diff --git a/10/alpine/docker-entrypoint.sh b/10/alpine/docker-entrypoint.sh
index 3498032b00..f53fa6134a 100755
--- a/10/alpine/docker-entrypoint.sh
+++ b/10/alpine/docker-entrypoint.sh
@@ -44,7 +44,7 @@ docker_create_db_directories() {
chmod 775 /var/run/postgresql || :
# Create the transaction log directory before initdb is run so the directory is owned by the correct user
- if [ "$POSTGRES_INITDB_WALDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_WALDIR" ]; then
mkdir -p "$POSTGRES_INITDB_WALDIR"
if [ "$user" = '0' ]; then
find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
@@ -74,7 +74,7 @@ docker_init_database_dir() {
echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
fi
- if [ "$POSTGRES_INITDB_WALDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_WALDIR" ]; then
set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
fi
@@ -87,7 +87,10 @@ docker_init_database_dir() {
fi
}
-# print large warning if POSTGRES_PASSWORD is empty
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is unset and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
# check password first so we can output the warning before postgres
# messes it up
@@ -103,22 +106,36 @@ docker_verify_minimum_env() {
EOWARN
fi
- if [ -z "$POSTGRES_PASSWORD" ]; then
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD for the superuser. Use
+ "-e POSTGRES_PASSWORD=password" to set it in "docker run".
+
+ You may also use POSTGRES_HOST_AUTH_METHOD=trust to allow all connections
+ without a password. This is *not* recommended. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: No password has been set for the database.
- This will allow anyone with access to the
- Postgres port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
-
- Use "-e POSTGRES_PASSWORD=password" to set
- it in "docker run".
- ****************************************************
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
EOWARN
-
fi
}
@@ -185,6 +202,8 @@ docker_setup_env() {
file_env 'POSTGRES_USER' 'postgres'
file_env 'POSTGRES_DB' "$POSTGRES_USER"
file_env 'POSTGRES_INITDB_ARGS'
+ # default authentication method is md5
+ : "${POSTGRES_HOST_AUTH_METHOD:=md5}"
declare -g DATABASE_ALREADY_EXISTS
# look specifically for PG_VERSION, as it is expected in the DB dir
@@ -193,16 +212,15 @@ docker_setup_env() {
fi
}
-# append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
pg_setup_hba_conf() {
- local authMethod='md5'
- if [ -z "$POSTGRES_PASSWORD" ]; then
- authMethod='trust'
- fi
-
{
echo
- echo "host all all all $authMethod"
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ echo '# warning trust is enabled for all connections'
+ echo '# see https://www.postgresql.org/docs/12/auth-trust.html'
+ fi
+ echo "host all all all $POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
}
diff --git a/10/docker-entrypoint.sh b/10/docker-entrypoint.sh
index 698ce9f48c..406a971cfc 100755
--- a/10/docker-entrypoint.sh
+++ b/10/docker-entrypoint.sh
@@ -44,7 +44,7 @@ docker_create_db_directories() {
chmod 775 /var/run/postgresql || :
# Create the transaction log directory before initdb is run so the directory is owned by the correct user
- if [ "$POSTGRES_INITDB_WALDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_WALDIR" ]; then
mkdir -p "$POSTGRES_INITDB_WALDIR"
if [ "$user" = '0' ]; then
find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
@@ -74,7 +74,7 @@ docker_init_database_dir() {
echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
fi
- if [ "$POSTGRES_INITDB_WALDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_WALDIR" ]; then
set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
fi
@@ -87,7 +87,10 @@ docker_init_database_dir() {
fi
}
-# print large warning if POSTGRES_PASSWORD is empty
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is unset and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
# check password first so we can output the warning before postgres
# messes it up
@@ -103,22 +106,36 @@ docker_verify_minimum_env() {
EOWARN
fi
- if [ -z "$POSTGRES_PASSWORD" ]; then
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD for the superuser. Use
+ "-e POSTGRES_PASSWORD=password" to set it in "docker run".
+
+ You may also use POSTGRES_HOST_AUTH_METHOD=trust to allow all connections
+ without a password. This is *not* recommended. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: No password has been set for the database.
- This will allow anyone with access to the
- Postgres port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
-
- Use "-e POSTGRES_PASSWORD=password" to set
- it in "docker run".
