 + fi + if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then + cat >&2 <<-'EOWARN' + ******************************************************************************** + WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow + anyone with access to the Postgres port to access your database without + a password, even if POSTGRES_PASSWORD is set. See PostgreSQL + documentation about "trust": + https://www.postgresql.org/docs/current/auth-trust.html + In Docker's default configuration, this is effectively any other + container on the same system. + + It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace + it with "-e POSTGRES_PASSWORD=password" instead to set a password in + "docker run". + ******************************************************************************** + EOWARN + fi +} +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} + +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions +docker_process_init_files() { + # psql here for backwards compatibility "${psql[@]}" + psql=( docker_process_sql ) + + printf '\n' + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + printf '%s: running %s\n' "$0" "$f" + "$f" + else + printf '%s: sourcing %s\n' "$0" "$f" + . "$f" + fi + ;; + *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;; + *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;; + *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;; + *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;; + *) printf '%s: ignoring %s\n' "$0" "$f" ;; + esac + printf '\n' + done +} + +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' +# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up or running scripts +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temp_server_start() { + if [ "$1" = 'postgres' ]; then + shift + fi + + # internal start of server in order to allow setup using psql client + # does not listen on external TCP/IP and waits until start finishes + set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "$(printf '%q ' "$@")" \ + -w start +} + +# stop postgresql server after done setting up user and running scripts +docker_temp_server_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +# check arguments for an option that would cause postgres to stop +# return true if there is one +_pg_want_help() { + local arg + for arg; do + case "$arg" in + # postgres --help | grep 'then exit' + # leaving out -C on purpose since it always fails and is unhelpful: + # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory + -'?'|--help|--describe-config|-V|--version) + return 0 + ;; + esac + done + return 1 +} + +_main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" + fi + + if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then + docker_setup_env + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" + fi + + # only run initialization on an empty data directory + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_error_old_databases + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + docker_init_database_dir + pg_setup_hba_conf "$@" + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD + + cat <<-'EOM' + + PostgreSQL init process complete; ready for start up. + + EOM + else + cat <<-'EOM' + + PostgreSQL Database directory appears to contain a database; Skipping initialization + + EOM + fi + fi + + exec "$@" +} + +if ! _is_sourced; then + _main "$@" +fi diff --git a/15/alpine3.20/Dockerfile b/15/alpine3.22/Dockerfile similarity index 79% rename from 15/alpine3.20/Dockerfile rename to 15/alpine3.22/Dockerfile index 83e8a4640d..201065d8a3 100644 --- a/15/alpine3.20/Dockerfile +++ b/15/alpine3.22/Dockerfile @@ -4,10 +4,10 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # -FROM alpine:3.20 +FROM alpine:3.22 # 70 is the standard uid/gid for "postgres" in Alpine -# https://git.alpinelinux.org/aports/tree/main/postgresql/postgresql.pre-install?h=3.12-stable +# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable RUN set -eux; \ addgroup -g 70 -S postgres; \ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \ @@ -53,12 +53,12 @@ ENV LANG en_US.utf8 RUN mkdir /docker-entrypoint-initdb.d ENV PG_MAJOR 15 -ENV PG_VERSION 15.8 -ENV PG_SHA256 4403515f9a69eeb3efebc98f30b8c696122bfdf895e92b3b23f5b8e769edcb6a +ENV PG_VERSION 15.13 +ENV PG_SHA256 4f62e133d22ea08a0401b0840920e26698644d01a80c34341fb732dd0a90ca5d ENV DOCKER_PG_LLVM_DEPS \ - llvm15-dev \ - clang15 + llvm19-dev \ + clang19 RUN set -eux; \ \ @@ -112,14 +112,11 @@ RUN set -eux; \ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ -# explicitly update autoconf config.guess and config.sub so they support more arches/libcs - wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb'; \ - wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb'; \ \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n158 - export LLVM_CONFIG="/usr/lib/llvm15/bin/llvm-config"; \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n163 - export CLANG=clang-15; \ +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG") + export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \ +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.") + export CLANG=clang-19; \ \ # configure options taken from: # https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5 @@ -175,8 +172,7 @@ RUN set -eux; \ zstd \ # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split icu-data-full \ -# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le" -# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663 +# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults") $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \ ; \ apk del --no-network .build-deps; \ @@ -209,18 +205,12 @@ ENTRYPOINT ["docker-entrypoint.sh"] # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL # calls "Fast Shutdown mode" wherein new connections are disallowed and any # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. +# flush tables to disk. # -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. -# -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details # about available PostgreSQL server shutdown signals. # -# See also https://www.postgresql.org/docs/12/server-start.html for further +# See also https://www.postgresql.org/docs/current/server-start.html for further # justification of this as the default value, namely that the example (and # shipped) systemd service files use the "Fast Shutdown mode" for service # termination. @@ -230,10 +220,10 @@ STOPSIGNAL SIGINT # An additional setting that is recommended for all users regardless of this # value is the runtime "--stop-timeout" (or your orchestrator/runtime's # equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# STOPSIGNAL and sending SIGKILL. # # The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# documentation at https://www.postgresql.org/docs/current/server-start.html notes # that even 90 seconds may not be long enough in many instances. EXPOSE 5432 diff --git a/15/alpine3.22/docker-ensure-initdb.sh b/15/alpine3.22/docker-ensure-initdb.sh new file mode 100755 index 0000000000..e9b15ef77d --- /dev/null +++ b/15/alpine3.22/docker-ensure-initdb.sh @@ -0,0 +1,72 @@ +#!/usr/bin/env bash +set -Eeuo pipefail + +# +# This script is intended for three main use cases: +# +# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior +# +# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution +# (no-op if database is already initialized) +# +# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use +# (error if database is already initialized) +# + +source /usr/local/bin/docker-entrypoint.sh + +# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there) +if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then + set -- postgres "$@" +fi + +# see also "_main" in "docker-entrypoint.sh" + +docker_setup_env +# setup data directories and permissions (when run as root) +docker_create_db_directories +if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" +fi + +# only run initialization on an empty data directory +if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_error_old_databases + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + docker_init_database_dir + pg_setup_hba_conf "$@" + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD +else + self="$(basename "$0")" + case "$self" in + docker-ensure-initdb.sh) + echo >&2 "$self: note: database already initialized in '$PGDATA'!" + exit 0 + ;; + + docker-enforce-initdb.sh) + echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!" + exit 1 + ;; + + *) + echo >&2 "$self: error: unknown file name: $self" + exit 99 + ;; + esac +fi diff --git a/15/alpine3.22/docker-entrypoint.sh b/15/alpine3.22/docker-entrypoint.sh new file mode 100755 index 0000000000..5a62870b50 --- /dev/null +++ b/15/alpine3.22/docker-entrypoint.sh @@ -0,0 +1,391 @@ +#!/usr/bin/env bash +set -Eeo pipefail +# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) + +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then + printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" + exit 1 + fi + local val="$def" + if [ "${!var:-}" ]; then + val="${!var}" + elif [ "${!fileVar:-}" ]; then + val="$(< "${!fileVar}")" + fi + export "$var"="$val" + unset "$fileVar" +} + +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user +docker_create_db_directories() { + local user; user="$(id -u)" + + mkdir -p "$PGDATA" + # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) + chmod 00700 "$PGDATA" || : + + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 03775 /var/run/postgresql || : + + # Create the transaction log directory before initdb is run so the directory is owned by the correct user + if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then + mkdir -p "$POSTGRES_INITDB_WALDIR" + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + + fi + chmod 700 "$POSTGRES_INITDB_WALDIR" + fi + + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} + +# initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env +docker_init_database_dir() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + local uid; uid="$(id -u)" + if ! getent passwd "$uid" &> /dev/null; then + # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15) + local wrapper + for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do + if [ -s "$wrapper" ]; then + NSS_WRAPPER_PASSWD="$(mktemp)" + NSS_WRAPPER_GROUP="$(mktemp)" + export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + local gid; gid="$(id -g)" + printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD" + printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP" + break + fi + done + fi + + if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then + set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" + fi + + # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025 + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' + + # unset/cleanup "nss_wrapper" bits + if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} + +# print large warning if POSTGRES_PASSWORD is long +# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust' +# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' +# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] +docker_verify_minimum_env() { + case "${PG_MAJOR:-}" in + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' + + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + + This will not work if used via PGPASSWORD with "psql". + + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 + + EOWARN + fi + ;; + esac + if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOE' + Error: Database is uninitialized and superuser password is not specified. + You must specify POSTGRES_PASSWORD to a non-empty value for the + superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run". + + You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all + connections without a password. This is *not* recommended. + + See PostgreSQL documentation about "trust": + https://www.postgresql.org/docs/current/auth-trust.html + EOE + exit 1 + fi + if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then + cat >&2 <<-'EOWARN' + ******************************************************************************** + WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow + anyone with access to the Postgres port to access your database without + a password, even if POSTGRES_PASSWORD is set. See PostgreSQL + documentation about "trust": + https://www.postgresql.org/docs/current/auth-trust.html + In Docker's default configuration, this is effectively any other + container on the same system. + + It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace + it with "-e POSTGRES_PASSWORD=password" instead to set a password in + "docker run". + ******************************************************************************** + EOWARN + fi +} +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} + +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions +docker_process_init_files() { + # psql here for backwards compatibility "${psql[@]}" + psql=( docker_process_sql ) + + printf '\n' + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + printf '%s: running %s\n' "$0" "$f" + "$f" + else + printf '%s: sourcing %s\n' "$0" "$f" + . "$f" + fi + ;; + *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;; + *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;; + *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;; + *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;; + *) printf '%s: ignoring %s\n' "$0" "$f" ;; + esac + printf '\n' + done +} + +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' +# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up or running scripts +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temp_server_start() { + if [ "$1" = 'postgres' ]; then + shift + fi + + # internal start of server in order to allow setup using psql client + # does not listen on external TCP/IP and waits until start finishes + set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "$(printf '%q ' "$@")" \ + -w start +} + +# stop postgresql server after done setting up user and running scripts +docker_temp_server_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +# check arguments for an option that would cause postgres to stop +# return true if there is one +_pg_want_help() { + local arg + for arg; do + case "$arg" in + # postgres --help | grep 'then exit' + # leaving out -C on purpose since it always fails and is unhelpful: + # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory + -'?'|--help|--describe-config|-V|--version) + return 0 + ;; + esac + done + return 1 +} + +_main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" + fi + + if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then + docker_setup_env + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" + fi + + # only run initialization on an empty data directory + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_error_old_databases + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + docker_init_database_dir + pg_setup_hba_conf "$@" + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD + + cat <<-'EOM' + + PostgreSQL init process complete; ready for start up. + + EOM + else + cat <<-'EOM' + + PostgreSQL Database directory appears to contain a database; Skipping initialization + + EOM + fi + fi + + exec "$@" +} + +if ! _is_sourced; then + _main "$@" +fi diff --git a/15/bookworm/Dockerfile b/15/bookworm/Dockerfile index 859acbfbdd..d58f9ab6a4 100644 --- a/15/bookworm/Dockerfile +++ b/15/bookworm/Dockerfile @@ -89,7 +89,7 @@ RUN set -ex; \ ENV PG_MAJOR 15 ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin -ENV PG_VERSION 15.8-1.pgdg120+1 +ENV PG_VERSION 15.13-1.pgdg120+1 RUN set -ex; \ \ @@ -99,7 +99,7 @@ RUN set -ex; \ dpkgArch="$(dpkg --print-architecture)"; \ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main $PG_MAJOR"; \ case "$dpkgArch" in \ - amd64 | arm64 | ppc64el | s390x) \ + amd64 | arm64 | ppc64el) \ # arches officialy built by upstream echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \ apt-get update; \ @@ -131,10 +131,9 @@ RUN set -ex; \ # build .deb files from upstream's source packages (which are verified by apt-get) nproc="$(nproc)"; \ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \ -# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876 -# (and it "Depends: pgdg-keyring") - apt-get build-dep -y postgresql-common pgdg-keyring; \ - apt-get source --compile postgresql-common pgdg-keyring; \ +# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9 + apt-get build-dep -y postgresql-common-dev; \ + apt-get source --compile postgresql-common-dev; \ _update_repo; \ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \ @@ -194,18 +193,12 @@ ENTRYPOINT ["docker-entrypoint.sh"] # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL # calls "Fast Shutdown mode" wherein new connections are disallowed and any # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. +# flush tables to disk. # -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. -# -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details # about available PostgreSQL server shutdown signals. # -# See also https://www.postgresql.org/docs/12/server-start.html for further +# See also https://www.postgresql.org/docs/current/server-start.html for further # justification of this as the default value, namely that the example (and # shipped) systemd service files use the "Fast Shutdown mode" for service # termination. @@ -215,10 +208,10 @@ STOPSIGNAL SIGINT # An additional setting that is recommended for all users regardless of this # value is the runtime "--stop-timeout" (or your orchestrator/runtime's # equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# STOPSIGNAL and sending SIGKILL. # # The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# documentation at https://www.postgresql.org/docs/current/server-start.html notes # that even 90 seconds may not be long enough in many instances. EXPOSE 5432 diff --git a/15/bookworm/docker-ensure-initdb.sh b/15/bookworm/docker-ensure-initdb.sh index ae1f6b6b90..e9b15ef77d 100755 --- a/15/bookworm/docker-ensure-initdb.sh +++ b/15/bookworm/docker-ensure-initdb.sh @@ -33,6 +33,7 @@ fi # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/15/bookworm/docker-entrypoint.sh b/15/bookworm/docker-entrypoint.sh index 6f59993e08..5a62870b50 100755 --- a/15/bookworm/docker-entrypoint.sh +++ b/15/bookworm/docker-entrypoint.sh @@ -104,7 +104,7 @@ docker_init_database_dir() { # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] docker_verify_minimum_env() { case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 # check password first so we can output the warning before postgres # messes it up if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then @@ -154,6 +154,29 @@ docker_verify_minimum_env() { EOWARN fi } +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} # usage: docker_process_init_files [file [file [...]]] # ie: docker_process_init_files /always-initdb.d/* @@ -230,9 +253,17 @@ docker_setup_env() { declare -g DATABASE_ALREADY_EXISTS : "${DATABASE_ALREADY_EXISTS:=}" + declare -ag OLD_DATABASES=() # look specifically for PG_VERSION, as it is expected in the DB dir if [ -s "$PGDATA/PG_VERSION" ]; then DATABASE_ALREADY_EXISTS='true' + elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then + # https://github.com/docker-library/postgres/pull/1259 + for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do + if [ -s "$d/PG_VERSION" ]; then + OLD_DATABASES+=( "$d" ) + fi + done fi } @@ -252,7 +283,7 @@ pg_setup_hba_conf() { printf '\n' if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then printf '# warning trust is enabled for all connections\n' - printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n' + printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n' fi printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD" } >> "$PGDATA/pg_hba.conf" @@ -269,6 +300,9 @@ docker_temp_server_start() { # does not listen on external TCP/IP and waits until start finishes set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ PGUSER="${PGUSER:-$POSTGRES_USER}" \ pg_ctl -D "$PGDATA" \ -o "$(printf '%q ' "$@")" \ @@ -316,6 +350,7 @@ _main() { # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/15/bullseye/Dockerfile b/15/bullseye/Dockerfile index aff946fa54..ec325d7c88 100644 --- a/15/bullseye/Dockerfile +++ b/15/bullseye/Dockerfile @@ -89,7 +89,7 @@ RUN set -ex; \ ENV PG_MAJOR 15 ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin -ENV PG_VERSION 15.8-1.pgdg110+1 +ENV PG_VERSION 15.13-1.pgdg110+1 RUN set -ex; \ \ @@ -99,7 +99,7 @@ RUN set -ex; \ dpkgArch="$(dpkg --print-architecture)"; \ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bullseye-pgdg main $PG_MAJOR"; \ case "$dpkgArch" in \ - amd64 | arm64 | ppc64el | s390x) \ + amd64 | arm64 | ppc64el) \ # arches officialy built by upstream echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \ apt-get update; \ @@ -131,10 +131,9 @@ RUN set -ex; \ # build .deb files from upstream's source packages (which are verified by apt-get) nproc="$(nproc)"; \ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \ -# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876 -# (and it "Depends: pgdg-keyring") - apt-get build-dep -y postgresql-common pgdg-keyring; \ - apt-get source --compile postgresql-common pgdg-keyring; \ +# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9 + apt-get build-dep -y postgresql-common-dev; \ + apt-get source --compile postgresql-common-dev; \ _update_repo; \ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \ @@ -194,18 +193,12 @@ ENTRYPOINT ["docker-entrypoint.sh"] # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL # calls "Fast Shutdown mode" wherein new connections are disallowed and any # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. +# flush tables to disk. # -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. -# -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details # about available PostgreSQL server shutdown signals. # -# See also https://www.postgresql.org/docs/12/server-start.html for further +# See also https://www.postgresql.org/docs/current/server-start.html for further # justification of this as the default value, namely that the example (and # shipped) systemd service files use the "Fast Shutdown mode" for service # termination. @@ -215,10 +208,10 @@ STOPSIGNAL SIGINT # An additional setting that is recommended for all users regardless of this # value is the runtime "--stop-timeout" (or your orchestrator/runtime's # equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# STOPSIGNAL and sending SIGKILL. # # The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# documentation at https://www.postgresql.org/docs/current/server-start.html notes # that even 90 seconds may not be long enough in many instances. EXPOSE 5432 diff --git a/15/bullseye/docker-ensure-initdb.sh b/15/bullseye/docker-ensure-initdb.sh index ae1f6b6b90..e9b15ef77d 100755 --- a/15/bullseye/docker-ensure-initdb.sh +++ b/15/bullseye/docker-ensure-initdb.sh @@ -33,6 +33,7 @@ fi # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/15/bullseye/docker-entrypoint.sh b/15/bullseye/docker-entrypoint.sh index 6f59993e08..5a62870b50 100755 --- a/15/bullseye/docker-entrypoint.sh +++ b/15/bullseye/docker-entrypoint.sh @@ -104,7 +104,7 @@ docker_init_database_dir() { # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] docker_verify_minimum_env() { case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 # check password first so we can output the warning before postgres # messes it up if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then @@ -154,6 +154,29 @@ docker_verify_minimum_env() { EOWARN fi } +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} # usage: docker_process_init_files [file [file [...]]] # ie: docker_process_init_files /always-initdb.d/* @@ -230,9 +253,17 @@ docker_setup_env() { declare -g DATABASE_ALREADY_EXISTS : "${DATABASE_ALREADY_EXISTS:=}" + declare -ag OLD_DATABASES=() # look specifically for PG_VERSION, as it is expected in the DB dir if [ -s "$PGDATA/PG_VERSION" ]; then DATABASE_ALREADY_EXISTS='true' + elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then + # https://github.com/docker-library/postgres/pull/1259 + for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do + if [ -s "$d/PG_VERSION" ]; then + OLD_DATABASES+=( "$d" ) + fi + done fi } @@ -252,7 +283,7 @@ pg_setup_hba_conf() { printf '\n' if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then printf '# warning trust is enabled for all connections\n' - printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n' + printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n' fi printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD" } >> "$PGDATA/pg_hba.conf" @@ -269,6 +300,9 @@ docker_temp_server_start() { # does not listen on external TCP/IP and waits until start finishes set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ PGUSER="${PGUSER:-$POSTGRES_USER}" \ pg_ctl -D "$PGDATA" \ -o "$(printf '%q ' "$@")" \ @@ -316,6 +350,7 @@ _main() { # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/16/alpine3.19/docker-ensure-initdb.sh b/16/alpine3.19/docker-ensure-initdb.sh deleted file mode 100755 index ae1f6b6b90..0000000000 --- a/16/alpine3.19/docker-ensure-initdb.sh +++ /dev/null @@ -1,71 +0,0 @@ -#!/usr/bin/env bash -set -Eeuo pipefail - -# -# This script is intended for three main use cases: -# -# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior -# -# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution -# (no-op if database is already initialized) -# -# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use -# (error if database is already initialized) -# - -source /usr/local/bin/docker-entrypoint.sh - -# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there) -if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then - set -- postgres "$@" -fi - -# see also "_main" in "docker-entrypoint.sh" - -docker_setup_env -# setup data directories and permissions (when run as root) -docker_create_db_directories -if [ "$(id -u)" = '0' ]; then - # then restart script as postgres user - exec gosu postgres "$BASH_SOURCE" "$@" -fi - -# only run initialization on an empty data directory -if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir - pg_setup_hba_conf "$@" - - # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless - # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - docker_temp_server_start "$@" - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - docker_temp_server_stop - unset PGPASSWORD -else - self="$(basename "$0")" - case "$self" in - docker-ensure-initdb.sh) - echo >&2 "$self: note: database already initialized in '$PGDATA'!" - exit 0 - ;; - - docker-enforce-initdb.sh) - echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!" - exit 1 - ;; - - *) - echo >&2 "$self: error: unknown file name: $self" - exit 99 - ;; - esac -fi diff --git a/16/alpine3.19/docker-entrypoint.sh b/16/alpine3.19/docker-entrypoint.sh deleted file mode 100755 index 6f59993e08..0000000000 --- a/16/alpine3.19/docker-entrypoint.sh +++ /dev/null @@ -1,356 +0,0 @@ -#!