From 48f2ad1b73abdfe08d0e4e3feb4934177929d9b5 Mon Sep 17 00:00:00 2001 From: Joe Ferguson Date: Mon, 10 Sep 2018 16:46:22 -0700 Subject: [PATCH 1/7] Functionalize the entrypoint to allow outside sourcing for extreme customizing of startup --- docker-entrypoint.sh | 318 +++++++++++++++++++++++++++---------------- 1 file changed, 201 insertions(+), 117 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 93ee4fba4d..2f9a92ffcb 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -24,153 +24,237 @@ file_env() { unset "$fileVar" } -if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" -fi +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${FUNCNAME[${#FUNCNAME[@]} - 1]}" == 'source' ] +} + +# used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user +create_postgres_dirs() { + local user="$(id -u)" -# allow the container to be started with `--user` -if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then mkdir -p "$PGDATA" - chown -R postgres "$PGDATA" chmod 700 "$PGDATA" - mkdir -p /var/run/postgresql - chown -R postgres /var/run/postgresql - chmod 775 /var/run/postgresql + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 775 /var/run/postgresql || : - # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user + # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_WALDIR" ]; then mkdir -p "$POSTGRES_INITDB_WALDIR" - chown -R postgres "$POSTGRES_INITDB_WALDIR" + [ "$user" = '0' ] && find "$POSTGRES_INITDB_WALDIR" \! -user postgres - exec chown postgres '{}' + chmod 700 "$POSTGRES_INITDB_WALDIR" fi - exec gosu postgres "$BASH_SOURCE" "$@" -fi + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} -if [ "$1" = 'postgres' ]; then - mkdir -p "$PGDATA" - chown -R "$(id -u)" "$PGDATA" 2>/dev/null || : - chmod 700 "$PGDATA" 2>/dev/null || : - - # look specifically for PG_VERSION, as it is expected in the DB dir - if [ ! -s "$PGDATA/PG_VERSION" ]; then - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then - export LD_PRELOAD='/usr/lib/libnss_wrapper.so' - export NSS_WRAPPER_PASSWD="$(mktemp)" - export NSS_WRAPPER_GROUP="$(mktemp)" - echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" - echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" - fi +# initialize empty PGDATA directory with new database via 'initdb' +init_pgdata() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi - file_env 'POSTGRES_USER' 'postgres' - file_env 'POSTGRES_PASSWORD' + file_env 'POSTGRES_INITDB_ARGS' + if [ "$POSTGRES_INITDB_WALDIR" ]; then + export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR" + fi - file_env 'POSTGRES_INITDB_ARGS' - if [ "$POSTGRES_INITDB_WALDIR" ]; then - export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR" - fi - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS" + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS" - # unset/cleanup "nss_wrapper" bits - if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} - # check password first so we can output the warning before postgres - # messes it up - if [ -n "$POSTGRES_PASSWORD" ]; then - authMethod=md5 +# print large warning if POSTGRES_PASSWORD is empty +print_password_warning() { + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + This will not work if used via PGPASSWORD with "psql". - This will not work if used via PGPASSWORD with "psql". + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 + EOWARN + fi + if [ -z "$POSTGRES_PASSWORD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOWARN' + **************************************************** + WARNING: No password has been set for the database. + This will allow anyone with access to the + Postgres port to access your database. In + Docker's default configuration, this is + effectively any other container on the same + system. - EOWARN - fi - else - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOWARN' - **************************************************** - WARNING: No password has been set for the database. - This will allow anyone with access to the - Postgres port to access your database. In - Docker's default configuration, this is - effectively any other container on the same - system. - - Use "-e POSTGRES_PASSWORD=password" to set - it in "docker run". - **************************************************** - EOWARN - - authMethod=trust - fi + Use "-e POSTGRES_PASSWORD=password" to set + it in "docker run". + **************************************************** + EOWARN - { - echo - echo "host all all all $authMethod" - } >> "$PGDATA/pg_hba.conf" + fi +} - # internal start of server in order to allow set-up using psql-client - # does not listen on external TCP/IP and waits until start finishes - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "-c listen_addresses=''" \ - -w start +# run, source, or read files from /docker-entrypoint-initdb.d (or specified directory) +process_init_files() { + # psql here for backwards compatiblilty "${psql[@]}" + psql=( psql_run ) - file_env 'POSTGRES_DB' "$POSTGRES_USER" + local initDir="${1:-/docker-entrypoint-initdb.d}" - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password ) + echo + for f in "${initDir%/}"/*; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + echo "$0: running $f" + "$f" + else + echo "$0: sourcing $f" + . "$f" + fi + ;; + *.sql) echo "$0: running $f"; psql_run -f "$f"; echo ;; + *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | psql_run; echo ;; + *) echo "$0: ignoring $f" ;; + esac + echo + done +} - if [ "$POSTGRES_DB" != 'postgres' ]; then - "${psql[@]}" --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL' - CREATE DATABASE :"db" ; - EOSQL - echo - fi - psql+=( --dbname "$POSTGRES_DB" ) +# run `psql` with proper arguments for user and db +psql_run() { + local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password ) + if [ -n "$POSTGRES_DB" ]; then + query_runner+=( --dbname "$POSTGRES_DB" ) + fi + + "${query_runner[@]}" "$@" +} +# create initial postgresql superuser with password and database +# uses environment variables for input: POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB +setup_database() { + if [ "$POSTGRES_DB" != 'postgres' ]; then + POSTGRES_DB= psql_run --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL' + CREATE DATABASE :"db" ; + EOSQL echo - for f in /docker-entrypoint-initdb.d/*; do - case "$f" in - *.sh) - # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 - # https://github.com/docker-library/postgres/pull/452 - if [ -x "$f" ]; then - echo "$0: running $f" - "$f" - else - echo "$0: sourcing $f" - . "$f" - fi - ;; - *.sql) echo "$0: running $f"; "${psql[@]}" -f "$f"; echo ;; - *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${psql[@]}"; echo ;; - *) echo "$0: ignoring $f" ;; - esac - echo - done + fi +} - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" -m fast -w stop +# get user/pass and db from env vars or via file +setup_env_vars() { + file_env 'POSTGRES_PASSWORD' - unset PGPASSWORD + file_env 'POSTGRES_USER' 'postgres' + file_env 'POSTGRES_DB' "$POSTGRES_USER" +} +# append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD +setup_pg_hba() { + local authMethod + if [ "$POSTGRES_PASSWORD" ]; then + authMethod='md5' + else + authMethod='trust' + fi + + { echo - echo 'PostgreSQL init process complete; ready for start up.' - echo + echo "host all all all $authMethod" + } >> "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up user or running scripts +temporary_pgserver_start() { + # internal start of server in order to allow set-up using psql-client + # does not listen on external TCP/IP and waits until start finishes + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "-c listen_addresses=''" \ + -w start + #??? "$@" +} + +# stop postgresql server after done setting up user and running scripts +temporary_pgserver_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" fi -fi -exec "$@" + # setup data directories and permissions, then restart script as postgres user + if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then + create_postgres_dirs + exec gosu postgres "$BASH_SOURCE" "$@" + fi + + if [ "$1" = 'postgres' ]; then + create_postgres_dirs + + # only run initialization on an empty data directory + # look specifically for PG_VERSION, as it is expected in the DB dir + if [ ! -s "$PGDATA/PG_VERSION" ]; then + init_pgdata + + setup_env_vars + print_password_warning + setup_pg_hba + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + temporary_pgserver_start + + setup_database + + process_init_files + + temporary_pgserver_stop + unset PGPASSWORD + + echo + echo 'PostgreSQL init process complete; ready for start up.' + echo + else + echo + echo 'PostgreSQL Database directory appears to contain a database; Skipping initialization' + echo + fi + fi + + exec "$@" +} + +if ! _is_sourced; then + main "$@" +fi From 49fb87619b0b001579d5d7668286b92b1d08c67a Mon Sep 17 00:00:00 2001 From: Joe Ferguson Date: Thu, 13 Sep 2018 10:56:38 -0700 Subject: [PATCH 2/7] Namespace functions for less conflict when sourced --- docker-entrypoint.sh | 58 ++++++++++++++++++++++---------------------- 1 file changed, 29 insertions(+), 29 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 2f9a92ffcb..ba59a9ccb9 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -31,7 +31,7 @@ _is_sourced() { } # used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user -create_postgres_dirs() { +docker_create_database_dirs() { local user="$(id -u)" mkdir -p "$PGDATA" @@ -56,7 +56,7 @@ create_postgres_dirs() { } # initialize empty PGDATA directory with new database via 'initdb' -init_pgdata() { +docker_init_database_dir() { # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then @@ -82,7 +82,7 @@ init_pgdata() { } # print large warning if POSTGRES_PASSWORD is empty -print_password_warning() { +docker_print_password_warning() { # check password first so we can output the warning before postgres # messes it up if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then @@ -117,9 +117,9 @@ print_password_warning() { } # run, source, or read files from /docker-entrypoint-initdb.d (or specified directory) -process_init_files() { +docker_process_init_files() { # psql here for backwards compatiblilty "${psql[@]}" - psql=( psql_run ) + psql=( docker_psql_run ) local initDir="${1:-/docker-entrypoint-initdb.d}" @@ -137,8 +137,8 @@ process_init_files() { . "$f" fi ;; - *.sql) echo "$0: running $f"; psql_run -f "$f"; echo ;; - *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | psql_run; echo ;; + *.sql) echo "$0: running $f"; docker_psql_run -f "$f"; echo ;; + *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | docker_psql_run; echo ;; *) echo "$0: ignoring $f" ;; esac echo @@ -146,7 +146,7 @@ process_init_files() { } # run `psql` with proper arguments for user and db -psql_run() { +docker_psql_run() { local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password ) if [ -n "$POSTGRES_DB" ]; then query_runner+=( --dbname "$POSTGRES_DB" ) @@ -157,9 +157,9 @@ psql_run() { # create initial postgresql superuser with password and database # uses environment variables for input: POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB -setup_database() { +docker_setup_database() { if [ "$POSTGRES_DB" != 'postgres' ]; then - POSTGRES_DB= psql_run --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL' + POSTGRES_DB= docker_psql_run --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL' CREATE DATABASE :"db" ; EOSQL echo @@ -167,7 +167,7 @@ setup_database() { } # get user/pass and db from env vars or via file -setup_env_vars() { +docker_setup_env_vars() { file_env 'POSTGRES_PASSWORD' file_env 'POSTGRES_USER' 'postgres' @@ -175,7 +175,7 @@ setup_env_vars() { } # append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD -setup_pg_hba() { +docker_setup_pg_hba() { local authMethod if [ "$POSTGRES_PASSWORD" ]; then authMethod='md5' @@ -190,23 +190,23 @@ setup_pg_hba() { } # start socket-only postgresql server for setting up user or running scripts -temporary_pgserver_start() { +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temporary_pgserver_start() { # internal start of server in order to allow set-up using psql-client - # does not listen on external TCP/IP and waits until start finishes + # does not listen on external TCP/IP and waits until start finishes (can be overridden via args) PGUSER="${PGUSER:-$POSTGRES_USER}" \ pg_ctl -D "$PGDATA" \ - -o "-c listen_addresses=''" \ + -o "-c listen_addresses='' $([ "$#" -gt 0 ] && printf '%q ' "$@")" \ -w start - #??? "$@" } # stop postgresql server after done setting up user and running scripts -temporary_pgserver_stop() { +docker_temporary_pgserver_stop() { PGUSER="${PGUSER:-postgres}" \ pg_ctl -D "$PGDATA" -m fast -w stop } -main() { +_main() { # if first arg looks like a flag, assume we want to run postgres server if [ "${1:0:1}" = '-' ]; then set -- postgres "$@" @@ -214,32 +214,32 @@ main() { # setup data directories and permissions, then restart script as postgres user if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then - create_postgres_dirs + docker_create_database_dirs exec gosu postgres "$BASH_SOURCE" "$@" fi if [ "$1" = 'postgres' ]; then - create_postgres_dirs + docker_create_database_dirs # only run initialization on an empty data directory # look specifically for PG_VERSION, as it is expected in the DB dir if [ ! -s "$PGDATA/PG_VERSION" ]; then - init_pgdata + docker_init_database_dir - setup_env_vars - print_password_warning - setup_pg_hba + docker_setup_env_vars + docker_print_password_warning + docker_setup_pg_hba # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - temporary_pgserver_start + docker_temporary_pgserver_start "${@:2}" - setup_database + docker_setup_database - process_init_files + docker_process_init_files - temporary_pgserver_stop + docker_temporary_pgserver_stop unset PGPASSWORD echo @@ -256,5 +256,5 @@ main() { } if ! _is_sourced; then - main "$@" + _main "$@" fi From 2e70e7103eb5bbd823e1a40d093833694a3f07c8 Mon Sep 17 00:00:00 2001 From: Joe Ferguson Date: Mon, 1 Jul 2019 16:50:05 -0700 Subject: [PATCH 3/7] Apply function name changes as discussed in https://github.com/docker-library/mysql/pull/471 --- docker-entrypoint.sh | 48 ++++++++++++++++++++++---------------------- 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index ba59a9ccb9..ec3d647c5d 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -31,7 +31,7 @@ _is_sourced() { } # used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user -docker_create_database_dirs() { +docker_create_db_directories() { local