- ****************************************************
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
EOWARN
-
fi
}
@@ -185,6 +202,8 @@ docker_setup_env() {
file_env 'POSTGRES_USER' 'postgres'
file_env 'POSTGRES_DB' "$POSTGRES_USER"
file_env 'POSTGRES_INITDB_ARGS'
+ # default authentication method is md5
+ : "${POSTGRES_HOST_AUTH_METHOD:=md5}"
declare -g DATABASE_ALREADY_EXISTS
# look specifically for PG_VERSION, as it is expected in the DB dir
@@ -193,16 +212,15 @@ docker_setup_env() {
fi
}
-# append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
pg_setup_hba_conf() {
- local authMethod='md5'
- if [ -z "$POSTGRES_PASSWORD" ]; then
- authMethod='trust'
- fi
-
{
echo
- echo "host all all all $authMethod"
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ echo '# warning trust is enabled for all connections'
+ echo '# see https://www.postgresql.org/docs/12/auth-trust.html'
+ fi
+ echo "host all all all $POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
}
diff --git a/11/alpine/docker-entrypoint.sh b/11/alpine/docker-entrypoint.sh
index 3498032b00..f53fa6134a 100755
--- a/11/alpine/docker-entrypoint.sh
+++ b/11/alpine/docker-entrypoint.sh
@@ -44,7 +44,7 @@ docker_create_db_directories() {
chmod 775 /var/run/postgresql || :
# Create the transaction log directory before initdb is run so the directory is owned by the correct user
- if [ "$POSTGRES_INITDB_WALDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_WALDIR" ]; then
mkdir -p "$POSTGRES_INITDB_WALDIR"
if [ "$user" = '0' ]; then
find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
@@ -74,7 +74,7 @@ docker_init_database_dir() {
echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
fi
- if [ "$POSTGRES_INITDB_WALDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_WALDIR" ]; then
set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
fi
@@ -87,7 +87,10 @@ docker_init_database_dir() {
fi
}
-# print large warning if POSTGRES_PASSWORD is empty
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is unset and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
# check password first so we can output the warning before postgres
# messes it up
@@ -103,22 +106,36 @@ docker_verify_minimum_env() {
EOWARN
fi
- if [ -z "$POSTGRES_PASSWORD" ]; then
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD for the superuser. Use
+ "-e POSTGRES_PASSWORD=password" to set it in "docker run".
+
+ You may also use POSTGRES_HOST_AUTH_METHOD=trust to allow all connections
+ without a password. This is *not* recommended. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: No password has been set for the database.
- This will allow anyone with access to the
- Postgres port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
-
- Use "-e POSTGRES_PASSWORD=password" to set
- it in "docker run".
- ****************************************************
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
EOWARN
-
fi
}
@@ -185,6 +202,8 @@ docker_setup_env() {
file_env 'POSTGRES_USER' 'postgres'
file_env 'POSTGRES_DB' "$POSTGRES_USER"
file_env 'POSTGRES_INITDB_ARGS'
+ # default authentication method is md5
+ : "${POSTGRES_HOST_AUTH_METHOD:=md5}"
declare -g DATABASE_ALREADY_EXISTS
# look specifically for PG_VERSION, as it is expected in the DB dir
@@ -193,16 +212,15 @@ docker_setup_env() {
fi
}
-# append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
pg_setup_hba_conf() {
- local authMethod='md5'
- if [ -z "$POSTGRES_PASSWORD" ]; then
- authMethod='trust'
- fi
-
{
echo
- echo "host all all all $authMethod"
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ echo '# warning trust is enabled for all connections'
+ echo '# see https://www.postgresql.org/docs/12/auth-trust.html'
+ fi
+ echo "host all all all $POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
}
diff --git a/11/docker-entrypoint.sh b/11/docker-entrypoint.sh
index 698ce9f48c..406a971cfc 100755
--- a/11/docker-entrypoint.sh
+++ b/11/docker-entrypoint.sh
@@ -44,7 +44,7 @@ docker_create_db_directories() {
chmod 775 /var/run/postgresql || :
# Create the transaction log directory before initdb is run so the directory is owned by the correct user
- if [ "$POSTGRES_INITDB_WALDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_WALDIR" ]; then
mkdir -p "$POSTGRES_INITDB_WALDIR"
if [ "$user" = '0' ]; then
find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
@@ -74,7 +74,7 @@ docker_init_database_dir() {
echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
fi
- if [ "$POSTGRES_INITDB_WALDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_WALDIR" ]; then
set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
fi
@@ -87,7 +87,10 @@ docker_init_database_dir() {
fi
}
-# print large warning if POSTGRES_PASSWORD is empty
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is unset and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
# check password first so we can output the warning before postgres
# messes it up
@@ -103,22 +106,36 @@ docker_verify_minimum_env() {
EOWARN
fi
- if [ -z "$POSTGRES_PASSWORD" ]; then
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD for the superuser. Use
+ "-e POSTGRES_PASSWORD=password" to set it in "docker run".