/usr/bin/env bash -set -Eeo pipefail -# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) - -# usage: file_env VAR [DEFAULT] -# ie: file_env 'XYZ_DB_PASSWORD' 'example' -# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of -# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) -file_env() { - local var="$1" - local fileVar="${var}_FILE" - local def="${2:-}" - if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then - printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" - exit 1 - fi - local val="$def" - if [ "${!var:-}" ]; then - val="${!var}" - elif [ "${!fileVar:-}" ]; then - val="$(< "${!fileVar}")" - fi - export "$var"="$val" - unset "$fileVar" -} - -# check to see if this file is being run or sourced from another script -_is_sourced() { - # https://unix.stackexchange.com/a/215279 - [ "${#FUNCNAME[@]}" -ge 2 ] \ - && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ - && [ "${FUNCNAME[1]}" = 'source' ] -} - -# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user -docker_create_db_directories() { - local user; user="$(id -u)" - - mkdir -p "$PGDATA" - # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) - chmod 00700 "$PGDATA" || : - - # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 - mkdir -p /var/run/postgresql || : - chmod 03775 /var/run/postgresql || : - - # Create the transaction log directory before initdb is run so the directory is owned by the correct user - if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then - mkdir -p "$POSTGRES_INITDB_WALDIR" - if [ "$user" = '0' ]; then - find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + - fi - chmod 700 "$POSTGRES_INITDB_WALDIR" - fi - - # allow the container to be started with `--user` - if [ "$user" = '0' ]; then - find "$PGDATA" \! -user postgres -exec chown postgres '{}' + - find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + - fi -} - -# initialize empty PGDATA directory with new database via 'initdb' -# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function -# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames -# this is also where the database user is created, specified by `POSTGRES_USER` env -docker_init_database_dir() { - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - local uid; uid="$(id -u)" - if ! getent passwd "$uid" &> /dev/null; then - # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15) - local wrapper - for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do - if [ -s "$wrapper" ]; then - NSS_WRAPPER_PASSWD="$(mktemp)" - NSS_WRAPPER_GROUP="$(mktemp)" - export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - local gid; gid="$(id -g)" - printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD" - printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP" - break - fi - done - fi - - if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then - set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" - fi - - # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025 - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' - - # unset/cleanup "nss_wrapper" bits - if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi -} - -# print large warning if POSTGRES_PASSWORD is long -# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust' -# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' -# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] -docker_verify_minimum_env() { - case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 - # check password first so we can output the warning before postgres - # messes it up - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' - - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - - This will not work if used via PGPASSWORD with "psql". - - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 - - EOWARN - fi - ;; - esac - if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOE' - Error: Database is uninitialized and superuser password is not specified. - You must specify POSTGRES_PASSWORD to a non-empty value for the - superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run". - - You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all - connections without a password. This is *not* recommended. - - See PostgreSQL documentation about "trust": - https://www.postgresql.org/docs/current/auth-trust.html - EOE - exit 1 - fi - if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then - cat >&2 <<-'EOWARN' - ******************************************************************************** - WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow - anyone with access to the Postgres port to access your database without - a password, even if POSTGRES_PASSWORD is set. See PostgreSQL - documentation about "trust": - https://www.postgresql.org/docs/current/auth-trust.html - In Docker's default configuration, this is effectively any other - container on the same system. - - It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace - it with "-e POSTGRES_PASSWORD=password" instead to set a password in - "docker run". - ******************************************************************************** - EOWARN - fi -} - -# usage: docker_process_init_files [file [file [...]]] -# ie: docker_process_init_files /always-initdb.d/* -# process initializer files, based on file extensions and permissions -docker_process_init_files() { - # psql here for backwards compatibility "${psql[@]}" - psql=( docker_process_sql ) - - printf '\n' - local f - for f; do - case "$f" in - *.sh) - # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 - # https://github.com/docker-library/postgres/pull/452 - if [ -x "$f" ]; then - printf '%s: running %s\n' "$0" "$f" - "$f" - else - printf '%s: sourcing %s\n' "$0" "$f" - . "$f" - fi - ;; - *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;; - *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;; - *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;; - *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;; - *) printf '%s: ignoring %s\n' "$0" "$f" ;; - esac - printf '\n' - done -} - -# Execute sql script, passed via stdin (or -f flag of pqsl) -# usage: docker_process_sql [psql-cli-args] -# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' -# ie: docker_process_sql -f my-file.sql -# ie: docker_process_sql > "$PGDATA/pg_hba.conf" -} - -# start socket-only postgresql server for setting up or running scripts -# all arguments will be passed along as arguments to `postgres` (via pg_ctl) -docker_temp_server_start() { - if [ "$1" = 'postgres' ]; then - shift - fi - - # internal start of server in order to allow setup using psql client - # does not listen on external TCP/IP and waits until start finishes - set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" - - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "$(printf '%q ' "$@")" \ - -w start -} - -# stop postgresql server after done setting up user and running scripts -docker_temp_server_stop() { - PGUSER="${PGUSER:-postgres}" \ - pg_ctl -D "$PGDATA" -m fast -w stop -} - -# check arguments for an option that would cause postgres to stop -# return true if there is one -_pg_want_help() { - local arg - for arg; do - case "$arg" in - # postgres --help | grep 'then exit' - # leaving out -C on purpose since it always fails and is unhelpful: - # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory - -'?'|--help|--describe-config|-V|--version) - return 0 - ;; - esac - done - return 1 -} - -_main() { - # if first arg looks like a flag, assume we want to run postgres server - if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" - fi - - if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then - docker_setup_env - # setup data directories and permissions (when run as root) - docker_create_db_directories - if [ "$(id -u)" = '0' ]; then - # then restart script as postgres user - exec gosu postgres "$BASH_SOURCE" "$@" - fi - - # only run initialization on an empty data directory - if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir - pg_setup_hba_conf "$@" - - # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless - # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - docker_temp_server_start "$@" - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - docker_temp_server_stop - unset PGPASSWORD - - cat <<-'EOM' - - PostgreSQL init process complete; ready for start up. - - EOM - else - cat <<-'EOM' - - PostgreSQL Database directory appears to contain a database; Skipping initialization - - EOM - fi - fi - - exec "$@" -} - -if ! _is_sourced; then - _main "$@" -fi diff --git a/16/alpine3.20/docker-ensure-initdb.sh b/16/alpine3.20/docker-ensure-initdb.sh deleted file mode 100755 index ae1f6b6b90..0000000000 --- a/16/alpine3.20/docker-ensure-initdb.sh +++ /dev/null @@ -1,71 +0,0 @@ -#!/usr/bin/env bash -set -Eeuo pipefail - -# -# This script is intended for three main use cases: -# -# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior -# -# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution -# (no-op if database is already initialized) -# -# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use -# (error if database is already initialized) -# - -source /usr/local/bin/docker-entrypoint.sh - -# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there) -if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then - set -- postgres "$@" -fi - -# see also "_main" in "docker-entrypoint.sh" - -docker_setup_env -# setup data directories and permissions (when run as root) -docker_create_db_directories -if [ "$(id -u)" = '0' ]; then - # then restart script as postgres user - exec gosu postgres "$BASH_SOURCE" "$@" -fi - -# only run initialization on an empty data directory -if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir - pg_setup_hba_conf "$@" - - # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless - # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - docker_temp_server_start "$@" - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - docker_temp_server_stop - unset PGPASSWORD -else - self="$(basename "$0")" - case "$self" in - docker-ensure-initdb.sh) - echo >&2 "$self: note: database already initialized in '$PGDATA'!" - exit 0 - ;; - - docker-enforce-initdb.sh) - echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!" - exit 1 - ;; - - *) - echo >&2 "$self: error: unknown file name: $self" - exit 99 - ;; - esac -fi diff --git a/16/alpine3.20/docker-entrypoint.sh b/16/alpine3.20/docker-entrypoint.sh deleted file mode 100755 index 6f59993e08..0000000000 --- a/16/alpine3.20/docker-entrypoint.sh +++ /dev/null @@ -1,356 +0,0 @@ -#!/usr/bin/env bash -set -Eeo pipefail -# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) - -# usage: file_env VAR [DEFAULT] -# ie: file_env 'XYZ_DB_PASSWORD' 'example' -# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of -# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) -file_env() { - local var="$1" - local fileVar="${var}_FILE" - local def="${2:-}" - if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then - printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" - exit 1 - fi - local val="$def" - if [ "${!var:-}" ]; then - val="${!var}" - elif [ "${!fileVar:-}" ]; then - val="$(< "${!fileVar}")" - fi - export "$var"="$val" - unset "$fileVar" -} - -# check to see if this file is being run or sourced from another script -_is_sourced() { - # https://unix.stackexchange.com/a/215279 - [ "${#FUNCNAME[@]}" -ge 2 ] \ - && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ - && [ "${FUNCNAME[1]}" = 'source' ] -} - -# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user -docker_create_db_directories() { - local user; user="$(id -u)" - - mkdir -p "$PGDATA" - # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) - chmod 00700 "$PGDATA" || : - - # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 - mkdir -p /var/run/postgresql || : - chmod 03775 /var/run/postgresql || : - - # Create the transaction log directory before initdb is run so the directory is owned by the correct user - if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then - mkdir -p "$POSTGRES_INITDB_WALDIR" - if [ "$user" = '0' ]; then - find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + - fi - chmod 700 "$POSTGRES_INITDB_WALDIR" - fi - - # allow the container to be started with `--user` - if [ "$user" = '0' ]; then - find "$PGDATA" \! -user postgres -exec chown postgres '{}' + - find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + - fi -} - -# initialize empty PGDATA directory with new database via 'initdb' -# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function -# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames -# this is also where the database user is created, specified by `POSTGRES_USER` env -docker_init_database_dir() { - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - local uid; uid="$(id -u)" - if ! getent passwd "$uid" &> /dev/null; then - # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15) - local wrapper - for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do - if [ -s "$wrapper" ]; then - NSS_WRAPPER_PASSWD="$(mktemp)" - NSS_WRAPPER_GROUP="$(mktemp)" - export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - local gid; gid="$(id -g)" - printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD" - printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP" - break - fi - done - fi - - if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then - set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" - fi - - # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025 - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' - - # unset/cleanup "nss_wrapper" bits - if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi -} - -# print large warning if POSTGRES_PASSWORD is long -# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust' -# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' -# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] -docker_verify_minimum_env() { - case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 - # check password first so we can output the warning before postgres - # messes it up - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' - - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - - This will not work if used via PGPASSWORD with "psql". - - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 - - EOWARN - fi - ;; - esac - if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOE' - Error: Database is uninitialized and superuser password is not specified. - You must specify POSTGRES_PASSWORD to a non-empty value for the - superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run". - - You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all - connections without a password. This is *not* recommended. - - See PostgreSQL documentation about "trust": - https://www.postgresql.org/docs/current/auth-trust.html - EOE - exit 1 - fi - if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then - cat >&2 <<-'EOWARN' - ******************************************************************************** - WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow - anyone with access to the Postgres port to access your database without - a password, even if POSTGRES_PASSWORD is set. See PostgreSQL - documentation about "trust": - https://www.postgresql.org/docs/current/auth-trust.html - In Docker's default configuration, this is effectively any other - container on the same system. - - It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace - it with "-e POSTGRES_PASSWORD=password" instead to set a password in - "docker run". - ******************************************************************************** - EOWARN - fi -} - -# usage: docker_process_init_files [file [file [...]]] -# ie: docker_process_init_files /always-initdb.d/* -# process initializer files, based on file extensions and permissions -docker_process_init_files() { - # psql here for backwards compatibility "${psql[@]}" - psql=( docker_process_sql ) - - printf '\n' - local f - for f; do - case "$f" in - *.sh) - # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 - # https://github.com/docker-library/postgres/pull/452 - if [ -x "$f" ]; then - printf '%s: running %s\n' "$0" "$f" - "$f" - else - printf '%s: sourcing %s\n' "$0" "$f" - . "$f" - fi - ;; - *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;; - *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;; - *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;; - *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;; - *) printf '%s: ignoring %s\n' "$0" "$f" ;; - esac - printf '\n' - done -} - -# Execute sql script, passed via stdin (or -f flag of pqsl) -# usage: docker_process_sql [psql-cli-args] -# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' -# ie: docker_process_sql -f my-file.sql -# ie: docker_process_sql > "$PGDATA/pg_hba.conf" -} - -# start socket-only postgresql server for setting up or running scripts -# all arguments will be passed along as arguments to `postgres` (via pg_ctl) -docker_temp_server_start() { - if [ "$1" = 'postgres' ]; then - shift - fi - - # internal start of server in order to allow setup using psql client - # does not listen on external TCP/IP and waits until start finishes - set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" - - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "$(printf '%q ' "$@")" \ - -w start -} - -# stop postgresql server after done setting up user and running scripts -docker_temp_server_stop() { - PGUSER="${PGUSER:-postgres}" \ - pg_ctl -D "$PGDATA" -m fast -w stop -} - -# check arguments for an option that would cause postgres to stop -# return true if there is one -_pg_want_help() { - local arg - for arg; do - case "$arg" in - # postgres --help | grep 'then exit' - # leaving out -C on purpose since it always fails and is unhelpful: - # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory - -'?'|--help|--describe-config|-V|--version) - return 0 - ;; - esac - done - return 1 -} - -_main() { - # if first arg looks like a flag, assume we want to run postgres server - if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" - fi - - if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then - docker_setup_env - # setup data directories and permissions (when run as root) - docker_create_db_directories - if [ "$(id -u)" = '0' ]; then - # then restart script as postgres user - exec gosu postgres "$BASH_SOURCE" "$@" - fi - - # only run initialization on an empty data directory - if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir - pg_setup_hba_conf "$@" - - # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless - # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - docker_temp_server_start "$@" - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - docker_temp_server_stop - unset PGPASSWORD - - cat <<-'EOM' - - PostgreSQL init process complete; ready for start up. - - EOM - else - cat <<-'EOM' - - PostgreSQL Database directory appears to contain a database; Skipping initialization - - EOM - fi - fi - - exec "$@" -} - -if ! _is_sourced; then - _main "$@" -fi diff --git a/16/alpine3.19/Dockerfile b/16/alpine3.21/Dockerfile similarity index 79% rename from 16/alpine3.19/Dockerfile rename to 16/alpine3.21/Dockerfile index 16f3df5884..1bf2cab5a5 100644 --- a/16/alpine3.19/Dockerfile +++ b/16/alpine3.21/Dockerfile @@ -4,10 +4,10 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # -FROM alpine:3.19 +FROM alpine:3.21 # 70 is the standard uid/gid for "postgres" in Alpine -# https://git.alpinelinux.org/aports/tree/main/postgresql/postgresql.pre-install?h=3.12-stable +# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable RUN set -eux; \ addgroup -g 70 -S postgres; \ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \ @@ -53,12 +53,12 @@ ENV LANG en_US.utf8 RUN mkdir /docker-entrypoint-initdb.d ENV PG_MAJOR 16 -ENV PG_VERSION 16.4 -ENV PG_SHA256 971766d645aa73e93b9ef4e3be44201b4f45b5477095b049125403f9f3386d6f +ENV PG_VERSION 16.9 +ENV PG_SHA256 07c00fb824df0a0c295f249f44691b86e3266753b380c96f633c3311e10bd005 ENV DOCKER_PG_LLVM_DEPS \ - llvm15-dev \ - clang15 + llvm19-dev \ + clang19 RUN set -eux; \ \ @@ -112,14 +112,11 @@ RUN set -eux; \ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ -# explicitly update autoconf config.guess and config.sub so they support more arches/libcs - wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb'; \ - wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb'; \ \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n158 - export LLVM_CONFIG="/usr/lib/llvm15/bin/llvm-config"; \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n163 - export CLANG=clang-15; \ +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG") + export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \ +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.") + export CLANG=clang-19; \ \ # configure options taken from: # https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5 @@ -174,8 +171,7 @@ RUN set -eux; \ zstd \ # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split icu-data-full \ -# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le" -# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663 +# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults") $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \ ; \ apk del --no-network .build-deps; \ @@ -208,18 +204,12 @@ ENTRYPOINT ["docker-entrypoint.sh"] # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL # calls "Fast Shutdown mode" wherein new connections are disallowed and any # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. +# flush tables to disk. # -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. -# -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details # about available PostgreSQL server shutdown signals. # -# See also https://www.postgresql.org/docs/12/server-start.html for further +# See also https://www.postgresql.org/docs/current/server-start.html for further # justification of this as the default value, namely that the example (and # shipped) systemd service files use the "Fast Shutdown mode" for service # termination. @@ -229,10 +219,10 @@ STOPSIGNAL SIGINT # An additional setting that is recommended for all users regardless of this # value is the runtime "--stop-timeout" (or your orchestrator/runtime's # equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# STOPSIGNAL and sending SIGKILL. # # The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# documentation at https://www.postgresql.org/docs/current/server-start.html notes # that even 90 seconds may not be long enough in many instances. EXPOSE 5432 diff --git a/16/alpine3.21/docker-ensure-initdb.sh b/16/alpine3.21/docker-ensure-initdb.sh new file mode 100755 index 0000000000..e9b15ef77d --- /dev/null +++ b/16/alpine3.21/docker-ensure-initdb.sh @@ -0,0 +1,72 @@ +#!/usr/bin/env bash +set -Eeuo pipefail + +# +# This script is intended for three main use cases: +# +# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior +# +# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution +# (no-op if database is already initialized) +# +# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use +# (error if database is already initialized) +# + +source /usr/local/bin/docker-entrypoint.sh + +# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there) +if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then + set -- postgres "$@" +fi + +# see also "_main" in "docker-entrypoint.sh" + +docker_setup_env +# setup data directories and permissions (when run as root) +docker_create_db_directories +if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" +fi + +# only run initialization on an empty data directory +if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_error_old_databases + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + docker_init_database_dir + pg_setup_hba_conf "$@" + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD +else + self="$(basename "$0")" + case "$self" in + docker-ensure-initdb.sh) + echo >&2 "$self: note: database already initialized in '$PGDATA'!" + exit 0 + ;; + + docker-enforce-initdb.sh) + echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!" + exit 1 + ;; + + *) + echo >&2 "$self: error: unknown file name: $self" + exit 99 + ;; + esac +fi diff --git a/16/alpine3.21/docker-entrypoint.sh b/16/alpine3.21/docker-entrypoint.sh new file mode 100755 index 0000000000..5a62870b50 --- /dev/null +++ b/16/alpine3.21/docker-entrypoint.sh @@ -0,0 +1,391 @@ +#!