Skip to content

Commit

Permalink
chore(db): postgresql 15
Browse files Browse the repository at this point in the history
  • Loading branch information
RTann committed Mar 13, 2024
1 parent 9d59a9f commit 169c0f0
Show file tree
Hide file tree
Showing 4 changed files with 57 additions and 47 deletions.
2 changes: 1 addition & 1 deletion image/db/rhel/Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ LABEL name="scanner-db" \
summary="Image scanner database for the StackRox Kubernetes Security Platform" \
description="This image supports image scanning in the StackRox Kubernetes Security Platform."

ENV PG_MAJOR=12
ENV PG_MAJOR=15
ENV PATH="$PATH:/usr/pgsql-$PG_MAJOR/bin/" \
PGDATA="/var/lib/postgresql/data/pgdata"

Expand Down
2 changes: 1 addition & 1 deletion image/db/rhel/Dockerfile.slim
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@ LABEL name="scanner-db-slim" \
summary="Image scanner database for the StackRox Kubernetes Security Platform" \
description="This image supports image scanning in the StackRox Kubernetes Security Platform."

ENV PG_MAJOR=12
ENV PG_MAJOR=15
ENV PATH="$PATH:/usr/pgsql-$PG_MAJOR/bin/" \
PGDATA="/var/lib/postgresql/data/pgdata"

Expand Down
4 changes: 2 additions & 2 deletions image/db/rhel/konflux.Dockerfile
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM registry.redhat.io/rhel8/postgresql-12:latest AS scanner-db-common
FROM registry.redhat.io/rhel8/postgresql-15:latest AS scanner-db-common

LABEL \
com.redhat.license_terms="https://www.redhat.com/agreements" \
Expand Down Expand Up @@ -35,7 +35,7 @@ RUN dnf upgrade -y --nobest && \
rm -rf /var/cache/dnf /var/cache/yum && \
chmod +x /usr/local/bin/docker-entrypoint.sh

ENV PG_MAJOR=12 \
ENV PG_MAJOR=15 \
PGDATA="/var/lib/postgresql/data/pgdata"

ENTRYPOINT ["docker-entrypoint.sh"]
Expand Down
96 changes: 53 additions & 43 deletions image/db/rhel/scripts/docker-entrypoint.sh
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@
### Community][1]. Any stackrox modification or comments are tagged with this
### comment.
###
### [1]: https://github.com/docker-library/postgres/blob/master/12/bullseye/docker-entrypoint.sh
### [1]: https://github.com/docker-library/postgres/blob/44ef8b226a40f86cf9df3f9299067db6779a3aa3/15/bookworm/docker-entrypoint.sh

set -Eeo pipefail
# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
Expand All @@ -18,7 +18,7 @@ file_env() {
local fileVar="${var}_FILE"
local def="${2:-}"
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
exit 1
fi
local val="$def"
Expand All @@ -45,11 +45,11 @@ docker_create_db_directories() {

mkdir -p "$PGDATA"
# ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
chmod 700 "$PGDATA" || :
chmod 00700 "$PGDATA" || :

# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
mkdir -p /var/run/postgresql || :
chmod 775 /var/run/postgresql || :
chmod 03775 /var/run/postgresql || :

# Create the transaction log directory before initdb is run so the directory is owned by the correct user
if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
Expand Down Expand Up @@ -84,8 +84,8 @@ docker_init_database_dir() {
NSS_WRAPPER_GROUP="$(mktemp)"
export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
local gid; gid="$(id -g)"
echo "postgres:x:$uid:$gid:PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"
echo "postgres:x:$gid:" > "$NSS_WRAPPER_GROUP"
printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
break
fi
done
Expand All @@ -95,7 +95,8 @@ docker_init_database_dir() {
set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
fi

eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
# --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'