+
+ You may also use POSTGRES_HOST_AUTH_METHOD=trust to allow all connections
+ without a password. This is *not* recommended. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: No password has been set for the database.
- This will allow anyone with access to the
- Postgres port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
-
- Use "-e POSTGRES_PASSWORD=password" to set
- it in "docker run".
- ****************************************************
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
EOWARN
-
fi
}
@@ -185,6 +202,8 @@ docker_setup_env() {
file_env 'POSTGRES_USER' 'postgres'
file_env 'POSTGRES_DB' "$POSTGRES_USER"
file_env 'POSTGRES_INITDB_ARGS'
+ # default authentication method is md5
+ : "${POSTGRES_HOST_AUTH_METHOD:=md5}"
declare -g DATABASE_ALREADY_EXISTS
# look specifically for PG_VERSION, as it is expected in the DB dir
@@ -193,16 +212,15 @@ docker_setup_env() {
fi
}
-# append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
pg_setup_hba_conf() {
- local authMethod='md5'
- if [ -z "$POSTGRES_PASSWORD" ]; then
- authMethod='trust'
- fi
-
{
echo
- echo "host all all all $authMethod"
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ echo '# warning trust is enabled for all connections'
+ echo '# see https://www.postgresql.org/docs/12/auth-trust.html'
+ fi
+ echo "host all all all $POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
}
diff --git a/12/alpine/docker-entrypoint.sh b/12/alpine/docker-entrypoint.sh
index 3498032b00..f53fa6134a 100755
--- a/12/alpine/docker-entrypoint.sh
+++ b/12/alpine/docker-entrypoint.sh
@@ -44,7 +44,7 @@ docker_create_db_directories() {
chmod 775 /var/run/postgresql || :
# Create the transaction log directory before initdb is run so the directory is owned by the correct user
- if [ "$POSTGRES_INITDB_WALDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_WALDIR" ]; then
mkdir -p "$POSTGRES_INITDB_WALDIR"
if [ "$user" = '0' ]; then
find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
@@ -74,7 +74,7 @@ docker_init_database_dir() {
echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
fi
- if [ "$POSTGRES_INITDB_WALDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_WALDIR" ]; then
set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
fi
@@ -87,7 +87,10 @@ docker_init_database_dir() {
fi
}
-# print large warning if POSTGRES_PASSWORD is empty
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is unset and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
# check password first so we can output the warning before postgres
# messes it up
@@ -103,22 +106,36 @@ docker_verify_minimum_env() {
EOWARN
fi
- if [ -z "$POSTGRES_PASSWORD" ]; then
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD for the superuser. Use
+ "-e POSTGRES_PASSWORD=password" to set it in "docker run".
+
+ You may also use POSTGRES_HOST_AUTH_METHOD=trust to allow all connections
+ without a password. This is *not* recommended. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: No password has been set for the database.
- This will allow anyone with access to the
- Postgres port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
-
- Use "-e POSTGRES_PASSWORD=password" to set
- it in "docker run".