/usr/bin/env bash +set -Eeo pipefail +# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) + +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then + printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" + exit 1 + fi + local val="$def" + if [ "${!var:-}" ]; then + val="${!var}" + elif [ "${!fileVar:-}" ]; then + val="$(< "${!fileVar}")" + fi + export "$var"="$val" + unset "$fileVar" +} + +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user +docker_create_db_directories() { + local user; user="$(id -u)" + + mkdir -p "$PGDATA" + # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) + chmod 00700 "$PGDATA" || : + + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 03775 /var/run/postgresql || : + + # Create the transaction log directory before initdb is run so the directory is owned by the correct user + if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then + mkdir -p "$POSTGRES_INITDB_WALDIR" + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + + fi + chmod 700 "$POSTGRES_INITDB_WALDIR" + fi + + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} + +# initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env +docker_init_database_dir() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + local uid; uid="$(id -u)" + if ! getent passwd "$uid" &> /dev/null; then + # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15) + local wrapper + for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do + if [ -s "$wrapper" ]; then + NSS_WRAPPER_PASSWD="$(mktemp)" + NSS_WRAPPER_GROUP="$(mktemp)" + export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + local gid; gid="$(id -g)" + printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD" + printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP" + break + fi + done + fi + + if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then + set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" + fi + + # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025 + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' + + # unset/cleanup "nss_wrapper" bits + if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} + +# print large warning if POSTGRES_PASSWORD is long +# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust' +# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' +# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] +docker_verify_minimum_env() { + case "${PG_MAJOR:-}" in + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' + + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + + This will not work if used via PGPASSWORD with "psql". + + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 + + EOWARN + fi + ;; + esac + if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOE' + Error: Database is uninitialized and superuser password is not specified. + You must specify POSTGRES_PASSWORD to a non-empty value for the + superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run". + + You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all + connections without a password. This is *not* recommended. + + See PostgreSQL documentation about "trust": + https://www.postgresql.org/docs/current/auth-trust.html + EOE + exit 1 + fi + if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then + cat >&2 <<-'EOWARN' + ******************************************************************************** + WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow + anyone with access to the Postgres port to access your database without + a password, even if POSTGRES_PASSWORD is set. See PostgreSQL + documentation about "trust": + https://www.postgresql.org/docs/current/auth-trust.html + In Docker's default configuration, this is effectively any other + container on the same system. + + It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace + it with "-e POSTGRES_PASSWORD=password" instead to set a password in + "docker run". + ******************************************************************************** + EOWARN + fi +} +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} + +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions +docker_process_init_files() { + # psql here for backwards compatibility "${psql[@]}" + psql=( docker_process_sql ) + + printf '\n' + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + printf '%s: running %s\n' "$0" "$f" + "$f" + else + printf '%s: sourcing %s\n' "$0" "$f" + . "$f" + fi + ;; + *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;; + *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;; + *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;; + *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;; + *) printf '%s: ignoring %s\n' "$0" "$f" ;; + esac + printf '\n' + done +} + +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' +# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up or running scripts +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temp_server_start() { + if [ "$1" = 'postgres' ]; then + shift + fi + + # internal start of server in order to allow setup using psql client + # does not listen on external TCP/IP and waits until start finishes + set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "$(printf '%q ' "$@")" \ + -w start +} + +# stop postgresql server after done setting up user and running scripts +docker_temp_server_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +# check arguments for an option that would cause postgres to stop +# return true if there is one +_pg_want_help() { + local arg + for arg; do + case "$arg" in + # postgres --help | grep 'then exit' + # leaving out -C on purpose since it always fails and is unhelpful: + # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory + -'?'|--help|--describe-config|-V|--version) + return 0 + ;; + esac + done + return 1 +} + +_main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" + fi + + if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then + docker_setup_env + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" + fi + + # only run initialization on an empty data directory + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_error_old_databases + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + docker_init_database_dir + pg_setup_hba_conf "$@" + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD + + cat <<-'EOM' + + PostgreSQL init process complete; ready for start up. + + EOM + else + cat <<-'EOM' + + PostgreSQL Database directory appears to contain a database; Skipping initialization + + EOM + fi + fi + + exec "$@" +} + +if ! _is_sourced; then + _main "$@" +fi diff --git a/16/alpine3.20/Dockerfile b/16/alpine3.22/Dockerfile similarity index 79% rename from 16/alpine3.20/Dockerfile rename to 16/alpine3.22/Dockerfile index 33d01092b9..902de7538f 100644 --- a/16/alpine3.20/Dockerfile +++ b/16/alpine3.22/Dockerfile @@ -4,10 +4,10 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # -FROM alpine:3.20 +FROM alpine:3.22 # 70 is the standard uid/gid for "postgres" in Alpine -# https://git.alpinelinux.org/aports/tree/main/postgresql/postgresql.pre-install?h=3.12-stable +# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable RUN set -eux; \ addgroup -g 70 -S postgres; \ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \ @@ -53,12 +53,12 @@ ENV LANG en_US.utf8 RUN mkdir /docker-entrypoint-initdb.d ENV PG_MAJOR 16 -ENV PG_VERSION 16.4 -ENV PG_SHA256 971766d645aa73e93b9ef4e3be44201b4f45b5477095b049125403f9f3386d6f +ENV PG_VERSION 16.9 +ENV PG_SHA256 07c00fb824df0a0c295f249f44691b86e3266753b380c96f633c3311e10bd005 ENV DOCKER_PG_LLVM_DEPS \ - llvm15-dev \ - clang15 + llvm19-dev \ + clang19 RUN set -eux; \ \ @@ -112,14 +112,11 @@ RUN set -eux; \ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ -# explicitly update autoconf config.guess and config.sub so they support more arches/libcs - wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb'; \ - wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb'; \ \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n158 - export LLVM_CONFIG="/usr/lib/llvm15/bin/llvm-config"; \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n163 - export CLANG=clang-15; \ +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG") + export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \ +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.") + export CLANG=clang-19; \ \ # configure options taken from: # https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5 @@ -174,8 +171,7 @@ RUN set -eux; \ zstd \ # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split icu-data-full \ -# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le" -# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663 +# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults") $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \ ; \ apk del --no-network .build-deps; \ @@ -208,18 +204,12 @@ ENTRYPOINT ["docker-entrypoint.sh"] # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL # calls "Fast Shutdown mode" wherein new connections are disallowed and any # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. +# flush tables to disk. # -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. -# -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details # about available PostgreSQL server shutdown signals. # -# See also https://www.postgresql.org/docs/12/server-start.html for further +# See also https://www.postgresql.org/docs/current/server-start.html for further # justification of this as the default value, namely that the example (and # shipped) systemd service files use the "Fast Shutdown mode" for service # termination. @@ -229,10 +219,10 @@ STOPSIGNAL SIGINT # An additional setting that is recommended for all users regardless of this # value is the runtime "--stop-timeout" (or your orchestrator/runtime's # equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# STOPSIGNAL and sending SIGKILL. # # The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# documentation at https://www.postgresql.org/docs/current/server-start.html notes # that even 90 seconds may not be long enough in many instances. EXPOSE 5432 diff --git a/16/alpine3.22/docker-ensure-initdb.sh b/16/alpine3.22/docker-ensure-initdb.sh new file mode 100755 index 0000000000..e9b15ef77d --- /dev/null +++ b/16/alpine3.22/docker-ensure-initdb.sh @@ -0,0 +1,72 @@ +#!/usr/bin/env bash +set -Eeuo pipefail + +# +# This script is intended for three main use cases: +# +# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior +# +# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution +# (no-op if database is already initialized) +# +# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use +# (error if database is already initialized) +# + +source /usr/local/bin/docker-entrypoint.sh + +# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there) +if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then + set -- postgres "$@" +fi + +# see also "_main" in "docker-entrypoint.sh" + +docker_setup_env +# setup data directories and permissions (when run as root) +docker_create_db_directories +if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" +fi + +# only run initialization on an empty data directory +if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_error_old_databases + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + docker_init_database_dir + pg_setup_hba_conf "$@" + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD +else + self="$(basename "$0")" + case "$self" in + docker-ensure-initdb.sh) + echo >&2 "$self: note: database already initialized in '$PGDATA'!" + exit 0 + ;; + + docker-enforce-initdb.sh) + echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!" + exit 1 + ;; + + *) + echo >&2 "$self: error: unknown file name: $self" + exit 99 + ;; + esac +fi diff --git a/16/alpine3.22/docker-entrypoint.sh b/16/alpine3.22/docker-entrypoint.sh new file mode 100755 index 0000000000..5a62870b50 --- /dev/null +++ b/16/alpine3.22/docker-entrypoint.sh @@ -0,0 +1,391 @@ +#!/usr/bin/env bash +set -Eeo pipefail +# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) + +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then + printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" + exit 1 + fi + local val="$def" + if [ "${!var:-}" ]; then + val="${!var}" + elif [ "${!fileVar:-}" ]; then + val="$(< "${!fileVar}")" + fi + export "$var"="$val" + unset "$fileVar" +} + +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user +docker_create_db_directories() { + local user; user="$(id -u)" + + mkdir -p "$PGDATA" + # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) + chmod 00700 "$PGDATA" || : + + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 03775 /var/run/postgresql || : + + # Create the transaction log directory before initdb is run so the directory is owned by the correct user + if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then + mkdir -p "$POSTGRES_INITDB_WALDIR" + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + + fi + chmod 700 "$POSTGRES_INITDB_WALDIR" + fi + + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} + +# initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env +docker_init_database_dir() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + local uid; uid="$(id -u)" + if ! getent passwd "$uid" &> /dev/null; then + # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15) + local wrapper + for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do + if [ -s "$wrapper" ]; then + NSS_WRAPPER_PASSWD="$(mktemp)" + NSS_WRAPPER_GROUP="$(mktemp)" + export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + local gid; gid="$(id -g)" + printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD" + printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP" + break + fi + done + fi + + if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then + set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" + fi + + # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025 + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' + + # unset/cleanup "nss_wrapper" bits + if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} + +# print large warning if POSTGRES_PASSWORD is long +# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust' +# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' +# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] +docker_verify_minimum_env() { + case "${PG_MAJOR:-}" in + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' + + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + + This will not work if used via PGPASSWORD with "psql". + + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 + + EOWARN + fi + ;; + esac + if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOE' + Error: Database is uninitialized and superuser password is not specified. + You must specify POSTGRES_PASSWORD to a non-empty value for the + superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run". + + You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all + connections without a password. This is *not* recommended. + + See PostgreSQL documentation about "trust": + https://www.postgresql.org/docs/current/auth-trust.html + EOE + exit 1 + fi + if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then + cat >&2 <<-'EOWARN' + ******************************************************************************** + WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow + anyone with access to the Postgres port to access your database without + a password, even if POSTGRES_PASSWORD is set. See PostgreSQL + documentation about "trust": + https://www.postgresql.org/docs/current/auth-trust.html + In Docker's default configuration, this is effectively any other + container on the same system. + + It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace + it with "-e POSTGRES_PASSWORD=password" instead to set a password in + "docker run". + ******************************************************************************** + EOWARN + fi +} +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} + +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions +docker_process_init_files() { + # psql here for backwards compatibility "${psql[@]}" + psql=( docker_process_sql ) + + printf '\n' + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + printf '%s: running %s\n' "$0" "$f" + "$f" + else + printf '%s: sourcing %s\n' "$0" "$f" + . "$f" + fi + ;; + *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;; + *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;; + *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;; + *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;; + *) printf '%s: ignoring %s\n' "$0" "$f" ;; + esac + printf '\n' + done +} + +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' +# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up or running scripts +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temp_server_start() { + if [ "$1" = 'postgres' ]; then + shift + fi + + # internal start of server in order to allow setup using psql client + # does not listen on external TCP/IP and waits until start finishes + set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "$(printf '%q ' "$@")" \ + -w start +} + +# stop postgresql server after done setting up user and running scripts +docker_temp_server_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +# check arguments for an option that would cause postgres to stop +# return true if there is one +_pg_want_help() { + local arg + for arg; do + case "$arg" in + # postgres --help | grep 'then exit' + # leaving out -C on purpose since it always fails and is unhelpful: + # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory + -'?'|--help|--describe-config|-V|--version) + return 0 + ;; + esac + done + return 1 +} + +_main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" + fi + + if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then + docker_setup_env + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" + fi + + # only run initialization on an empty data directory + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_error_old_databases + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + docker_init_database_dir + pg_setup_hba_conf "$@" + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD + + cat <<-'EOM' + + PostgreSQL init process complete; ready for start up. + + EOM + else + cat <<-'EOM' + + PostgreSQL Database directory appears to contain a database; Skipping initialization + + EOM + fi + fi + + exec "$@" +} + +if ! _is_sourced; then + _main "$@" +fi diff --git a/16/bookworm/Dockerfile b/16/bookworm/Dockerfile index 40feae2173..7421ccaf0a 100644 --- a/16/bookworm/Dockerfile +++ b/16/bookworm/Dockerfile @@ -89,7 +89,7 @@ RUN set -ex; \ ENV PG_MAJOR 16 ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin -ENV PG_VERSION 16.4-1.pgdg120+2 +ENV PG_VERSION 16.9-1.pgdg120+1 RUN set -ex; \ \ @@ -99,7 +99,7 @@ RUN set -ex; \ dpkgArch="$(dpkg --print-architecture)"; \ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main $PG_MAJOR"; \ case "$dpkgArch" in \ - amd64 | arm64 | ppc64el | s390x) \ + amd64 | arm64 | ppc64el) \ # arches officialy built by upstream echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \ apt-get update; \ @@ -131,10 +131,9 @@ RUN set -ex; \ # build .deb files from upstream's source packages (which are verified by apt-get) nproc="$(nproc)"; \ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \ -# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876 -# (and it "Depends: pgdg-keyring") - apt-get build-dep -y postgresql-common pgdg-keyring; \ - apt-get source --compile postgresql-common pgdg-keyring; \ +# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9 + apt-get build-dep -y postgresql-common-dev; \ + apt-get source --compile postgresql-common-dev; \ _update_repo; \ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \ @@ -194,18 +193,12 @@ ENTRYPOINT ["docker-entrypoint.sh"] # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL # calls "Fast Shutdown mode" wherein new connections are disallowed and any # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. +# flush tables to disk. # -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. -# -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details # about available PostgreSQL server shutdown signals. # -# See also https://www.postgresql.org/docs/12/server-start.html for further +# See also https://www.postgresql.org/docs/current/server-start.html for further # justification of this as the default value, namely that the example (and # shipped) systemd service files use the "Fast Shutdown mode" for service # termination. @@ -215,10 +208,10 @@ STOPSIGNAL SIGINT # An additional setting that is recommended for all users regardless of this # value is the runtime "--stop-timeout" (or your orchestrator/runtime's # equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# STOPSIGNAL and sending SIGKILL. # # The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# documentation at https://www.postgresql.org/docs/current/server-start.html notes # that even 90 seconds may not be long enough in many instances. EXPOSE 5432 diff --git a/16/bookworm/docker-ensure-initdb.sh b/16/bookworm/docker-ensure-initdb.sh index ae1f6b6b90..e9b15ef77d 100755 --- a/16/bookworm/docker-ensure-initdb.sh +++ b/16/bookworm/docker-ensure-initdb.sh @@ -33,6 +33,7 @@ fi # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/16/bookworm/docker-entrypoint.sh b/16/bookworm/docker-entrypoint.sh index 6f59993e08..5a62870b50 100755 --- a/16/bookworm/docker-entrypoint.sh +++ b/16/bookworm/docker-entrypoint.sh @@ -104,7 +104,7 @@ docker_init_database_dir() { # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] docker_verify_minimum_env() { case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 # check password first so we can output the warning before postgres # messes it up if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then @@ -154,6 +154,29 @@ docker_verify_minimum_env() { EOWARN fi } +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} # usage: docker_process_init_files [file [file [...]]] # ie: docker_process_init_files /always-initdb.d/* @@ -230,9 +253,17 @@ docker_setup_env() { declare -g DATABASE_ALREADY_EXISTS : "${DATABASE_ALREADY_EXISTS:=}" + declare -ag OLD_DATABASES=() # look specifically for PG_VERSION, as it is expected in the DB dir if [ -s "$PGDATA/PG_VERSION" ]; then DATABASE_ALREADY_EXISTS='true' + elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then + # https://github.com/docker-library/postgres/pull/1259 + for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do + if [ -s "$d/PG_VERSION" ]; then + OLD_DATABASES+=( "$d" ) + fi + done fi } @@ -252,7 +283,7 @@ pg_setup_hba_conf() { printf '\n' if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then printf '# warning trust is enabled for all connections\n' - printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n' + printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n' fi printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD" } >> "$PGDATA/pg_hba.conf" @@ -269,6 +300,9 @@ docker_temp_server_start() { # does not listen on external TCP/IP and waits until start finishes set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ PGUSER="${PGUSER:-$POSTGRES_USER}" \ pg_ctl -D "$PGDATA" \ -o "$(printf '%q ' "$@")" \ @@ -316,6 +350,7 @@ _main() { # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/16/bullseye/Dockerfile b/16/bullseye/Dockerfile index fb685497f9..a3ac0c55ab 100644 --- a/16/bullseye/Dockerfile +++ b/16/bullseye/Dockerfile @@ -89,7 +89,7 @@ RUN set -ex; \ ENV PG_MAJOR 16 ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin -ENV PG_VERSION 16.4-1.pgdg110+2 +ENV PG_VERSION 16.9-1.pgdg110+1 RUN set -ex; \ \ @@ -99,7 +99,7 @@ RUN set -ex; \ dpkgArch="$(dpkg --print-architecture)"; \ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bullseye-pgdg main $PG_MAJOR"; \ case "$dpkgArch" in \ - amd64 | arm64 | ppc64el | s390x) \ + amd64 | arm64 | ppc64el) \ # arches officialy built by upstream echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \ apt-get update; \ @@ -131,10 +131,9 @@ RUN set -ex; \ # build .deb files from upstream's source packages (which are verified by apt-get) nproc="$(nproc)"; \ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \ -# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876 -# (and it "Depends: pgdg-keyring") - apt-get build-dep -y postgresql-common pgdg-keyring; \ - apt-get source --compile postgresql-common pgdg-keyring; \ +# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9 + apt-get build-dep -y postgresql-common-dev; \ + apt-get source --compile postgresql-common-dev; \ _update_repo; \ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \ @@ -194,18 +193,12 @@ ENTRYPOINT ["docker-entrypoint.sh"] # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL # calls "Fast Shutdown mode" wherein new connections are disallowed and any # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. +# flush tables to disk. # -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. -# -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details # about available PostgreSQL server shutdown signals. # -# See also https://www.postgresql.org/docs/12/server-start.html for further +# See also https://www.postgresql.org/docs/current/server-start.html for further # justification of this as the default value, namely that the example (and # shipped) systemd service files use the "Fast Shutdown mode" for service # termination. @@ -215,10 +208,10 @@ STOPSIGNAL SIGINT # An additional setting that is recommended for all users regardless of this # value is the runtime "--stop-timeout" (or your orchestrator/runtime's # equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# STOPSIGNAL and sending SIGKILL. # # The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# documentation at https://www.postgresql.org/docs/current/server-start.html notes # that even 90 seconds may not be long enough in many instances. EXPOSE 5432 diff --git a/16/bullseye/docker-ensure-initdb.sh b/16/bullseye/docker-ensure-initdb.sh index ae1f6b6b90..e9b15ef77d 100755 --- a/16/bullseye/docker-ensure-initdb.sh +++ b/16/bullseye/docker-ensure-initdb.sh @@ -33,6 +33,7 @@ fi # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/16/bullseye/docker-entrypoint.sh b/16/bullseye/docker-entrypoint.sh index 6f59993e08..5a62870b50 100755 --- a/16/bullseye/docker-entrypoint.sh +++ b/16/bullseye/docker-entrypoint.sh @@ -104,7 +104,7 @@ docker_init_database_dir() { # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] docker_verify_minimum_env() { case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 # check password first so we can output the warning before postgres # messes it up if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then @@ -154,6 +154,29 @@ docker_verify_minimum_env() { EOWARN fi } +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} # usage: docker_process_init_files [file [file [...]]] # ie: docker_process_init_files /always-initdb.d/* @@ -230,9 +253,17 @@ docker_setup_env() { declare -g DATABASE_ALREADY_EXISTS : "${DATABASE_ALREADY_EXISTS:=}" + declare -ag OLD_DATABASES=() # look specifically for PG_VERSION, as it is expected in the DB dir if [ -s "$PGDATA/PG_VERSION" ]; then DATABASE_ALREADY_EXISTS='true' + elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then + # https://github.com/docker-library/postgres/pull/1259 + for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do + if [ -s "$d/PG_VERSION" ]; then + OLD_DATABASES+=( "$d" ) + fi + done fi } @@ -252,7 +283,7 @@ pg_setup_hba_conf() { printf '\n' if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then printf '# warning trust is enabled for all connections\n' - printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n' + printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n' fi printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD" } >> "$PGDATA/pg_hba.conf" @@ -269,6 +300,9 @@ docker_temp_server_start() { # does not listen on external TCP/IP and waits until start finishes set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ PGUSER="${PGUSER:-$POSTGRES_USER}" \ pg_ctl -D "$PGDATA" \ -o "$(printf '%q ' "$@")" \ @@ -316,6 +350,7 @@ _main() { # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/17/alpine3.19/docker-ensure-initdb.sh b/17/alpine3.19/docker-ensure-initdb.sh deleted file mode 100755 index ae1f6b6b90..0000000000 --- a/17/alpine3.19/docker-ensure-initdb.sh +++ /dev/null @@ -1,71 +0,0 @@ -#!