# unset/cleanup "nss_wrapper" bits
if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
Expand All @@ -109,20 +110,24 @@ docker_init_database_dir() {
# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
# check password first so we can output the warning before postgres
# messes it up
if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
cat >&2 <<-'EOWARN'
case "${PG_MAJOR:-}" in
12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
# check password first so we can output the warning before postgres
# messes it up
if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
cat >&2 <<-'EOWARN'
WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
This will not work if used via PGPASSWORD with "psql".
This will not work if used via PGPASSWORD with "psql".
https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
https://github.com/docker-library/postgres/issues/507
https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
https://github.com/docker-library/postgres/issues/507
EOWARN
fi
EOWARN
fi
;;
esac
if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
cat >&2 <<-'EOE'
Expand Down Expand Up @@ -164,28 +169,28 @@ docker_process_init_files() {
# psql here for backwards compatibility "${psql[@]}"
psql=( docker_process_sql )

echo
printf '\n'
local f
for f; do
case "$f" in
*.sh)
# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
# https://github.com/docker-library/postgres/pull/452
if [ -x "$f" ]; then
echo "$0: running $f"
printf '%s: running %s\n' "$0" "$f"
"$f"
else
echo "$0: sourcing $f"
printf '%s: sourcing %s\n' "$0" "$f"
. "$f"
fi
;;
*.sql) echo "$0: running $f"; docker_process_sql -f "$f"; echo ;;
*.sql.gz) echo "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;;
*.sql.xz) echo "$0: running $f"; xzcat "$f" | docker_process_sql; echo ;;
*.sql.zst) echo "$0: running $f"; zstd -dc "$f" | docker_process_sql; echo ;;
*) echo "$0: ignoring $f" ;;
*.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
*.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
*.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
*.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
*) printf '%s: ignoring %s\n' "$0" "$f" ;;
esac
echo
printf '\n'
done
}

Expand Down Expand Up @@ -216,7 +221,7 @@ docker_setup_db() {
POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
CREATE DATABASE :"db" ;
EOSQL
echo
printf '\n'
fi
}

Expand All @@ -231,6 +236,7 @@ docker_setup_env() {
: "${POSTGRES_HOST_AUTH_METHOD:=}"

declare -g DATABASE_ALREADY_EXISTS
: "${DATABASE_ALREADY_EXISTS:=}"
# look specifically for PG_VERSION, as it is expected in the DB dir
if [ -s "$PGDATA/PG_VERSION" ]; then
DATABASE_ALREADY_EXISTS='true'
Expand All @@ -250,12 +256,12 @@ pg_setup_hba_conf() {
auth="$(postgres -C password_encryption "$@")"
: "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
{
echo
printf '\n'
if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
echo '# warning trust is enabled for all connections'
echo '# see https://www.postgresql.org/docs/12/auth-trust.html'
printf '# warning trust is enabled for all connections\n'
printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n'
fi
echo "host all all all $POSTGRES_HOST_AUTH_METHOD"
printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
}

Expand Down Expand Up @@ -308,9 +314,9 @@ _main() {
if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
### STACKROX MODIFIED - If we are initializing, then ensure we start from scratch.
if [ -n "$ROX_SCANNER_DB_INIT" ]; then
echo
echo 'Initializing... Clearing any previous data from directories'
echo
printf '\n'
printf 'Initializing... Clearing any previous data from directories\n'
printf '\n'

rm -rf "$PGDATA"
if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
Expand All @@ -332,9 +338,9 @@ _main() {
### STACKROX MODIFIED - Sanity check the database does not exist
### upon initialization.
if [ -n "$ROX_SCANNER_DB_INIT" ] && [ -n "$DATABASE_ALREADY_EXISTS" ]; then
echo
echo 'PostgreSQL Database appears to already exist upon initialization; Exiting with error...'
echo
printf '\n'
printf 'PostgreSQL Database appears to already exist upon initialization; Exiting with error...\n'
printf '\n'

exit 1
fi
Expand All @@ -360,16 +366,20 @@ _main() {
docker_temp_server_stop
unset PGPASSWORD

echo
echo 'PostgreSQL init process complete; ready for start up.'
echo
cat <<-'EOM'
PostgreSQL init process complete; ready for start up.
EOM

### STACKROX MODIFIED - Exit once DB is initialized.
exit 0
else
echo
echo 'PostgreSQL Database directory appears to contain a database; Skipping initialization'
echo
cat <<-'EOM'
PostgreSQL Database directory appears to contain a database; Skipping initialization
EOM
fi
fi

Expand Down

0 comments on commit 169c0f0

Please sign in to comment.