- ****************************************************
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
EOWARN
-
fi
}
@@ -185,6 +202,8 @@ docker_setup_env() {
file_env 'POSTGRES_USER' 'postgres'
file_env 'POSTGRES_DB' "$POSTGRES_USER"
file_env 'POSTGRES_INITDB_ARGS'
+ # default authentication method is md5
+ : "${POSTGRES_HOST_AUTH_METHOD:=md5}"
declare -g DATABASE_ALREADY_EXISTS
# look specifically for PG_VERSION, as it is expected in the DB dir
@@ -193,16 +212,15 @@ docker_setup_env() {
fi
}
-# append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
pg_setup_hba_conf() {
- local authMethod='md5'
- if [ -z "$POSTGRES_PASSWORD" ]; then
- authMethod='trust'
- fi
-
{
echo
- echo "host all all all $authMethod"
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ echo '# warning trust is enabled for all connections'
+ echo '# see https://www.postgresql.org/docs/12/auth-trust.html'
+ fi
+ echo "host all all all $POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
}
diff --git a/12/docker-entrypoint.sh b/12/docker-entrypoint.sh
index 698ce9f48c..406a971cfc 100755
--- a/12/docker-entrypoint.sh
+++ b/12/docker-entrypoint.sh
@@ -44,7 +44,7 @@ docker_create_db_directories() {
chmod 775 /var/run/postgresql || :
# Create the transaction log directory before initdb is run so the directory is owned by the correct user
- if [ "$POSTGRES_INITDB_WALDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_WALDIR" ]; then
mkdir -p "$POSTGRES_INITDB_WALDIR"
if [ "$user" = '0' ]; then
find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
@@ -74,7 +74,7 @@ docker_init_database_dir() {
echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
fi
- if [ "$POSTGRES_INITDB_WALDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_WALDIR" ]; then
set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
fi
@@ -87,7 +87,10 @@ docker_init_database_dir() {
fi
}
-# print large warning if POSTGRES_PASSWORD is empty
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is unset and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
# check password first so we can output the warning before postgres
# messes it up
@@ -103,22 +106,36 @@ docker_verify_minimum_env() {
EOWARN
fi
- if [ -z "$POSTGRES_PASSWORD" ]; then
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD for the superuser. Use
+ "-e POSTGRES_PASSWORD=password" to set it in "docker run".
+
+ You may also use POSTGRES_HOST_AUTH_METHOD=trust to allow all connections
+ without a password. This is *not* recommended. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: No password has been set for the database.
- This will allow anyone with access to the
- Postgres port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
-
- Use "-e POSTGRES_PASSWORD=password" to set
- it in "docker run".
- ****************************************************
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
EOWARN
-
fi
}
@@ -185,6 +202,8 @@ docker_setup_env() {
file_env 'POSTGRES_USER' 'postgres'
file_env 'POSTGRES_DB' "$POSTGRES_USER"
file_env 'POSTGRES_INITDB_ARGS'
+ # default authentication method is md5
+ : "${POSTGRES_HOST_AUTH_METHOD:=md5}"
declare -g DATABASE_ALREADY_EXISTS
# look specifically for PG_VERSION, as it is expected in the DB dir
@@ -193,16 +212,15 @@ docker_setup_env() {
fi
}
-# append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
pg_setup_hba_conf() {
- local authMethod='md5'
- if [ -z "$POSTGRES_PASSWORD" ]; then
- authMethod='trust'
- fi
-
{
echo
- echo "host all all all $authMethod"
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ echo '# warning trust is enabled for all connections'
+ echo '# see https://www.postgresql.org/docs/12/auth-trust.html'
+ fi
+ echo "host all all all $POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
}
diff --git a/9.4/alpine/docker-entrypoint.sh b/9.4/alpine/docker-entrypoint.sh
index b86e2fd509..8539acd673 100755
--- a/9.4/alpine/docker-entrypoint.sh
+++ b/9.4/alpine/docker-entrypoint.sh
@@ -44,7 +44,7 @@ docker_create_db_directories() {
chmod 775 /var/run/postgresql || :
# Create the transaction log directory before initdb is run so the directory is owned by the correct user
- if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_XLOGDIR" ]; then
mkdir -p "$POSTGRES_INITDB_XLOGDIR"
if [ "$user" = '0' ]; then
find "$POSTGRES_INITDB_XLOGDIR" \! -user postgres -exec chown postgres '{}' +
@@ -74,7 +74,7 @@ docker_init_database_dir() {
echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
fi
- if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_XLOGDIR" ]; then
set -- --xlogdir "$POSTGRES_INITDB_XLOGDIR" "$@"
fi
@@ -87,7 +87,10 @@ docker_init_database_dir() {
fi
}
-# print large warning if POSTGRES_PASSWORD is empty
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is unset and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
# check password first so we can output the warning before postgres
# messes it up
@@ -103,22 +106,36 @@ docker_verify_minimum_env() {
EOWARN
fi
- if [ -z "$POSTGRES_PASSWORD" ]; then
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD for the superuser. Use
+ "-e POSTGRES_PASSWORD=password" to set it in "docker run".
+
+ You may also use POSTGRES_HOST_AUTH_METHOD=trust to allow all connections
+ without a password. This is *not* recommended. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: No password has been set for the database.
- This will allow anyone with access to the
- Postgres port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
-
- Use "-e POSTGRES_PASSWORD=password" to set
- it in "docker run".