/usr/bin/env bash -set -Eeuo pipefail - -# -# This script is intended for three main use cases: -# -# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior -# -# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution -# (no-op if database is already initialized) -# -# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use -# (error if database is already initialized) -# - -source /usr/local/bin/docker-entrypoint.sh - -# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there) -if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then - set -- postgres "$@" -fi - -# see also "_main" in "docker-entrypoint.sh" - -docker_setup_env -# setup data directories and permissions (when run as root) -docker_create_db_directories -if [ "$(id -u)" = '0' ]; then - # then restart script as postgres user - exec gosu postgres "$BASH_SOURCE" "$@" -fi - -# only run initialization on an empty data directory -if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir - pg_setup_hba_conf "$@" - - # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless - # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - docker_temp_server_start "$@" - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - docker_temp_server_stop - unset PGPASSWORD -else - self="$(basename "$0")" - case "$self" in - docker-ensure-initdb.sh) - echo >&2 "$self: note: database already initialized in '$PGDATA'!" - exit 0 - ;; - - docker-enforce-initdb.sh) - echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!" - exit 1 - ;; - - *) - echo >&2 "$self: error: unknown file name: $self" - exit 99 - ;; - esac -fi diff --git a/17/alpine3.19/docker-entrypoint.sh b/17/alpine3.19/docker-entrypoint.sh deleted file mode 100755 index 6f59993e08..0000000000 --- a/17/alpine3.19/docker-entrypoint.sh +++ /dev/null @@ -1,356 +0,0 @@ -#!/usr/bin/env bash -set -Eeo pipefail -# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) - -# usage: file_env VAR [DEFAULT] -# ie: file_env 'XYZ_DB_PASSWORD' 'example' -# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of -# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) -file_env() { - local var="$1" - local fileVar="${var}_FILE" - local def="${2:-}" - if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then - printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" - exit 1 - fi - local val="$def" - if [ "${!var:-}" ]; then - val="${!var}" - elif [ "${!fileVar:-}" ]; then - val="$(< "${!fileVar}")" - fi - export "$var"="$val" - unset "$fileVar" -} - -# check to see if this file is being run or sourced from another script -_is_sourced() { - # https://unix.stackexchange.com/a/215279 - [ "${#FUNCNAME[@]}" -ge 2 ] \ - && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ - && [ "${FUNCNAME[1]}" = 'source' ] -} - -# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user -docker_create_db_directories() { - local user; user="$(id -u)" - - mkdir -p "$PGDATA" - # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) - chmod 00700 "$PGDATA" || : - - # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 - mkdir -p /var/run/postgresql || : - chmod 03775 /var/run/postgresql || : - - # Create the transaction log directory before initdb is run so the directory is owned by the correct user - if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then - mkdir -p "$POSTGRES_INITDB_WALDIR" - if [ "$user" = '0' ]; then - find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + - fi - chmod 700 "$POSTGRES_INITDB_WALDIR" - fi - - # allow the container to be started with `--user` - if [ "$user" = '0' ]; then - find "$PGDATA" \! -user postgres -exec chown postgres '{}' + - find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + - fi -} - -# initialize empty PGDATA directory with new database via 'initdb' -# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function -# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames -# this is also where the database user is created, specified by `POSTGRES_USER` env -docker_init_database_dir() { - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - local uid; uid="$(id -u)" - if ! getent passwd "$uid" &> /dev/null; then - # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15) - local wrapper - for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do - if [ -s "$wrapper" ]; then - NSS_WRAPPER_PASSWD="$(mktemp)" - NSS_WRAPPER_GROUP="$(mktemp)" - export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - local gid; gid="$(id -g)" - printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD" - printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP" - break - fi - done - fi - - if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then - set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" - fi - - # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025 - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' - - # unset/cleanup "nss_wrapper" bits - if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi -} - -# print large warning if POSTGRES_PASSWORD is long -# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust' -# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' -# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] -docker_verify_minimum_env() { - case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 - # check password first so we can output the warning before postgres - # messes it up - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' - - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - - This will not work if used via PGPASSWORD with "psql". - - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 - - EOWARN - fi - ;; - esac - if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOE' - Error: Database is uninitialized and superuser password is not specified. - You must specify POSTGRES_PASSWORD to a non-empty value for the - superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run". - - You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all - connections without a password. This is *not* recommended. - - See PostgreSQL documentation about "trust": - https://www.postgresql.org/docs/current/auth-trust.html - EOE - exit 1 - fi - if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then - cat >&2 <<-'EOWARN' - ******************************************************************************** - WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow - anyone with access to the Postgres port to access your database without - a password, even if POSTGRES_PASSWORD is set. See PostgreSQL - documentation about "trust": - https://www.postgresql.org/docs/current/auth-trust.html - In Docker's default configuration, this is effectively any other - container on the same system. - - It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace - it with "-e POSTGRES_PASSWORD=password" instead to set a password in - "docker run". - ******************************************************************************** - EOWARN - fi -} - -# usage: docker_process_init_files [file [file [...]]] -# ie: docker_process_init_files /always-initdb.d/* -# process initializer files, based on file extensions and permissions -docker_process_init_files() { - # psql here for backwards compatibility "${psql[@]}" - psql=( docker_process_sql ) - - printf '\n' - local f - for f; do - case "$f" in - *.sh) - # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 - # https://github.com/docker-library/postgres/pull/452 - if [ -x "$f" ]; then - printf '%s: running %s\n' "$0" "$f" - "$f" - else - printf '%s: sourcing %s\n' "$0" "$f" - . "$f" - fi - ;; - *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;; - *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;; - *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;; - *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;; - *) printf '%s: ignoring %s\n' "$0" "$f" ;; - esac - printf '\n' - done -} - -# Execute sql script, passed via stdin (or -f flag of pqsl) -# usage: docker_process_sql [psql-cli-args] -# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' -# ie: docker_process_sql -f my-file.sql -# ie: docker_process_sql > "$PGDATA/pg_hba.conf" -} - -# start socket-only postgresql server for setting up or running scripts -# all arguments will be passed along as arguments to `postgres` (via pg_ctl) -docker_temp_server_start() { - if [ "$1" = 'postgres' ]; then - shift - fi - - # internal start of server in order to allow setup using psql client - # does not listen on external TCP/IP and waits until start finishes - set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" - - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "$(printf '%q ' "$@")" \ - -w start -} - -# stop postgresql server after done setting up user and running scripts -docker_temp_server_stop() { - PGUSER="${PGUSER:-postgres}" \ - pg_ctl -D "$PGDATA" -m fast -w stop -} - -# check arguments for an option that would cause postgres to stop -# return true if there is one -_pg_want_help() { - local arg - for arg; do - case "$arg" in - # postgres --help | grep 'then exit' - # leaving out -C on purpose since it always fails and is unhelpful: - # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory - -'?'|--help|--describe-config|-V|--version) - return 0 - ;; - esac - done - return 1 -} - -_main() { - # if first arg looks like a flag, assume we want to run postgres server - if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" - fi - - if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then - docker_setup_env - # setup data directories and permissions (when run as root) - docker_create_db_directories - if [ "$(id -u)" = '0' ]; then - # then restart script as postgres user - exec gosu postgres "$BASH_SOURCE" "$@" - fi - - # only run initialization on an empty data directory - if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir - pg_setup_hba_conf "$@" - - # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless - # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - docker_temp_server_start "$@" - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - docker_temp_server_stop - unset PGPASSWORD - - cat <<-'EOM' - - PostgreSQL init process complete; ready for start up. - - EOM - else - cat <<-'EOM' - - PostgreSQL Database directory appears to contain a database; Skipping initialization - - EOM - fi - fi - - exec "$@" -} - -if ! _is_sourced; then - _main "$@" -fi diff --git a/17/alpine3.20/docker-ensure-initdb.sh b/17/alpine3.20/docker-ensure-initdb.sh deleted file mode 100755 index ae1f6b6b90..0000000000 --- a/17/alpine3.20/docker-ensure-initdb.sh +++ /dev/null @@ -1,71 +0,0 @@ -#!/usr/bin/env bash -set -Eeuo pipefail - -# -# This script is intended for three main use cases: -# -# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior -# -# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution -# (no-op if database is already initialized) -# -# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use -# (error if database is already initialized) -# - -source /usr/local/bin/docker-entrypoint.sh - -# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there) -if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then - set -- postgres "$@" -fi - -# see also "_main" in "docker-entrypoint.sh" - -docker_setup_env -# setup data directories and permissions (when run as root) -docker_create_db_directories -if [ "$(id -u)" = '0' ]; then - # then restart script as postgres user - exec gosu postgres "$BASH_SOURCE" "$@" -fi - -# only run initialization on an empty data directory -if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir - pg_setup_hba_conf "$@" - - # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless - # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - docker_temp_server_start "$@" - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - docker_temp_server_stop - unset PGPASSWORD -else - self="$(basename "$0")" - case "$self" in - docker-ensure-initdb.sh) - echo >&2 "$self: note: database already initialized in '$PGDATA'!" - exit 0 - ;; - - docker-enforce-initdb.sh) - echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!" - exit 1 - ;; - - *) - echo >&2 "$self: error: unknown file name: $self" - exit 99 - ;; - esac -fi diff --git a/17/alpine3.20/docker-entrypoint.sh b/17/alpine3.20/docker-entrypoint.sh deleted file mode 100755 index 6f59993e08..0000000000 --- a/17/alpine3.20/docker-entrypoint.sh +++ /dev/null @@ -1,356 +0,0 @@ -#!/usr/bin/env bash -set -Eeo pipefail -# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) - -# usage: file_env VAR [DEFAULT] -# ie: file_env 'XYZ_DB_PASSWORD' 'example' -# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of -# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) -file_env() { - local var="$1" - local fileVar="${var}_FILE" - local def="${2:-}" - if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then - printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" - exit 1 - fi - local val="$def" - if [ "${!var:-}" ]; then - val="${!var}" - elif [ "${!fileVar:-}" ]; then - val="$(< "${!fileVar}")" - fi - export "$var"="$val" - unset "$fileVar" -} - -# check to see if this file is being run or sourced from another script -_is_sourced() { - # https://unix.stackexchange.com/a/215279 - [ "${#FUNCNAME[@]}" -ge 2 ] \ - && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ - && [ "${FUNCNAME[1]}" = 'source' ] -} - -# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user -docker_create_db_directories() { - local user; user="$(id -u)" - - mkdir -p "$PGDATA" - # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) - chmod 00700 "$PGDATA" || : - - # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 - mkdir -p /var/run/postgresql || : - chmod 03775 /var/run/postgresql || : - - # Create the transaction log directory before initdb is run so the directory is owned by the correct user - if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then - mkdir -p "$POSTGRES_INITDB_WALDIR" - if [ "$user" = '0' ]; then - find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + - fi - chmod 700 "$POSTGRES_INITDB_WALDIR" - fi - - # allow the container to be started with `--user` - if [ "$user" = '0' ]; then - find "$PGDATA" \! -user postgres -exec chown postgres '{}' + - find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + - fi -} - -# initialize empty PGDATA directory with new database via 'initdb' -# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function -# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames -# this is also where the database user is created, specified by `POSTGRES_USER` env -docker_init_database_dir() { - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - local uid; uid="$(id -u)" - if ! getent passwd "$uid" &> /dev/null; then - # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15) - local wrapper - for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do - if [ -s "$wrapper" ]; then - NSS_WRAPPER_PASSWD="$(mktemp)" - NSS_WRAPPER_GROUP="$(mktemp)" - export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - local gid; gid="$(id -g)" - printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD" - printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP" - break - fi - done - fi - - if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then - set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" - fi - - # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025 - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' - - # unset/cleanup "nss_wrapper" bits - if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi -} - -# print large warning if POSTGRES_PASSWORD is long -# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust' -# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' -# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] -docker_verify_minimum_env() { - case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 - # check password first so we can output the warning before postgres - # messes it up - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' - - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - - This will not work if used via PGPASSWORD with "psql". - - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 - - EOWARN - fi - ;; - esac - if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOE' - Error: Database is uninitialized and superuser password is not specified. - You must specify POSTGRES_PASSWORD to a non-empty value for the - superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run". - - You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all - connections without a password. This is *not* recommended. - - See PostgreSQL documentation about "trust": - https://www.postgresql.org/docs/current/auth-trust.html - EOE - exit 1 - fi - if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then - cat >&2 <<-'EOWARN' - ******************************************************************************** - WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow - anyone with access to the Postgres port to access your database without - a password, even if POSTGRES_PASSWORD is set. See PostgreSQL - documentation about "trust": - https://www.postgresql.org/docs/current/auth-trust.html - In Docker's default configuration, this is effectively any other - container on the same system. - - It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace - it with "-e POSTGRES_PASSWORD=password" instead to set a password in - "docker run". - ******************************************************************************** - EOWARN - fi -} - -# usage: docker_process_init_files [file [file [...]]] -# ie: docker_process_init_files /always-initdb.d/* -# process initializer files, based on file extensions and permissions -docker_process_init_files() { - # psql here for backwards compatibility "${psql[@]}" - psql=( docker_process_sql ) - - printf '\n' - local f - for f; do - case "$f" in - *.sh) - # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 - # https://github.com/docker-library/postgres/pull/452 - if [ -x "$f" ]; then - printf '%s: running %s\n' "$0" "$f" - "$f" - else - printf '%s: sourcing %s\n' "$0" "$f" - . "$f" - fi - ;; - *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;; - *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;; - *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;; - *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;; - *) printf '%s: ignoring %s\n' "$0" "$f" ;; - esac - printf '\n' - done -} - -# Execute sql script, passed via stdin (or -f flag of pqsl) -# usage: docker_process_sql [psql-cli-args] -# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' -# ie: docker_process_sql -f my-file.sql -# ie: docker_process_sql > "$PGDATA/pg_hba.conf" -} - -# start socket-only postgresql server for setting up or running scripts -# all arguments will be passed along as arguments to `postgres` (via pg_ctl) -docker_temp_server_start() { - if [ "$1" = 'postgres' ]; then - shift - fi - - # internal start of server in order to allow setup using psql client - # does not listen on external TCP/IP and waits until start finishes - set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" - - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "$(printf '%q ' "$@")" \ - -w start -} - -# stop postgresql server after done setting up user and running scripts -docker_temp_server_stop() { - PGUSER="${PGUSER:-postgres}" \ - pg_ctl -D "$PGDATA" -m fast -w stop -} - -# check arguments for an option that would cause postgres to stop -# return true if there is one -_pg_want_help() { - local arg - for arg; do - case "$arg" in - # postgres --help | grep 'then exit' - # leaving out -C on purpose since it always fails and is unhelpful: - # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory - -'?'|--help|--describe-config|-V|--version) - return 0 - ;; - esac - done - return 1 -} - -_main() { - # if first arg looks like a flag, assume we want to run postgres server - if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" - fi - - if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then - docker_setup_env - # setup data directories and permissions (when run as root) - docker_create_db_directories - if [ "$(id -u)" = '0' ]; then - # then restart script as postgres user - exec gosu postgres "$BASH_SOURCE" "$@" - fi - - # only run initialization on an empty data directory - if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir - pg_setup_hba_conf "$@" - - # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless - # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - docker_temp_server_start "$@" - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - docker_temp_server_stop - unset PGPASSWORD - - cat <<-'EOM' - - PostgreSQL init process complete; ready for start up. - - EOM - else - cat <<-'EOM' - - PostgreSQL Database directory appears to contain a database; Skipping initialization - - EOM - fi - fi - - exec "$@" -} - -if ! _is_sourced; then - _main "$@" -fi diff --git a/17/alpine3.19/Dockerfile b/17/alpine3.21/Dockerfile similarity index 79% rename from 17/alpine3.19/Dockerfile rename to 17/alpine3.21/Dockerfile index 793e3d49c5..c3c81bd437 100644 --- a/17/alpine3.19/Dockerfile +++ b/17/alpine3.21/Dockerfile @@ -4,10 +4,10 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # -FROM alpine:3.19 +FROM alpine:3.21 # 70 is the standard uid/gid for "postgres" in Alpine -# https://git.alpinelinux.org/aports/tree/main/postgresql/postgresql.pre-install?h=3.12-stable +# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable RUN set -eux; \ addgroup -g 70 -S postgres; \ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \ @@ -52,12 +52,12 @@ ENV LANG en_US.utf8 RUN mkdir /docker-entrypoint-initdb.d ENV PG_MAJOR 17 -ENV PG_VERSION 17.0 -ENV PG_SHA256 7e276131c0fdd6b62588dbad9b3bb24b8c3498d5009328dba59af16e819109de +ENV PG_VERSION 17.5 +ENV PG_SHA256 fcb7ab38e23b264d1902cb25e6adafb4525a6ebcbd015434aeef9eda80f528d8 ENV DOCKER_PG_LLVM_DEPS \ - llvm15-dev \ - clang15 + llvm19-dev \ + clang19 RUN set -eux; \ \ @@ -111,14 +111,11 @@ RUN set -eux; \ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ -# explicitly update autoconf config.guess and config.sub so they support more arches/libcs - wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb'; \ - wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb'; \ \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n158 - export LLVM_CONFIG="/usr/lib/llvm15/bin/llvm-config"; \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n163 - export CLANG=clang-15; \ +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG") + export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \ +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.") + export CLANG=clang-19; \ \ # configure options taken from: # https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5 @@ -172,8 +169,7 @@ RUN set -eux; \ zstd \ # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split icu-data-full \ -# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le" -# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663 +# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults") $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \ ; \ apk del --no-network .build-deps; \ @@ -206,18 +202,12 @@ ENTRYPOINT ["docker-entrypoint.sh"] # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL # calls "Fast Shutdown mode" wherein new connections are disallowed and any # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. +# flush tables to disk. # -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. -# -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details # about available PostgreSQL server shutdown signals. # -# See also https://www.postgresql.org/docs/12/server-start.html for further +# See also https://www.postgresql.org/docs/current/server-start.html for further # justification of this as the default value, namely that the example (and # shipped) systemd service files use the "Fast Shutdown mode" for service # termination. @@ -227,10 +217,10 @@ STOPSIGNAL SIGINT # An additional setting that is recommended for all users regardless of this # value is the runtime "--stop-timeout" (or your orchestrator/runtime's # equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# STOPSIGNAL and sending SIGKILL. # # The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# documentation at https://www.postgresql.org/docs/current/server-start.html notes # that even 90 seconds may not be long enough in many instances. EXPOSE 5432 diff --git a/17/alpine3.21/docker-ensure-initdb.sh b/17/alpine3.21/docker-ensure-initdb.sh new file mode 100755 index 0000000000..e9b15ef77d --- /dev/null +++ b/17/alpine3.21/docker-ensure-initdb.sh @@ -0,0 +1,72 @@ +#!/usr/bin/env bash +set -Eeuo pipefail + +# +# This script is intended for three main use cases: +# +# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior +# +# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution +# (no-op if database is already initialized) +# +# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use +# (error if database is already initialized) +# + +source /usr/local/bin/docker-entrypoint.sh + +# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there) +if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then + set -- postgres "$@" +fi + +# see also "_main" in "docker-entrypoint.sh" + +docker_setup_env +# setup data directories and permissions (when run as root) +docker_create_db_directories +if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" +fi + +# only run initialization on an empty data directory +if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_error_old_databases + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + docker_init_database_dir + pg_setup_hba_conf "$@" + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD +else + self="$(basename "$0")" + case "$self" in + docker-ensure-initdb.sh) + echo >&2 "$self: note: database already initialized in '$PGDATA'!" + exit 0 + ;; + + docker-enforce-initdb.sh) + echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!" + exit 1 + ;; + + *) + echo >&2 "$self: error: unknown file name: $self" + exit 99 + ;; + esac +fi diff --git a/17/alpine3.21/docker-entrypoint.sh b/17/alpine3.21/docker-entrypoint.sh new file mode 100755 index 0000000000..5a62870b50 --- /dev/null +++ b/17/alpine3.21/docker-entrypoint.sh @@ -0,0 +1,391 @@ +#!