user="$(id -u)" mkdir -p "$PGDATA" @@ -82,7 +82,7 @@ docker_init_database_dir() { } # print large warning if POSTGRES_PASSWORD is empty -docker_print_password_warning() { +docker_verify_minimum_env() { # check password first so we can output the warning before postgres # messes it up if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then @@ -119,7 +119,7 @@ docker_print_password_warning() { # run, source, or read files from /docker-entrypoint-initdb.d (or specified directory) docker_process_init_files() { # psql here for backwards compatiblilty "${psql[@]}" - psql=( docker_psql_run ) + psql=( docker_process_sql ) local initDir="${1:-/docker-entrypoint-initdb.d}" @@ -137,8 +137,8 @@ docker_process_init_files() { . "$f" fi ;; - *.sql) echo "$0: running $f"; docker_psql_run -f "$f"; echo ;; - *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | docker_psql_run; echo ;; + *.sql) echo "$0: running $f"; docker_process_sql -f "$f"; echo ;; + *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; *) echo "$0: ignoring $f" ;; esac echo @@ -146,7 +146,7 @@ docker_process_init_files() { } # run `psql` with proper arguments for user and db -docker_psql_run() { +docker_process_sql() { local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password ) if [ -n "$POSTGRES_DB" ]; then query_runner+=( --dbname "$POSTGRES_DB" ) @@ -157,9 +157,9 @@ docker_psql_run() { # create initial postgresql superuser with password and database # uses environment variables for input: POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB -docker_setup_database() { +docker_setup_db() { if [ "$POSTGRES_DB" != 'postgres' ]; then - POSTGRES_DB= docker_psql_run --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL' + POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL' CREATE DATABASE :"db" ; EOSQL echo @@ -167,7 +167,7 @@ docker_setup_database() { } # get user/pass and db from env vars or via file -docker_setup_env_vars() { +docker_setup_env() { file_env 'POSTGRES_PASSWORD' file_env 'POSTGRES_USER' 'postgres' @@ -175,7 +175,7 @@ docker_setup_env_vars() { } # append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD -docker_setup_pg_hba() { +pg_setup_hba_conf() { local authMethod if [ "$POSTGRES_PASSWORD" ]; then authMethod='md5' @@ -191,7 +191,7 @@ docker_setup_pg_hba() { # start socket-only postgresql server for setting up user or running scripts # all arguments will be passed along as arguments to `postgres` (via pg_ctl) -docker_temporary_pgserver_start() { +docker_temp_server_start() { # internal start of server in order to allow set-up using psql-client # does not listen on external TCP/IP and waits until start finishes (can be overridden via args) PGUSER="${PGUSER:-$POSTGRES_USER}" \ @@ -201,7 +201,7 @@ docker_temporary_pgserver_start() { } # stop postgresql server after done setting up user and running scripts -docker_temporary_pgserver_stop() { +docker_temp_server_stop() { PGUSER="${PGUSER:-postgres}" \ pg_ctl -D "$PGDATA" -m fast -w stop } @@ -212,34 +212,34 @@ _main() { set -- postgres "$@" fi - # setup data directories and permissions, then restart script as postgres user - if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then - docker_create_database_dirs - exec gosu postgres "$BASH_SOURCE" "$@" - fi if [ "$1" = 'postgres' ]; then - docker_create_database_dirs + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" + fi # only run initialization on an empty data directory # look specifically for PG_VERSION, as it is expected in the DB dir if [ ! -s "$PGDATA/PG_VERSION" ]; then docker_init_database_dir - docker_setup_env_vars - docker_print_password_warning - docker_setup_pg_hba + docker_setup_env + docker_verify_minimum_env + pg_setup_hba_conf # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - docker_temporary_pgserver_start "${@:2}" + docker_temp_server_start "${@:2}" - docker_setup_database + docker_setup_db docker_process_init_files - docker_temporary_pgserver_stop + docker_temp_server_stop unset PGPASSWORD echo From 6e85168bb0d256284281a5f59f1b3afc4032e6b9 Mon Sep 17 00:00:00 2001 From: Joe Ferguson Date: Mon, 8 Jul 2019 17:09:59 -0700 Subject: [PATCH 4/7] Resync function interfaces with MySQL, improve comments add `DATABASE_ALREADY_EXISTS` variable --- docker-entrypoint.sh | 57 ++++++++++++++++++++++++++++---------------- 1 file changed, 36 insertions(+), 21 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index ec3d647c5d..895d1631ef 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -56,6 +56,9 @@ docker_create_db_directories() { } # initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env docker_init_database_dir() { # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html @@ -67,12 +70,11 @@ docker_init_database_dir() { echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" fi - file_env 'POSTGRES_INITDB_ARGS' if [ "$POSTGRES_INITDB_WALDIR" ]; then - export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR" + set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" fi - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS" + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' # unset/cleanup "nss_wrapper" bits if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then @@ -116,15 +118,16 @@ docker_verify_minimum_env() { fi } -# run, source, or read files from /docker-entrypoint-initdb.d (or specified directory) +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions docker_process_init_files() { # psql here for backwards compatiblilty "${psql[@]}" psql=( docker_process_sql ) - local initDir="${1:-/docker-entrypoint-initdb.d}" - echo - for f in "${initDir%/}"/*; do + local f + for f; do case "$f" in *.sh) # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 @@ -145,7 +148,11 @@ docker_process_init_files() { done } -# run `psql` with proper arguments for user and db +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' +# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" } -# start socket-only postgresql server for setting up user or running scripts +# start socket-only postgresql server for setting up or running scripts # all arguments will be passed along as arguments to `postgres` (via pg_ctl) docker_temp_server_start() { - # internal start of server in order to allow set-up using psql-client + if [ "$1" = 'postgres' ]; then + shift + fi + # internal start of server in order to allow setup using psql client # does not listen on external TCP/IP and waits until start finishes (can be overridden via args) PGUSER="${PGUSER:-$POSTGRES_USER}" \ pg_ctl -D "$PGDATA" \ @@ -214,6 +232,7 @@ _main() { if [ "$1" = 'postgres' ]; then + docker_setup_env # setup data directories and permissions (when run as root) docker_create_db_directories if [ "$(id -u)" = '0' ]; then @@ -222,22 +241,18 @@ _main() { fi # only run initialization on an empty data directory - # look specifically for PG_VERSION, as it is expected in the DB dir - if [ ! -s "$PGDATA/PG_VERSION" ]; then - docker_init_database_dir - - docker_setup_env + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then docker_verify_minimum_env + docker_init_database_dir pg_setup_hba_conf # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - docker_temp_server_start "${@:2}" + docker_temp_server_start "$@" docker_setup_db - - docker_process_init_files + docker_process_init_files /docker-entrypoint-initdb.d/* docker_temp_server_stop unset PGPASSWORD From d1cc08935c360ea576943708d8766b33c9b1e1f9 Mon Sep 17 00:00:00 2001 From: Joe Ferguson Date: Fri, 11 Oct 2019 13:14:57 -0700 Subject: [PATCH 5/7] Improve _is_sourced check --- docker-entrypoint.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 895d1631ef..75fcb02a07 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -27,7 +27,9 @@ file_env() { # check to see if this file is being run or sourced from another script _is_sourced() { # https://unix.stackexchange.com/a/215279 - [ "${FUNCNAME[${#FUNCNAME[@]} - 1]}" == 'source' ] + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] } # used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user From 7c84645f2d38953e1aee1742e8f607ffa9ac5884 Mon Sep 17 00:00:00 2001 From: Joe Ferguson Date: Fri, 11 Oct 2019 13:17:39 -0700 Subject: [PATCH 6/7] Apply update.sh for new entrypoint --- 10/alpine/docker-entrypoint.sh | 335 +++++++++++++++++++++----------- 10/docker-entrypoint.sh | 335 +++++++++++++++++++++----------- 11/alpine/docker-entrypoint.sh | 335 +++++++++++++++++++++----------- 11/docker-entrypoint.sh | 335 +++++++++++++++++++++----------- 12/alpine/docker-entrypoint.sh | 335 +++++++++++++++++++++----------- 12/docker-entrypoint.sh | 335 +++++++++++++++++++++----------- 9.4/alpine/docker-entrypoint.sh | 335 +++++++++++++++++++++----------- 9.4/docker-entrypoint.sh | 335 +++++++++++++++++++++----------- 9.5/alpine/docker-entrypoint.sh | 335 +++++++++++++++++++++----------- 9.5/docker-entrypoint.sh | 335 +++++++++++++++++++++----------- 9.6/alpine/docker-entrypoint.sh | 335 +++++++++++++++++++++----------- 9.6/docker-entrypoint.sh | 335 +++++++++++++++++++++----------- 12 files changed, 2616 insertions(+), 1404 deletions(-) diff --git a/10/alpine/docker-entrypoint.sh b/10/alpine/docker-entrypoint.sh index 6dce8a15c6..764c33275f 100755 --- a/10/alpine/docker-entrypoint.sh +++ b/10/alpine/docker-entrypoint.sh @@ -24,153 +24,254 @@ file_env() { unset "$fileVar" } -if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" -fi +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user +docker_create_db_directories() { + local user="$(id -u)" -# allow the container to be started with `--user` -if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then mkdir -p "$PGDATA" - chown -R postgres "$PGDATA" chmod 700 "$PGDATA" - mkdir -p /var/run/postgresql - chown -R postgres /var/run/postgresql - chmod 775 /var/run/postgresql + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 775 /var/run/postgresql || : - # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user + # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_WALDIR" ]; then mkdir -p "$POSTGRES_INITDB_WALDIR" - chown -R postgres "$POSTGRES_INITDB_WALDIR" + [ "$user" = '0' ] && find "$POSTGRES_INITDB_WALDIR" \! -user postgres - exec chown postgres '{}' + chmod 700 "$POSTGRES_INITDB_WALDIR" fi - exec su-exec postgres "$BASH_SOURCE" "$@" -fi - -if [ "$1" = 'postgres' ]; then - mkdir -p "$PGDATA" - chown -R "$(id -u)" "$PGDATA" 2>/dev/null || : - chmod 700 "$PGDATA" 2>/dev/null || : + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} - # look specifically for PG_VERSION, as it is expected in the DB dir - if [ ! -s "$PGDATA/PG_VERSION" ]; then - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then - export LD_PRELOAD='/usr/lib/libnss_wrapper.so' - export NSS_WRAPPER_PASSWD="$(mktemp)" - export NSS_WRAPPER_GROUP="$(mktemp)" - echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" - echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" - fi +# initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env +docker_init_database_dir() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi - file_env 'POSTGRES_USER' 'postgres' - file_env 'POSTGRES_PASSWORD' + if [ "$POSTGRES_INITDB_WALDIR" ]; then + set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" + fi - file_env 'POSTGRES_INITDB_ARGS' - if [ "$POSTGRES_INITDB_WALDIR" ]; then - export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR" - fi - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS" + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' - # unset/cleanup "nss_wrapper" bits - if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} - # check password first so we can output the warning before postgres - # messes it up - if [ -n "$POSTGRES_PASSWORD" ]; then - authMethod=md5 +# print large warning if POSTGRES_PASSWORD is empty +docker_verify_minimum_env() { + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + This will not work if used via PGPASSWORD with "psql". - This will not work if used via PGPASSWORD with "psql". + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 + EOWARN + fi + if [ -z "$POSTGRES_PASSWORD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOWARN' + **************************************************** + WARNING: No password has been set for the database. + This will allow anyone with access to the + Postgres port to access your database. In + Docker's default configuration, this is + effectively any other container on the same + system. - EOWARN - fi - else - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOWARN' - **************************************************** - WARNING: No password has been set for the database. - This will allow anyone with access to the - Postgres port to access your database. In - Docker's default configuration, this is - effectively any other container on the same - system. - - Use "-e POSTGRES_PASSWORD=password" to set - it in "docker run". - **************************************************** - EOWARN - - authMethod=trust - fi + Use "-e POSTGRES_PASSWORD=password" to set + it in "docker run". + **************************************************** + EOWARN - { - echo - echo "host all all all $authMethod" - } >> "$PGDATA/pg_hba.conf" + fi +} - # internal start of server in order to allow set-up using psql-client - # does not listen on external TCP/IP and waits until start finishes - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "-c listen_addresses=''" \ - -w start +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions +docker_process_init_files() { + # psql here for backwards compatiblilty "${psql[@]}" + psql=( docker_process_sql ) - file_env 'POSTGRES_DB' "$POSTGRES_USER" + echo + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + echo "$0: running $f" + "$f" + else + echo "$0: sourcing $f" + . "$f" + fi + ;; + *.sql) echo "$0: running $f"; docker_process_sql -f "$f"; echo ;; + *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; + *) echo "$0: ignoring $f" ;; + esac + echo + done +} - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password ) +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' +# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up or running scripts +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temp_server_start() { + if [ "$1" = 'postgres' ]; then + shift fi -fi + # internal start of server in order to allow setup using psql client + # does not listen on external TCP/IP and waits until start finishes (can be overridden via args) + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "-c listen_addresses='' $([ "$#" -gt 0 ] && printf '%q ' "$@")" \ + -w start +} + +# stop postgresql server after done setting up user and running scripts +docker_temp_server_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +_main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" + fi + + + if [ "$1" = 'postgres' ]; then + docker_setup_env + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec su-exec postgres "$BASH_SOURCE" "$@" + fi + + # only run initialization on an empty data directory + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_init_database_dir + pg_setup_hba_conf + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD + + echo + echo 'PostgreSQL init process complete; ready for start up.' + echo + else + echo + echo 'PostgreSQL Database directory appears to contain a database; Skipping initialization' + echo + fi + fi + + exec "$@" +} -exec "$@" +if ! _is_sourced; then + _main "$@" +fi diff --git a/10/docker-entrypoint.sh b/10/docker-entrypoint.sh index 93ee4fba4d..75fcb02a07 100755 --- a/10/docker-entrypoint.sh +++ b/10/docker-entrypoint.sh @@ -24,153 +24,254 @@ file_env() { unset "$fileVar" } -if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" -fi +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user +docker_create_db_directories() { + local user="$(id -u)" -# allow the container to be started with `--user` -if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then mkdir -p "$PGDATA" - chown -R postgres "$PGDATA" chmod 700 "$PGDATA" - mkdir -p /var/run/postgresql - chown -R postgres /var/run/postgresql - chmod 775 /var/run/postgresql + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 775 /var/run/postgresql || : - # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user + # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_WALDIR" ]; then mkdir -p "$POSTGRES_INITDB_WALDIR" - chown -R postgres "$POSTGRES_INITDB_WALDIR" + [ "$user" = '0' ] && find "$POSTGRES_INITDB_WALDIR" \! -user postgres - exec chown postgres '{}' + chmod 700 "$POSTGRES_INITDB_WALDIR" fi - exec gosu postgres "$BASH_SOURCE" "$@" -fi - -if [ "$1" = 'postgres' ]; then - mkdir -p "$PGDATA" - chown -R "$(id -u)" "$PGDATA" 2>/dev/null || : - chmod 700 "$PGDATA" 2>/dev/null || : + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} - # look specifically for PG_VERSION, as it is expected in the DB dir - if [ ! -s "$PGDATA/PG_VERSION" ]; then - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then - export LD_PRELOAD='/usr/lib/libnss_wrapper.so' - export NSS_WRAPPER_PASSWD="$(mktemp)" - export NSS_WRAPPER_GROUP="$(mktemp)" - echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" - echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" - fi +# initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env +docker_init_database_dir() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi - file_env 'POSTGRES_USER' 'postgres' - file_env 'POSTGRES_PASSWORD' + if [ "$POSTGRES_INITDB_WALDIR" ]; then + set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" + fi - file_env 'POSTGRES_INITDB_ARGS' - if [ "$POSTGRES_INITDB_WALDIR" ]; then - export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR" - fi - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS" + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' - # unset/cleanup "nss_wrapper" bits - if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} - # check password first so we can output the warning before postgres - # messes it up - if [ -n "$POSTGRES_PASSWORD" ]; then - authMethod=md5 +# print large warning if POSTGRES_PASSWORD is empty +docker_verify_minimum_env() { + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + This will not work if used via PGPASSWORD with "psql". - This will not work if used via PGPASSWORD with "psql". + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 + EOWARN + fi + if [ -z "$POSTGRES_PASSWORD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOWARN' + **************************************************** + WARNING: No password has been set for the database. + This will allow anyone with access to the + Postgres port to access your database. In + Docker's default configuration, this is + effectively any other container on the same + system. - EOWARN - fi - else - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOWARN' - **************************************************** - WARNING: No password has been set for the database. - This will allow anyone with access to the - Postgres port to access your database. In - Docker's default configuration, this is - effectively any other container on the same - system. - - Use "-e POSTGRES_PASSWORD=password" to set - it in "docker run". - **************************************************** - EOWARN - - authMethod=trust - fi + Use "-e POSTGRES_PASSWORD=password" to set + it in "docker run". + **************************************************** + EOWARN - { - echo - echo "host all all all $authMethod" - } >> "$PGDATA/pg_hba.conf" + fi +} - # internal start of server in order to allow set-up using psql-client - # does not listen on external TCP/IP and waits until start finishes - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "-c listen_addresses=''" \ - -w start +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions +docker_process_init_files() { + # psql here for backwards compatiblilty "${psql[@]}" + psql=( docker_process_sql ) - file_env 'POSTGRES_DB' "$POSTGRES_USER" + echo + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + echo "$0: running $f" + "$f" + else + echo "$0: sourcing $f" + . "$f" + fi + ;; + *.sql) echo "$0: running $f"; docker_process_sql -f "$f"; echo ;; + *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; + *) echo "$0: ignoring $f" ;; + esac + echo + done +} - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password ) +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' +# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up or running scripts +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temp_server_start() { + if [ "$1" = 'postgres' ]; then + shift fi -fi + # internal start of server in order to allow setup using psql client + # does not listen on external TCP/IP and waits until start finishes (can be overridden via args) + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "-c listen_addresses='' $([ "$#" -gt 0 ] && printf '%q ' "$@")" \ + -w start +} + +# stop postgresql server after done setting up user and running scripts +docker_temp_server_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +_main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" + fi + + + if [ "$1" = 'postgres' ]; then + docker_setup_env + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" + fi + + # only run initialization on an empty data directory + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_init_database_dir + pg_setup_hba_conf + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD + + echo + echo 'PostgreSQL init process complete; ready for start up.' + echo + else + echo + echo 'PostgreSQL Database directory appears to contain a database; Skipping initialization' + echo + fi + fi + + exec "$@" +} -exec "$@" +if ! _is_sourced; then + _main "$@" +fi diff --git a/11/alpine/docker-entrypoint.sh b/11/alpine/docker-entrypoint.sh index 6dce8a15c6..764c33275f 100755 --- a/11/alpine/docker-entrypoint.sh +++ b/11/alpine/docker-entrypoint.sh @@ -24,153 +24,254 @@ file_env() { unset "$fileVar" } -if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" -fi +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user +docker_create_db_directories() { + local user="$(id -u)" -# allow the container to be started with `--user` -if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then mkdir -p "$PGDATA" - chown -R postgres "$PGDATA" chmod 700 "$PGDATA" - mkdir -p /var/run/postgresql - chown -R postgres /var/run/postgresql - chmod 775 /var/run/postgresql + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 775 /var/run/postgresql || : - # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user + # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_WALDIR" ]; then mkdir -p "$POSTGRES_INITDB_WALDIR" - chown -R postgres "$POSTGRES_INITDB_WALDIR" + [ "$user" = '0' ] && find "$POSTGRES_INITDB_WALDIR" \! -user postgres - exec chown postgres '{}' + chmod 700 "$POSTGRES_INITDB_WALDIR" fi - exec su-exec postgres "$BASH_SOURCE" "$@" -fi - -if [ "$1" = 'postgres' ]; then - mkdir -p "$PGDATA" - chown -R "$(id -u)" "$PGDATA" 2>/dev/null || : - chmod 700 "$PGDATA" 2>/dev/null || : + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} - # look specifically for PG_VERSION, as it is expected in the DB dir - if [ ! -s "$PGDATA/PG_VERSION" ]; then - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then - export LD_PRELOAD='/usr/lib/libnss_wrapper.so' - export NSS_WRAPPER_PASSWD="$(mktemp)" - export NSS_WRAPPER_GROUP="$(mktemp)" - echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" - echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" - fi +# initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env +docker_init_database_dir() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi - file_env 'POSTGRES_USER' 'postgres' - file_env 'POSTGRES_PASSWORD' + if [ "$POSTGRES_INITDB_WALDIR" ]; then + set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" + fi - file_env 'POSTGRES_INITDB_ARGS' - if [ "$POSTGRES_INITDB_WALDIR" ]; then - export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR" - fi - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS" + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' - # unset/cleanup "nss_wrapper" bits - if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} - # check password first so we can output the warning before postgres - # messes it up - if [ -n "$POSTGRES_PASSWORD" ]; then - authMethod=md5 +# print large warning if POSTGRES_PASSWORD is empty +docker_verify_minimum_env() { + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + This will not work if used via PGPASSWORD with "psql". - This will not work if used via PGPASSWORD with "psql". + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 + EOWARN + fi + if [ -z "$POSTGRES_PASSWORD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOWARN' + **************************************************** + WARNING: No password has been set for the database. + This will allow anyone with access to the + Postgres port to access your database. In + Docker's default configuration, this is + effectively any other container on the same + system. - EOWARN - fi - else - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOWARN' - **************************************************** - WARNING: No password has been set for the database. - This will allow anyone with access to the - Postgres port to access your database. In - Docker's default configuration, this is - effectively any other container on the same - system. - - Use "-e POSTGRES_PASSWORD=password" to set - it in "docker run". - **************************************************** - EOWARN - - authMethod=trust - fi + Use "-e POSTGRES_PASSWORD=password" to set + it in "docker run". + **************************************************** + EOWARN - { - echo - echo "host all all all $authMethod" - } >> "$PGDATA/pg_hba.conf" + fi +} - # internal start of server in order to allow set-up using psql-client - # does not listen on external TCP/IP and waits until start finishes - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "-c listen_addresses=''" \ - -w start +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions +docker_process_init_files() { + # psql here for backwards compatiblilty "${psql[@]}" + psql=( docker_process_sql ) - file_env 'POSTGRES_DB' "$POSTGRES_USER" + echo + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + echo "$0: running $f" + "$f" + else + echo "$0: sourcing $f" + . "$f" + fi + ;; + *.sql) echo "$0: running $f"; docker_process_sql -f "$f"; echo ;; + *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; + *) echo "$0: ignoring $f" ;; + esac + echo + done +} - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password ) +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' +# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up or running scripts +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temp_server_start() { + if [ "$1" = 'postgres' ]; then + shift fi -fi + # internal start of server in order to allow setup using psql client + # does not listen on external TCP/IP and waits until start finishes (can be overridden via args) + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "-c listen_addresses='' $([ "$#" -gt 0 ] && printf '%q ' "$@")" \ + -w start +} + +# stop postgresql server after done setting up user and running scripts +docker_temp_server_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +_main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" + fi + + + if [ "$1" = 'postgres' ]; then + docker_setup_env + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec su-exec postgres "$BASH_SOURCE" "$@" + fi + + # only run initialization on an empty data directory + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_init_database_dir + pg_setup_hba_conf + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD + + echo + echo 'PostgreSQL init process complete; ready for start up.' + echo + else + echo + echo 'PostgreSQL Database directory appears to contain a database; Skipping initialization' + echo + fi + fi + + exec "$@" +} -exec "$@" +if ! _is_sourced; then + _main "$@" +fi diff --git a/11/docker-entrypoint.sh b/11/docker-entrypoint.sh index 93ee4fba4d..75fcb02a07 100755 --- a/11/docker-entrypoint.sh +++ b/11/docker-entrypoint.sh @@ -24,153 +24,254 @@ file_env() { unset "$fileVar" } -if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" -fi +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user +docker_create_db_directories() { + local user="$(id -u)" -# allow the container to be started with `--user` -if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then mkdir -p "$PGDATA" - chown -R postgres "$PGDATA" chmod 700 "$PGDATA" - mkdir -p /var/run/postgresql - chown -R postgres /var/run/postgresql - chmod 775 /var/run/postgresql + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 775 /var/run/postgresql || : - # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user + # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_WALDIR" ]; then mkdir -p "$POSTGRES_INITDB_WALDIR" - chown -R postgres "$POSTGRES_INITDB_WALDIR" + [ "$user" = '0' ] && find "$POSTGRES_INITDB_WALDIR" \! -user postgres - exec chown postgres '{}' + chmod 700 "$POSTGRES_INITDB_WALDIR" fi - exec gosu postgres "$BASH_SOURCE" "$@" -fi - -if [ "$1" = 'postgres' ]; then - mkdir -p "$PGDATA" - chown -R "$(id -u)" "$PGDATA" 2>/dev/null || : - chmod 700 "$PGDATA" 2>/dev/null || : + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} - # look specifically for PG_VERSION, as it is expected in the DB dir - if [ ! -s "$PGDATA/PG_VERSION" ]; then - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then - export LD_PRELOAD='/usr/lib/libnss_wrapper.so' - export NSS_WRAPPER_PASSWD="$(mktemp)" - export NSS_WRAPPER_GROUP="$(mktemp)" - echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" - echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" - fi +# initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env +docker_init_database_dir() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi - file_env 'POSTGRES_USER' 'postgres' - file_env 'POSTGRES_PASSWORD' + if [ "$POSTGRES_INITDB_WALDIR" ]; then + set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" + fi - file_env 'POSTGRES_INITDB_ARGS' - if [ "$POSTGRES_INITDB_WALDIR" ]; then - export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR" - fi - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS" + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' - # unset/cleanup "nss_wrapper" bits - if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} - # check password first so we can output the warning before postgres - # messes it up - if [ -n "$POSTGRES_PASSWORD" ]; then - authMethod=md5 +# print large warning if POSTGRES_PASSWORD is empty +docker_verify_minimum_env() { + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + This will not work if used via PGPASSWORD with "psql". - This will not work if used via PGPASSWORD with "psql". + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 + EOWARN + fi + if [ -z "$POSTGRES_PASSWORD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOWARN' + **************************************************** + WARNING: No password has been set for the database. + This will allow anyone with access to the + Postgres port to access your database. In + Docker's default configuration, this is + effectively any other container on the same + system. - EOWARN - fi - else - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOWARN' - **************************************************** - WARNING: No password has been set for the database. - This will allow anyone with access to the - Postgres port to access your database. In - Docker's default configuration, this is - effectively any other container on the same - system. - - Use "-e POSTGRES_PASSWORD=password" to set - it in "docker run". - **************************************************** - EOWARN - - authMethod=trust - fi + Use "-e POSTGRES_PASSWORD=password" to set + it in "docker run". + **************************************************** + EOWARN - { - echo - echo "host all all all $authMethod" - } >> "$PGDATA/pg_hba.conf" + fi +} - # internal start of server in order to allow set-up using psql-client - # does not listen on external TCP/IP and waits until start finishes - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "-c listen_addresses=''" \ - -w start +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions +docker_process_init_files() { + # psql here for backwards compatiblilty "${psql[@]}" + psql=( docker_process_sql ) - file_env 'POSTGRES_DB' "$POSTGRES_USER" + echo + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + echo "$0: running $f" + "$f" + else + echo "$0: sourcing $f" + . "$f" + fi + ;; + *.sql) echo "$0: running $f"; docker_process_sql -f "$f"; echo ;; + *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; + *) echo "$0: ignoring $f" ;; + esac + echo + done +} - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password ) +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' +# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up or running scripts +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temp_server_start() { + if [ "$1" = 'postgres' ]; then + shift fi -fi + # internal start of server in order to allow setup using psql client + # does not listen on external TCP/IP and waits until start finishes (can be overridden via args) + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "-c listen_addresses='' $([ "$#" -gt 0 ] && printf '%q ' "$@")" \ + -w start +} + +# stop postgresql server after done setting up user and running scripts +docker_temp_server_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +_main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" + fi + + + if [ "$1" = 'postgres' ]; then + docker_setup_env + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" + fi + + # only run initialization on an empty data directory + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_init_database_dir + pg_setup_hba_conf + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD + + echo + echo 'PostgreSQL init process complete; ready for start up.' + echo + else + echo + echo 'PostgreSQL Database directory appears to contain a database; Skipping initialization' + echo + fi + fi + + exec "$@" +} -exec "$@" +if ! _is_sourced; then + _main "$@" +fi diff --git a/12/alpine/docker-entrypoint.sh b/12/alpine/docker-entrypoint.sh index 6dce8a15c6..764c33275f 100755 --- a/12/alpine/docker-entrypoint.sh +++ b/12/alpine/docker-entrypoint.sh @@ -24,153 +24,254 @@ file_env() { unset "$fileVar" } -if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" -fi +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user +docker_create_db_directories() { + local user="$(id -u)" -# allow the container to be started with `--user` -if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then mkdir -p "$PGDATA" - chown -R postgres "$PGDATA" chmod 700 "$PGDATA" - mkdir -p /var/run/postgresql - chown -R postgres /var/run/postgresql - chmod 775 /var/run/postgresql + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 775 /var/run/postgresql || : - # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user + # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_WALDIR" ]; then mkdir -p "$POSTGRES_INITDB_WALDIR" - chown -R postgres "$POSTGRES_INITDB_WALDIR" + [ "$user" = '0' ] && find "$POSTGRES_INITDB_WALDIR" \! -user postgres - exec chown postgres '{}' + chmod 700 "$POSTGRES_INITDB_WALDIR" fi - exec su-exec postgres "$BASH_SOURCE" "$@" -fi - -if [ "$1" = 'postgres' ]; then - mkdir -p "$PGDATA" - chown -R "$(id -u)" "$PGDATA" 2>/dev/null || : - chmod 700 "$PGDATA" 2>/dev/null || : + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} - # look specifically for PG_VERSION, as it is expected in the DB dir - if [ ! -s "$PGDATA/PG_VERSION" ]; then - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then - export LD_PRELOAD='/usr/lib/libnss_wrapper.so' - export NSS_WRAPPER_PASSWD="$(mktemp)" - export NSS_WRAPPER_GROUP="$(mktemp)" - echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" - echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" - fi +# initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env +docker_init_database_dir() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi - file_env 'POSTGRES_USER' 'postgres' - file_env 'POSTGRES_PASSWORD' + if [ "$POSTGRES_INITDB_WALDIR" ]; then + set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" + fi - file_env 'POSTGRES_INITDB_ARGS' - if [ "$POSTGRES_INITDB_WALDIR" ]; then - export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR" - fi - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS" + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' - # unset/cleanup "nss_wrapper" bits - if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} - # check password first so we can output the warning before postgres - # messes it up - if [ -n "$POSTGRES_PASSWORD" ]; then - authMethod=md5 +# print large warning if POSTGRES_PASSWORD is empty +docker_verify_minimum_env() { + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + This will not work if used via PGPASSWORD with "psql". - This will not work if used via PGPASSWORD with "psql". + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 + EOWARN + fi + if [ -z "$POSTGRES_PASSWORD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOWARN' + **************************************************** + WARNING: No password has been set for the database. + This will allow anyone with access to the + Postgres port to access your database. In + Docker's default configuration, this is + effectively any other container on the same + system. - EOWARN - fi - else - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOWARN' - **************************************************** - WARNING: No password has been set for the database. - This will allow anyone with access to the - Postgres port to access your database. In - Docker's default configuration, this is - effectively any other container on the same - system. - - Use "-e POSTGRES_PASSWORD=password" to set - it in "docker run". - **************************************************** - EOWARN - - authMethod=trust - fi + Use "-e POSTGRES_PASSWORD=password" to set + it in "docker run". + **************************************************** + EOWARN - { - echo - echo "host all all all $authMethod" - } >> "$PGDATA/pg_hba.conf" + fi +} - # internal start of server in order to allow set-up using psql-client - # does not listen on external TCP/IP and waits until start finishes - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "-c listen_addresses=''" \ - -w start +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions +docker_process_init_files() { + # psql here for backwards compatiblilty "${psql[@]}" + psql=( docker_process_sql ) - file_env 'POSTGRES_DB' "$POSTGRES_USER" + echo + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + echo "$0: running $f" + "$f" + else + echo "$0: sourcing $f" + . "$f" + fi + ;; + *.sql) echo "$0: running $f"; docker_process_sql -f "$f"; echo ;; + *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; + *) echo "$0: ignoring $f" ;; + esac + echo + done +} - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password ) +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' +# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up or running scripts +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temp_server_start() { + if [ "$1" = 'postgres' ]; then + shift fi -fi + # internal start of server in order to allow setup using psql client + # does not listen on external TCP/IP and waits until start finishes (can be overridden via args) + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "-c listen_addresses='' $([ "$#" -gt 0 ] && printf '%q ' "$@")" \ + -w start +} + +# stop postgresql server after done setting up user and running scripts +docker_temp_server_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +_main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" + fi + + + if [ "$1" = 'postgres' ]; then + docker_setup_env + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec su-exec postgres "$BASH_SOURCE" "$@" + fi + + # only run initialization on an empty data directory + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_init_database_dir + pg_setup_hba_conf + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD + + echo + echo 'PostgreSQL init process complete; ready for start up.' + echo + else + echo + echo 'PostgreSQL Database directory appears to contain a database; Skipping initialization' + echo + fi + fi + + exec "$@" +} -exec "$@" +if ! _is_sourced; then + _main "$@" +fi diff --git a/12/docker-entrypoint.sh b/12/docker-entrypoint.sh index 93ee4fba4d..75fcb02a07 100755 --- a/12/docker-entrypoint.sh +++ b/12/docker-entrypoint.sh @@ -24,153 +24,254 @@ file_env() { unset "$fileVar" } -if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" -fi +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user +docker_create_db_directories() { + local user="$(id -u)" -# allow the container to be started with `--user` -if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then mkdir -p "$PGDATA" - chown -R postgres "$PGDATA" chmod 700 "$PGDATA" - mkdir -p /var/run/postgresql - chown -R postgres /var/run/postgresql - chmod 775 /var/run/postgresql + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 775 /var/run/postgresql || : - # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user + # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_WALDIR" ]; then mkdir -p "$POSTGRES_INITDB_WALDIR" - chown -R postgres "$POSTGRES_INITDB_WALDIR" + [ "$user" = '0' ] && find "$POSTGRES_INITDB_WALDIR" \! -user postgres - exec chown postgres '{}' + chmod 700 "$POSTGRES_INITDB_WALDIR" fi - exec gosu postgres "$BASH_SOURCE" "$@" -fi - -if [ "$1" = 'postgres' ]; then - mkdir -p "$PGDATA" - chown -R "$(id -u)" "$PGDATA" 2>/dev/null || : - chmod 700 "$PGDATA" 2>/dev/null || : + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} - # look specifically for PG_VERSION, as it is expected in the DB dir - if [ ! -s "$PGDATA/PG_VERSION" ]; then - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then - export LD_PRELOAD='/usr/lib/libnss_wrapper.so' - export NSS_WRAPPER_PASSWD="$(mktemp)" - export NSS_WRAPPER_GROUP="$(mktemp)" - echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" - echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" - fi +# initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env +docker_init_database_dir() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi - file_env 'POSTGRES_USER' 'postgres' - file_env 'POSTGRES_PASSWORD' + if [ "$POSTGRES_INITDB_WALDIR" ]; then + set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" + fi - file_env 'POSTGRES_INITDB_ARGS' - if [ "$POSTGRES_INITDB_WALDIR" ]; then - export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR" - fi - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS" + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' - # unset/cleanup "nss_wrapper" bits - if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} - # check password first so we can output the warning before postgres - # messes it up - if [ -n "$POSTGRES_PASSWORD" ]; then - authMethod=md5 +# print large warning if POSTGRES_PASSWORD is empty +docker_verify_minimum_env() { + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + This will not work if used via PGPASSWORD with "psql". - This will not work if used via PGPASSWORD with "psql". + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 + EOWARN + fi + if [ -z "$POSTGRES_PASSWORD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOWARN' + **************************************************** + WARNING: No password has been set for the database. + This will allow anyone with access to the + Postgres port to access your database. In + Docker's default configuration, this is + effectively any other container on the same + system. - EOWARN - fi - else - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOWARN' - **************************************************** - WARNING: No password has been set for the database. - This will allow anyone with access to the - Postgres port to access your database. In - Docker's default configuration, this is - effectively any other container on the same - system. - - Use "-e POSTGRES_PASSWORD=password" to set - it in "docker run". - **************************************************** - EOWARN - - authMethod=trust - fi + Use "-e POSTGRES_PASSWORD=password" to set + it in "docker run". + **************************************************** + EOWARN - { - echo - echo "host all all all $authMethod" - } >> "$PGDATA/pg_hba.conf" + fi +} - # internal start of server in order to allow set-up using psql-client - # does not listen on external TCP/IP and waits until start finishes - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "-c listen_addresses=''" \ - -w start +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions +docker_process_init_files() { + # psql here for backwards compatiblilty "${psql[@]}" + psql=( docker_process_sql ) - file_env 'POSTGRES_DB' "$POSTGRES_USER" + echo + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + echo "$0: running $f" + "$f" + else + echo "$0: sourcing $f" + . "$f" + fi + ;; + *.sql) echo "$0: running $f"; docker_process_sql -f "$f"; echo ;; + *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; + *) echo "$0: ignoring $f" ;; + esac + echo + done +} - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password ) +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' +# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up or running scripts +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temp_server_start() { + if [ "$1" = 'postgres' ]; then + shift fi -fi + # internal start of server in order to allow setup using psql client + # does not listen on external TCP/IP and waits until start finishes (can be overridden via args) + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "-c listen_addresses='' $([ "$#" -gt 0 ] && printf '%q ' "$@")" \ + -w start +} + +# stop postgresql server after done setting up user and running scripts +docker_temp_server_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +_main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" + fi + + + if [ "$1" = 'postgres' ]; then + docker_setup_env + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" + fi + + # only run initialization on an empty data directory + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_init_database_dir + pg_setup_hba_conf + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD + + echo + echo 'PostgreSQL init process complete; ready for start up.' + echo + else + echo + echo 'PostgreSQL Database directory appears to contain a database; Skipping initialization' + echo + fi + fi + + exec "$@" +} -exec "$@" +if ! _is_sourced; then + _main "$@" +fi diff --git a/9.4/alpine/docker-entrypoint.sh b/9.4/alpine/docker-entrypoint.sh index 8f9cfcc92c..fdce2ecdbb 100755 --- a/9.4/alpine/docker-entrypoint.sh +++ b/9.4/alpine/docker-entrypoint.sh @@ -24,153 +24,254 @@ file_env() { unset "$fileVar" } -if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" -fi +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user +docker_create_db_directories() { + local user="$(id -u)" -# allow the container to be started with `--user` -if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then mkdir -p "$PGDATA" - chown -R postgres "$PGDATA" chmod 700 "$PGDATA" - mkdir -p /var/run/postgresql - chown -R postgres /var/run/postgresql - chmod 775 /var/run/postgresql + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 775 /var/run/postgresql || : - # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user + # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_XLOGDIR" ]; then mkdir -p "$POSTGRES_INITDB_XLOGDIR" - chown -R postgres "$POSTGRES_INITDB_XLOGDIR" + [ "$user" = '0' ] && find "$POSTGRES_INITDB_XLOGDIR" \! -user postgres - exec chown postgres '{}' + chmod 700 "$POSTGRES_INITDB_XLOGDIR" fi - exec su-exec postgres "$BASH_SOURCE" "$@" -fi - -if [ "$1" = 'postgres' ]; then - mkdir -p "$PGDATA" - chown -R "$(id -u)" "$PGDATA" 2>/dev/null || : - chmod 700 "$PGDATA" 2>/dev/null || : + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} - # look specifically for PG_VERSION, as it is expected in the DB dir - if [ ! -s "$PGDATA/PG_VERSION" ]; then - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then - export LD_PRELOAD='/usr/lib/libnss_wrapper.so' - export NSS_WRAPPER_PASSWD="$(mktemp)" - export NSS_WRAPPER_GROUP="$(mktemp)" - echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" - echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" - fi +# initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env +docker_init_database_dir() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi - file_env 'POSTGRES_USER' 'postgres' - file_env 'POSTGRES_PASSWORD' + if [ "$POSTGRES_INITDB_XLOGDIR" ]; then + set -- --xlogdir "$POSTGRES_INITDB_XLOGDIR" "$@" + fi - file_env 'POSTGRES_INITDB_ARGS' - if [ "$POSTGRES_INITDB_XLOGDIR" ]; then - export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR" - fi - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS" + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' - # unset/cleanup "nss_wrapper" bits - if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} - # check password first so we can output the warning before postgres - # messes it up - if [ -n "$POSTGRES_PASSWORD" ]; then - authMethod=md5 +# print large warning if POSTGRES_PASSWORD is empty +docker_verify_minimum_env() { + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + This will not work if used via PGPASSWORD with "psql". - This will not work if used via PGPASSWORD with "psql". + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 + EOWARN + fi + if [ -z "$POSTGRES_PASSWORD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOWARN' + **************************************************** + WARNING: No password has been set for the database. + This will allow anyone with access to the + Postgres port to access your database. In + Docker's default configuration, this is + effectively any other container on the same + system. - EOWARN - fi - else - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOWARN' - **************************************************** - WARNING: No password has been set for the database. - This will allow anyone with access to the - Postgres port to access your database. In - Docker's default configuration, this is - effectively any other container on the same - system. - - Use "-e POSTGRES_PASSWORD=password" to set - it in "docker run". - **************************************************** - EOWARN - - authMethod=trust - fi + Use "-e POSTGRES_PASSWORD=password" to set + it in "docker run". + **************************************************** + EOWARN - { - echo - echo "host all all all $authMethod" - } >> "$PGDATA/pg_hba.conf" + fi +} - # internal start of server in order to allow set-up using psql-client - # does not listen on external TCP/IP and waits until start finishes - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "-c listen_addresses=''" \ - -w start +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions +docker_process_init_files() { + # psql here for backwards compatiblilty "${psql[@]}" + psql=( docker_process_sql ) - file_env 'POSTGRES_DB' "$POSTGRES_USER" + echo + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + echo "$0: running $f" + "$f" + else + echo "$0: sourcing $f" + . "$f" + fi + ;; + *.sql) echo "$0: running $f"; docker_process_sql -f "$f"; echo ;; + *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; + *) echo "$0: ignoring $f" ;; + esac + echo + done +} - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password ) +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' +# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up or running scripts +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temp_server_start() { + if [ "$1" = 'postgres' ]; then + shift fi -fi + # internal start of server in order to allow setup using psql client + # does not listen on external TCP/IP and waits until start finishes (can be overridden via args) + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "-c listen_addresses='' $([ "$#" -gt 0 ] && printf '%q ' "$@")" \ + -w start +} + +# stop postgresql server after done setting up user and running scripts +docker_temp_server_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +_main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" + fi + + + if [ "$1" = 'postgres' ]; then + docker_setup_env + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec su-exec postgres "$BASH_SOURCE" "$@" + fi + + # only run initialization on an empty data directory + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_init_database_dir + pg_setup_hba_conf + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD + + echo + echo 'PostgreSQL init process complete; ready for start up.' + echo + else + echo + echo 'PostgreSQL Database directory appears to contain a database; Skipping initialization' + echo + fi + fi + + exec "$@" +} -exec "$@" +if ! _is_sourced; then + _main "$@" +fi diff --git a/9.4/docker-entrypoint.sh b/9.4/docker-entrypoint.sh index 3f984a1649..e8051efe30 100755 --- a/9.4/docker-entrypoint.sh +++ b/9.4/docker-entrypoint.sh @@ -24,153 +24,254 @@ file_env() { unset "$fileVar" } -if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" -fi +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user +docker_create_db_directories() { + local user="$(id -u)" -# allow the container to be started with `--user` -if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then mkdir -p "$PGDATA" - chown -R postgres "$PGDATA" chmod 700 "$PGDATA" - mkdir -p /var/run/postgresql - chown -R postgres /var/run/postgresql - chmod 775 /var/run/postgresql + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 775 /var/run/postgresql || : - # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user + # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_XLOGDIR" ]; then mkdir -p "$POSTGRES_INITDB_XLOGDIR" - chown -R postgres "$POSTGRES_INITDB_XLOGDIR" + [ "$user" = '0' ] && find "$POSTGRES_INITDB_XLOGDIR" \! -user postgres - exec chown postgres '{}' + chmod 700 "$POSTGRES_INITDB_XLOGDIR" fi - exec gosu postgres "$BASH_SOURCE" "$@" -fi - -if [ "$1" = 'postgres' ]; then - mkdir -p "$PGDATA" - chown -R "$(id -u)" "$PGDATA" 2>/dev/null || : - chmod 700 "$PGDATA" 2>/dev/null || : + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} - # look specifically for PG_VERSION, as it is expected in the DB dir - if [ ! -s "$PGDATA/PG_VERSION" ]; then - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then - export LD_PRELOAD='/usr/lib/libnss_wrapper.so' - export NSS_WRAPPER_PASSWD="$(mktemp)" - export NSS_WRAPPER_GROUP="$(mktemp)" - echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" - echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" - fi +# initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env +docker_init_database_dir() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi - file_env 'POSTGRES_USER' 'postgres' - file_env 'POSTGRES_PASSWORD' + if [ "$POSTGRES_INITDB_XLOGDIR" ]; then + set -- --xlogdir "$POSTGRES_INITDB_XLOGDIR" "$@" + fi - file_env 'POSTGRES_INITDB_ARGS' - if [ "$POSTGRES_INITDB_XLOGDIR" ]; then - export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR" - fi - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS" + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' - # unset/cleanup "nss_wrapper" bits - if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} - # check password first so we can output the warning before postgres - # messes it up - if [ -n "$POSTGRES_PASSWORD" ]; then - authMethod=md5 +# print large warning if POSTGRES_PASSWORD is empty +docker_verify_minimum_env() { + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + This will not work if used via PGPASSWORD with "psql". - This will not work if used via PGPASSWORD with "psql". + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 + EOWARN + fi + if [ -z "$POSTGRES_PASSWORD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOWARN' + **************************************************** + WARNING: No password has been set for the database. + This will allow anyone with access to the + Postgres port to access your database. In + Docker's default configuration, this is + effectively any other container on the same + system. - EOWARN - fi - else - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOWARN' - **************************************************** - WARNING: No password has been set for the database. - This will allow anyone with access to the - Postgres port to access your database. In - Docker's default configuration, this is - effectively any other container on the same - system. - - Use "-e POSTGRES_PASSWORD=password" to set - it in "docker run". - **************************************************** - EOWARN - - authMethod=trust - fi + Use "-e POSTGRES_PASSWORD=password" to set + it in "docker run". + **************************************************** + EOWARN - { - echo - echo "host all all all $authMethod" - } >> "$PGDATA/pg_hba.conf" + fi +} - # internal start of server in order to allow set-up using psql-client - # does not listen on external TCP/IP and waits until start finishes - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "-c listen_addresses=''" \ - -w start +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions +docker_process_init_files() { + # psql here for backwards compatiblilty "${psql[@]}" + psql=( docker_process_sql ) - file_env 'POSTGRES_DB' "$POSTGRES_USER" + echo + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + echo "$0: running $f" + "$f" + else + echo "$0: sourcing $f" + . "$f" + fi + ;; + *.sql) echo "$0: running $f"; docker_process_sql -f "$f"; echo ;; + *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; + *) echo "$0: ignoring $f" ;; + esac + echo + done +} - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password ) +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' +# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up or running scripts +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temp_server_start() { + if [ "$1" = 'postgres' ]; then + shift fi -fi + # internal start of server in order to allow setup using psql client + # does not listen on external TCP/IP and waits until start finishes (can be overridden via args) + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "-c listen_addresses='' $([ "$#" -gt 0 ] && printf '%q ' "$@")" \ + -w start +} + +# stop postgresql server after done setting up user and running scripts +docker_temp_server_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +_main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" + fi + + + if [ "$1" = 'postgres' ]; then + docker_setup_env + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" + fi + + # only run initialization on an empty data directory + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_init_database_dir + pg_setup_hba_conf + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD + + echo + echo 'PostgreSQL init process complete; ready for start up.' + echo + else + echo + echo 'PostgreSQL Database directory appears to contain a database; Skipping initialization' + echo + fi + fi + + exec "$@" +} -exec "$@" +if ! _is_sourced; then + _main "$@" +fi diff --git a/9.5/alpine/docker-entrypoint.sh b/9.5/alpine/docker-entrypoint.sh index 8f9cfcc92c..fdce2ecdbb 100755 --- a/9.5/alpine/docker-entrypoint.sh +++ b/9.5/alpine/docker-entrypoint.sh @@ -24,153 +24,254 @@ file_env() { unset "$fileVar" } -if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" -fi +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user +docker_create_db_directories() { + local user="$(id -u)" -# allow the container to be started with `--user` -if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then mkdir -p "$PGDATA" - chown -R postgres "$PGDATA" chmod 700 "$PGDATA" - mkdir -p /var/run/postgresql - chown -R postgres /var/run/postgresql - chmod 775 /var/run/postgresql + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 775 /var/run/postgresql || : - # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user + # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_XLOGDIR" ]; then mkdir -p "$POSTGRES_INITDB_XLOGDIR" - chown -R postgres "$POSTGRES_INITDB_XLOGDIR" + [ "$user" = '0' ] && find "$POSTGRES_INITDB_XLOGDIR" \! -user postgres - exec chown postgres '{}' + chmod 700 "$POSTGRES_INITDB_XLOGDIR" fi - exec su-exec postgres "$BASH_SOURCE" "$@" -fi - -if [ "$1" = 'postgres' ]; then - mkdir -p "$PGDATA" - chown -R "$(id -u)" "$PGDATA" 2>/dev/null || : - chmod 700 "$PGDATA" 2>/dev/null || : + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} - # look specifically for PG_VERSION, as it is expected in the DB dir - if [ ! -s "$PGDATA/PG_VERSION" ]; then - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then - export LD_PRELOAD='/usr/lib/libnss_wrapper.so' - export NSS_WRAPPER_PASSWD="$(mktemp)" - export NSS_WRAPPER_GROUP="$(mktemp)" - echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" - echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" - fi +# initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env +docker_init_database_dir() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi - file_env 'POSTGRES_USER' 'postgres' - file_env 'POSTGRES_PASSWORD' + if [ "$POSTGRES_INITDB_XLOGDIR" ]; then + set -- --xlogdir "$POSTGRES_INITDB_XLOGDIR" "$@" + fi - file_env 'POSTGRES_INITDB_ARGS' - if [ "$POSTGRES_INITDB_XLOGDIR" ]; then - export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR" - fi - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS" + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' - # unset/cleanup "nss_wrapper" bits - if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} - # check password first so we can output the warning before postgres - # messes it up - if [ -n "$POSTGRES_PASSWORD" ]; then - authMethod=md5 +# print large warning if POSTGRES_PASSWORD is empty +docker_verify_minimum_env() { + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + This will not work if used via PGPASSWORD with "psql". - This will not work if used via PGPASSWORD with "psql". + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 + EOWARN + fi + if [ -z "$POSTGRES_PASSWORD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOWARN' + **************************************************** + WARNING: No password has been set for the database. + This will allow anyone with access to the + Postgres port to access your database. In + Docker's default configuration, this is + effectively any other container on the same + system. - EOWARN - fi - else - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOWARN' - **************************************************** - WARNING: No password has been set for the database. - This will allow anyone with access to the - Postgres port to access your database. In - Docker's default configuration, this is - effectively any other container on the same - system. - - Use "-e POSTGRES_PASSWORD=password" to set - it in "docker run". - **************************************************** - EOWARN - - authMethod=trust - fi + Use "-e POSTGRES_PASSWORD=password" to set + it in "docker run". + **************************************************** + EOWARN - { - echo - echo "host all all all $authMethod" - } >> "$PGDATA/pg_hba.conf" + fi +} - # internal start of server in order to allow set-up using psql-client - # does not listen on external TCP/IP and waits until start finishes - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "-c listen_addresses=''" \ - -w start +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions +docker_process_init_files() { + # psql here for backwards compatiblilty "${psql[@]}" + psql=( docker_process_sql ) - file_env 'POSTGRES_DB' "$POSTGRES_USER" + echo + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + echo "$0: running $f" + "$f" + else + echo "$0: sourcing $f" + . "$f" + fi + ;; + *.sql) echo "$0: running $f"; docker_process_sql -f "$f"; echo ;; + *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; + *) echo "$0: ignoring $f" ;; + esac + echo + done +} - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password ) +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' +# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up or running scripts +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temp_server_start() { + if [ "$1" = 'postgres' ]; then + shift fi -fi + # internal start of server in order to allow setup using psql client + # does not listen on external TCP/IP and waits until start finishes (can be overridden via args) + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "-c listen_addresses='' $([ "$#" -gt 0 ] && printf '%q ' "$@")" \ + -w start +} + +# stop postgresql server after done setting up user and running scripts +docker_temp_server_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +_main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" + fi + + + if [ "$1" = 'postgres' ]; then + docker_setup_env + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec su-exec postgres "$BASH_SOURCE" "$@" + fi + + # only run initialization on an empty data directory + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_init_database_dir + pg_setup_hba_conf + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD + + echo + echo 'PostgreSQL init process complete; ready for start up.' + echo + else + echo + echo 'PostgreSQL Database directory appears to contain a database; Skipping initialization' + echo + fi + fi + + exec "$@" +} -exec "$@" +if ! _is_sourced; then + _main "$@" +fi diff --git a/9.5/docker-entrypoint.sh b/9.5/docker-entrypoint.sh index 3f984a1649..e8051efe30 100755 --- a/9.5/docker-entrypoint.sh +++ b/9.5/docker-entrypoint.sh @@ -24,153 +24,254 @@ file_env() { unset "$fileVar" } -if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" -fi +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user +docker_create_db_directories() { + local user="$(id -u)" -# allow the container to be started with `--user` -if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then mkdir -p "$PGDATA" - chown -R postgres "$PGDATA" chmod 700 "$PGDATA" - mkdir -p /var/run/postgresql - chown -R postgres /var/run/postgresql - chmod 775 /var/run/postgresql + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 775 /var/run/postgresql || : - # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user + # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_XLOGDIR" ]; then mkdir -p "$POSTGRES_INITDB_XLOGDIR" - chown -R postgres "$POSTGRES_INITDB_XLOGDIR" + [ "$user" = '0' ] && find "$POSTGRES_INITDB_XLOGDIR" \! -user postgres - exec chown postgres '{}' + chmod 700 "$POSTGRES_INITDB_XLOGDIR" fi - exec gosu postgres "$BASH_SOURCE" "$@" -fi - -if [ "$1" = 'postgres' ]; then - mkdir -p "$PGDATA" - chown -R "$(id -u)" "$PGDATA" 2>/dev/null || : - chmod 700 "$PGDATA" 2>/dev/null || : + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} - # look specifically for PG_VERSION, as it is expected in the DB dir - if [ ! -s "$PGDATA/PG_VERSION" ]; then - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then - export LD_PRELOAD='/usr/lib/libnss_wrapper.so' - export NSS_WRAPPER_PASSWD="$(mktemp)" - export NSS_WRAPPER_GROUP="$(mktemp)" - echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" - echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" - fi +# initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env +docker_init_database_dir() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi - file_env 'POSTGRES_USER' 'postgres' - file_env 'POSTGRES_PASSWORD' + if [ "$POSTGRES_INITDB_XLOGDIR" ]; then + set -- --xlogdir "$POSTGRES_INITDB_XLOGDIR" "$@" + fi - file_env 'POSTGRES_INITDB_ARGS' - if [ "$POSTGRES_INITDB_XLOGDIR" ]; then - export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR" - fi - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS" + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' - # unset/cleanup "nss_wrapper" bits - if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} - # check password first so we can output the warning before postgres - # messes it up - if [ -n "$POSTGRES_PASSWORD" ]; then - authMethod=md5 +# print large warning if POSTGRES_PASSWORD is empty +docker_verify_minimum_env() { + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + This will not work if used via PGPASSWORD with "psql". - This will not work if used via PGPASSWORD with "psql". + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 + EOWARN + fi + if [ -z "$POSTGRES_PASSWORD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOWARN' + **************************************************** + WARNING: No password has been set for the database. + This will allow anyone with access to the + Postgres port to access your database. In + Docker's default configuration, this is + effectively any other container on the same + system. - EOWARN - fi - else - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOWARN' - **************************************************** - WARNING: No password has been set for the database. - This will allow anyone with access to the - Postgres port to access your database. In - Docker's default configuration, this is - effectively any other container on the same - system. - - Use "-e POSTGRES_PASSWORD=password" to set - it in "docker run". - **************************************************** - EOWARN - - authMethod=trust - fi + Use "-e POSTGRES_PASSWORD=password" to set + it in "docker run". + **************************************************** + EOWARN - { - echo - echo "host all all all $authMethod" - } >> "$PGDATA/pg_hba.conf" + fi +} - # internal start of server in order to allow set-up using psql-client - # does not listen on external TCP/IP and waits until start finishes - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "-c listen_addresses=''" \ - -w start +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions +docker_process_init_files() { + # psql here for backwards compatiblilty "${psql[@]}" + psql=( docker_process_sql ) - file_env 'POSTGRES_DB' "$POSTGRES_USER" + echo + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + echo "$0: running $f" + "$f" + else + echo "$0: sourcing $f" + . "$f" + fi + ;; + *.sql) echo "$0: running $f"; docker_process_sql -f "$f"; echo ;; + *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; + *) echo "$0: ignoring $f" ;; + esac + echo + done +} - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password ) +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' +# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up or running scripts +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temp_server_start() { + if [ "$1" = 'postgres' ]; then + shift fi -fi + # internal start of server in order to allow setup using psql client + # does not listen on external TCP/IP and waits until start finishes (can be overridden via args) + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "-c listen_addresses='' $([ "$#" -gt 0 ] && printf '%q ' "$@")" \ + -w start +} + +# stop postgresql server after done setting up user and running scripts +docker_temp_server_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +_main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" + fi + + + if [ "$1" = 'postgres' ]; then + docker_setup_env + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" + fi + + # only run initialization on an empty data directory + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_init_database_dir + pg_setup_hba_conf + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD + + echo + echo 'PostgreSQL init process complete; ready for start up.' + echo + else + echo + echo 'PostgreSQL Database directory appears to contain a database; Skipping initialization' + echo + fi + fi + + exec "$@" +} -exec "$@" +if ! _is_sourced; then + _main "$@" +fi diff --git a/9.6/alpine/docker-entrypoint.sh b/9.6/alpine/docker-entrypoint.sh index 8f9cfcc92c..fdce2ecdbb 100755 --- a/9.6/alpine/docker-entrypoint.sh +++ b/9.6/alpine/docker-entrypoint.sh @@ -24,153 +24,254 @@ file_env() { unset "$fileVar" } -if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" -fi +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user +docker_create_db_directories() { + local user="$(id -u)" -# allow the container to be started with `--user` -if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then mkdir -p "$PGDATA" - chown -R postgres "$PGDATA" chmod 700 "$PGDATA" - mkdir -p /var/run/postgresql - chown -R postgres /var/run/postgresql - chmod 775 /var/run/postgresql + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 775 /var/run/postgresql || : - # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user + # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_XLOGDIR" ]; then mkdir -p "$POSTGRES_INITDB_XLOGDIR" - chown -R postgres "$POSTGRES_INITDB_XLOGDIR" + [ "$user" = '0' ] && find "$POSTGRES_INITDB_XLOGDIR" \! -user postgres - exec chown postgres '{}' + chmod 700 "$POSTGRES_INITDB_XLOGDIR" fi - exec su-exec postgres "$BASH_SOURCE" "$@" -fi - -if [ "$1" = 'postgres' ]; then - mkdir -p "$PGDATA" - chown -R "$(id -u)" "$PGDATA" 2>/dev/null || : - chmod 700 "$PGDATA" 2>/dev/null || : + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} - # look specifically for PG_VERSION, as it is expected in the DB dir - if [ ! -s "$PGDATA/PG_VERSION" ]; then - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then - export LD_PRELOAD='/usr/lib/libnss_wrapper.so' - export NSS_WRAPPER_PASSWD="$(mktemp)" - export NSS_WRAPPER_GROUP="$(mktemp)" - echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" - echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" - fi +# initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env +docker_init_database_dir() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi - file_env 'POSTGRES_USER' 'postgres' - file_env 'POSTGRES_PASSWORD' + if [ "$POSTGRES_INITDB_XLOGDIR" ]; then + set -- --xlogdir "$POSTGRES_INITDB_XLOGDIR" "$@" + fi - file_env 'POSTGRES_INITDB_ARGS' - if [ "$POSTGRES_INITDB_XLOGDIR" ]; then - export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR" - fi - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS" + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' - # unset/cleanup "nss_wrapper" bits - if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} - # check password first so we can output the warning before postgres - # messes it up - if [ -n "$POSTGRES_PASSWORD" ]; then - authMethod=md5 +# print large warning if POSTGRES_PASSWORD is empty +docker_verify_minimum_env() { + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + This will not work if used via PGPASSWORD with "psql". - This will not work if used via PGPASSWORD with "psql". + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 + EOWARN + fi + if [ -z "$POSTGRES_PASSWORD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOWARN' + **************************************************** + WARNING: No password has been set for the database. + This will allow anyone with access to the + Postgres port to access your database. In + Docker's default configuration, this is + effectively any other container on the same + system. - EOWARN - fi - else - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOWARN' - **************************************************** - WARNING: No password has been set for the database. - This will allow anyone with access to the - Postgres port to access your database. In - Docker's default configuration, this is - effectively any other container on the same - system. - - Use "-e POSTGRES_PASSWORD=password" to set - it in "docker run". - **************************************************** - EOWARN - - authMethod=trust - fi + Use "-e POSTGRES_PASSWORD=password" to set + it in "docker run". + **************************************************** + EOWARN - { - echo - echo "host all all all $authMethod" - } >> "$PGDATA/pg_hba.conf" + fi +} - # internal start of server in order to allow set-up using psql-client - # does not listen on external TCP/IP and waits until start finishes - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "-c listen_addresses=''" \ - -w start +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions +docker_process_init_files() { + # psql here for backwards compatiblilty "${psql[@]}" + psql=( docker_process_sql ) - file_env 'POSTGRES_DB' "$POSTGRES_USER" + echo + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + echo "$0: running $f" + "$f" + else + echo "$0: sourcing $f" + . "$f" + fi + ;; + *.sql) echo "$0: running $f"; docker_process_sql -f "$f"; echo ;; + *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; + *) echo "$0: ignoring $f" ;; + esac + echo + done +} - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password ) +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' +# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up or running scripts +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temp_server_start() { + if [ "$1" = 'postgres' ]; then + shift fi -fi + # internal start of server in order to allow setup using psql client + # does not listen on external TCP/IP and waits until start finishes (can be overridden via args) + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "-c listen_addresses='' $([ "$#" -gt 0 ] && printf '%q ' "$@")" \ + -w start +} + +# stop postgresql server after done setting up user and running scripts +docker_temp_server_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +_main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" + fi + + + if [ "$1" = 'postgres' ]; then + docker_setup_env + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec su-exec postgres "$BASH_SOURCE" "$@" + fi + + # only run initialization on an empty data directory + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_init_database_dir + pg_setup_hba_conf + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD + + echo + echo 'PostgreSQL init process complete; ready for start up.' + echo + else + echo + echo 'PostgreSQL Database directory appears to contain a database; Skipping initialization' + echo + fi + fi + + exec "$@" +} -exec "$@" +if ! _is_sourced; then + _main "$@" +fi diff --git a/9.6/docker-entrypoint.sh b/9.6/docker-entrypoint.sh index 3f984a1649..e8051efe30 100755 --- a/9.6/docker-entrypoint.sh +++ b/9.6/docker-entrypoint.sh @@ -24,153 +24,254 @@ file_env() { unset "$fileVar" } -if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" -fi +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user +docker_create_db_directories() { + local user="$(id -u)" -# allow the container to be started with `--user` -if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then mkdir -p "$PGDATA" - chown -R postgres "$PGDATA" chmod 700 "$PGDATA" - mkdir -p /var/run/postgresql - chown -R postgres /var/run/postgresql - chmod 775 /var/run/postgresql + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 775 /var/run/postgresql || : - # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user + # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_XLOGDIR" ]; then mkdir -p "$POSTGRES_INITDB_XLOGDIR" - chown -R postgres "$POSTGRES_INITDB_XLOGDIR" + [ "$user" = '0' ] && find "$POSTGRES_INITDB_XLOGDIR" \! -user postgres - exec chown postgres '{}' + chmod 700 "$POSTGRES_INITDB_XLOGDIR" fi - exec gosu postgres "$BASH_SOURCE" "$@" -fi - -if [ "$1" = 'postgres' ]; then - mkdir -p "$PGDATA" - chown -R "$(id -u)" "$PGDATA" 2>/dev/null || : - chmod 700 "$PGDATA" 2>/dev/null || : + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} - # look specifically for PG_VERSION, as it is expected in the DB dir - if [ ! -s "$PGDATA/PG_VERSION" ]; then - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then - export LD_PRELOAD='/usr/lib/libnss_wrapper.so' - export NSS_WRAPPER_PASSWD="$(mktemp)" - export NSS_WRAPPER_GROUP="$(mktemp)" - echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" - echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" - fi +# initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env +docker_init_database_dir() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi - file_env 'POSTGRES_USER' 'postgres' - file_env 'POSTGRES_PASSWORD' + if [ "$POSTGRES_INITDB_XLOGDIR" ]; then + set -- --xlogdir "$POSTGRES_INITDB_XLOGDIR" "$@" + fi - file_env 'POSTGRES_INITDB_ARGS' - if [ "$POSTGRES_INITDB_XLOGDIR" ]; then - export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR" - fi - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS" + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' - # unset/cleanup "nss_wrapper" bits - if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} - # check password first so we can output the warning before postgres - # messes it up - if [ -n "$POSTGRES_PASSWORD" ]; then - authMethod=md5 +# print large warning if POSTGRES_PASSWORD is empty +docker_verify_minimum_env() { + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + This will not work if used via PGPASSWORD with "psql". - This will not work if used via PGPASSWORD with "psql". + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 + EOWARN + fi + if [ -z "$POSTGRES_PASSWORD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOWARN' + **************************************************** + WARNING: No password has been set for the database. + This will allow anyone with access to the + Postgres port to access your database. In + Docker's default configuration, this is + effectively any other container on the same + system. - EOWARN - fi - else - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOWARN' - **************************************************** - WARNING: No password has been set for the database. - This will allow anyone with access to the - Postgres port to access your database. In - Docker's default configuration, this is - effectively any other container on the same - system. - - Use "-e POSTGRES_PASSWORD=password" to set - it in "docker run". - **************************************************** - EOWARN - - authMethod=trust - fi + Use "-e POSTGRES_PASSWORD=password" to set + it in "docker run". + **************************************************** + EOWARN - { - echo - echo "host all all all $authMethod" - } >> "$PGDATA/pg_hba.conf" + fi +} - # internal start of server in order to allow set-up using psql-client - # does not listen on external TCP/IP and waits until start finishes - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "-c listen_addresses=''" \ - -w start +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions +docker_process_init_files() { + # psql here for backwards compatiblilty "${psql[@]}" + psql=( docker_process_sql ) - file_env 'POSTGRES_DB' "$POSTGRES_USER" + echo + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + echo "$0: running $f" + "$f" + else + echo "$0: sourcing $f" + . "$f" + fi + ;; + *.sql) echo "$0: running $f"; docker_process_sql -f "$f"; echo ;; + *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;; + *) echo "$0: ignoring $f" ;; + esac + echo + done +} - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password ) +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' +# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up or running scripts +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temp_server_start() { + if [ "$1" = 'postgres' ]; then + shift fi -fi + # internal start of server in order to allow setup using psql client + # does not listen on external TCP/IP and waits until start finishes (can be overridden via args) + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "-c listen_addresses='' $([ "$#" -gt 0 ] && printf '%q ' "$@")" \ + -w start +} + +# stop postgresql server after done setting up user and running scripts +docker_temp_server_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +_main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" + fi + + + if [ "$1" = 'postgres' ]; then + docker_setup_env + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + # then restart script as postgres user + exec gosu postgres "$BASH_SOURCE" "$@" + fi + + # only run initialization on an empty data directory + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + docker_init_database_dir + pg_setup_hba_conf + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD + + echo + echo 'PostgreSQL init process complete; ready for start up.' + echo + else + echo + echo 'PostgreSQL Database directory appears to contain a database; Skipping initialization' + echo + fi + fi + + exec "$@" +} -exec "$@" +if ! _is_sourced; then + _main "$@" +fi From 8fada98158d5d19b538f1b10b3ed56d08c998bf0 Mon Sep 17 00:00:00 2001 From: Joe Ferguson Date: Tue, 12 Nov 2019 15:48:44 -0800 Subject: [PATCH 7/7] Fixes from tianon's review --- 10/alpine/docker-entrypoint.sh | 13 ++++++------- 10/docker-entrypoint.sh | 13 ++++++------- 11/alpine/docker-entrypoint.sh | 13 ++++++------- 11/docker-entrypoint.sh | 13 ++++++------- 12/alpine/docker-entrypoint.sh | 13 ++++++------- 12/docker-entrypoint.sh | 13 ++++++------- 9.4/alpine/docker-entrypoint.sh | 13 ++++++------- 9.4/docker-entrypoint.sh | 13 ++++++------- 9.5/alpine/docker-entrypoint.sh | 13 ++++++------- 9.5/docker-entrypoint.sh | 13 ++++++------- 9.6/alpine/docker-entrypoint.sh | 13 ++++++------- 9.6/docker-entrypoint.sh | 13 ++++++------- docker-entrypoint.sh | 13 ++++++------- 13 files changed, 78 insertions(+), 91 deletions(-) diff --git a/10/alpine/docker-entrypoint.sh b/10/alpine/docker-entrypoint.sh index 764c33275f..857389d553 100755 --- a/10/alpine/docker-entrypoint.sh +++ b/10/alpine/docker-entrypoint.sh @@ -34,7 +34,7 @@ _is_sourced() { # used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user docker_create_db_directories() { - local user="$(id -u)" + local user; user="$(id -u)" mkdir -p "$PGDATA" chmod 700 "$PGDATA" @@ -46,7 +46,9 @@ docker_create_db_directories() { # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_WALDIR" ]; then mkdir -p "$POSTGRES_INITDB_WALDIR" - [ "$user" = '0' ] && find "$POSTGRES_INITDB_WALDIR" \! -user postgres - exec chown postgres '{}' + + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + + fi chmod 700 "$POSTGRES_INITDB_WALDIR" fi @@ -193,10 +195,8 @@ docker_setup_env() { # append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD pg_setup_hba_conf() { - local authMethod - if [ "$POSTGRES_PASSWORD" ]; then - authMethod='md5' - else + local authMethod='md5' + if [ -z "$POSTGRES_PASSWORD" ]; then authMethod='trust' fi @@ -232,7 +232,6 @@ _main() { set -- postgres "$@" fi - if [ "$1" = 'postgres' ]; then docker_setup_env # setup data directories and permissions (when run as root) diff --git a/10/docker-entrypoint.sh b/10/docker-entrypoint.sh index 75fcb02a07..02cb8e582a 100755 --- a/10/docker-entrypoint.sh +++ b/10/docker-entrypoint.sh @@ -34,7 +34,7 @@ _is_sourced() { # used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user docker_create_db_directories() { - local user="$(id -u)" + local user; user="$(id -u)" mkdir -p "$PGDATA" chmod 700 "$PGDATA" @@ -46,7 +46,9 @@ docker_create_db_directories() { # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_WALDIR" ]; then mkdir -p "$POSTGRES_INITDB_WALDIR" - [ "$user" = '0' ] && find "$POSTGRES_INITDB_WALDIR" \! -user postgres - exec chown postgres '{}' + + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + + fi chmod 700 "$POSTGRES_INITDB_WALDIR" fi @@ -193,10 +195,8 @@ docker_setup_env() { # append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD pg_setup_hba_conf() { - local authMethod - if [ "$POSTGRES_PASSWORD" ]; then - authMethod='md5' - else + local authMethod='md5' + if [ -z "$POSTGRES_PASSWORD" ]; then authMethod='trust' fi @@ -232,7 +232,6 @@ _main() { set -- postgres "$@" fi - if [ "$1" = 'postgres' ]; then docker_setup_env # setup data directories and permissions (when run as root) diff --git a/11/alpine/docker-entrypoint.sh b/11/alpine/docker-entrypoint.sh index 764c33275f..857389d553 100755 --- a/11/alpine/docker-entrypoint.sh +++ b/11/alpine/docker-entrypoint.sh @@ -34,7 +34,7 @@ _is_sourced() { # used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user docker_create_db_directories() { - local user="$(id -u)" + local user; user="$(id -u)" mkdir -p "$PGDATA" chmod 700 "$PGDATA" @@ -46,7 +46,9 @@ docker_create_db_directories() { # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_WALDIR" ]; then mkdir -p "$POSTGRES_INITDB_WALDIR" - [ "$user" = '0' ] && find "$POSTGRES_INITDB_WALDIR" \! -user postgres - exec chown postgres '{}' + + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + + fi chmod 700 "$POSTGRES_INITDB_WALDIR" fi @@ -193,10 +195,8 @@ docker_setup_env() { # append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD pg_setup_hba_conf() { - local authMethod - if [ "$POSTGRES_PASSWORD" ]; then - authMethod='md5' - else + local authMethod='md5' + if [ -z "$POSTGRES_PASSWORD" ]; then authMethod='trust' fi @@ -232,7 +232,6 @@ _main() { set -- postgres "$@" fi - if [ "$1" = 'postgres' ]; then docker_setup_env # setup data directories and permissions (when run as root) diff --git a/11/docker-entrypoint.sh b/11/docker-entrypoint.sh index 75fcb02a07..02cb8e582a 100755 --- a/11/docker-entrypoint.sh +++ b/11/docker-entrypoint.sh @@ -34,7 +34,7 @@ _is_sourced() { # used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user docker_create_db_directories() { - local user="$(id -u)" + local user; user="$(id -u)" mkdir -p "$PGDATA" chmod 700 "$PGDATA" @@ -46,7 +46,9 @@ docker_create_db_directories() { # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_WALDIR" ]; then mkdir -p "$POSTGRES_INITDB_WALDIR" - [ "$user" = '0' ] && find "$POSTGRES_INITDB_WALDIR" \! -user postgres - exec chown postgres '{}' + + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + + fi chmod 700 "$POSTGRES_INITDB_WALDIR" fi @@ -193,10 +195,8 @@ docker_setup_env() { # append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD pg_setup_hba_conf() { - local authMethod - if [ "$POSTGRES_PASSWORD" ]; then - authMethod='md5' - else + local authMethod='md5' + if [ -z "$POSTGRES_PASSWORD" ]; then authMethod='trust' fi @@ -232,7 +232,6 @@ _main() { set -- postgres "$@" fi - if [ "$1" = 'postgres' ]; then docker_setup_env # setup data directories and permissions (when run as root) diff --git a/12/alpine/docker-entrypoint.sh b/12/alpine/docker-entrypoint.sh index 764c33275f..857389d553 100755 --- a/12/alpine/docker-entrypoint.sh +++ b/12/alpine/docker-entrypoint.sh @@ -34,7 +34,7 @@ _is_sourced() { # used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user docker_create_db_directories() { - local user="$(id -u)" + local user; user="$(id -u)" mkdir -p "$PGDATA" chmod 700 "$PGDATA" @@ -46,7 +46,9 @@ docker_create_db_directories() { # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_WALDIR" ]; then mkdir -p "$POSTGRES_INITDB_WALDIR" - [ "$user" = '0' ] && find "$POSTGRES_INITDB_WALDIR" \! -user postgres - exec chown postgres '{}' + + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + + fi chmod 700 "$POSTGRES_INITDB_WALDIR" fi @@ -193,10 +195,8 @@ docker_setup_env() { # append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD pg_setup_hba_conf() { - local authMethod - if [ "$POSTGRES_PASSWORD" ]; then - authMethod='md5' - else + local authMethod='md5' + if [ -z "$POSTGRES_PASSWORD" ]; then authMethod='trust' fi @@ -232,7 +232,6 @@ _main() { set -- postgres "$@" fi - if [ "$1" = 'postgres' ]; then docker_setup_env # setup data directories and permissions (when run as root) diff --git a/12/docker-entrypoint.sh b/12/docker-entrypoint.sh index 75fcb02a07..02cb8e582a 100755 --- a/12/docker-entrypoint.sh +++ b/12/docker-entrypoint.sh @@ -34,7 +34,7 @@ _is_sourced() { # used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user docker_create_db_directories() { - local user="$(id -u)" + local user; user="$(id -u)" mkdir -p "$PGDATA" chmod 700 "$PGDATA" @@ -46,7 +46,9 @@ docker_create_db_directories() { # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_WALDIR" ]; then mkdir -p "$POSTGRES_INITDB_WALDIR" - [ "$user" = '0' ] && find "$POSTGRES_INITDB_WALDIR" \! -user postgres - exec chown postgres '{}' + + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + + fi chmod 700 "$POSTGRES_INITDB_WALDIR" fi @@ -193,10 +195,8 @@ docker_setup_env() { # append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD pg_setup_hba_conf() { - local authMethod - if [ "$POSTGRES_PASSWORD" ]; then - authMethod='md5' - else + local authMethod='md5' + if [ -z "$POSTGRES_PASSWORD" ]; then authMethod='trust' fi @@ -232,7 +232,6 @@ _main() { set -- postgres "$@" fi - if [ "$1" = 'postgres' ]; then docker_setup_env # setup data directories and permissions (when run as root) diff --git a/9.4/alpine/docker-entrypoint.sh b/9.4/alpine/docker-entrypoint.sh index fdce2ecdbb..45bb6e1f5e 100755 --- a/9.4/alpine/docker-entrypoint.sh +++ b/9.4/alpine/docker-entrypoint.sh @@ -34,7 +34,7 @@ _is_sourced() { # used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user docker_create_db_directories() { - local user="$(id -u)" + local user; user="$(id -u)" mkdir -p "$PGDATA" chmod 700 "$PGDATA" @@ -46,7 +46,9 @@ docker_create_db_directories() { # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_XLOGDIR" ]; then mkdir -p "$POSTGRES_INITDB_XLOGDIR" - [ "$user" = '0' ] && find "$POSTGRES_INITDB_XLOGDIR" \! -user postgres - exec chown postgres '{}' + + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_XLOGDIR" \! -user postgres -exec chown postgres '{}' + + fi chmod 700 "$POSTGRES_INITDB_XLOGDIR" fi @@ -193,10 +195,8 @@ docker_setup_env() { # append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD pg_setup_hba_conf() { - local authMethod - if [ "$POSTGRES_PASSWORD" ]; then - authMethod='md5' - else + local authMethod='md5' + if [ -z "$POSTGRES_PASSWORD" ]; then authMethod='trust' fi @@ -232,7 +232,6 @@ _main() { set -- postgres "$@" fi - if [ "$1" = 'postgres' ]; then docker_setup_env # setup data directories and permissions (when run as root) diff --git a/9.4/docker-entrypoint.sh b/9.4/docker-entrypoint.sh index e8051efe30..17b0a6878f 100755 --- a/9.4/docker-entrypoint.sh +++ b/9.4/docker-entrypoint.sh @@ -34,7 +34,7 @@ _is_sourced() { # used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user docker_create_db_directories() { - local user="$(id -u)" + local user; user="$(id -u)" mkdir -p "$PGDATA" chmod 700 "$PGDATA" @@ -46,7 +46,9 @@ docker_create_db_directories() { # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_XLOGDIR" ]; then mkdir -p "$POSTGRES_INITDB_XLOGDIR" - [ "$user" = '0' ] && find "$POSTGRES_INITDB_XLOGDIR" \! -user postgres - exec chown postgres '{}' + + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_XLOGDIR" \! -user postgres -exec chown postgres '{}' + + fi chmod 700 "$POSTGRES_INITDB_XLOGDIR" fi @@ -193,10 +195,8 @@ docker_setup_env() { # append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD pg_setup_hba_conf() { - local authMethod - if [ "$POSTGRES_PASSWORD" ]; then - authMethod='md5' - else + local authMethod='md5' + if [ -z "$POSTGRES_PASSWORD" ]; then authMethod='trust' fi @@ -232,7 +232,6 @@ _main() { set -- postgres "$@" fi - if [ "$1" = 'postgres' ]; then docker_setup_env # setup data directories and permissions (when run as root) diff --git a/9.5/alpine/docker-entrypoint.sh b/9.5/alpine/docker-entrypoint.sh index fdce2ecdbb..45bb6e1f5e 100755 --- a/9.5/alpine/docker-entrypoint.sh +++ b/9.5/alpine/docker-entrypoint.sh @@ -34,7 +34,7 @@ _is_sourced() { # used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user docker_create_db_directories() { - local user="$(id -u)" + local user; user="$(id -u)" mkdir -p "$PGDATA" chmod 700 "$PGDATA" @@ -46,7 +46,9 @@ docker_create_db_directories() { # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_XLOGDIR" ]; then mkdir -p "$POSTGRES_INITDB_XLOGDIR" - [ "$user" = '0' ] && find "$POSTGRES_INITDB_XLOGDIR" \! -user postgres - exec chown postgres '{}' + + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_XLOGDIR" \! -user postgres -exec chown postgres '{}' + + fi chmod 700 "$POSTGRES_INITDB_XLOGDIR" fi @@ -193,10 +195,8 @@ docker_setup_env() { # append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD pg_setup_hba_conf() { - local authMethod - if [ "$POSTGRES_PASSWORD" ]; then - authMethod='md5' - else + local authMethod='md5' + if [ -z "$POSTGRES_PASSWORD" ]; then authMethod='trust' fi @@ -232,7 +232,6 @@ _main() { set -- postgres "$@" fi - if [ "$1" = 'postgres' ]; then docker_setup_env # setup data directories and permissions (when run as root) diff --git a/9.5/docker-entrypoint.sh b/9.5/docker-entrypoint.sh index e8051efe30..17b0a6878f 100755 --- a/9.5/docker-entrypoint.sh +++ b/9.5/docker-entrypoint.sh @@ -34,7 +34,7 @@ _is_sourced() { # used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user docker_create_db_directories() { - local user="$(id -u)" + local user; user="$(id -u)" mkdir -p "$PGDATA" chmod 700 "$PGDATA" @@ -46,7 +46,9 @@ docker_create_db_directories() { # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_XLOGDIR" ]; then mkdir -p "$POSTGRES_INITDB_XLOGDIR" - [ "$user" = '0' ] && find "$POSTGRES_INITDB_XLOGDIR" \! -user postgres - exec chown postgres '{}' + + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_XLOGDIR" \! -user postgres -exec chown postgres '{}' + + fi chmod 700 "$POSTGRES_INITDB_XLOGDIR" fi @@ -193,10 +195,8 @@ docker_setup_env() { # append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD pg_setup_hba_conf() { - local authMethod - if [ "$POSTGRES_PASSWORD" ]; then - authMethod='md5' - else + local authMethod='md5' + if [ -z "$POSTGRES_PASSWORD" ]; then authMethod='trust' fi @@ -232,7 +232,6 @@ _main() { set -- postgres "$@" fi - if [ "$1" = 'postgres' ]; then docker_setup_env # setup data directories and permissions (when run as root) diff --git a/9.6/alpine/docker-entrypoint.sh b/9.6/alpine/docker-entrypoint.sh index fdce2ecdbb..45bb6e1f5e 100755 --- a/9.6/alpine/docker-entrypoint.sh +++ b/9.6/alpine/docker-entrypoint.sh @@ -34,7 +34,7 @@ _is_sourced() { # used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user docker_create_db_directories() { - local user="$(id -u)" + local user; user="$(id -u)" mkdir -p "$PGDATA" chmod 700 "$PGDATA" @@ -46,7 +46,9 @@ docker_create_db_directories() { # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_XLOGDIR" ]; then mkdir -p "$POSTGRES_INITDB_XLOGDIR" - [ "$user" = '0' ] && find "$POSTGRES_INITDB_XLOGDIR" \! -user postgres - exec chown postgres '{}' + + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_XLOGDIR" \! -user postgres -exec chown postgres '{}' + + fi chmod 700 "$POSTGRES_INITDB_XLOGDIR" fi @@ -193,10 +195,8 @@ docker_setup_env() { # append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD pg_setup_hba_conf() { - local authMethod - if [ "$POSTGRES_PASSWORD" ]; then - authMethod='md5' - else + local authMethod='md5' + if [ -z "$POSTGRES_PASSWORD" ]; then authMethod='trust' fi @@ -232,7 +232,6 @@ _main() { set -- postgres "$@" fi - if [ "$1" = 'postgres' ]; then docker_setup_env # setup data directories and permissions (when run as root) diff --git a/9.6/docker-entrypoint.sh b/9.6/docker-entrypoint.sh index e8051efe30..17b0a6878f 100755 --- a/9.6/docker-entrypoint.sh +++ b/9.6/docker-entrypoint.sh @@ -34,7 +34,7 @@ _is_sourced() { # used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user docker_create_db_directories() { - local user="$(id -u)" + local user; user="$(id -u)" mkdir -p "$PGDATA" chmod 700 "$PGDATA" @@ -46,7 +46,9 @@ docker_create_db_directories() { # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_XLOGDIR" ]; then mkdir -p "$POSTGRES_INITDB_XLOGDIR" - [ "$user" = '0' ] && find "$POSTGRES_INITDB_XLOGDIR" \! -user postgres - exec chown postgres '{}' + + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_XLOGDIR" \! -user postgres -exec chown postgres '{}' + + fi chmod 700 "$POSTGRES_INITDB_XLOGDIR" fi @@ -193,10 +195,8 @@ docker_setup_env() { # append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD pg_setup_hba_conf() { - local authMethod - if [ "$POSTGRES_PASSWORD" ]; then - authMethod='md5' - else + local authMethod='md5' + if [ -z "$POSTGRES_PASSWORD" ]; then authMethod='trust' fi @@ -232,7 +232,6 @@ _main() { set -- postgres "$@" fi - if [ "$1" = 'postgres' ]; then docker_setup_env # setup data directories and permissions (when run as root) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 75fcb02a07..02cb8e582a 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -34,7 +34,7 @@ _is_sourced() { # used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user docker_create_db_directories() { - local user="$(id -u)" + local user; user="$(id -u)" mkdir -p "$PGDATA" chmod 700 "$PGDATA" @@ -46,7 +46,9 @@ docker_create_db_directories() { # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_WALDIR" ]; then mkdir -p "$POSTGRES_INITDB_WALDIR" - [ "$user" = '0' ] && find "$POSTGRES_INITDB_WALDIR" \! -user postgres - exec chown postgres '{}' + + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + + fi chmod 700 "$POSTGRES_INITDB_WALDIR" fi @@ -193,10 +195,8 @@ docker_setup_env() { # append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD pg_setup_hba_conf() { - local authMethod - if [ "$POSTGRES_PASSWORD" ]; then - authMethod='md5' - else + local authMethod='md5' + if [ -z "$POSTGRES_PASSWORD" ]; then authMethod='trust' fi @@ -232,7 +232,6 @@ _main() { set -- postgres "$@" fi - if [ "$1" = 'postgres' ]; then docker_setup_env # setup data directories and permissions (when run as root)