- ****************************************************
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
EOWARN
-
fi
}
@@ -185,6 +202,8 @@ docker_setup_env() {
file_env 'POSTGRES_USER' 'postgres'
file_env 'POSTGRES_DB' "$POSTGRES_USER"
file_env 'POSTGRES_INITDB_ARGS'
+ # default authentication method is md5
+ : "${POSTGRES_HOST_AUTH_METHOD:=md5}"
declare -g DATABASE_ALREADY_EXISTS
# look specifically for PG_VERSION, as it is expected in the DB dir
@@ -193,16 +212,15 @@ docker_setup_env() {
fi
}
-# append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
pg_setup_hba_conf() {
- local authMethod='md5'
- if [ -z "$POSTGRES_PASSWORD" ]; then
- authMethod='trust'
- fi
-
{
echo
- echo "host all all all $authMethod"
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ echo '# warning trust is enabled for all connections'
+ echo '# see https://www.postgresql.org/docs/12/auth-trust.html'
+ fi
+ echo "host all all all $POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
}
diff --git a/9.4/docker-entrypoint.sh b/9.4/docker-entrypoint.sh
index cd3140393b..ae5de79e98 100755
--- a/9.4/docker-entrypoint.sh
+++ b/9.4/docker-entrypoint.sh
@@ -44,7 +44,7 @@ docker_create_db_directories() {
chmod 775 /var/run/postgresql || :
# Create the transaction log directory before initdb is run so the directory is owned by the correct user
- if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_XLOGDIR" ]; then
mkdir -p "$POSTGRES_INITDB_XLOGDIR"
if [ "$user" = '0' ]; then
find "$POSTGRES_INITDB_XLOGDIR" \! -user postgres -exec chown postgres '{}' +
@@ -74,7 +74,7 @@ docker_init_database_dir() {
echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
fi
- if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_XLOGDIR" ]; then
set -- --xlogdir "$POSTGRES_INITDB_XLOGDIR" "$@"
fi
@@ -87,7 +87,10 @@ docker_init_database_dir() {
fi
}
-# print large warning if POSTGRES_PASSWORD is empty
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is unset and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
# check password first so we can output the warning before postgres
# messes it up
@@ -103,22 +106,36 @@ docker_verify_minimum_env() {
EOWARN
fi
- if [ -z "$POSTGRES_PASSWORD" ]; then
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD for the superuser. Use
+ "-e POSTGRES_PASSWORD=password" to set it in "docker run".
+
+ You may also use POSTGRES_HOST_AUTH_METHOD=trust to allow all connections
+ without a password. This is *not* recommended. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: No password has been set for the database.
- This will allow anyone with access to the
- Postgres port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
-
- Use "-e POSTGRES_PASSWORD=password" to set
- it in "docker run".
- ****************************************************
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
EOWARN
-
fi
}
@@ -185,6 +202,8 @@ docker_setup_env() {
file_env 'POSTGRES_USER' 'postgres'
file_env 'POSTGRES_DB' "$POSTGRES_USER"
file_env 'POSTGRES_INITDB_ARGS'
+ # default authentication method is md5
+ : "${POSTGRES_HOST_AUTH_METHOD:=md5}"
declare -g DATABASE_ALREADY_EXISTS
# look specifically for PG_VERSION, as it is expected in the DB dir
@@ -193,16 +212,15 @@ docker_setup_env() {
fi
}
-# append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
pg_setup_hba_conf() {
- local authMethod='md5'
- if [ -z "$POSTGRES_PASSWORD" ]; then
- authMethod='trust'
- fi
-
{
echo
- echo "host all all all $authMethod"
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ echo '# warning trust is enabled for all connections'
+ echo '# see https://www.postgresql.org/docs/12/auth-trust.html'
+ fi
+ echo "host all all all $POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
}
diff --git a/9.5/alpine/docker-entrypoint.sh b/9.5/alpine/docker-entrypoint.sh
index b86e2fd509..8539acd673 100755
--- a/9.5/alpine/docker-entrypoint.sh
+++ b/9.5/alpine/docker-entrypoint.sh
@@ -44,7 +44,7 @@ docker_create_db_directories() {
chmod 775 /var/run/postgresql || :
# Create the transaction log directory before initdb is run so the directory is owned by the correct user
- if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_XLOGDIR" ]; then
mkdir -p "$POSTGRES_INITDB_XLOGDIR"
if [ "$user" = '0' ]; then
find "$POSTGRES_INITDB_XLOGDIR" \! -user postgres -exec chown postgres '{}' +
@@ -74,7 +74,7 @@ docker_init_database_dir() {
echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
fi
- if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_XLOGDIR" ]; then
set -- --xlogdir "$POSTGRES_INITDB_XLOGDIR" "$@"
fi
@@ -87,7 +87,10 @@ docker_init_database_dir() {
fi
}
-# print large warning if POSTGRES_PASSWORD is empty
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is unset and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
# check password first so we can output the warning before postgres
# messes it up
@@ -103,22 +106,36 @@ docker_verify_minimum_env() {
EOWARN
fi
- if [ -z "$POSTGRES_PASSWORD" ]; then
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD for the superuser. Use
+ "-e POSTGRES_PASSWORD=password" to set it in "docker run".