/usr/bin/env bash +set -Eeo pipefail +# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) + +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then + printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" + exit 1 + fi + local val="$def" + if [ "${!var:-}" ]; then + val="${!var}" + elif [ "${!fileVar:-}" ]; then + val="$(< "${!fileVar}")" + fi + export "$var"="$val" + unset "$fileVar" +} + +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user +docker_create_db_directories() { + local user; user="$(id -u)" + + mkdir -p "$PGDATA" + # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) + chmod 00700 "$PGDATA" || : + + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 03775 /var/run/postgresql || : + + # Create the transaction log directory before initdb is run so the directory is owned by the correct user + if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then + mkdir -p "$POSTGRES_INITDB_WALDIR" + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + + fi + chmod 700 "$POSTGRES_INITDB_WALDIR" + fi + + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} + +# initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env +docker_init_database_dir() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + local uid; uid="$(id -u)" + if ! getent passwd "$uid" &> /dev/null; then + # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15) + local wrapper + for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do + if [ -s "$wrapper" ]; then + NSS_WRAPPER_PASSWD="$(mktemp)" + NSS_WRAPPER_GROUP="$(mktemp)" + export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + local gid; gid="$(id -g)" + printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD" + printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP" + break + fi + done + fi + + if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then + set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" + fi + + # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025 + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' + + # unset/cleanup "nss_wrapper" bits + if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} + +# print large warning if POSTGRES_PASSWORD is long +# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust' +# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' +# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] +docker_verify_minimum_env() { + case "${PG_MAJOR:-}" in + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' + + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + + This will not work if used via PGPASSWORD with "psql". + + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 + + EOWARN + fi + ;; + esac + if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOE' + Error: Database is uninitialized and superuser password is not specified. + You must specify POSTGRES_PASSWORD to a non-empty value for the + superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run". + + You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all + connections without a password. This is *not* recommended. + + See PostgreSQL documentation about "trust": + https://www.postgresql.org/docs/current/auth-trust.html + EOE + exit 1 + fi + if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then + cat >&2 <<-'EOWARN' + ******************************************************************************** + WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow + anyone with access to the Postgres port to access your database without + a password, even if POSTGRES_PASSWORD is set. See PostgreSQL + documentation about "trust": + https://www.postgresql.org/docs/current/auth-trust.html + In Docker's default configuration, this is effectively any other + container on the same system. + + It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace + it with "-e POSTGRES_PASSWORD=password" instead to set a password in + "docker run". + ******************************************************************************** + EOWARN + fi +} +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} + +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions +docker_process_init_files() { + # psql here for backwards compatibility "${psql[@]}" + psql=( docker_process_sql ) + + printf '\n' + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + printf '%s: running %s\n' "$0" "$f" + "$f" + else + printf '%s: sourcing %s\n' "$0" "$f" + . "$f" + fi + ;; + *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;; + *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;; + *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;; + *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;; + *) printf '%s: ignoring %s\n' "$0" "$f" ;; + esac + printf '\n' + done +} + +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' +# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up or running scripts +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temp_server_start() { + if [ "$1" = 'postgres' ]; then + shift + fi + + # internal start of server in order to allow setup using psql client + # does not listen on external TCP/IP and waits until start finishes + set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "$(printf '%q ' "$@")" \ + -w start +} + +# stop postgresql server after done setting up user and running scripts +docker_temp_server_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +# check arguments for an option that would cause postgres to stop +# return true if there is one +_pg_want_help() { + local arg + for arg; do + case "$arg" in + # postgres --help | grep 'then exit' + # leaving out -C on purpose since it always fails and is unhelpful: + # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory + -'?'|--help|--describe-config|-V|--version) + return 0 + ;; + esac + done + return 1 +} + +_main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" + fi + + if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then + docker_setup_env + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" + fi + + # only run initialization on an empty data directory + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_error_old_databases + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + docker_init_database_dir + pg_setup_hba_conf "$@" + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD + + cat <<-'EOM' + + PostgreSQL init process complete; ready for start up. + + EOM + else + cat <<-'EOM' + + PostgreSQL Database directory appears to contain a database; Skipping initialization + + EOM + fi + fi + + exec "$@" +} + +if ! _is_sourced; then + _main "$@" +fi diff --git a/17/alpine3.20/Dockerfile b/17/alpine3.22/Dockerfile similarity index 79% rename from 17/alpine3.20/Dockerfile rename to 17/alpine3.22/Dockerfile index 4a33b69d48..5c303bd7d0 100644 --- a/17/alpine3.20/Dockerfile +++ b/17/alpine3.22/Dockerfile @@ -4,10 +4,10 @@ # PLEASE DO NOT EDIT IT DIRECTLY. # -FROM alpine:3.20 +FROM alpine:3.22 # 70 is the standard uid/gid for "postgres" in Alpine -# https://git.alpinelinux.org/aports/tree/main/postgresql/postgresql.pre-install?h=3.12-stable +# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable RUN set -eux; \ addgroup -g 70 -S postgres; \ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \ @@ -52,12 +52,12 @@ ENV LANG en_US.utf8 RUN mkdir /docker-entrypoint-initdb.d ENV PG_MAJOR 17 -ENV PG_VERSION 17.0 -ENV PG_SHA256 7e276131c0fdd6b62588dbad9b3bb24b8c3498d5009328dba59af16e819109de +ENV PG_VERSION 17.5 +ENV PG_SHA256 fcb7ab38e23b264d1902cb25e6adafb4525a6ebcbd015434aeef9eda80f528d8 ENV DOCKER_PG_LLVM_DEPS \ - llvm15-dev \ - clang15 + llvm19-dev \ + clang19 RUN set -eux; \ \ @@ -111,14 +111,11 @@ RUN set -eux; \ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ -# explicitly update autoconf config.guess and config.sub so they support more arches/libcs - wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb'; \ - wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb'; \ \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n158 - export LLVM_CONFIG="/usr/lib/llvm15/bin/llvm-config"; \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n163 - export CLANG=clang-15; \ +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG") + export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \ +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.") + export CLANG=clang-19; \ \ # configure options taken from: # https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5 @@ -172,8 +169,7 @@ RUN set -eux; \ zstd \ # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split icu-data-full \ -# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le" -# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663 +# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults") $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \ ; \ apk del --no-network .build-deps; \ @@ -206,18 +202,12 @@ ENTRYPOINT ["docker-entrypoint.sh"] # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL # calls "Fast Shutdown mode" wherein new connections are disallowed and any # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. +# flush tables to disk. # -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. -# -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details # about available PostgreSQL server shutdown signals. # -# See also https://www.postgresql.org/docs/12/server-start.html for further +# See also https://www.postgresql.org/docs/current/server-start.html for further # justification of this as the default value, namely that the example (and # shipped) systemd service files use the "Fast Shutdown mode" for service # termination. @@ -227,10 +217,10 @@ STOPSIGNAL SIGINT # An additional setting that is recommended for all users regardless of this # value is the runtime "--stop-timeout" (or your orchestrator/runtime's # equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# STOPSIGNAL and sending SIGKILL. # # The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# documentation at https://www.postgresql.org/docs/current/server-start.html notes # that even 90 seconds may not be long enough in many instances. EXPOSE 5432 diff --git a/17/alpine3.22/docker-ensure-initdb.sh b/17/alpine3.22/docker-ensure-initdb.sh new file mode 100755 index 0000000000..e9b15ef77d --- /dev/null +++ b/17/alpine3.22/docker-ensure-initdb.sh @@ -0,0 +1,72 @@ +#!/usr/bin/env bash +set -Eeuo pipefail + +# +# This script is intended for three main use cases: +# +# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior +# +# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution +# (no-op if database is already initialized) +# +# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use +# (error if database is already initialized) +# + +source /usr/local/bin/docker-entrypoint.sh + +# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there) +if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then + set -- postgres "$@" +fi + +# see also "_main" in "docker-entrypoint.sh" + +docker_setup_env +# setup data directories and permissions (when run as root) +docker_create_db_directories +if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" +fi + +# only run initialization on an empty data directory +if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_error_old_databases + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + docker_init_database_dir + pg_setup_hba_conf "$@" + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD +else + self="$(basename "$0")" + case "$self" in + docker-ensure-initdb.sh) + echo >&2 "$self: note: database already initialized in '$PGDATA'!" + exit 0 + ;; + + docker-enforce-initdb.sh) + echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!" + exit 1 + ;; + + *) + echo >&2 "$self: error: unknown file name: $self" + exit 99 + ;; + esac +fi diff --git a/17/alpine3.22/docker-entrypoint.sh b/17/alpine3.22/docker-entrypoint.sh new file mode 100755 index 0000000000..5a62870b50 --- /dev/null +++ b/17/alpine3.22/docker-entrypoint.sh @@ -0,0 +1,391 @@ +#!/usr/bin/env bash +set -Eeo pipefail +# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) + +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then + printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" + exit 1 + fi + local val="$def" + if [ "${!var:-}" ]; then + val="${!var}" + elif [ "${!fileVar:-}" ]; then + val="$(< "${!fileVar}")" + fi + export "$var"="$val" + unset "$fileVar" +} + +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user +docker_create_db_directories() { + local user; user="$(id -u)" + + mkdir -p "$PGDATA" + # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) + chmod 00700 "$PGDATA" || : + + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 03775 /var/run/postgresql || : + + # Create the transaction log directory before initdb is run so the directory is owned by the correct user + if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then + mkdir -p "$POSTGRES_INITDB_WALDIR" + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + + fi + chmod 700 "$POSTGRES_INITDB_WALDIR" + fi + + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} + +# initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env +docker_init_database_dir() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + local uid; uid="$(id -u)" + if ! getent passwd "$uid" &> /dev/null; then + # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15) + local wrapper + for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do + if [ -s "$wrapper" ]; then + NSS_WRAPPER_PASSWD="$(mktemp)" + NSS_WRAPPER_GROUP="$(mktemp)" + export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + local gid; gid="$(id -g)" + printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD" + printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP" + break + fi + done + fi + + if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then + set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" + fi + + # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025 + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' + + # unset/cleanup "nss_wrapper" bits + if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} + +# print large warning if POSTGRES_PASSWORD is long +# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust' +# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' +# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] +docker_verify_minimum_env() { + case "${PG_MAJOR:-}" in + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' + + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + + This will not work if used via PGPASSWORD with "psql". + + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 + + EOWARN + fi + ;; + esac + if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOE' + Error: Database is uninitialized and superuser password is not specified. + You must specify POSTGRES_PASSWORD to a non-empty value for the + superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run". + + You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all + connections without a password. This is *not* recommended. + + See PostgreSQL documentation about "trust": + https://www.postgresql.org/docs/current/auth-trust.html + EOE + exit 1 + fi + if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then + cat >&2 <<-'EOWARN' + ******************************************************************************** + WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow + anyone with access to the Postgres port to access your database without + a password, even if POSTGRES_PASSWORD is set. See PostgreSQL + documentation about "trust": + https://www.postgresql.org/docs/current/auth-trust.html + In Docker's default configuration, this is effectively any other + container on the same system. + + It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace + it with "-e POSTGRES_PASSWORD=password" instead to set a password in + "docker run". + ******************************************************************************** + EOWARN + fi +} +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} + +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions +docker_process_init_files() { + # psql here for backwards compatibility "${psql[@]}" + psql=( docker_process_sql ) + + printf '\n' + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + printf '%s: running %s\n' "$0" "$f" + "$f" + else + printf '%s: sourcing %s\n' "$0" "$f" + . "$f" + fi + ;; + *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;; + *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;; + *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;; + *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;; + *) printf '%s: ignoring %s\n' "$0" "$f" ;; + esac + printf '\n' + done +} + +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' +# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up or running scripts +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temp_server_start() { + if [ "$1" = 'postgres' ]; then + shift + fi + + # internal start of server in order to allow setup using psql client + # does not listen on external TCP/IP and waits until start finishes + set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "$(printf '%q ' "$@")" \ + -w start +} + +# stop postgresql server after done setting up user and running scripts +docker_temp_server_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +# check arguments for an option that would cause postgres to stop +# return true if there is one +_pg_want_help() { + local arg + for arg; do + case "$arg" in + # postgres --help | grep 'then exit' + # leaving out -C on purpose since it always fails and is unhelpful: + # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory + -'?'|--help|--describe-config|-V|--version) + return 0 + ;; + esac + done + return 1 +} + +_main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" + fi + + if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then + docker_setup_env + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" + fi + + # only run initialization on an empty data directory + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_error_old_databases + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + docker_init_database_dir + pg_setup_hba_conf "$@" + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD + + cat <<-'EOM' + + PostgreSQL init process complete; ready for start up. + + EOM + else + cat <<-'EOM' + + PostgreSQL Database directory appears to contain a database; Skipping initialization + + EOM + fi + fi + + exec "$@" +} + +if ! _is_sourced; then + _main "$@" +fi diff --git a/17/bookworm/Dockerfile b/17/bookworm/Dockerfile index 21a1f4958d..25c2142f1f 100644 --- a/17/bookworm/Dockerfile +++ b/17/bookworm/Dockerfile @@ -89,7 +89,7 @@ RUN set -ex; \ ENV PG_MAJOR 17 ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin -ENV PG_VERSION 17.0-1.pgdg120+1 +ENV PG_VERSION 17.5-1.pgdg120+1 RUN set -ex; \ \ @@ -99,7 +99,7 @@ RUN set -ex; \ dpkgArch="$(dpkg --print-architecture)"; \ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main $PG_MAJOR"; \ case "$dpkgArch" in \ - amd64 | arm64 | ppc64el | s390x) \ + amd64 | arm64 | ppc64el) \ # arches officialy built by upstream echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \ apt-get update; \ @@ -131,10 +131,9 @@ RUN set -ex; \ # build .deb files from upstream's source packages (which are verified by apt-get) nproc="$(nproc)"; \ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \ -# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876 -# (and it "Depends: pgdg-keyring") - apt-get build-dep -y postgresql-common pgdg-keyring; \ - apt-get source --compile postgresql-common pgdg-keyring; \ +# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9 + apt-get build-dep -y postgresql-common-dev; \ + apt-get source --compile postgresql-common-dev; \ _update_repo; \ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \ @@ -194,18 +193,12 @@ ENTRYPOINT ["docker-entrypoint.sh"] # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL # calls "Fast Shutdown mode" wherein new connections are disallowed and any # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. +# flush tables to disk. # -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. -# -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details # about available PostgreSQL server shutdown signals. # -# See also https://www.postgresql.org/docs/12/server-start.html for further +# See also https://www.postgresql.org/docs/current/server-start.html for further # justification of this as the default value, namely that the example (and # shipped) systemd service files use the "Fast Shutdown mode" for service # termination. @@ -215,10 +208,10 @@ STOPSIGNAL SIGINT # An additional setting that is recommended for all users regardless of this # value is the runtime "--stop-timeout" (or your orchestrator/runtime's # equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# STOPSIGNAL and sending SIGKILL. # # The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# documentation at https://www.postgresql.org/docs/current/server-start.html notes # that even 90 seconds may not be long enough in many instances. EXPOSE 5432 diff --git a/17/bookworm/docker-ensure-initdb.sh b/17/bookworm/docker-ensure-initdb.sh index ae1f6b6b90..e9b15ef77d 100755 --- a/17/bookworm/docker-ensure-initdb.sh +++ b/17/bookworm/docker-ensure-initdb.sh @@ -33,6 +33,7 @@ fi # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/17/bookworm/docker-entrypoint.sh b/17/bookworm/docker-entrypoint.sh index 6f59993e08..5a62870b50 100755 --- a/17/bookworm/docker-entrypoint.sh +++ b/17/bookworm/docker-entrypoint.sh @@ -104,7 +104,7 @@ docker_init_database_dir() { # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] docker_verify_minimum_env() { case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 # check password first so we can output the warning before postgres # messes it up if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then @@ -154,6 +154,29 @@ docker_verify_minimum_env() { EOWARN fi } +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} # usage: docker_process_init_files [file [file [...]]] # ie: docker_process_init_files /always-initdb.d/* @@ -230,9 +253,17 @@ docker_setup_env() { declare -g DATABASE_ALREADY_EXISTS : "${DATABASE_ALREADY_EXISTS:=}" + declare -ag OLD_DATABASES=() # look specifically for PG_VERSION, as it is expected in the DB dir if [ -s "$PGDATA/PG_VERSION" ]; then DATABASE_ALREADY_EXISTS='true' + elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then + # https://github.com/docker-library/postgres/pull/1259 + for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do + if [ -s "$d/PG_VERSION" ]; then + OLD_DATABASES+=( "$d" ) + fi + done fi } @@ -252,7 +283,7 @@ pg_setup_hba_conf() { printf '\n' if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then printf '# warning trust is enabled for all connections\n' - printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n' + printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n' fi printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD" } >> "$PGDATA/pg_hba.conf" @@ -269,6 +300,9 @@ docker_temp_server_start() { # does not listen on external TCP/IP and waits until start finishes set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ PGUSER="${PGUSER:-$POSTGRES_USER}" \ pg_ctl -D "$PGDATA" \ -o "$(printf '%q ' "$@")" \ @@ -316,6 +350,7 @@ _main() { # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/17/bullseye/Dockerfile b/17/bullseye/Dockerfile index a7ff8247c8..fc554d1fae 100644 --- a/17/bullseye/Dockerfile +++ b/17/bullseye/Dockerfile @@ -89,7 +89,7 @@ RUN set -ex; \ ENV PG_MAJOR 17 ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin -ENV PG_VERSION 17.0-1.pgdg110+1 +ENV PG_VERSION 17.5-1.pgdg110+1 RUN set -ex; \ \ @@ -99,7 +99,7 @@ RUN set -ex; \ dpkgArch="$(dpkg --print-architecture)"; \ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bullseye-pgdg main $PG_MAJOR"; \ case "$dpkgArch" in \ - amd64 | arm64 | ppc64el | s390x) \ + amd64 | arm64 | ppc64el) \ # arches officialy built by upstream echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \ apt-get update; \ @@ -131,10 +131,9 @@ RUN set -ex; \ # build .deb files from upstream's source packages (which are verified by apt-get) nproc="$(nproc)"; \ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \ -# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876 -# (and it "Depends: pgdg-keyring") - apt-get build-dep -y postgresql-common pgdg-keyring; \ - apt-get source --compile postgresql-common pgdg-keyring; \ +# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9 + apt-get build-dep -y postgresql-common-dev; \ + apt-get source --compile postgresql-common-dev; \ _update_repo; \ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \ @@ -194,18 +193,12 @@ ENTRYPOINT ["docker-entrypoint.sh"] # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL # calls "Fast Shutdown mode" wherein new connections are disallowed and any # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. +# flush tables to disk. # -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. -# -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details # about available PostgreSQL server shutdown signals. # -# See also https://www.postgresql.org/docs/12/server-start.html for further +# See also https://www.postgresql.org/docs/current/server-start.html for further # justification of this as the default value, namely that the example (and # shipped) systemd service files use the "Fast Shutdown mode" for service # termination. @@ -215,10 +208,10 @@ STOPSIGNAL SIGINT # An additional setting that is recommended for all users regardless of this # value is the runtime "--stop-timeout" (or your orchestrator/runtime's # equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# STOPSIGNAL