From 169c0f0185d2b9d2221bbebe1343a8c20062a93a Mon Sep 17 00:00:00 2001 From: RTann Date: Fri, 23 Feb 2024 17:22:53 -0800 Subject: [PATCH] chore(db): postgresql 15 --- image/db/rhel/Dockerfile | 2 +- image/db/rhel/Dockerfile.slim | 2 +- image/db/rhel/konflux.Dockerfile | 4 +- image/db/rhel/scripts/docker-entrypoint.sh | 96 ++++++++++++---------- 4 files changed, 57 insertions(+), 47 deletions(-) diff --git a/image/db/rhel/Dockerfile b/image/db/rhel/Dockerfile index 301f43235..4b6aac330 100644 --- a/image/db/rhel/Dockerfile +++ b/image/db/rhel/Dockerfile @@ -16,7 +16,7 @@ LABEL name="scanner-db" \ summary="Image scanner database for the StackRox Kubernetes Security Platform" \ description="This image supports image scanning in the StackRox Kubernetes Security Platform." -ENV PG_MAJOR=12 +ENV PG_MAJOR=15 ENV PATH="$PATH:/usr/pgsql-$PG_MAJOR/bin/" \ PGDATA="/var/lib/postgresql/data/pgdata" diff --git a/image/db/rhel/Dockerfile.slim b/image/db/rhel/Dockerfile.slim index f01fc7ace..f1439939d 100644 --- a/image/db/rhel/Dockerfile.slim +++ b/image/db/rhel/Dockerfile.slim @@ -16,7 +16,7 @@ LABEL name="scanner-db-slim" \ summary="Image scanner database for the StackRox Kubernetes Security Platform" \ description="This image supports image scanning in the StackRox Kubernetes Security Platform." -ENV PG_MAJOR=12 +ENV PG_MAJOR=15 ENV PATH="$PATH:/usr/pgsql-$PG_MAJOR/bin/" \ PGDATA="/var/lib/postgresql/data/pgdata" diff --git a/image/db/rhel/konflux.Dockerfile b/image/db/rhel/konflux.Dockerfile index 7077477e5..0c37b572c 100644 --- a/image/db/rhel/konflux.Dockerfile +++ b/image/db/rhel/konflux.Dockerfile @@ -1,4 +1,4 @@ -FROM registry.redhat.io/rhel8/postgresql-12:latest AS scanner-db-common +FROM registry.redhat.io/rhel8/postgresql-15:latest AS scanner-db-common LABEL \ com.redhat.license_terms="https://www.redhat.com/agreements" \ 
@@ -35,7 +35,7 @@ RUN dnf upgrade -y --nobest && \ rm -rf /var/cache/dnf /var/cache/yum && \ chmod +x /usr/local/bin/docker-entrypoint.sh -ENV PG_MAJOR=12 \ +ENV PG_MAJOR=15 \ PGDATA="/var/lib/postgresql/data/pgdata" ENTRYPOINT ["docker-entrypoint.sh"] diff --git a/image/db/rhel/scripts/docker-entrypoint.sh b/image/db/rhel/scripts/docker-entrypoint.sh index 27491bb91..0fa992498 100755 --- a/image/db/rhel/scripts/docker-entrypoint.sh +++ b/image/db/rhel/scripts/docker-entrypoint.sh @@ -4,7 +4,7 @@ ### Community][1]. Any stackrox modification or comments are tagged with this ### comment. ### -### [1]: https://github.com/docker-library/postgres/blob/master/12/bullseye/docker-entrypoint.sh +### [1]: https://github.com/docker-library/postgres/blob/44ef8b226a40f86cf9df3f9299067db6779a3aa3/15/bookworm/docker-entrypoint.sh set -Eeo pipefail # TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) @@ -18,7 +18,7 @@ file_env() { local fileVar="${var}_FILE" local def="${2:-}" if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then - echo >&2 "error: both $var and $fileVar are set (but are exclusive)" + printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" exit 1 fi local val="$def" @@ -45,11 +45,11 @@ docker_create_db_directories() { mkdir -p "$PGDATA" # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) - chmod 700 "$PGDATA" || : + chmod 00700 "$PGDATA" || : # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 mkdir -p /var/run/postgresql || : - chmod 775 /var/run/postgresql || : + chmod 03775 /var/run/postgresql || : # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then 
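Review bot: The new `chmod 03775 /var/run/postgresql || :` line sets the setgid (02000) and sticky (01000) bits on the socket/lock directory, but the only comment beside it explains why a failure is ignored, not why a group-writable run directory wants those bits. Anyone auditing the image's file modes will look for that, so I'd add above the line `# 03775: setgid so new entries inherit the postgres group, sticky so only the owner can unlink its own socket/lock files`. The same hunk's `chmod 00700 "$PGDATA" || :` also swallows failure, so an over-permissive PGDATA is only noticed later when postgres refuses the directory, as the existing comment hints; stating that outcome explicitly in the comment would help. docker_create_db_directories continues past this hunk.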
@@ -84,8 +84,8 @@ docker_init_database_dir() { NSS_WRAPPER_GROUP="$(mktemp)" export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP local gid; gid="$(id -g)" - echo "postgres:x:$uid:$gid:PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" - echo "postgres:x:$gid:" > "$NSS_WRAPPER_GROUP" + printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD" + printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP" break fi done @@ -95,7 +95,8 @@ docker_init_database_dir() { set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" fi - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' + # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025 + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' # unset/cleanup "nss_wrapper" bits if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then 
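Review bot: The `eval 'initdb ... '"$POSTGRES_INITDB_ARGS"' "$@"'` line splices `POSTGRES_INITDB_ARGS` into the eval string unquoted, so any shell metacharacters in that variable are executed as shell code rather than handed to initdb as arguments. That is the upstream design (it is what lets one variable carry several flags), but nothing in the file says so; I'd add above the line `# POSTGRES_INITDB_ARGS is eval'd unquoted on purpose (may hold several flags); it must only come from trusted deployment config`. The new `--pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD")` form keeps the password off argv, which is good, but initdb takes only the first line of the file, so a password containing a newline is silently truncated; that deserves a word in the comment added by this hunk. docker_init_database_dir starts before and ends after this hunk.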
@@ -109,20 +110,24 @@ docker_init_database_dir() { # print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' # assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] docker_verify_minimum_env() { - # check password first so we can output the warning before postgres - # messes it up - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' + case "${PG_MAJOR:-}" in + 12 | 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98 + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - This will not work if used via PGPASSWORD with "psql". + This will not work if used via PGPASSWORD with "psql". - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 - EOWARN - fi + EOWARN + fi + ;; + esac if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then # The - option suppresses leading tabs but *not* spaces. :) cat >&2 <<-'EOE' @@ -164,7 +169,7 @@ docker_process_init_files() { # psql here for backwards compatibility "${psql[@]}" psql=( docker_process_sql ) - echo + printf '\n' local f for f; do case "$f" in 
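Review bot: The new `case "${PG_MAJOR:-}" in 12 | 13)` arm around the 100-character password warning is inert in this image, because the three Dockerfiles in this same commit set `PG_MAJOR=15`. Keeping it is reasonable for staying close to upstream, but a reader will otherwise wonder why a 12/13 check survived a 15 bump; I'd annotate the case line with `# upstream parity: the linked postgres commit removed the password length limit in later majors, so this arm does nothing for PG_MAJOR=15`. Note also that the `${PG_MAJOR:-}` default means an unset PG_MAJOR silently skips the warning rather than failing, which is fine under the current `set -Eeo pipefail` but worth saying when the TODO to enable `-u` is acted on. docker_verify_minimum_env continues past the hunk.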
@@ -172,20 +177,20 @@ docker_process_init_files() { # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 # https://github.com/docker-library/postgres/pull/452 if [ -x "$f" ]; then - echo "$0: running $f" + printf '%s: running %s\n' "$0" "$f" "$f" else - echo "$0: sourcing $f" + printf '%s: sourcing %s\n' "$0" "$f" . "$f" fi ;; - *.sql) echo "$0: running $f"; docker_process_sql -f "$f"; echo ;; - *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; - *.sql.xz) echo "$0: running $f"; xzcat "$f" | docker_process_sql; echo ;; - *.sql.zst) echo "$0: running $f"; zstd -dc "$f" | docker_process_sql; echo ;; - *) echo "$0: ignoring $f" ;; + *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;; + *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;; + *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;; + *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;; + *) printf '%s: ignoring %s\n' "$0" "$f" ;; esac - echo + printf '\n' done } @@ -216,7 +221,7 @@ docker_setup_db() { POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL' CREATE DATABASE :"db" ; EOSQL - echo + printf '\n' fi } @@ -231,6 +236,7 @@ docker_setup_env() { : "${POSTGRES_HOST_AUTH_METHOD:=}" declare -g DATABASE_ALREADY_EXISTS + : "${DATABASE_ALREADY_EXISTS:=}" # look specifically for PG_VERSION, as it is expected in the DB dir if [ -s "$PGDATA/PG_VERSION" ]; then DATABASE_ALREADY_EXISTS='true' 
@@ -250,12 +256,12 @@ pg_setup_hba_conf() { auth="$(postgres -C password_encryption "$@")" : "${POSTGRES_HOST_AUTH_METHOD:=$auth}" { - echo + printf '\n' if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then - echo '# warning trust is enabled for all connections' - echo '# see https://www.postgresql.org/docs/12/auth-trust.html' + printf '# warning trust is enabled for all connections\n' + printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n' fi - echo "host all all all $POSTGRES_HOST_AUTH_METHOD" + printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD" } >> "$PGDATA/pg_hba.conf" } @@ -308,9 +314,9 @@ _main() { if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then ### STACKROX MODIFIED - If we are initializing, then ensure we start from scratch. if [ -n "$ROX_SCANNER_DB_INIT" ]; then - echo - echo 'Initializing... Clearing any previous data from directories' - echo + printf '\n' + printf 'Initializing... Clearing any previous data from directories\n' + printf '\n' rm -rf "$PGDATA" if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then @@ -332,9 +338,9 @@ _main() { ### STACKROX MODIFIED - Sanity check the database does not exist ### upon initialization. if [ -n "$ROX_SCANNER_DB_INIT" ] && [ -n "$DATABASE_ALREADY_EXISTS" ]; then - echo - echo 'PostgreSQL Database appears to already exist upon initialization; Exiting with error...' - echo + printf '\n' + printf 'PostgreSQL Database appears to already exist upon initialization; Exiting with error...\n' + printf '\n' exit 1 fi 
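Review bot: The `printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n'` line still points at the PostgreSQL 12 documentation although this commit moves the image to 15, so the comment written into pg_hba.conf is stale; use `printf '# see https://www.postgresql.org/docs/current/auth-trust.html\n'` or build the URL from `$PG_MAJOR`. The following `printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"` writes the operator-supplied method into pg_hba.conf for every client address without checking it is a recognised method name, so a typo only surfaces when postgres rejects the file at startup; a short comment saying the value is trusted as-is, or a small allow-list check, would make that explicit. pg_setup_hba_conf starts before this hunk.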
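Review bot: The init path's `rm -rf "$PGDATA"` immediately after the new printf lines has no guard on the variable, and the file's top-of-file TODO says `-u` is still to be enabled, so an unset or empty PGDATA is only caught by rm's own error rather than by the script. `rm -rf -- "${PGDATA:?}"` aborts with a clear message before anything is removed, and also stops option parsing on unusual paths. PGDATA is set by ENV in the Dockerfiles in this commit, so this is defence in depth rather than a live bug, but it costs one line in a destructive branch. _main starts before and ends after this hunk.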
@@ -360,16 +366,20 @@ _main() { docker_temp_server_stop unset PGPASSWORD - echo - echo 'PostgreSQL init process complete; ready for start up.' - echo + cat <<-'EOM' + + PostgreSQL init process complete; ready for start up. + + EOM ### STACKROX MODIFIED - Exit once DB is initialized. exit 0 else - echo - echo 'PostgreSQL Database directory appears to contain a database; Skipping initialization' - echo + cat <<-'EOM' + + PostgreSQL Database directory appears to contain a database; Skipping initialization + + EOM fi fi
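Review bot: The two new `cat <<-'EOM'` blocks depend on `<<-` stripping leading tabs, so the message lines and the closing `EOM` must be indented with tabs only; the indentation is not recoverable from this view, and if an editor converts them to spaces bash will not match the delimiter and the heredoc runs on. The file already warns about this once with `# The - option suppresses leading tabs but *not* spaces. :)` in docker_verify_minimum_env; copying that remark next to these blocks, or adding a `grep -nP '^ +EOM'` check to lint, would keep the next edit safe. _main starts before and ends after this hunk.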