+
+ You may also use POSTGRES_HOST_AUTH_METHOD=trust to allow all connections
+ without a password. This is *not* recommended. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: No password has been set for the database.
- This will allow anyone with access to the
- Postgres port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
-
- Use "-e POSTGRES_PASSWORD=password" to set
- it in "docker run".
- ****************************************************
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
EOWARN
-
fi
}
@@ -185,6 +202,8 @@ docker_setup_env() {
file_env 'POSTGRES_USER' 'postgres'
file_env 'POSTGRES_DB' "$POSTGRES_USER"
file_env 'POSTGRES_INITDB_ARGS'
+ # default authentication method is md5
+ : "${POSTGRES_HOST_AUTH_METHOD:=md5}"
declare -g DATABASE_ALREADY_EXISTS
# look specifically for PG_VERSION, as it is expected in the DB dir
@@ -193,16 +212,15 @@ docker_setup_env() {
fi
}
-# append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
pg_setup_hba_conf() {
- local authMethod='md5'
- if [ -z "$POSTGRES_PASSWORD" ]; then
- authMethod='trust'
- fi
-
{
echo
- echo "host all all all $authMethod"
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ echo '# warning trust is enabled for all connections'
+ echo '# see https://www.postgresql.org/docs/12/auth-trust.html'
+ fi
+ echo "host all all all $POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
}
diff --git a/9.5/docker-entrypoint.sh b/9.5/docker-entrypoint.sh
index cd3140393b..ae5de79e98 100755
--- a/9.5/docker-entrypoint.sh
+++ b/9.5/docker-entrypoint.sh
@@ -44,7 +44,7 @@ docker_create_db_directories() {
chmod 775 /var/run/postgresql || :
# Create the transaction log directory before initdb is run so the directory is owned by the correct user
- if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_XLOGDIR" ]; then
mkdir -p "$POSTGRES_INITDB_XLOGDIR"
if [ "$user" = '0' ]; then
find "$POSTGRES_INITDB_XLOGDIR" \! -user postgres -exec chown postgres '{}' +
@@ -74,7 +74,7 @@ docker_init_database_dir() {
echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
fi
- if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_XLOGDIR" ]; then
set -- --xlogdir "$POSTGRES_INITDB_XLOGDIR" "$@"
fi
@@ -87,7 +87,10 @@ docker_init_database_dir() {
fi
}
-# print large warning if POSTGRES_PASSWORD is empty
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is unset and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
# check password first so we can output the warning before postgres
# messes it up
@@ -103,22 +106,36 @@ docker_verify_minimum_env() {
EOWARN
fi
- if [ -z "$POSTGRES_PASSWORD" ]; then
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD for the superuser. Use
+ "-e POSTGRES_PASSWORD=password" to set it in "docker run".
+
+ You may also use POSTGRES_HOST_AUTH_METHOD=trust to allow all connections
+ without a password. This is *not* recommended. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: No password has been set for the database.
- This will allow anyone with access to the
- Postgres port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
-
- Use "-e POSTGRES_PASSWORD=password" to set
- it in "docker run".