and sending SIGKILL. # # The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# documentation at https://www.postgresql.org/docs/current/server-start.html notes # that even 90 seconds may not be long enough in many instances. EXPOSE 5432 diff --git a/17/bullseye/docker-ensure-initdb.sh b/17/bullseye/docker-ensure-initdb.sh index ae1f6b6b90..e9b15ef77d 100755 --- a/17/bullseye/docker-ensure-initdb.sh +++ b/17/bullseye/docker-ensure-initdb.sh @@ -33,6 +33,7 @@ fi # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/17/bullseye/docker-entrypoint.sh b/17/bullseye/docker-entrypoint.sh index 6f59993e08..5a62870b50 100755 --- a/17/bullseye/docker-entrypoint.sh +++ b/17/bullseye/docker-entrypoint.sh @@ -104,7 +104,7 @@ docker_init_database_dir() { # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] docker_verify_minimum_env() { case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 # check password first so we can output the warning before postgres # messes it up if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then @@ -154,6 +154,29 @@ docker_verify_minimum_env() { EOWARN fi } +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} # usage: docker_process_init_files [file [file [...]]] # ie: docker_process_init_files /always-initdb.d/* @@ -230,9 +253,17 @@ docker_setup_env() { declare -g DATABASE_ALREADY_EXISTS : "${DATABASE_ALREADY_EXISTS:=}" + declare -ag OLD_DATABASES=() # look specifically for PG_VERSION, as it is expected in the DB dir if [ -s "$PGDATA/PG_VERSION" ]; then DATABASE_ALREADY_EXISTS='true' + elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then + # https://github.com/docker-library/postgres/pull/1259 + for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do + if [ -s "$d/PG_VERSION" ]; then + OLD_DATABASES+=( "$d" ) + fi + done fi } @@ -252,7 +283,7 @@ pg_setup_hba_conf() { printf '\n' if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then printf '# warning trust is enabled for all connections\n' - printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n' + printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n' fi printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD" } >> "$PGDATA/pg_hba.conf" @@ -269,6 +300,9 @@ docker_temp_server_start() { # does not listen on external TCP/IP and waits until start finishes set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ PGUSER="${PGUSER:-$POSTGRES_USER}" \ pg_ctl -D "$PGDATA" \ -o "$(printf '%q ' "$@")" \ @@ -316,6 +350,7 @@ _main() { # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/18/alpine3.21/Dockerfile b/18/alpine3.21/Dockerfile new file mode 100644 index 0000000000..d124d7eb5c --- /dev/null +++ b/18/alpine3.21/Dockerfile @@ -0,0 +1,230 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + +FROM alpine:3.21 + +# 70 is the standard uid/gid for "postgres" in Alpine +# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable +RUN set -eux; \ + addgroup -g 70 -S postgres; \ + adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \ +# also create the postgres user's home directory with appropriate permissions +# see https://github.com/docker-library/postgres/issues/274 + install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql + +# grab gosu for easy step-down from root +# https://github.com/tianon/gosu/releases +ENV GOSU_VERSION 1.17 +RUN set -eux; \ + \ + apk add --no-cache --virtual .gosu-deps \ + ca-certificates \ + dpkg \ + gnupg \ + ; \ + \ + dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ + wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ + wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ + \ +# verify the signature + export GNUPGHOME="$(mktemp -d)"; \ + gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ + gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ + \ +# clean up fetch dependencies + apk del --no-network .gosu-deps; \ + \ + chmod +x /usr/local/bin/gosu; \ +# verify that the binary works + gosu --version; \ + gosu nobody true + +# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default +# alpine doesn't require explicit locale-file generation +ENV LANG en_US.utf8 + +RUN mkdir /docker-entrypoint-initdb.d + +ENV PG_MAJOR 18 +ENV PG_VERSION 18beta2 +ENV PG_SHA256 1d16b58244b630194432b88d9ff25f5fea85a001ff2c715a157d4be6787f3075 + +ENV DOCKER_PG_LLVM_DEPS \ + llvm19-dev \ + clang19 + +RUN set -eux; \ + \ + wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \ + echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c -; \ + mkdir -p /usr/src/postgresql; \ + tar \ + --extract \ + --file postgresql.tar.bz2 \ + --directory /usr/src/postgresql \ + --strip-components 1 \ + ; \ + rm postgresql.tar.bz2; \ + \ + apk add --no-cache --virtual .build-deps \ + $DOCKER_PG_LLVM_DEPS \ + bison \ + coreutils \ + dpkg-dev dpkg \ + flex \ + g++ \ + gcc \ + krb5-dev \ + libc-dev \ + libedit-dev \ + libxml2-dev \ + libxslt-dev \ + linux-headers \ + make \ + openldap-dev \ + openssl-dev \ + perl-dev \ + perl-ipc-run \ + perl-utils \ + python3-dev \ + tcl-dev \ + util-linux-dev \ + zlib-dev \ +# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13 + icu-dev \ +# https://www.postgresql.org/docs/14/release-14.html#id-1.11.6.5.5.3.7 + lz4-dev \ +# https://www.postgresql.org/docs/15/release-15.html "--with-zstd to enable Zstandard builds" + zstd-dev \ + ; \ + \ + cd /usr/src/postgresql; \ +# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian) +# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f + awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \ + grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \ + mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \ + gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ + \ +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG") + export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \ +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.") + export CLANG=clang-19; \ + \ +# configure options taken from: +# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5 + ./configure \ + --enable-option-checking=fatal \ + --build="$gnuArch" \ +# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'" +# --enable-nls \ + --enable-integer-datetimes \ + --enable-tap-tests \ +# skip debugging info -- we want tiny size instead +# --enable-debug \ + --disable-rpath \ + --with-uuid=e2fs \ + --with-pgport=5432 \ + --with-system-tzdata=/usr/share/zoneinfo \ + --prefix=/usr/local \ + --with-includes=/usr/local/include \ + --with-libraries=/usr/local/lib \ + --with-gssapi \ + --with-ldap \ + --with-tcl \ + --with-perl \ + --with-python \ +# --with-pam \ + --with-openssl \ + --with-libxml \ + --with-libxslt \ + --with-icu \ + --with-llvm \ + --with-lz4 \ + --with-zstd \ + ; \ + make -j "$(nproc)" world-bin; \ + make install-world-bin; \ + make -C contrib install; \ + \ + runDeps="$( \ + scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \ + | tr ',' '\n' \ + | sort -u \ + | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ +# Remove plperl, plpython and pltcl dependencies by default to save image size +# To use the pl extensions, those have to be installed in a derived image + | grep -v -e perl -e python -e tcl \ + )"; \ + apk add --no-cache --virtual .postgresql-rundeps \ + $runDeps \ + bash \ + tzdata \ + zstd \ +# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split + icu-data-full \ +# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults") + $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \ + ; \ + apk del --no-network .build-deps; \ + cd /; \ + rm -rf \ + /usr/src/postgresql \ + /usr/local/share/doc \ + /usr/local/share/man \ + ; \ + \ + postgres --version + +# make the sample config easier to munge (and "correct by default") +RUN set -eux; \ + cp -v /usr/local/share/postgresql/postgresql.conf.sample /usr/local/share/postgresql/postgresql.conf.sample.orig; \ + sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \ + grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample + +RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql + +# +# NOTE: in 18+, PGDATA has changed to match the pg_ctlcluster standard directory structure, and the VOLUME has moved from /var/lib/postgresql/data to /var/lib/postgresql +# +ENV PGDATA /var/lib/postgresql/18/docker +RUN ln -svT . /var/lib/postgresql/data # https://github.com/docker-library/postgres/pull/1259#issuecomment-2215477494 +VOLUME /var/lib/postgresql +# ("/var/lib/postgresql" is already pre-created with suitably usable permissions above) + +COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/ +RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh +ENTRYPOINT ["docker-entrypoint.sh"] + +# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL +# calls "Fast Shutdown mode" wherein new connections are disallowed and any +# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and +# flush tables to disk. +# +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details +# about available PostgreSQL server shutdown signals. +# +# See also https://www.postgresql.org/docs/current/server-start.html for further +# justification of this as the default value, namely that the example (and +# shipped) systemd service files use the "Fast Shutdown mode" for service +# termination. +# +STOPSIGNAL SIGINT +# +# An additional setting that is recommended for all users regardless of this +# value is the runtime "--stop-timeout" (or your orchestrator/runtime's +# equivalent) for controlling how long to wait between sending the defined +# STOPSIGNAL and sending SIGKILL. +# +# The default in most runtimes (such as Docker) is 10 seconds, and the +# documentation at https://www.postgresql.org/docs/current/server-start.html notes +# that even 90 seconds may not be long enough in many instances. + +EXPOSE 5432 +CMD ["postgres"] diff --git a/18/alpine3.21/docker-ensure-initdb.sh b/18/alpine3.21/docker-ensure-initdb.sh new file mode 100755 index 0000000000..e9b15ef77d --- /dev/null +++ b/18/alpine3.21/docker-ensure-initdb.sh @@ -0,0 +1,72 @@ +#!/usr/bin/env bash +set -Eeuo pipefail + +# +# This script is intended for three main use cases: +# +# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior +# +# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution +# (no-op if database is already initialized) +# +# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use +# (error if database is already initialized) +# + +source /usr/local/bin/docker-entrypoint.sh + +# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there) +if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then + set -- postgres "$@" +fi + +# see also "_main" in "docker-entrypoint.sh" + +docker_setup_env +# setup data directories and permissions (when run as root) +docker_create_db_directories +if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" +fi + +# only run initialization on an empty data directory +if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_error_old_databases + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + docker_init_database_dir + pg_setup_hba_conf "$@" + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD +else + self="$(basename "$0")" + case "$self" in + docker-ensure-initdb.sh) + echo >&2 "$self: note: database already initialized in '$PGDATA'!" + exit 0 + ;; + + docker-enforce-initdb.sh) + echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!" + exit 1 + ;; + + *) + echo >&2 "$self: error: unknown file name: $self" + exit 99 + ;; + esac +fi diff --git a/18/alpine3.21/docker-entrypoint.sh b/18/alpine3.21/docker-entrypoint.sh new file mode 100755 index 0000000000..5a62870b50 --- /dev/null +++ b/18/alpine3.21/docker-entrypoint.sh @@ -0,0 +1,391 @@ +#!/usr/bin/env bash +set -Eeo pipefail +# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) + +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then + printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" + exit 1 + fi + local val="$def" + if [ "${!var:-}" ]; then + val="${!var}" + elif [ "${!fileVar:-}" ]; then + val="$(< "${!fileVar}")" + fi + export "$var"="$val" + unset "$fileVar" +} + +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user +docker_create_db_directories() { + local user; user="$(id -u)" + + mkdir -p "$PGDATA" + # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) + chmod 00700 "$PGDATA" || : + + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 03775 /var/run/postgresql || : + + # Create the transaction log directory before initdb is run so the directory is owned by the correct user + if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then + mkdir -p "$POSTGRES_INITDB_WALDIR" + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + + fi + chmod 700 "$POSTGRES_INITDB_WALDIR" + fi + + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} + +# initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env +docker_init_database_dir() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + local uid; uid="$(id -u)" + if ! getent passwd "$uid" &> /dev/null; then + # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15) + local wrapper + for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do + if [ -s "$wrapper" ]; then + NSS_WRAPPER_PASSWD="$(mktemp)" + NSS_WRAPPER_GROUP="$(mktemp)" + export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + local gid; gid="$(id -g)" + printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD" + printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP" + break + fi + done + fi + + if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then + set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" + fi + + # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025 + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' + + # unset/cleanup "nss_wrapper" bits + if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} + +# print large warning if POSTGRES_PASSWORD is long +# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust' +# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' +# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] +docker_verify_minimum_env() { + case "${PG_MAJOR:-}" in + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' + + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + + This will not work if used via PGPASSWORD with "psql". + + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 + + EOWARN + fi + ;; + esac + if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOE' + Error: Database is uninitialized and superuser password is not specified. + You must specify POSTGRES_PASSWORD to a non-empty value for the + superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run". + + You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all + connections without a password. This is *not* recommended. + + See PostgreSQL documentation about "trust": + https://www.postgresql.org/docs/current/auth-trust.html + EOE + exit 1 + fi + if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then + cat >&2 <<-'EOWARN' + ******************************************************************************** + WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow + anyone with access to the Postgres port to access your database without + a password, even if POSTGRES_PASSWORD is set. See PostgreSQL + documentation about "trust": + https://www.postgresql.org/docs/current/auth-trust.html + In Docker's default configuration, this is effectively any other + container on the same system. + + It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace + it with "-e POSTGRES_PASSWORD=password" instead to set a password in + "docker run". + ******************************************************************************** + EOWARN + fi +} +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} + +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions +docker_process_init_files() { + # psql here for backwards compatibility "${psql[@]}" + psql=( docker_process_sql ) + + printf '\n' + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + printf '%s: running %s\n' "$0" "$f" + "$f" + else + printf '%s: sourcing %s\n' "$0" "$f" + . "$f" + fi + ;; + *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;; + *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;; + *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;; + *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;; + *) printf '%s: ignoring %s\n' "$0" "$f" ;; + esac + printf '\n' + done +} + +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' +# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up or running scripts +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temp_server_start() { + if [ "$1" = 'postgres' ]; then + shift + fi + + # internal start of server in order to allow setup using psql client + # does not listen on external TCP/IP and waits until start finishes + set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "$(printf '%q ' "$@")" \ + -w start +} + +# stop postgresql server after done setting up user and running scripts +docker_temp_server_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +# check arguments for an option that would cause postgres to stop +# return true if there is one +_pg_want_help() { + local arg + for arg; do + case "$arg" in + # postgres --help | grep 'then exit' + # leaving out -C on purpose since it always fails and is unhelpful: + # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory + -'?'|--help|--describe-config|-V|--version) + return 0 + ;; + esac + done + return 1 +} + +_main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" + fi + + if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then + docker_setup_env + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" + fi + + # only run initialization on an empty data directory + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_error_old_databases + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + docker_init_database_dir + pg_setup_hba_conf "$@" + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD + + cat <<-'EOM' + + PostgreSQL init process complete; ready for start up. + + EOM + else + cat <<-'EOM' + + PostgreSQL Database directory appears to contain a database; Skipping initialization + + EOM + fi + fi + + exec "$@" +} + +if ! _is_sourced; then + _main "$@" +fi diff --git a/18/alpine3.22/Dockerfile b/18/alpine3.22/Dockerfile new file mode 100644 index 0000000000..b310639404 --- /dev/null +++ b/18/alpine3.22/Dockerfile @@ -0,0 +1,230 @@ +# +# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh" +# +# PLEASE DO NOT EDIT IT DIRECTLY. +# + +FROM alpine:3.22 + +# 70 is the standard uid/gid for "postgres" in Alpine +# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable +RUN set -eux; \ + addgroup -g 70 -S postgres; \ + adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \ +# also create the postgres user's home directory with appropriate permissions +# see https://github.com/docker-library/postgres/issues/274 + install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql + +# grab gosu for easy step-down from root +# https://github.com/tianon/gosu/releases +ENV GOSU_VERSION 1.17 +RUN set -eux; \ + \ + apk add --no-cache --virtual .gosu-deps \ + ca-certificates \ + dpkg \ + gnupg \ + ; \ + \ + dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ + wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \ + wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \ + \ +# verify the signature + export GNUPGHOME="$(mktemp -d)"; \ + gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ + gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ + gpgconf --kill all; \ + rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ + \ +# clean up fetch dependencies + apk del --no-network .gosu-deps; \ + \ + chmod +x /usr/local/bin/gosu; \ +# verify that the binary works + gosu --version; \ + gosu nobody true + +# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default +# alpine doesn't require explicit locale-file generation +ENV LANG en_US.utf8 + +RUN mkdir /docker-entrypoint-initdb.d + +ENV PG_MAJOR 18 +ENV PG_VERSION 18beta2 +ENV PG_SHA256 1d16b58244b630194432b88d9ff25f5fea85a001ff2c715a157d4be6787f3075 + +ENV DOCKER_PG_LLVM_DEPS \ + llvm19-dev \ + clang19 + +RUN set -eux; \ + \ + wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \ + echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c -; \ + mkdir -p /usr/src/postgresql; \ + tar \ + --extract \ + --file postgresql.tar.bz2 \ + --directory /usr/src/postgresql \ + --strip-components 1 \ + ; \ + rm postgresql.tar.bz2; \ + \ + apk add --no-cache --virtual .build-deps \ + $DOCKER_PG_LLVM_DEPS \ + bison \ + coreutils \ + dpkg-dev dpkg \ + flex \ + g++ \ + gcc \ + krb5-dev \ + libc-dev \ + libedit-dev \ + libxml2-dev \ + libxslt-dev \ + linux-headers \ + make \ + openldap-dev \ + openssl-dev \ + perl-dev \ + perl-ipc-run \ + perl-utils \ + python3-dev \ + tcl-dev \ + util-linux-dev \ + zlib-dev \ +# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13 + icu-dev \ +# https://www.postgresql.org/docs/14/release-14.html#id-1.11.6.5.5.3.7 + lz4-dev \ +# https://www.postgresql.org/docs/15/release-15.html "--with-zstd to enable Zstandard builds" + zstd-dev \ + ; \ + \ + cd /usr/src/postgresql; \ +# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian) +# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f + awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \ + grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \ + mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \ + gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ + \ +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG") + export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \ +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.") + export CLANG=clang-19; \ + \ +# configure options taken from: +# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5 + ./configure \ + --enable-option-checking=fatal \ + --build="$gnuArch" \ +# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'" +# --enable-nls \ + --enable-integer-datetimes \ + --enable-tap-tests \ +# skip debugging info -- we want tiny size instead +# --enable-debug \ + --disable-rpath \ + --with-uuid=e2fs \ + --with-pgport=5432 \ + --with-system-tzdata=/usr/share/zoneinfo \ + --prefix=/usr/local \ + --with-includes=/usr/local/include \ + --with-libraries=/usr/local/lib \ + --with-gssapi \ + --with-ldap \ + --with-tcl \ + --with-perl \ + --with-python \ +# --with-pam \ + --with-openssl \ + --with-libxml \ + --with-libxslt \ + --with-icu \ + --with-llvm \ + --with-lz4 \ + --with-zstd \ + ; \ + make -j "$(nproc)" world-bin; \ + make install-world-bin; \ + make -C contrib install; \ + \ + runDeps="$( \ + scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \ + | tr ',' '\n' \ + | sort -u \ + | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ +# Remove plperl, plpython and pltcl dependencies by default to save image size +# To use the pl extensions, those have to be installed in a derived image + | grep -v -e perl -e python -e tcl \ + )"; \ + apk add --no-cache --virtual .postgresql-rundeps \ + $runDeps \ + bash \ + tzdata \ + zstd \ +# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split + icu-data-full \ +# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults") + $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \ + ; \ + apk del --no-network .build-deps; \ + cd /; \ + rm -rf \ + /usr/src/postgresql \ + /usr/local/share/doc \ + /usr/local/share/man \ + ; \ + \ + postgres --version + +# make the sample config easier to munge (and "correct by default") +RUN set -eux; \ + cp -v /usr/local/share/postgresql/postgresql.conf.sample /usr/local/share/postgresql/postgresql.conf.sample.orig; \ + sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \ + grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample + +RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql + +# +# NOTE: in 18+, PGDATA has changed to match the pg_ctlcluster standard directory structure, and the VOLUME has moved from /var/lib/postgresql/data to /var/lib/postgresql +# +ENV PGDATA /var/lib/postgresql/18/docker +RUN ln -svT . /var/lib/postgresql/data # https://github.com/docker-library/postgres/pull/1259#issuecomment-2215477494 +VOLUME /var/lib/postgresql +# ("/var/lib/postgresql" is already pre-created with suitably usable permissions above) + +COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/ +RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh +ENTRYPOINT ["docker-entrypoint.sh"] + +# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL +# calls "Fast Shutdown mode" wherein new connections are disallowed and any +# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and +# flush tables to disk. +# +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details +# about available PostgreSQL server shutdown signals. +# +# See also https://www.postgresql.org/docs/current/server-start.html for further +# justification of this as the default value, namely that the example (and +# shipped) systemd service files use the "Fast Shutdown mode" for service +# termination. +# +STOPSIGNAL SIGINT +# +# An additional setting that is recommended for all users regardless of this +# value is the runtime "--stop-timeout" (or your orchestrator/runtime's +# equivalent) for controlling how long to wait between sending the defined +# STOPSIGNAL and sending SIGKILL. +# +# The default in most runtimes (such as Docker) is 10 seconds, and the +# documentation at https://www.postgresql.org/docs/current/server-start.html notes +# that even 90 seconds may not be long enough in many instances. + +EXPOSE 5432 +CMD ["postgres"] diff --git a/18/alpine3.22/docker-ensure-initdb.sh b/18/alpine3.22/docker-ensure-initdb.sh new file mode 100755 index 0000000000..e9b15ef77d --- /dev/null +++ b/18/alpine3.22/docker-ensure-initdb.sh @@ -0,0 +1,72 @@ +#!