- ****************************************************
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
EOWARN
-
fi
}
@@ -185,6 +202,8 @@ docker_setup_env() {
file_env 'POSTGRES_USER' 'postgres'
file_env 'POSTGRES_DB' "$POSTGRES_USER"
file_env 'POSTGRES_INITDB_ARGS'
+ # default authentication method is md5
+ : "${POSTGRES_HOST_AUTH_METHOD:=md5}"
declare -g DATABASE_ALREADY_EXISTS
# look specifically for PG_VERSION, as it is expected in the DB dir
@@ -193,16 +212,15 @@ docker_setup_env() {
fi
}
-# append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
pg_setup_hba_conf() {
- local authMethod='md5'
- if [ -z "$POSTGRES_PASSWORD" ]; then
- authMethod='trust'
- fi
-
{
echo
- echo "host all all all $authMethod"
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ echo '# warning trust is enabled for all connections'
+ echo '# see https://www.postgresql.org/docs/12/auth-trust.html'
+ fi
+ echo "host all all all $POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
}
diff --git a/9.6/alpine/docker-entrypoint.sh b/9.6/alpine/docker-entrypoint.sh
index b86e2fd509..8539acd673 100755
--- a/9.6/alpine/docker-entrypoint.sh
+++ b/9.6/alpine/docker-entrypoint.sh
@@ -44,7 +44,7 @@ docker_create_db_directories() {
chmod 775 /var/run/postgresql || :
# Create the transaction log directory before initdb is run so the directory is owned by the correct user
- if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_XLOGDIR" ]; then
mkdir -p "$POSTGRES_INITDB_XLOGDIR"
if [ "$user" = '0' ]; then
find "$POSTGRES_INITDB_XLOGDIR" \! -user postgres -exec chown postgres '{}' +
@@ -74,7 +74,7 @@ docker_init_database_dir() {
echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
fi
- if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_XLOGDIR" ]; then
set -- --xlogdir "$POSTGRES_INITDB_XLOGDIR" "$@"
fi
@@ -87,7 +87,10 @@ docker_init_database_dir() {
fi
}
-# print large warning if POSTGRES_PASSWORD is empty
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is unset and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
# check password first so we can output the warning before postgres
# messes it up
@@ -103,22 +106,36 @@ docker_verify_minimum_env() {
EOWARN
fi
- if [ -z "$POSTGRES_PASSWORD" ]; then
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD for the superuser. Use
+ "-e POSTGRES_PASSWORD=password" to set it in "docker run".
+
+ You may also use POSTGRES_HOST_AUTH_METHOD=trust to allow all connections
+ without a password. This is *not* recommended. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: No password has been set for the database.
- This will allow anyone with access to the
- Postgres port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
-
- Use "-e POSTGRES_PASSWORD=password" to set
- it in "docker run".
- ****************************************************
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
EOWARN
-
fi
}
@@ -185,6 +202,8 @@ docker_setup_env() {
file_env 'POSTGRES_USER' 'postgres'
file_env 'POSTGRES_DB' "$POSTGRES_USER"
file_env 'POSTGRES_INITDB_ARGS'
+ # default authentication method is md5
+ : "${POSTGRES_HOST_AUTH_METHOD:=md5}"
declare -g DATABASE_ALREADY_EXISTS
# look specifically for PG_VERSION, as it is expected in the DB dir
@@ -193,16 +212,15 @@ docker_setup_env() {
fi
}
-# append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
pg_setup_hba_conf() {
- local authMethod='md5'
- if [ -z "$POSTGRES_PASSWORD" ]; then
- authMethod='trust'
- fi
-
{
echo
- echo "host all all all $authMethod"
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ echo '# warning trust is enabled for all connections'
+ echo '# see https://www.postgresql.org/docs/12/auth-trust.html'
+ fi
+ echo "host all all all $POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
}
diff --git a/9.6/docker-entrypoint.sh b/9.6/docker-entrypoint.sh
index cd3140393b..ae5de79e98 100755
--- a/9.6/docker-entrypoint.sh
+++ b/9.6/docker-entrypoint.sh
@@ -44,7 +44,7 @@ docker_create_db_directories() {
chmod 775 /var/run/postgresql || :
# Create the transaction log directory before initdb is run so the directory is owned by the correct user
- if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_XLOGDIR" ]; then
mkdir -p "$POSTGRES_INITDB_XLOGDIR"
if [ "$user" = '0' ]; then
find "$POSTGRES_INITDB_XLOGDIR" \! -user postgres -exec chown postgres '{}' +
@@ -74,7 +74,7 @@ docker_init_database_dir() {
echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
fi
- if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_XLOGDIR" ]; then
set -- --xlogdir "$POSTGRES_INITDB_XLOGDIR" "$@"
fi
@@ -87,7 +87,10 @@ docker_init_database_dir() {
fi
}
-# print large warning if POSTGRES_PASSWORD is empty
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is unset and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
# check password first so we can output the warning before postgres
# messes it up
@@ -103,22 +106,36 @@ docker_verify_minimum_env() {
EOWARN
fi
- if [ -z "$POSTGRES_PASSWORD" ]; then
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD for the superuser. Use
+ "-e POSTGRES_PASSWORD=password" to set it in "docker run".
+
+ You may also use POSTGRES_HOST_AUTH_METHOD=trust to allow all connections
+ without a password. This is *not* recommended. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: No password has been set for the database.
- This will allow anyone with access to the
- Postgres port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
-
- Use "-e POSTGRES_PASSWORD=password" to set
- it in "docker run".
- ****************************************************
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
EOWARN
-
fi
}
@@ -185,6 +202,8 @@ docker_setup_env() {
file_env 'POSTGRES_USER' 'postgres'
file_env 'POSTGRES_DB' "$POSTGRES_USER"
file_env 'POSTGRES_INITDB_ARGS'
+ # default authentication method is md5
+ : "${POSTGRES_HOST_AUTH_METHOD:=md5}"
declare -g DATABASE_ALREADY_EXISTS
# look specifically for PG_VERSION, as it is expected in the DB dir
@@ -193,16 +212,15 @@ docker_setup_env() {
fi
}
-# append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
pg_setup_hba_conf() {
- local authMethod='md5'
- if [ -z "$POSTGRES_PASSWORD" ]; then
- authMethod='trust'
- fi
-
{
echo
- echo "host all all all $authMethod"
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ echo '# warning trust is enabled for all connections'
+ echo '# see https://www.postgresql.org/docs/12/auth-trust.html'
+ fi
+ echo "host all all all $POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
}
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 698ce9f48c..406a971cfc 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -44,7 +44,7 @@ docker_create_db_directories() {
chmod 775 /var/run/postgresql || :
# Create the transaction log directory before initdb is run so the directory is owned by the correct user
- if [ "$POSTGRES_INITDB_WALDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_WALDIR" ]; then
mkdir -p "$POSTGRES_INITDB_WALDIR"
if [ "$user" = '0' ]; then
find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
@@ -74,7 +74,7 @@ docker_init_database_dir() {
echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
fi
- if [ "$POSTGRES_INITDB_WALDIR" ]; then
+ if [ -n "$POSTGRES_INITDB_WALDIR" ]; then
set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
fi
@@ -87,7 +87,10 @@ docker_init_database_dir() {
fi
}
-# print large warning if POSTGRES_PASSWORD is empty
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is unset and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
# check password first so we can output the warning before postgres
# messes it up
@@ -103,22 +106,36 @@ docker_verify_minimum_env() {
EOWARN
fi
- if [ -z "$POSTGRES_PASSWORD" ]; then
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD for the superuser. Use
+ "-e POSTGRES_PASSWORD=password" to set it in "docker run".
+
+ You may also use POSTGRES_HOST_AUTH_METHOD=trust to allow all connections
+ without a password. This is *not* recommended. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: No password has been set for the database.
- This will allow anyone with access to the
- Postgres port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
-
- Use "-e POSTGRES_PASSWORD=password" to set
- it in "docker run".
- ****************************************************
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
EOWARN
-
fi
}
@@ -185,6 +202,8 @@ docker_setup_env() {
file_env 'POSTGRES_USER' 'postgres'
file_env 'POSTGRES_DB' "$POSTGRES_USER"
file_env 'POSTGRES_INITDB_ARGS'
+ # default authentication method is md5
+ : "${POSTGRES_HOST_AUTH_METHOD:=md5}"
declare -g DATABASE_ALREADY_EXISTS
# look specifically for PG_VERSION, as it is expected in the DB dir
@@ -193,16 +212,15 @@ docker_setup_env() {
fi
}
-# append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
pg_setup_hba_conf() {
- local authMethod='md5'
- if [ -z "$POSTGRES_PASSWORD" ]; then
- authMethod='trust'
- fi
-
{
echo
- echo "host all all all $authMethod"
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ echo '# warning trust is enabled for all connections'
+ echo '# see https://www.postgresql.org/docs/12/auth-trust.html'
+ fi
+ echo "host all all all $POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
}
pFad - Phonifier reborn
Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.
Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.
Alternative Proxies:
Alternative Proxy
pFad Proxy
pFad v3 Proxy
pFad v4 Proxy