/usr/bin/env bash +set -Eeuo pipefail + +# +# This script is intended for three main use cases: +# +# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior +# +# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution +# (no-op if database is already initialized) +# +# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use +# (error if database is already initialized) +# + +source /usr/local/bin/docker-entrypoint.sh + +# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there) +if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then + set -- postgres "$@" +fi + +# see also "_main" in "docker-entrypoint.sh" + +docker_setup_env +# setup data directories and permissions (when run as root) +docker_create_db_directories +if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" +fi + +# only run initialization on an empty data directory +if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_error_old_databases + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + docker_init_database_dir + pg_setup_hba_conf "$@" + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD +else + self="$(basename "$0")" + case "$self" in + docker-ensure-initdb.sh) + echo >&2 "$self: note: database already initialized in '$PGDATA'!" + exit 0 + ;; + + docker-enforce-initdb.sh) + echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!" + exit 1 + ;; + + *) + echo >&2 "$self: error: unknown file name: $self" + exit 99 + ;; + esac +fi diff --git a/18/alpine3.22/docker-entrypoint.sh b/18/alpine3.22/docker-entrypoint.sh new file mode 100755 index 0000000000..5a62870b50 --- /dev/null +++ b/18/alpine3.22/docker-entrypoint.sh @@ -0,0 +1,391 @@ +#!/usr/bin/env bash +set -Eeo pipefail +# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) + +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then + printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" + exit 1 + fi + local val="$def" + if [ "${!var:-}" ]; then + val="${!var}" + elif [ "${!fileVar:-}" ]; then + val="$(< "${!fileVar}")" + fi + export "$var"="$val" + unset "$fileVar" +} + +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user +docker_create_db_directories() { + local user; user="$(id -u)" + + mkdir -p "$PGDATA" + # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) + chmod 00700 "$PGDATA" || : + + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 03775 /var/run/postgresql || : + + # Create the transaction log directory before initdb is run so the directory is owned by the correct user + if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then + mkdir -p "$POSTGRES_INITDB_WALDIR" + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + + fi + chmod 700 "$POSTGRES_INITDB_WALDIR" + fi + + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} + +# initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env +docker_init_database_dir() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + local uid; uid="$(id -u)" + if ! getent passwd "$uid" &> /dev/null; then + # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15) + local wrapper + for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do + if [ -s "$wrapper" ]; then + NSS_WRAPPER_PASSWD="$(mktemp)" + NSS_WRAPPER_GROUP="$(mktemp)" + export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + local gid; gid="$(id -g)" + printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD" + printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP" + break + fi + done + fi + + if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then + set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" + fi + + # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025 + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' + + # unset/cleanup "nss_wrapper" bits + if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} + +# print large warning if POSTGRES_PASSWORD is long +# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust' +# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' +# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] +docker_verify_minimum_env() { + case "${PG_MAJOR:-}" in + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' + + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + + This will not work if used via PGPASSWORD with "psql". + + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 + + EOWARN + fi + ;; + esac + if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOE' + Error: Database is uninitialized and superuser password is not specified. + You must specify POSTGRES_PASSWORD to a non-empty value for the + superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run". + + You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all + connections without a password. This is *not* recommended. + + See PostgreSQL documentation about "trust": + https://www.postgresql.org/docs/current/auth-trust.html + EOE + exit 1 + fi + if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then + cat >&2 <<-'EOWARN' + ******************************************************************************** + WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow + anyone with access to the Postgres port to access your database without + a password, even if POSTGRES_PASSWORD is set. See PostgreSQL + documentation about "trust": + https://www.postgresql.org/docs/current/auth-trust.html + In Docker's default configuration, this is effectively any other + container on the same system. + + It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace + it with "-e POSTGRES_PASSWORD=password" instead to set a password in + "docker run". + ******************************************************************************** + EOWARN + fi +} +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} + +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions +docker_process_init_files() { + # psql here for backwards compatibility "${psql[@]}" + psql=( docker_process_sql ) + + printf '\n' + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + printf '%s: running %s\n' "$0" "$f" + "$f" + else + printf '%s: sourcing %s\n' "$0" "$f" + . "$f" + fi + ;; + *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;; + *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;; + *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;; + *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;; + *) printf '%s: ignoring %s\n' "$0" "$f" ;; + esac + printf '\n' + done +} + +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' +# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up or running scripts +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temp_server_start() { + if [ "$1" = 'postgres' ]; then + shift + fi + + # internal start of server in order to allow setup using psql client + # does not listen on external TCP/IP and waits until start finishes + set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "$(printf '%q ' "$@")" \ + -w start +} + +# stop postgresql server after done setting up user and running scripts +docker_temp_server_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +# check arguments for an option that would cause postgres to stop +# return true if there is one +_pg_want_help() { + local arg + for arg; do + case "$arg" in + # postgres --help | grep 'then exit' + # leaving out -C on purpose since it always fails and is unhelpful: + # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory + -'?'|--help|--describe-config|-V|--version) + return 0 + ;; + esac + done + return 1 +} + +_main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" + fi + + if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then + docker_setup_env + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" + fi + + # only run initialization on an empty data directory + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_error_old_databases + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + docker_init_database_dir + pg_setup_hba_conf "$@" + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD + + cat <<-'EOM' + + PostgreSQL init process complete; ready for start up. + + EOM + else + cat <<-'EOM' + + PostgreSQL Database directory appears to contain a database; Skipping initialization + + EOM + fi + fi + + exec "$@" +} + +if ! _is_sourced; then + _main "$@" +fi diff --git a/12/bookworm/Dockerfile b/18/bookworm/Dockerfile similarity index 85% rename from 12/bookworm/Dockerfile rename to 18/bookworm/Dockerfile index d80c0a4345..91e060b8b7 100644 --- a/12/bookworm/Dockerfile +++ b/18/bookworm/Dockerfile @@ -86,10 +86,10 @@ RUN set -ex; \ gpgconf --kill all; \ rm -rf "$GNUPGHOME" -ENV PG_MAJOR 12 +ENV PG_MAJOR 18 ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin -ENV PG_VERSION 12.20-1.pgdg120+1 +ENV PG_VERSION 18~beta2-1.pgdg120+1 RUN set -ex; \ \ @@ -99,7 +99,7 @@ RUN set -ex; \ dpkgArch="$(dpkg --print-architecture)"; \ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main $PG_MAJOR"; \ case "$dpkgArch" in \ - amd64 | arm64 | ppc64el | s390x) \ + amd64 | arm64 | ppc64el) \ # arches officialy built by upstream echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \ apt-get update; \ @@ -131,10 +131,9 @@ RUN set -ex; \ # build .deb files from upstream's source packages (which are verified by apt-get) nproc="$(nproc)"; \ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \ -# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876 -# (and it "Depends: pgdg-keyring") - apt-get build-dep -y postgresql-common pgdg-keyring; \ - apt-get source --compile postgresql-common pgdg-keyring; \ +# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9 + apt-get build-dep -y postgresql-common-dev; \ + apt-get source --compile postgresql-common-dev; \ _update_repo; \ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \ @@ -158,6 +157,10 @@ RUN set -ex; \ apt-get install -y --no-install-recommends \ "postgresql-$PG_MAJOR=$PG_VERSION" \ ; \ +# https://github.com/docker-library/postgres/pull/1344#issuecomment-2936578203 (JIT is a separate package in 18+, but only supported for a subset of architectures) + if apt-get install -s "postgresql-$PG_MAJOR-jit" > /dev/null 2>&1; then \ + apt-get install -y --no-install-recommends "postgresql-$PG_MAJOR-jit=$PG_VERSION"; \ + fi; \ \ rm -rf /var/lib/apt/lists/*; \ \ @@ -182,10 +185,13 @@ RUN set -eux; \ RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql -ENV PGDATA /var/lib/postgresql/data -# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values) -RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA" -VOLUME /var/lib/postgresql/data +# +# NOTE: in 18+, PGDATA has changed to match the pg_ctlcluster standard directory structure, and the VOLUME has moved from /var/lib/postgresql/data to /var/lib/postgresql +# +ENV PGDATA /var/lib/postgresql/18/docker +RUN ln -svT . /var/lib/postgresql/data # https://github.com/docker-library/postgres/pull/1259#issuecomment-2215477494 +VOLUME /var/lib/postgresql +# ("/var/lib/postgresql" is already pre-created with suitably usable permissions above) COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/ RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh @@ -194,18 +200,12 @@ ENTRYPOINT ["docker-entrypoint.sh"] # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL # calls "Fast Shutdown mode" wherein new connections are disallowed and any # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. -# -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. +# flush tables to disk. # -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details # about available PostgreSQL server shutdown signals. # -# See also https://www.postgresql.org/docs/12/server-start.html for further +# See also https://www.postgresql.org/docs/current/server-start.html for further # justification of this as the default value, namely that the example (and # shipped) systemd service files use the "Fast Shutdown mode" for service # termination. @@ -215,10 +215,10 @@ STOPSIGNAL SIGINT # An additional setting that is recommended for all users regardless of this # value is the runtime "--stop-timeout" (or your orchestrator/runtime's # equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# STOPSIGNAL and sending SIGKILL. # # The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# documentation at https://www.postgresql.org/docs/current/server-start.html notes # that even 90 seconds may not be long enough in many instances. EXPOSE 5432 diff --git a/18/bookworm/docker-ensure-initdb.sh b/18/bookworm/docker-ensure-initdb.sh new file mode 100755 index 0000000000..e9b15ef77d --- /dev/null +++ b/18/bookworm/docker-ensure-initdb.sh @@ -0,0 +1,72 @@ +#!/usr/bin/env bash +set -Eeuo pipefail + +# +# This script is intended for three main use cases: +# +# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior +# +# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution +# (no-op if database is already initialized) +# +# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use +# (error if database is already initialized) +# + +source /usr/local/bin/docker-entrypoint.sh + +# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there) +if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then + set -- postgres "$@" +fi + +# see also "_main" in "docker-entrypoint.sh" + +docker_setup_env +# setup data directories and permissions (when run as root) +docker_create_db_directories +if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" +fi + +# only run initialization on an empty data directory +if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_error_old_databases + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + docker_init_database_dir + pg_setup_hba_conf "$@" + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD +else + self="$(basename "$0")" + case "$self" in + docker-ensure-initdb.sh) + echo >&2 "$self: note: database already initialized in '$PGDATA'!" + exit 0 + ;; + + docker-enforce-initdb.sh) + echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!" + exit 1 + ;; + + *) + echo >&2 "$self: error: unknown file name: $self" + exit 99 + ;; + esac +fi diff --git a/18/bookworm/docker-entrypoint.sh b/18/bookworm/docker-entrypoint.sh new file mode 100755 index 0000000000..5a62870b50 --- /dev/null +++ b/18/bookworm/docker-entrypoint.sh @@ -0,0 +1,391 @@ +#!/usr/bin/env bash +set -Eeo pipefail +# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) + +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then + printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" + exit 1 + fi + local val="$def" + if [ "${!var:-}" ]; then + val="${!var}" + elif [ "${!fileVar:-}" ]; then + val="$(< "${!fileVar}")" + fi + export "$var"="$val" + unset "$fileVar" +} + +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user +docker_create_db_directories() { + local user; user="$(id -u)" + + mkdir -p "$PGDATA" + # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) + chmod 00700 "$PGDATA" || : + + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 03775 /var/run/postgresql || : + + # Create the transaction log directory before initdb is run so the directory is owned by the correct user + if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then + mkdir -p "$POSTGRES_INITDB_WALDIR" + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + + fi + chmod 700 "$POSTGRES_INITDB_WALDIR" + fi + + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} + +# initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env +docker_init_database_dir() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + local uid; uid="$(id -u)" + if ! getent passwd "$uid" &> /dev/null; then + # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15) + local wrapper + for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do + if [ -s "$wrapper" ]; then + NSS_WRAPPER_PASSWD="$(mktemp)" + NSS_WRAPPER_GROUP="$(mktemp)" + export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + local gid; gid="$(id -g)" + printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD" + printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP" + break + fi + done + fi + + if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then + set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" + fi + + # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025 + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' + + # unset/cleanup "nss_wrapper" bits + if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} + +# print large warning if POSTGRES_PASSWORD is long +# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust' +# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' +# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] +docker_verify_minimum_env() { + case "${PG_MAJOR:-}" in + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' + + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + + This will not work if used via PGPASSWORD with "psql". + + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 + + EOWARN + fi + ;; + esac + if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOE' + Error: Database is uninitialized and superuser password is not specified. + You must specify POSTGRES_PASSWORD to a non-empty value for the + superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run". + + You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all + connections without a password. This is *not* recommended. + + See PostgreSQL documentation about "trust": + https://www.postgresql.org/docs/current/auth-trust.html + EOE + exit 1 + fi + if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then + cat >&2 <<-'EOWARN' + ******************************************************************************** + WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow + anyone with access to the Postgres port to access your database without + a password, even if POSTGRES_PASSWORD is set. See PostgreSQL + documentation about "trust": + https://www.postgresql.org/docs/current/auth-trust.html + In Docker's default configuration, this is effectively any other + container on the same system. + + It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace + it with "-e POSTGRES_PASSWORD=password" instead to set a password in + "docker run". + ******************************************************************************** + EOWARN + fi +} +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} + +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions +docker_process_init_files() { + # psql here for backwards compatibility "${psql[@]}" + psql=( docker_process_sql ) + + printf '\n' + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + printf '%s: running %s\n' "$0" "$f" + "$f" + else + printf '%s: sourcing %s\n' "$0" "$f" + . "$f" + fi + ;; + *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;; + *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;; + *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;; + *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;; + *) printf '%s: ignoring %s\n' "$0" "$f" ;; + esac + printf '\n' + done +} + +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' +# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up or running scripts +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temp_server_start() { + if [ "$1" = 'postgres' ]; then + shift + fi + + # internal start of server in order to allow setup using psql client + # does not listen on external TCP/IP and waits until start finishes + set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "$(printf '%q ' "$@")" \ + -w start +} + +# stop postgresql server after done setting up user and running scripts +docker_temp_server_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +# check arguments for an option that would cause postgres to stop +# return true if there is one +_pg_want_help() { + local arg + for arg; do + case "$arg" in + # postgres --help | grep 'then exit' + # leaving out -C on purpose since it always fails and is unhelpful: + # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory + -'?'|--help|--describe-config|-V|--version) + return 0 + ;; + esac + done + return 1 +} + +_main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" + fi + + if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then + docker_setup_env + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" + fi + + # only run initialization on an empty data directory + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_error_old_databases + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + docker_init_database_dir + pg_setup_hba_conf "$@" + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD + + cat <<-'EOM' + + PostgreSQL init process complete; ready for start up. + + EOM + else + cat <<-'EOM' + + PostgreSQL Database directory appears to contain a database; Skipping initialization + + EOM + fi + fi + + exec "$@" +} + +if ! _is_sourced; then + _main "$@" +fi diff --git a/12/bullseye/Dockerfile b/18/bullseye/Dockerfile similarity index 85% rename from 12/bullseye/Dockerfile rename to 18/bullseye/Dockerfile index f11f9db297..896dd4475f 100644 --- a/12/bullseye/Dockerfile +++ b/18/bullseye/Dockerfile @@ -86,10 +86,10 @@ RUN set -ex; \ gpgconf --kill all; \ rm -rf "$GNUPGHOME" -ENV PG_MAJOR 12 +ENV PG_MAJOR 18 ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin -ENV PG_VERSION 12.20-1.pgdg110+1 +ENV PG_VERSION 18~beta2-1.pgdg110+1 RUN set -ex; \ \ @@ -99,7 +99,7 @@ RUN set -ex; \ dpkgArch="$(dpkg --print-architecture)"; \ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bullseye-pgdg main $PG_MAJOR"; \ case "$dpkgArch" in \ - amd64 | arm64 | ppc64el | s390x) \ + amd64 | arm64 | ppc64el) \ # arches officialy built by upstream echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \ apt-get update; \ @@ -131,10 +131,9 @@ RUN set -ex; \ # build .deb files from upstream's source packages (which are verified by apt-get) nproc="$(nproc)"; \ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \ -# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876 -# (and it "Depends: pgdg-keyring") - apt-get build-dep -y postgresql-common pgdg-keyring; \ - apt-get source --compile postgresql-common pgdg-keyring; \ +# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9 + apt-get build-dep -y postgresql-common-dev; \ + apt-get source --compile postgresql-common-dev; \ _update_repo; \ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \ @@ -158,6 +157,10 @@ RUN set -ex; \ apt-get install -y --no-install-recommends \ "postgresql-$PG_MAJOR=$PG_VERSION" \ ; \ +# https://github.com/docker-library/postgres/pull/1344#issuecomment-2936578203 (JIT is a separate package in 18+, but only supported for a subset of architectures) + if apt-get install -s "postgresql-$PG_MAJOR-jit" > /dev/null 2>&1; then \ + apt-get install -y --no-install-recommends "postgresql-$PG_MAJOR-jit=$PG_VERSION"; \ + fi; \ \ rm -rf /var/lib/apt/lists/*; \ \ @@ -182,10 +185,13 @@ RUN set -eux; \ RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql -ENV PGDATA /var/lib/postgresql/data -# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values) -RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA" -VOLUME /var/lib/postgresql/data +# +# NOTE: in 18+, PGDATA has changed to match the pg_ctlcluster standard directory structure, and the VOLUME has moved from /var/lib/postgresql/data to /var/lib/postgresql +# +ENV PGDATA /var/lib/postgresql/18/docker +RUN ln -svT . /var/lib/postgresql/data # https://github.com/docker-library/postgres/pull/1259#issuecomment-2215477494 +VOLUME /var/lib/postgresql +# ("/var/lib/postgresql" is already pre-created with suitably usable permissions above) COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/ RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh @@ -194,18 +200,12 @@ ENTRYPOINT ["docker-entrypoint.sh"] # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL # calls "Fast Shutdown mode" wherein new connections are disallowed and any # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. -# -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. +# flush tables to disk. # -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details # about available PostgreSQL server shutdown signals. # -# See also https://www.postgresql.org/docs/12/server-start.html for further +# See also https://www.postgresql.org/docs/current/server-start.html for further # justification of this as the default value, namely that the example (and # shipped) systemd service files use the "Fast Shutdown mode" for service # termination. @@ -215,10 +215,10 @@ STOPSIGNAL SIGINT # An additional setting that is recommended for all users regardless of this # value is the runtime "--stop-timeout" (or your orchestrator/runtime's # equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# STOPSIGNAL and sending SIGKILL. # # The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# documentation at https://www.postgresql.org/docs/current/server-start.html notes # that even 90 seconds may not be long enough in many instances. EXPOSE 5432 diff --git a/18/bullseye/docker-ensure-initdb.sh b/18/bullseye/docker-ensure-initdb.sh new file mode 100755 index 0000000000..e9b15ef77d --- /dev/null +++ b/18/bullseye/docker-ensure-initdb.sh @@ -0,0 +1,72 @@ +#!/usr/bin/env bash +set -Eeuo pipefail + +# +# This script is intended for three main use cases: +# +# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior +# +# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution +# (no-op if database is already initialized) +# +# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use +# (error if database is already initialized) +# + +source /usr/local/bin/docker-entrypoint.sh + +# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there) +if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then + set -- postgres "$@" +fi + +# see also "_main" in "docker-entrypoint.sh" + +docker_setup_env +# setup data directories and permissions (when run as root) +docker_create_db_directories +if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" +fi + +# only run initialization on an empty data directory +if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_error_old_databases + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + docker_init_database_dir + pg_setup_hba_conf "$@" + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD +else + self="$(basename "$0")" + case "$self" in + docker-ensure-initdb.sh) + echo >&2 "$self: note: database already initialized in '$PGDATA'!" + exit 0 + ;; + + docker-enforce-initdb.sh) + echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!" + exit 1 + ;; + + *) + echo >&2 "$self: error: unknown file name: $self" + exit 99 + ;; + esac +fi diff --git a/18/bullseye/docker-entrypoint.sh b/18/bullseye/docker-entrypoint.sh new file mode 100755 index 0000000000..5a62870b50 --- /dev/null +++ b/18/bullseye/docker-entrypoint.sh @@ -0,0 +1,391 @@ +#!/usr/bin/env bash +set -Eeo pipefail +# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) + +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then + printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" + exit 1 + fi + local val="$def" + if [ "${!var:-}" ]; then + val="${!var}" + elif [ "${!fileVar:-}" ]; then + val="$(< "${!fileVar}")" + fi + export "$var"="$val" + unset "$fileVar" +} + +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user +docker_create_db_directories() { + local user; user="$(id -u)" + + mkdir -p "$PGDATA" + # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) + chmod 00700 "$PGDATA" || : + + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 03775 /var/run/postgresql || : + + # Create the transaction log directory before initdb is run so the directory is owned by the correct user + if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then + mkdir -p "$POSTGRES_INITDB_WALDIR" + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + + fi + chmod 700 "$POSTGRES_INITDB_WALDIR" + fi + + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} + +# initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env +docker_init_database_dir() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + local uid; uid="$(id -u)" + if ! getent passwd "$uid" &> /dev/null; then + # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15) + local wrapper + for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do + if [ -s "$wrapper" ]; then + NSS_WRAPPER_PASSWD="$(mktemp)" + NSS_WRAPPER_GROUP="$(mktemp)" + export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + local gid; gid="$(id -g)" + printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD" + printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP" + break + fi + done + fi + + if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then + set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" + fi + + # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025 + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' + + # unset/cleanup "nss_wrapper" bits + if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} + +# print large warning if POSTGRES_PASSWORD is long +# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust' +# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' +# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] +docker_verify_minimum_env() { + case "${PG_MAJOR:-}" in + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' + + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + + This will not work if used via PGPASSWORD with "psql". + + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 + + EOWARN + fi + ;; + esac + if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOE' + Error: Database is uninitialized and superuser password is not specified. + You must specify POSTGRES_PASSWORD to a non-empty value for the + superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run". + + You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all + connections without a password. This is *not* recommended. + + See PostgreSQL documentation about "trust": + https://www.postgresql.org/docs/current/auth-trust.html + EOE + exit 1 + fi + if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then + cat >&2 <<-'EOWARN' + ******************************************************************************** + WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow + anyone with access to the Postgres port to access your database without + a password, even if POSTGRES_PASSWORD is set. See PostgreSQL + documentation about "trust": + https://www.postgresql.org/docs/current/auth-trust.html + In Docker's default configuration, this is effectively any other + container on the same system. + + It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace + it with "-e POSTGRES_PASSWORD=password" instead to set a password in + "docker run". + ******************************************************************************** + EOWARN + fi +} +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} + +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions +docker_process_init_files() { + # psql here for backwards compatibility "${psql[@]}" + psql=( docker_process_sql ) + + printf '\n' + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + printf '%s: running %s\n' "$0" "$f" + "$f" + else + printf '%s: sourcing %s\n' "$0" "$f" + . "$f" + fi + ;; + *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;; + *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;; + *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;; + *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;; + *) printf '%s: ignoring %s\n' "$0" "$f" ;; + esac + printf '\n' + done +} + +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' +# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up or running scripts +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temp_server_start() { + if [ "$1" = 'postgres' ]; then + shift + fi + + # internal start of server in order to allow setup using psql client + # does not listen on external TCP/IP and waits until start finishes + set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "$(printf '%q ' "$@")" \ + -w start +} + +# stop postgresql server after done setting up user and running scripts +docker_temp_server_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +# check arguments for an option that would cause postgres to stop +# return true if there is one +_pg_want_help() { + local arg + for arg; do + case "$arg" in + # postgres --help | grep 'then exit' + # leaving out -C on purpose since it always fails and is unhelpful: + # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory + -'?'|--help|--describe-config|-V|--version) + return 0 + ;; + esac + done + return 1 +} + +_main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" + fi + + if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then + docker_setup_env + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" + fi + + # only run initialization on an empty data directory + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_error_old_databases + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + docker_init_database_dir + pg_setup_hba_conf "$@" + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD + + cat <<-'EOM' + + PostgreSQL init process complete; ready for start up. + + EOM + else + cat <<-'EOM' + + PostgreSQL Database directory appears to contain a database; Skipping initialization + + EOM + fi + fi + + exec "$@" +} + +if ! _is_sourced; then + _main "$@" +fi diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template index 767923f895..e64ad2fc2f 100644 --- a/Dockerfile-alpine.template +++ b/Dockerfile-alpine.template @@ -1,7 +1,11 @@ -FROM alpine:{{ env.variant | ltrimstr("alpine") }} +{{ + def alpine_version: + env.variant | ltrimstr("alpine") +-}} +FROM alpine:{{ alpine_version }} # 70 is the standard uid/gid for "postgres" in Alpine -# https://git.alpinelinux.org/aports/tree/main/postgresql/postgresql.pre-install?h=3.12-stable +# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable RUN set -eux; \ addgroup -g 70 -S postgres; \ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \ @@ -38,7 +42,7 @@ RUN set -eux; \ # verify that the binary works gosu --version; \ gosu nobody true -{{ if env.version | IN("12", "13", "14", "15", "16") then ( -}} +{{ if env.version | IN("13", "14", "15", "16") then ( -}} RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+) {{ ) else "" end -}} @@ -52,7 +56,10 @@ ENV PG_MAJOR {{ env.version }} ENV PG_VERSION {{ .version }} ENV PG_SHA256 {{ .sha256 }} -{{ def llvmver: "15" -}} +{{ + def llvmver: + "19" +-}} ENV DOCKER_PG_LLVM_DEPS \ llvm{{ llvmver }}-dev \ clang{{ llvmver }} @@ -113,13 +120,10 @@ RUN set -eux; \ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ -# explicitly update autoconf config.guess and config.sub so they support more arches/libcs - wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb'; \ - wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb'; \ \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n158 +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG") export LLVM_CONFIG="/usr/lib/llvm{{ llvmver }}/bin/llvm-config"; \ -# https://git.alpinelinux.org/aports/tree/community/postgresql12/APKBUILD?h=3.18-stable&id=a470294e6d6ca7059e41c54769b7c3c26ec901d4#n163 +# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.") export CLANG=clang-{{ llvmver }}; \ \ # configure options taken from: @@ -187,8 +191,7 @@ RUN set -eux; \ zstd \ # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split icu-data-full \ -# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le" -# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663 +# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults") $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \ ; \ apk del --no-network .build-deps; \ @@ -209,10 +212,20 @@ RUN set -eux; \ RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql +{{ if .major >= 18 then ( -}} +# +# NOTE: in 18+, PGDATA has changed to match the pg_ctlcluster standard directory structure, and the VOLUME has moved from /var/lib/postgresql/data to /var/lib/postgresql +# +ENV PGDATA /var/lib/postgresql/{{ .major | tostring }}/docker +RUN ln -svT . /var/lib/postgresql/data # https://github.com/docker-library/postgres/pull/1259#issuecomment-2215477494 +VOLUME /var/lib/postgresql +# ("/var/lib/postgresql" is already pre-created with suitably usable permissions above) +{{ ) else ( -}} ENV PGDATA /var/lib/postgresql/data # this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values) RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA" VOLUME /var/lib/postgresql/data +{{ ) end -}} COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/ RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh @@ -221,18 +234,12 @@ ENTRYPOINT ["docker-entrypoint.sh"] # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL # calls "Fast Shutdown mode" wherein new connections are disallowed and any # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. -# -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. +# flush tables to disk. # -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details # about available PostgreSQL server shutdown signals. # -# See also https://www.postgresql.org/docs/12/server-start.html for further +# See also https://www.postgresql.org/docs/current/server-start.html for further # justification of this as the default value, namely that the example (and # shipped) systemd service files use the "Fast Shutdown mode" for service # termination. @@ -242,10 +249,10 @@ STOPSIGNAL SIGINT # An additional setting that is recommended for all users regardless of this # value is the runtime "--stop-timeout" (or your orchestrator/runtime's # equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# STOPSIGNAL and sending SIGKILL. # # The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# documentation at https://www.postgresql.org/docs/current/server-start.html notes # that even 90 seconds may not be long enough in many instances. EXPOSE 5432 diff --git a/Dockerfile-debian.template b/Dockerfile-debian.template index 1fa84903ac..81a6a0a0c5 100644 --- a/Dockerfile-debian.template +++ b/Dockerfile-debian.template @@ -125,10 +125,9 @@ RUN set -ex; \ # build .deb files from upstream's source packages (which are verified by apt-get) nproc="$(nproc)"; \ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \ -# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876 -# (and it "Depends: pgdg-keyring") - apt-get build-dep -y postgresql-common pgdg-keyring; \ - apt-get source --compile postgresql-common pgdg-keyring; \ +# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9 + apt-get build-dep -y postgresql-common-dev; \ + apt-get source --compile postgresql-common-dev; \ _update_repo; \ {{ if .major == 13 then ( -}} # we need DEBIAN_FRONTEND on postgresql-13 for slapd ("Please enter the password for the admin entry in your LDAP directory."); see https://bugs.debian.org/929417 @@ -156,6 +155,12 @@ RUN set -ex; \ apt-get install -y --no-install-recommends \ "postgresql-$PG_MAJOR=$PG_VERSION" \ ; \ +{{ if .major >= 18 then ( -}} +# https://github.com/docker-library/postgres/pull/1344#issuecomment-2936578203 (JIT is a separate package in 18+, but only supported for a subset of architectures) + if apt-get install -s "postgresql-$PG_MAJOR-jit" > /dev/null 2>&1; then \ + apt-get install -y --no-install-recommends "postgresql-$PG_MAJOR-jit=$PG_VERSION"; \ + fi; \ +{{ ) else "" end -}} \ rm -rf /var/lib/apt/lists/*; \ \ @@ -180,10 +185,20 @@ RUN set -eux; \ RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql +{{ if .major >= 18 then ( -}} +# +# NOTE: in 18+, PGDATA has changed to match the pg_ctlcluster standard directory structure, and the VOLUME has moved from /var/lib/postgresql/data to /var/lib/postgresql +# +ENV PGDATA /var/lib/postgresql/{{ .major | tostring }}/docker +RUN ln -svT . /var/lib/postgresql/data # https://github.com/docker-library/postgres/pull/1259#issuecomment-2215477494 +VOLUME /var/lib/postgresql +# ("/var/lib/postgresql" is already pre-created with suitably usable permissions above) +{{ ) else ( -}} ENV PGDATA /var/lib/postgresql/data # this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values) RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA" VOLUME /var/lib/postgresql/data +{{ ) end -}} COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/ RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh @@ -192,18 +207,12 @@ ENTRYPOINT ["docker-entrypoint.sh"] # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL # calls "Fast Shutdown mode" wherein new connections are disallowed and any # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and -# flush tables to disk, which is the best compromise available to avoid data -# corruption. -# -# Users who know their applications do not keep open long-lived idle connections -# may way to use a value of SIGTERM instead, which corresponds to "Smart -# Shutdown mode" in which any existing sessions are allowed to finish and the -# server stops when all sessions are terminated. +# flush tables to disk. # -# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# See https://www.postgresql.org/docs/current/server-shutdown.html for more details # about available PostgreSQL server shutdown signals. # -# See also https://www.postgresql.org/docs/12/server-start.html for further +# See also https://www.postgresql.org/docs/current/server-start.html for further # justification of this as the default value, namely that the example (and # shipped) systemd service files use the "Fast Shutdown mode" for service # termination. @@ -213,10 +222,10 @@ STOPSIGNAL SIGINT # An additional setting that is recommended for all users regardless of this # value is the runtime "--stop-timeout" (or your orchestrator/runtime's # equivalent) for controlling how long to wait between sending the defined -# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# STOPSIGNAL and sending SIGKILL. # # The default in most runtimes (such as Docker) is 10 seconds, and the -# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# documentation at https://www.postgresql.org/docs/current/server-start.html notes # that even 90 seconds may not be long enough in many instances. EXPOSE 5432 diff --git a/README.md b/README.md index 09b82c90c2..883f0701e9 100644 --- a/README.md +++ b/README.md @@ -12,15 +12,4 @@ For more information about the full official images change lifecycle, see [the " For outstanding `postgres` image PRs, check [PRs with the "library/postgres" label on the official-images repository](https://github.com/docker-library/official-images/labels/library%2Fpostgres). For the current "source of truth" for [`postgres`](https://hub.docker.com/_/postgres/), see [the `library/postgres` file in the official-images repository](https://github.com/docker-library/official-images/blob/master/library/postgres). ---- - -- [![build status badge](https://img.shields.io/github/actions/workflow/status/docker-library/postgres/ci.yml?branch=master&label=GitHub%20CI)](https://github.com/docker-library/postgres/actions?query=workflow%3A%22GitHub+CI%22+branch%3Amaster) -- [![build status badge](https://img.shields.io/jenkins/s/https/doi-janky.infosiftr.net/job/update.sh/job/postgres.svg?label=Automated%20update.sh)](https://doi-janky.infosiftr.net/job/update.sh/job/postgres/) - -| Build | Status | Badges | (per-arch) | -|:-:|:-:|:-:|:-:| -| [![amd64 build status badge](https://img.shields.io/jenkins/s/https/doi-janky.infosiftr.net/job/multiarch/job/amd64/job/postgres.svg?label=amd64)](https://doi-janky.infosiftr.net/job/multiarch/job/amd64/job/postgres/) | [![arm32v5 build status badge](https://img.shields.io/jenkins/s/https/doi-janky.infosiftr.net/job/multiarch/job/arm32v5/job/postgres.svg?label=arm32v5)](https://doi-janky.infosiftr.net/job/multiarch/job/arm32v5/job/postgres/) | [![arm32v6 build status badge](https://img.shields.io/jenkins/s/https/doi-janky.infosiftr.net/job/multiarch/job/arm32v6/job/postgres.svg?label=arm32v6)](https://doi-janky.infosiftr.net/job/multiarch/job/arm32v6/job/postgres/) | [![arm32v7 build status badge](https://img.shields.io/jenkins/s/https/doi-janky.infosiftr.net/job/multiarch/job/arm32v7/job/postgres.svg?label=arm32v7)](https://doi-janky.infosiftr.net/job/multiarch/job/arm32v7/job/postgres/) | -| [![arm64v8 build status badge](https://img.shields.io/jenkins/s/https/doi-janky.infosiftr.net/job/multiarch/job/arm64v8/job/postgres.svg?label=arm64v8)](https://doi-janky.infosiftr.net/job/multiarch/job/arm64v8/job/postgres/) | [![i386 build status badge](https://img.shields.io/jenkins/s/https/doi-janky.infosiftr.net/job/multiarch/job/i386/job/postgres.svg?label=i386)](https://doi-janky.infosiftr.net/job/multiarch/job/i386/job/postgres/) | [![mips64le build status badge](https://img.shields.io/jenkins/s/https/doi-janky.infosiftr.net/job/multiarch/job/mips64le/job/postgres.svg?label=mips64le)](https://doi-janky.infosiftr.net/job/multiarch/job/mips64le/job/postgres/) | [![ppc64le build status badge](https://img.shields.io/jenkins/s/https/doi-janky.infosiftr.net/job/multiarch/job/ppc64le/job/postgres.svg?label=ppc64le)](https://doi-janky.infosiftr.net/job/multiarch/job/ppc64le/job/postgres/) | -| [![s390x build status badge](https://img.shields.io/jenkins/s/https/doi-janky.infosiftr.net/job/multiarch/job/s390x/job/postgres.svg?label=s390x)](https://doi-janky.infosiftr.net/job/multiarch/job/s390x/job/postgres/) | [![put-shared build status badge](https://img.shields.io/jenkins/s/https/doi-janky.infosiftr.net/job/put-shared/job/light/job/postgres.svg?label=put-shared)](https://doi-janky.infosiftr.net/job/put-shared/job/light/job/postgres/) | - diff --git a/docker-ensure-initdb.sh b/docker-ensure-initdb.sh index ae1f6b6b90..e9b15ef77d 100755 --- a/docker-ensure-initdb.sh +++ b/docker-ensure-initdb.sh @@ -33,6 +33,7 @@ fi # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 6f59993e08..5a62870b50 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -104,7 +104,7 @@ docker_init_database_dir() { # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] docker_verify_minimum_env() { case "${PG_MAJOR:-}" in - 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 # check password first so we can output the warning before postgres # messes it up if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then @@ -154,6 +154,29 @@ docker_verify_minimum_env() { EOWARN fi } +# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade) +docker_error_old_databases() { + if [ -n "${OLD_DATABASES[0]:-}" ]; then + cat >&2 <<-EOE + Error: in 18+, these Docker images are configured to store database data in a + format which is compatible with "pg_ctlcluster" (specifically, using + major-version-specific directory names). This better reflects how + PostgreSQL itself works, and how upgrades are to be performed. + + See also https://github.com/docker-library/postgres/pull/1259 + + Counter to that, there appears to be PostgreSQL data in: + ${OLD_DATABASES[*]} + + This is usually the result of upgrading the Docker image without upgrading + the underlying database using "pg_upgrade" (which requires both versions). + + See https://github.com/docker-library/postgres/issues/37 for a (long) + discussion around this process, and suggestions for how to do so. + EOE + exit 1 + fi +} # usage: docker_process_init_files [file [file [...]]] # ie: docker_process_init_files /always-initdb.d/* @@ -230,9 +253,17 @@ docker_setup_env() { declare -g DATABASE_ALREADY_EXISTS : "${DATABASE_ALREADY_EXISTS:=}" + declare -ag OLD_DATABASES=() # look specifically for PG_VERSION, as it is expected in the DB dir if [ -s "$PGDATA/PG_VERSION" ]; then DATABASE_ALREADY_EXISTS='true' + elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then + # https://github.com/docker-library/postgres/pull/1259 + for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do + if [ -s "$d/PG_VERSION" ]; then + OLD_DATABASES+=( "$d" ) + fi + done fi } @@ -252,7 +283,7 @@ pg_setup_hba_conf() { printf '\n' if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then printf '# warning trust is enabled for all connections\n' - printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n' + printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n' fi printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD" } >> "$PGDATA/pg_hba.conf" @@ -269,6 +300,9 @@ docker_temp_server_start() { # does not listen on external TCP/IP and waits until start finishes set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify + # any process supervisor. + NOTIFY_SOCKET= \ PGUSER="${PGUSER:-$POSTGRES_USER}" \ pg_ctl -D "$PGDATA" \ -o "$(printf '%q ' "$@")" \ @@ -316,6 +350,7 @@ _main() { # only run initialization on an empty data directory if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_error_old_databases # check dir permissions to reduce likelihood of half-initialized database ls /docker-entrypoint-initdb.d/ > /dev/null diff --git a/versions.json b/versions.json index 680d43c409..dc49222596 100644 --- a/versions.json +++ b/versions.json @@ -1,188 +1,176 @@ { - "12": { - "alpine": "3.20", + "13": { + "alpine": "3.22", "bookworm": { "arches": [ "amd64", "arm64", - "ppc64el", - "s390x" + "ppc64el" ], - "version": "12.20-1.pgdg120+1" + "version": "13.21-1.pgdg120+1" }, "bullseye": { "arches": [ "amd64", "arm64", - "ppc64el", - "s390x" + "ppc64el" ], - "version": "12.20-1.pgdg110+1" + "version": "13.21-1.pgdg110+1" }, "debian": "bookworm", - "major": 12, - "sha256": "2d543af3009fec7fd5af35f7a70c95085d3eef6b508e517aa9493e99b15e9ea9", + "major": 13, + "sha256": "dcda1294df45f033b0656cf7a8e4afbbc624c25e1b144aec79530f74d7ef4ab4", "variants": [ "bookworm", "bullseye", - "alpine3.20", - "alpine3.19" + "alpine3.22", + "alpine3.21" ], - "version": "12.20" + "version": "13.21" }, - "13": { - "alpine": "3.20", + "14": { + "alpine": "3.22", "bookworm": { "arches": [ "amd64", "arm64", - "ppc64el", - "s390x" + "ppc64el" ], - "version": "13.16-1.pgdg120+1" + "version": "14.18-1.pgdg120+1" }, "bullseye": { "arches": [ "amd64", "arm64", - "ppc64el", - "s390x" + "ppc64el" ], - "version": "13.16-1.pgdg110+1" + "version": "14.18-1.pgdg110+1" }, "debian": "bookworm", - "major": 13, - "sha256": "c9cbbb6129f02328204828066bb3785c00a85c8ca8fd329c2a8a53c1f5cd8865", + "major": 14, + "sha256": "83ab29d6bfc3dc58b2ed3c664114fdfbeb6a0450c4b8d7fa69aee91e3ca14f8e", "variants": [ "bookworm", "bullseye", - "alpine3.20", - "alpine3.19" + "alpine3.22", + "alpine3.21" ], - "version": "13.16" + "version": "14.18" }, - "14": { - "alpine": "3.20", + "15": { + "alpine": "3.22", "bookworm": { "arches": [ "amd64", "arm64", - "ppc64el", - "s390x" + "ppc64el" ], - "version": "14.13-1.pgdg120+1" + "version": "15.13-1.pgdg120+1" }, "bullseye": { "arches": [ "amd64", "arm64", - "ppc64el", - "s390x" + "ppc64el" ], - "version": "14.13-1.pgdg110+1" + "version": "15.13-1.pgdg110+1" }, "debian": "bookworm", - "major": 14, - "sha256": "59aa3c4b495ab26a9ec69f3ad0a0228c51f0fe6facf3634dfad4d1197d613a56", + "major": 15, + "sha256": "4f62e133d22ea08a0401b0840920e26698644d01a80c34341fb732dd0a90ca5d", "variants": [ "bookworm", "bullseye", - "alpine3.20", - "alpine3.19" + "alpine3.22", + "alpine3.21" ], - "version": "14.13" + "version": "15.13" }, - "15": { - "alpine": "3.20", + "16": { + "alpine": "3.22", "bookworm": { "arches": [ "amd64", "arm64", - "ppc64el", - "s390x" + "ppc64el" ], - "version": "15.8-1.pgdg120+1" + "version": "16.9-1.pgdg120+1" }, "bullseye": { "arches": [ "amd64", "arm64", - "ppc64el", - "s390x" + "ppc64el" ], - "version": "15.8-1.pgdg110+1" + "version": "16.9-1.pgdg110+1" }, "debian": "bookworm", - "major": 15, - "sha256": "4403515f9a69eeb3efebc98f30b8c696122bfdf895e92b3b23f5b8e769edcb6a", + "major": 16, + "sha256": "07c00fb824df0a0c295f249f44691b86e3266753b380c96f633c3311e10bd005", "variants": [ "bookworm", "bullseye", - "alpine3.20", - "alpine3.19" + "alpine3.22", + "alpine3.21" ], - "version": "15.8" + "version": "16.9" }, - "16": { - "alpine": "3.20", + "17": { + "alpine": "3.22", "bookworm": { "arches": [ "amd64", "arm64", - "ppc64el", - "s390x" + "ppc64el" ], - "version": "16.4-1.pgdg120+2" + "version": "17.5-1.pgdg120+1" }, "bullseye": { "arches": [ "amd64", "arm64", - "ppc64el", - "s390x" + "ppc64el" ], - "version": "16.4-1.pgdg110+2" + "version": "17.5-1.pgdg110+1" }, "debian": "bookworm", - "major": 16, - "sha256": "971766d645aa73e93b9ef4e3be44201b4f45b5477095b049125403f9f3386d6f", + "major": 17, + "sha256": "fcb7ab38e23b264d1902cb25e6adafb4525a6ebcbd015434aeef9eda80f528d8", "variants": [ "bookworm", "bullseye", - "alpine3.20", - "alpine3.19" + "alpine3.22", + "alpine3.21" ], - "version": "16.4" + "version": "17.5" }, - "17": { - "alpine": "3.20", + "18": { + "alpine": "3.22", "bookworm": { "arches": [ "amd64", "arm64", - "ppc64el", - "s390x" + "ppc64el" ], - "version": "17.0-1.pgdg120+1" + "version": "18~beta2-1.pgdg120+1" }, "bullseye": { "arches": [ "amd64", "arm64", - "ppc64el", - "s390x" + "ppc64el" ], - "version": "17.0-1.pgdg110+1" + "version": "18~beta2-1.pgdg110+1" }, "debian": "bookworm", - "major": 17, - "sha256": "7e276131c0fdd6b62588dbad9b3bb24b8c3498d5009328dba59af16e819109de", + "major": 18, + "sha256": "1d16b58244b630194432b88d9ff25f5fea85a001ff2c715a157d4be6787f3075", "variants": [ "bookworm", "bullseye", - "alpine3.20", - "alpine3.19" + "alpine3.22", + "alpine3.21" ], - "version": "17.0" + "version": "18beta2" } } diff --git a/versions.sh b/versions.sh index e8c1225d53..f466ac57a9 100755 --- a/versions.sh +++ b/versions.sh @@ -7,8 +7,8 @@ supportedDebianSuites=( bullseye ) supportedAlpineVersions=( - 3.20 - 3.19 + 3.22 + 3.21 ) defaultDebianSuite="${supportedDebianSuites[0]}" declare -A debianSuites=( pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy