diff --git a/.gitattributes b/.gitattributes
index 14a112269e..4d1ee06a43 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,3 +1,4 @@
-/*/**/Dockerfile linguist-generated
-/*/**/docker-entrypoint.sh linguist-generated
-/Dockerfile*.template linguist-language=Dockerfile
+/*/**/Dockerfile linguist-generated
+/*/**/docker-ensure-initdb.sh linguist-generated
+/*/**/docker-entrypoint.sh linguist-generated
+/Dockerfile*.template linguist-language=Dockerfile
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7bc4fdff0b..ccc7fd8955 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -5,6 +5,7 @@ on:
push:
schedule:
- cron: 0 0 * * 0
+ workflow_dispatch:
defaults:
run:
@@ -18,7 +19,7 @@ jobs:
outputs:
strategy: ${{ steps.generate-jobs.outputs.strategy }}
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
- uses: docker-library/bashbrew@HEAD
- id: generate-jobs
name: Generate Jobs
@@ -34,7 +35,7 @@ jobs:
name: ${{ matrix.name }}
runs-on: ${{ matrix.os }}
steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
- name: Prepare Environment
run: ${{ matrix.runs.prepare }}
- name: Pull Dependencies
diff --git a/.github/workflows/verify-templating.yml b/.github/workflows/verify-templating.yml
index 14497bec68..e822ba6bb9 100644
--- a/.github/workflows/verify-templating.yml
+++ b/.github/workflows/verify-templating.yml
@@ -3,6 +3,7 @@ name: Verify Templating
on:
pull_request:
push:
+ workflow_dispatch:
defaults:
run:
@@ -13,10 +14,6 @@ jobs:
name: Check For Uncomitted Changes
runs-on: ubuntu-latest
steps:
- - uses: actions/checkout@v3
- - name: Apply Templates
- run: ./apply-templates.sh
- - name: Check Git Status
- run: |
- status="$(git status --short)"
- [ -z "$status" ]
+ - uses: actions/checkout@v4
+ - run: ./apply-templates.sh
+ - run: git diff --exit-code
diff --git a/13/alpine/docker-entrypoint.sh b/13/alpine/docker-entrypoint.sh
deleted file mode 100755
index a383a36487..0000000000
--- a/13/alpine/docker-entrypoint.sh
+++ /dev/null
@@ -1,351 +0,0 @@
-#!/usr/bin/env bash
-set -Eeo pipefail
-# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
-
-# usage: file_env VAR [DEFAULT]
-# ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
- local var="$1"
- local fileVar="${var}_FILE"
- local def="${2:-}"
- if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
- printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
- exit 1
- fi
- local val="$def"
- if [ "${!var:-}" ]; then
- val="${!var}"
- elif [ "${!fileVar:-}" ]; then
- val="$(< "${!fileVar}")"
- fi
- export "$var"="$val"
- unset "$fileVar"
-}
-
-# check to see if this file is being run or sourced from another script
-_is_sourced() {
- # https://unix.stackexchange.com/a/215279
- [ "${#FUNCNAME[@]}" -ge 2 ] \
- && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
- && [ "${FUNCNAME[1]}" = 'source' ]
-}
-
-# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
-docker_create_db_directories() {
- local user; user="$(id -u)"
-
- mkdir -p "$PGDATA"
- # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
- chmod 00700 "$PGDATA" || :
-
- # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
- mkdir -p /var/run/postgresql || :
- chmod 03775 /var/run/postgresql || :
-
- # Create the transaction log directory before initdb is run so the directory is owned by the correct user
- if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
- mkdir -p "$POSTGRES_INITDB_WALDIR"
- if [ "$user" = '0' ]; then
- find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
- fi
- chmod 700 "$POSTGRES_INITDB_WALDIR"
- fi
-
- # allow the container to be started with `--user`
- if [ "$user" = '0' ]; then
- find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
- find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
- fi
-}
-
-# initialize empty PGDATA directory with new database via 'initdb'
-# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
-# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
-# this is also where the database user is created, specified by `POSTGRES_USER` env
-docker_init_database_dir() {
- # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
- # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
- local uid; uid="$(id -u)"
- if ! getent passwd "$uid" &> /dev/null; then
- # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
- local wrapper
- for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
- if [ -s "$wrapper" ]; then
- NSS_WRAPPER_PASSWD="$(mktemp)"
- NSS_WRAPPER_GROUP="$(mktemp)"
- export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
- local gid; gid="$(id -g)"
- printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
- printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
- break
- fi
- done
- fi
-
- if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
- set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
- fi
-
- # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
- eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
-
- # unset/cleanup "nss_wrapper" bits
- if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
- rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
- unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
- fi
-}
-
-# print large warning if POSTGRES_PASSWORD is long
-# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
-# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
-# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
-docker_verify_minimum_env() {
- # check password first so we can output the warning before postgres
- # messes it up
- if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
- cat >&2 <<-'EOWARN'
-
- WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
- This will not work if used via PGPASSWORD with "psql".
-
- https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
- https://github.com/docker-library/postgres/issues/507
-
- EOWARN
- fi
- if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
- # The - option suppresses leading tabs but *not* spaces. :)
- cat >&2 <<-'EOE'
- Error: Database is uninitialized and superuser password is not specified.
- You must specify POSTGRES_PASSWORD to a non-empty value for the
- superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
-
- You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
- connections without a password. This is *not* recommended.
-
- See PostgreSQL documentation about "trust":
- https://www.postgresql.org/docs/current/auth-trust.html
- EOE
- exit 1
- fi
- if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
- cat >&2 <<-'EOWARN'
- ********************************************************************************
- WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
- anyone with access to the Postgres port to access your database without
- a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
- documentation about "trust":
- https://www.postgresql.org/docs/current/auth-trust.html
- In Docker's default configuration, this is effectively any other
- container on the same system.
-
- It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
- it with "-e POSTGRES_PASSWORD=password" instead to set a password in
- "docker run".
- ********************************************************************************
- EOWARN
- fi
-}
-
-# usage: docker_process_init_files [file [file [...]]]
-# ie: docker_process_init_files /always-initdb.d/*
-# process initializer files, based on file extensions and permissions
-docker_process_init_files() {
- # psql here for backwards compatibility "${psql[@]}"
- psql=( docker_process_sql )
-
- printf '\n'
- local f
- for f; do
- case "$f" in
- *.sh)
- # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
- # https://github.com/docker-library/postgres/pull/452
- if [ -x "$f" ]; then
- printf '%s: running %s\n' "$0" "$f"
- "$f"
- else
- printf '%s: sourcing %s\n' "$0" "$f"
- . "$f"
- fi
- ;;
- *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
- *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
- *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
- *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
- *) printf '%s: ignoring %s\n' "$0" "$f" ;;
- esac
- printf '\n'
- done
-}
-
-# Execute sql script, passed via stdin (or -f flag of pqsl)
-# usage: docker_process_sql [psql-cli-args]
-# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
-# ie: docker_process_sql -f my-file.sql
-# ie: docker_process_sql <my-file.sql
-docker_process_sql() {
- local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
- if [ -n "$POSTGRES_DB" ]; then
- query_runner+=( --dbname "$POSTGRES_DB" )
- fi
-
- PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
-}
-
-# create initial database
-# uses environment variables for input: POSTGRES_DB
-docker_setup_db() {
- local dbAlreadyExists
- dbAlreadyExists="$(
- POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
- SELECT 1 FROM pg_database WHERE datname = :'db' ;
- EOSQL
- )"
- if [ -z "$dbAlreadyExists" ]; then
- POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
- CREATE DATABASE :"db" ;
- EOSQL
- printf '\n'
- fi
-}
-
-# Loads various settings that are used elsewhere in the script
-# This should be called before any other functions
-docker_setup_env() {
- file_env 'POSTGRES_PASSWORD'
-
- file_env 'POSTGRES_USER' 'postgres'
- file_env 'POSTGRES_DB' "$POSTGRES_USER"
- file_env 'POSTGRES_INITDB_ARGS'
- : "${POSTGRES_HOST_AUTH_METHOD:=}"
-
- declare -g DATABASE_ALREADY_EXISTS
- # look specifically for PG_VERSION, as it is expected in the DB dir
- if [ -s "$PGDATA/PG_VERSION" ]; then
- DATABASE_ALREADY_EXISTS='true'
- fi
-}
-
-# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
-# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
-pg_setup_hba_conf() {
- # default authentication method is md5 on versions before 14
- # https://www.postgresql.org/about/news/postgresql-14-released-2318/
- if [ "$1" = 'postgres' ]; then
- shift
- fi
- local auth
- # check the default/configured encryption and use that as the auth method
- auth="$(postgres -C password_encryption "$@")"
- : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
- {
- printf '\n'
- if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
- printf '# warning trust is enabled for all connections\n'
- printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n'
- fi
- printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
- } >> "$PGDATA/pg_hba.conf"
-}
-
-# start socket-only postgresql server for setting up or running scripts
-# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
-docker_temp_server_start() {
- if [ "$1" = 'postgres' ]; then
- shift
- fi
-
- # internal start of server in order to allow setup using psql client
- # does not listen on external TCP/IP and waits until start finishes
- set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
-
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" \
- -o "$(printf '%q ' "$@")" \
- -w start
-}
-
-# stop postgresql server after done setting up user and running scripts
-docker_temp_server_stop() {
- PGUSER="${PGUSER:-postgres}" \
- pg_ctl -D "$PGDATA" -m fast -w stop
-}
-
-# check arguments for an option that would cause postgres to stop
-# return true if there is one
-_pg_want_help() {
- local arg
- for arg; do
- case "$arg" in
- # postgres --help | grep 'then exit'
- # leaving out -C on purpose since it always fails and is unhelpful:
- # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
- -'?'|--help|--describe-config|-V|--version)
- return 0
- ;;
- esac
- done
- return 1
-}
-
-_main() {
- # if first arg looks like a flag, assume we want to run postgres server
- if [ "${1:0:1}" = '-' ]; then
- set -- postgres "$@"
- fi
-
- if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
- docker_setup_env
- # setup data directories and permissions (when run as root)
- docker_create_db_directories
- if [ "$(id -u)" = '0' ]; then
- # then restart script as postgres user
- exec su-exec postgres "$BASH_SOURCE" "$@"
- fi
-
- # only run initialization on an empty data directory
- if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
- docker_verify_minimum_env
-
- # check dir permissions to reduce likelihood of half-initialized database
- ls /docker-entrypoint-initdb.d/ > /dev/null
-
- docker_init_database_dir
- pg_setup_hba_conf "$@"
-
- # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
- # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
- export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
- docker_temp_server_start "$@"
-
- docker_setup_db
- docker_process_init_files /docker-entrypoint-initdb.d/*
-
- docker_temp_server_stop
- unset PGPASSWORD
-
- cat <<-'EOM'
-
- PostgreSQL init process complete; ready for start up.
-
- EOM
- else
- cat <<-'EOM'
-
- PostgreSQL Database directory appears to contain a database; Skipping initialization
-
- EOM
- fi
- fi
-
- exec "$@"
-}
-
-if ! _is_sourced; then
- _main "$@"
-fi
diff --git a/13/alpine/Dockerfile b/13/alpine3.21/Dockerfile
similarity index 63%
rename from 13/alpine/Dockerfile
rename to 13/alpine3.21/Dockerfile
index 4cd84cdc74..c79dfd0bb7 100644
--- a/13/alpine/Dockerfile
+++ b/13/alpine3.21/Dockerfile
@@ -4,17 +4,47 @@
# PLEASE DO NOT EDIT IT DIRECTLY.
#
-FROM alpine:3.17
+FROM alpine:3.21
# 70 is the standard uid/gid for "postgres" in Alpine
-# https://git.alpinelinux.org/aports/tree/main/postgresql/postgresql.pre-install?h=3.12-stable
+# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable
RUN set -eux; \
addgroup -g 70 -S postgres; \
adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
- mkdir -p /var/lib/postgresql; \
- chown -R postgres:postgres /var/lib/postgresql
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
-# su-exec (gosu-compatible) is installed further down
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ \
+ apk add --no-cache --virtual .gosu-deps \
+ ca-certificates \
+ dpkg \
+ gnupg \
+ ; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ \
+# verify the signature
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ \
+# clean up fetch dependencies
+ apk del --no-network .gosu-deps; \
+ \
+ chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+ gosu --version; \
+ gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
# alpine doesn't require explicit locale-file generation
@@ -23,8 +53,12 @@ ENV LANG en_US.utf8
RUN mkdir /docker-entrypoint-initdb.d
ENV PG_MAJOR 13
-ENV PG_VERSION 13.10
-ENV PG_SHA256 5bbcf5a56d85c44f3a8b058fb46862ff49cbc91834d07e295d02e6de3c216df2
+ENV PG_VERSION 13.21
+ENV PG_SHA256 dcda1294df45f033b0656cf7a8e4afbbc624c25e1b144aec79530f74d7ef4ab4
+
+ENV DOCKER_PG_LLVM_DEPS \
+ llvm19-dev \
+ clang19
RUN set -eux; \
\
@@ -40,10 +74,12 @@ RUN set -eux; \
rm postgresql.tar.bz2; \
\
apk add --no-cache --virtual .build-deps \
+ $DOCKER_PG_LLVM_DEPS \
bison \
coreutils \
dpkg-dev dpkg \
flex \
+ g++ \
gcc \
krb5-dev \
libc-dev \
@@ -51,7 +87,6 @@ RUN set -eux; \
libxml2-dev \
libxslt-dev \
linux-headers \
- llvm-dev clang g++ \
make \
openldap-dev \
openssl-dev \
@@ -73,12 +108,16 @@ RUN set -eux; \
grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
-# explicitly update autoconf config.guess and config.sub so they support more arches/libcs
- wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb'; \
- wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb'; \
+ \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG")
+ export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
+ export CLANG=clang-19; \
+ \
# configure options taken from:
# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
./configure \
+ --enable-option-checking=fatal \
--build="$gnuArch" \
# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
# --enable-nls \
@@ -95,7 +134,6 @@ RUN set -eux; \
--prefix=/usr/local \
--with-includes=/usr/local/include \
--with-libraries=/usr/local/lib \
- --with-krb5 \
--with-gssapi \
--with-ldap \
--with-tcl \
@@ -108,8 +146,8 @@ RUN set -eux; \
--with-icu \
--with-llvm \
; \
- make -j "$(nproc)" world; \
- make install-world; \
+ make -j "$(nproc)" world-bin; \
+ make install-world-bin; \
make -C contrib install; \
\
runDeps="$( \
@@ -124,13 +162,11 @@ RUN set -eux; \
apk add --no-cache --virtual .postgresql-rundeps \
$runDeps \
bash \
- su-exec \
tzdata \
zstd \
# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
icu-data-full \
-# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le"
-# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663
+# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults")
$([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
; \
apk del --no-network .build-deps; \
@@ -149,31 +185,26 @@ RUN set -eux; \
sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
-RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 3777 /var/run/postgresql
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
ENV PGDATA /var/lib/postgresql/data
-# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 1777 "$PGDATA"
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
VOLUME /var/lib/postgresql/data
-COPY docker-entrypoint.sh /usr/local/bin/
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
ENTRYPOINT ["docker-entrypoint.sh"]
# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
# calls "Fast Shutdown mode" wherein new connections are disallowed and any
# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
-# flush tables to disk, which is the best compromise available to avoid data
-# corruption.
-#
-# Users who know their applications do not keep open long-lived idle connections
-# may way to use a value of SIGTERM instead, which corresponds to "Smart
-# Shutdown mode" in which any existing sessions are allowed to finish and the
-# server stops when all sessions are terminated.
+# flush tables to disk.
#
-# See https://www.postgresql.org/docs/12/server-shutdown.html for more details
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
# about available PostgreSQL server shutdown signals.
#
-# See also https://www.postgresql.org/docs/12/server-start.html for further
+# See also https://www.postgresql.org/docs/current/server-start.html for further
# justification of this as the default value, namely that the example (and
# shipped) systemd service files use the "Fast Shutdown mode" for service
# termination.
@@ -183,10 +214,10 @@ STOPSIGNAL SIGINT
# An additional setting that is recommended for all users regardless of this
# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
# equivalent) for controlling how long to wait between sending the defined
-# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption).
+# STOPSIGNAL and sending SIGKILL.
#
# The default in most runtimes (such as Docker) is 10 seconds, and the
-# documentation at https://www.postgresql.org/docs/12/server-start.html notes
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
# that even 90 seconds may not be long enough in many instances.
EXPOSE 5432
diff --git a/13/alpine3.21/docker-ensure-initdb.sh b/13/alpine3.21/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/13/alpine3.21/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/12/bullseye/docker-entrypoint.sh b/13/alpine3.21/docker-entrypoint.sh
similarity index 84%
rename from 12/bullseye/docker-entrypoint.sh
rename to 13/alpine3.21/docker-entrypoint.sh
index 0ae0ecf8c2..5a62870b50 100755
--- a/12/bullseye/docker-entrypoint.sh
+++ b/13/alpine3.21/docker-entrypoint.sh
@@ -103,20 +103,24 @@ docker_init_database_dir() {
# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
- # check password first so we can output the warning before postgres
- # messes it up
- if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
- cat >&2 <<-'EOWARN'
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
- WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
- This will not work if used via PGPASSWORD with "psql".
+ This will not work if used via PGPASSWORD with "psql".
- https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
- https://github.com/docker-library/postgres/issues/507
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
- EOWARN
- fi
+ EOWARN
+ fi
+ ;;
+ esac
if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
cat >&2 <<-'EOE'
@@ -150,6 +154,29 @@ docker_verify_minimum_env() {
EOWARN
fi
}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
# usage: docker_process_init_files [file [file [...]]]
# ie: docker_process_init_files /always-initdb.d/*
@@ -225,9 +252,18 @@ docker_setup_env() {
: "${POSTGRES_HOST_AUTH_METHOD:=}"
declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
# look specifically for PG_VERSION, as it is expected in the DB dir
if [ -s "$PGDATA/PG_VERSION" ]; then
DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
fi
}
@@ -247,7 +283,7 @@ pg_setup_hba_conf() {
printf '\n'
if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
printf '# warning trust is enabled for all connections\n'
- printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
fi
printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
@@ -264,6 +300,9 @@ docker_temp_server_start() {
# does not listen on external TCP/IP and waits until start finishes
set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
PGUSER="${PGUSER:-$POSTGRES_USER}" \
pg_ctl -D "$PGDATA" \
-o "$(printf '%q ' "$@")" \
@@ -311,6 +350,7 @@ _main() {
# only run initialization on an empty data directory
if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
docker_verify_minimum_env
+ docker_error_old_databases
# check dir permissions to reduce likelihood of half-initialized database
ls /docker-entrypoint-initdb.d/ > /dev/null
diff --git a/11/alpine/Dockerfile b/13/alpine3.22/Dockerfile
similarity index 62%
rename from 11/alpine/Dockerfile
rename to 13/alpine3.22/Dockerfile
index 51c03ad1ed..ece37e9796 100644
--- a/11/alpine/Dockerfile
+++ b/13/alpine3.22/Dockerfile
@@ -4,17 +4,47 @@
# PLEASE DO NOT EDIT IT DIRECTLY.
#
-FROM alpine:3.17
+FROM alpine:3.22
# 70 is the standard uid/gid for "postgres" in Alpine
-# https://git.alpinelinux.org/aports/tree/main/postgresql/postgresql.pre-install?h=3.12-stable
+# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable
RUN set -eux; \
addgroup -g 70 -S postgres; \
adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
- mkdir -p /var/lib/postgresql; \
- chown -R postgres:postgres /var/lib/postgresql
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
-# su-exec (gosu-compatible) is installed further down
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ \
+ apk add --no-cache --virtual .gosu-deps \
+ ca-certificates \
+ dpkg \
+ gnupg \
+ ; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ \
+# verify the signature
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ \
+# clean up fetch dependencies
+ apk del --no-network .gosu-deps; \
+ \
+ chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+ gosu --version; \
+ gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
# alpine doesn't require explicit locale-file generation
@@ -22,9 +52,13 @@ ENV LANG en_US.utf8
RUN mkdir /docker-entrypoint-initdb.d
-ENV PG_MAJOR 11
-ENV PG_VERSION 11.19
-ENV PG_SHA256 13109e2b71f1139405c27201da3733a61ace72ee1c228d9c9f0320e06aee14c2
+ENV PG_MAJOR 13
+ENV PG_VERSION 13.21
+ENV PG_SHA256 dcda1294df45f033b0656cf7a8e4afbbc624c25e1b144aec79530f74d7ef4ab4
+
+ENV DOCKER_PG_LLVM_DEPS \
+ llvm19-dev \
+ clang19
RUN set -eux; \
\
@@ -40,10 +74,12 @@ RUN set -eux; \
rm postgresql.tar.bz2; \
\
apk add --no-cache --virtual .build-deps \
+ $DOCKER_PG_LLVM_DEPS \
bison \
coreutils \
dpkg-dev dpkg \
flex \
+ g++ \
gcc \
krb5-dev \
libc-dev \
@@ -51,7 +87,6 @@ RUN set -eux; \
libxml2-dev \
libxslt-dev \
linux-headers \
- llvm-dev clang g++ \
make \
openldap-dev \
openssl-dev \
@@ -73,12 +108,16 @@ RUN set -eux; \
grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
-# explicitly update autoconf config.guess and config.sub so they support more arches/libcs
- wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb'; \
- wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb'; \
+ \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG")
+ export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
+ export CLANG=clang-19; \
+ \
# configure options taken from:
# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
./configure \
+ --enable-option-checking=fatal \
--build="$gnuArch" \
# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
# --enable-nls \
@@ -95,7 +134,6 @@ RUN set -eux; \
--prefix=/usr/local \
--with-includes=/usr/local/include \
--with-libraries=/usr/local/lib \
- --with-krb5 \
--with-gssapi \
--with-ldap \
--with-tcl \
@@ -108,8 +146,8 @@ RUN set -eux; \
--with-icu \
--with-llvm \
; \
- make -j "$(nproc)" world; \
- make install-world; \
+ make -j "$(nproc)" world-bin; \
+ make install-world-bin; \
make -C contrib install; \
\
runDeps="$( \
@@ -124,13 +162,11 @@ RUN set -eux; \
apk add --no-cache --virtual .postgresql-rundeps \
$runDeps \
bash \
- su-exec \
tzdata \
zstd \
# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
icu-data-full \
-# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le"
-# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663
+# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults")
$([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
; \
apk del --no-network .build-deps; \
@@ -149,31 +185,26 @@ RUN set -eux; \
sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
-RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 3777 /var/run/postgresql
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
ENV PGDATA /var/lib/postgresql/data
-# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 1777 "$PGDATA"
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
VOLUME /var/lib/postgresql/data
-COPY docker-entrypoint.sh /usr/local/bin/
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
ENTRYPOINT ["docker-entrypoint.sh"]
# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
# calls "Fast Shutdown mode" wherein new connections are disallowed and any
# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
-# flush tables to disk, which is the best compromise available to avoid data
-# corruption.
-#
-# Users who know their applications do not keep open long-lived idle connections
-# may way to use a value of SIGTERM instead, which corresponds to "Smart
-# Shutdown mode" in which any existing sessions are allowed to finish and the
-# server stops when all sessions are terminated.
+# flush tables to disk.
#
-# See https://www.postgresql.org/docs/12/server-shutdown.html for more details
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
# about available PostgreSQL server shutdown signals.
#
-# See also https://www.postgresql.org/docs/12/server-start.html for further
+# See also https://www.postgresql.org/docs/current/server-start.html for further
# justification of this as the default value, namely that the example (and
# shipped) systemd service files use the "Fast Shutdown mode" for service
# termination.
@@ -183,10 +214,10 @@ STOPSIGNAL SIGINT
# An additional setting that is recommended for all users regardless of this
# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
# equivalent) for controlling how long to wait between sending the defined
-# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption).
+# STOPSIGNAL and sending SIGKILL.
#
# The default in most runtimes (such as Docker) is 10 seconds, and the
-# documentation at https://www.postgresql.org/docs/12/server-start.html notes
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
# that even 90 seconds may not be long enough in many instances.
EXPOSE 5432
diff --git a/13/alpine3.22/docker-ensure-initdb.sh b/13/alpine3.22/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/13/alpine3.22/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/11/bullseye/docker-entrypoint.sh b/13/alpine3.22/docker-entrypoint.sh
similarity index 84%
rename from 11/bullseye/docker-entrypoint.sh
rename to 13/alpine3.22/docker-entrypoint.sh
index 0ae0ecf8c2..5a62870b50 100755
--- a/11/bullseye/docker-entrypoint.sh
+++ b/13/alpine3.22/docker-entrypoint.sh
@@ -103,20 +103,24 @@ docker_init_database_dir() {
# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
- # check password first so we can output the warning before postgres
- # messes it up
- if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
- cat >&2 <<-'EOWARN'
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
- WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
- This will not work if used via PGPASSWORD with "psql".
+ This will not work if used via PGPASSWORD with "psql".
- https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
- https://github.com/docker-library/postgres/issues/507
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
- EOWARN
- fi
+ EOWARN
+ fi
+ ;;
+ esac
if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
cat >&2 <<-'EOE'
@@ -150,6 +154,29 @@ docker_verify_minimum_env() {
EOWARN
fi
}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
# usage: docker_process_init_files [file [file [...]]]
# ie: docker_process_init_files /always-initdb.d/*
@@ -225,9 +252,18 @@ docker_setup_env() {
: "${POSTGRES_HOST_AUTH_METHOD:=}"
declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
# look specifically for PG_VERSION, as it is expected in the DB dir
if [ -s "$PGDATA/PG_VERSION" ]; then
DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
fi
}
@@ -247,7 +283,7 @@ pg_setup_hba_conf() {
printf '\n'
if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
printf '# warning trust is enabled for all connections\n'
- printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
fi
printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
@@ -264,6 +300,9 @@ docker_temp_server_start() {
# does not listen on external TCP/IP and waits until start finishes
set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
PGUSER="${PGUSER:-$POSTGRES_USER}" \
pg_ctl -D "$PGDATA" \
-o "$(printf '%q ' "$@")" \
@@ -311,6 +350,7 @@ _main() {
# only run initialization on an empty data directory
if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
docker_verify_minimum_env
+ docker_error_old_databases
# check dir permissions to reduce likelihood of half-initialized database
ls /docker-entrypoint-initdb.d/ > /dev/null
diff --git a/13/bookworm/Dockerfile b/13/bookworm/Dockerfile
new file mode 100644
index 0000000000..721ad94d09
--- /dev/null
+++ b/13/bookworm/Dockerfile
@@ -0,0 +1,220 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM debian:bookworm-slim
+
+# explicitly set user/group IDs
+RUN set -eux; \
+ groupadd -r postgres --gid=999; \
+# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
+ useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ gnupg \
+# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
+# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
+# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
+ less \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ savedAptMark="$(apt-mark showmanual)"; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends ca-certificates wget; \
+ rm -rf /var/lib/apt/lists/*; \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ apt-mark auto '.*' > /dev/null; \
+ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+ chmod +x /usr/local/bin/gosu; \
+ gosu --version; \
+ gosu nobody true
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+RUN set -eux; \
+ if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
+# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
+ grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
+ ! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ fi; \
+ apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
+ echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
+ locale-gen; \
+ locale -a | grep 'en_US.utf8'
+ENV LANG en_US.utf8
+
+RUN set -eux; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ libnss-wrapper \
+ xz-utils \
+ zstd \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+RUN set -ex; \
+# pub 4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
+# Key fingerprint = B97B 0AFC AA1A 47F0 44F2 44A0 7FCC 7D46 ACCC 4CF8
+# uid PostgreSQL Debian Repository
+ key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ mkdir -p /usr/local/share/keyrings/; \
+ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
+ gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME"
+
+ENV PG_MAJOR 13
+ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
+
+ENV PG_VERSION 13.21-1.pgdg120+1
+
+RUN set -ex; \
+ \
+# see note below about "*.pyc" files
+ export PYTHONDONTWRITEBYTECODE=1; \
+ \
+ dpkgArch="$(dpkg --print-architecture)"; \
+ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main $PG_MAJOR"; \
+ case "$dpkgArch" in \
+ amd64 | arm64 | ppc64el) \
+# arches officialy built by upstream
+ echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ apt-get update; \
+ ;; \
+ *) \
+# we're on an architecture upstream doesn't officially build for
+# let's build binaries from their published source packages
+ echo "deb-src $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ \
+ savedAptMark="$(apt-mark showmanual)"; \
+ \
+ tempDir="$(mktemp -d)"; \
+ cd "$tempDir"; \
+ \
+# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
+ apt-get update; \
+ apt-get install -y --no-install-recommends dpkg-dev; \
+ echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
+ _update_repo() { \
+ dpkg-scanpackages . > Packages; \
+# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
+# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+# ...
+# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+ apt-get -o Acquire::GzipIndexes=false update; \
+ }; \
+ _update_repo; \
+ \
+# build .deb files from upstream's source packages (which are verified by apt-get)
+ nproc="$(nproc)"; \
+ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
+# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9
+ apt-get build-dep -y postgresql-common-dev; \
+ apt-get source --compile postgresql-common-dev; \
+ _update_repo; \
+# we need DEBIAN_FRONTEND on postgresql-13 for slapd ("Please enter the password for the admin entry in your LDAP directory."); see https://bugs.debian.org/929417
+ DEBIAN_FRONTEND=noninteractive \
+ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ \
+# we don't remove APT lists here because they get re-downloaded and removed later
+ \
+# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
+ apt-mark showmanual | xargs apt-mark auto > /dev/null; \
+ apt-mark manual $savedAptMark; \
+ \
+ ls -lAFh; \
+ _update_repo; \
+ grep '^Package: ' Packages; \
+ cd /; \
+ ;; \
+ esac; \
+ \
+ apt-get install -y --no-install-recommends postgresql-common; \
+ sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
+ apt-get install -y --no-install-recommends \
+ "postgresql-$PG_MAJOR=$PG_VERSION" \
+ ; \
+ \
+ rm -rf /var/lib/apt/lists/*; \
+ \
+ if [ -n "$tempDir" ]; then \
+# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
+ apt-get purge -y --auto-remove; \
+ rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
+ fi; \
+ \
+# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
+ find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
+ cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
+ ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/13/bookworm/docker-ensure-initdb.sh b/13/bookworm/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/13/bookworm/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/12/alpine/docker-entrypoint.sh b/13/bookworm/docker-entrypoint.sh
similarity index 84%
rename from 12/alpine/docker-entrypoint.sh
rename to 13/bookworm/docker-entrypoint.sh
index a383a36487..5a62870b50 100755
--- a/12/alpine/docker-entrypoint.sh
+++ b/13/bookworm/docker-entrypoint.sh
@@ -103,20 +103,24 @@ docker_init_database_dir() {
# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
- # check password first so we can output the warning before postgres
- # messes it up
- if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
- cat >&2 <<-'EOWARN'
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
- WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
- This will not work if used via PGPASSWORD with "psql".
+ This will not work if used via PGPASSWORD with "psql".
- https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
- https://github.com/docker-library/postgres/issues/507
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
- EOWARN
- fi
+ EOWARN
+ fi
+ ;;
+ esac
if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
cat >&2 <<-'EOE'
@@ -150,6 +154,29 @@ docker_verify_minimum_env() {
EOWARN
fi
}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
# usage: docker_process_init_files [file [file [...]]]
# ie: docker_process_init_files /always-initdb.d/*
@@ -225,9 +252,18 @@ docker_setup_env() {
: "${POSTGRES_HOST_AUTH_METHOD:=}"
declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
# look specifically for PG_VERSION, as it is expected in the DB dir
if [ -s "$PGDATA/PG_VERSION" ]; then
DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
fi
}
@@ -247,7 +283,7 @@ pg_setup_hba_conf() {
printf '\n'
if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
printf '# warning trust is enabled for all connections\n'
- printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
fi
printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
@@ -264,6 +300,9 @@ docker_temp_server_start() {
# does not listen on external TCP/IP and waits until start finishes
set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
PGUSER="${PGUSER:-$POSTGRES_USER}" \
pg_ctl -D "$PGDATA" \
-o "$(printf '%q ' "$@")" \
@@ -305,12 +344,13 @@ _main() {
docker_create_db_directories
if [ "$(id -u)" = '0' ]; then
# then restart script as postgres user
- exec su-exec postgres "$BASH_SOURCE" "$@"
+ exec gosu postgres "$BASH_SOURCE" "$@"
fi
# only run initialization on an empty data directory
if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
docker_verify_minimum_env
+ docker_error_old_databases
# check dir permissions to reduce likelihood of half-initialized database
ls /docker-entrypoint-initdb.d/ > /dev/null
diff --git a/13/bullseye/Dockerfile b/13/bullseye/Dockerfile
index 733f6dde47..b914b71ff0 100644
--- a/13/bullseye/Dockerfile
+++ b/13/bullseye/Dockerfile
@@ -6,16 +6,6 @@
FROM debian:bullseye-slim
-RUN set -ex; \
- if ! command -v gpg > /dev/null; then \
- apt-get update; \
- apt-get install -y --no-install-recommends \
- gnupg \
- dirmngr \
- ; \
- rm -rf /var/lib/apt/lists/*; \
- fi
-
# explicitly set user/group IDs
RUN set -eux; \
groupadd -r postgres --gid=999; \
@@ -23,12 +13,22 @@ RUN set -eux; \
useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
# also create the postgres user's home directory with appropriate permissions
# see https://github.com/docker-library/postgres/issues/274
- mkdir -p /var/lib/postgresql; \
- chown -R postgres:postgres /var/lib/postgresql
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ gnupg \
+# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
+# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
+# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
+ less \
+ ; \
+ rm -rf /var/lib/apt/lists/*
# grab gosu for easy step-down from root
# https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.16
+ENV GOSU_VERSION 1.17
RUN set -eux; \
savedAptMark="$(apt-mark showmanual)"; \
apt-get update; \
@@ -58,7 +58,9 @@ RUN set -eux; \
! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
fi; \
apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
- localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
+ echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
+ locale-gen; \
+ locale -a | grep 'en_US.utf8'
ENV LANG en_US.utf8
RUN set -eux; \
@@ -81,13 +83,13 @@ RUN set -ex; \
mkdir -p /usr/local/share/keyrings/; \
gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
- command -v gpgconf > /dev/null && gpgconf --kill all; \
+ gpgconf --kill all; \
rm -rf "$GNUPGHOME"
ENV PG_MAJOR 13
ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
-ENV PG_VERSION 13.10-1.pgdg110+1
+ENV PG_VERSION 13.21-1.pgdg110+1
RUN set -ex; \
\
@@ -129,10 +131,9 @@ RUN set -ex; \
# build .deb files from upstream's source packages (which are verified by apt-get)
nproc="$(nproc)"; \
export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
-# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876
-# (and it "Depends: pgdg-keyring")
- apt-get build-dep -y postgresql-common pgdg-keyring; \
- apt-get source --compile postgresql-common pgdg-keyring; \
+# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9
+ apt-get build-dep -y postgresql-common-dev; \
+ apt-get source --compile postgresql-common-dev; \
_update_repo; \
# we need DEBIAN_FRONTEND on postgresql-13 for slapd ("Please enter the password for the admin entry in your LDAP directory."); see https://bugs.debian.org/929417
DEBIAN_FRONTEND=noninteractive \
@@ -180,31 +181,26 @@ RUN set -eux; \
sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
-RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
ENV PGDATA /var/lib/postgresql/data
-# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA"
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
VOLUME /var/lib/postgresql/data
-COPY docker-entrypoint.sh /usr/local/bin/
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
ENTRYPOINT ["docker-entrypoint.sh"]
# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
# calls "Fast Shutdown mode" wherein new connections are disallowed and any
# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
-# flush tables to disk, which is the best compromise available to avoid data
-# corruption.
-#
-# Users who know their applications do not keep open long-lived idle connections
-# may way to use a value of SIGTERM instead, which corresponds to "Smart
-# Shutdown mode" in which any existing sessions are allowed to finish and the
-# server stops when all sessions are terminated.
+# flush tables to disk.
#
-# See https://www.postgresql.org/docs/12/server-shutdown.html for more details
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
# about available PostgreSQL server shutdown signals.
#
-# See also https://www.postgresql.org/docs/12/server-start.html for further
+# See also https://www.postgresql.org/docs/current/server-start.html for further
# justification of this as the default value, namely that the example (and
# shipped) systemd service files use the "Fast Shutdown mode" for service
# termination.
@@ -214,10 +210,10 @@ STOPSIGNAL SIGINT
# An additional setting that is recommended for all users regardless of this
# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
# equivalent) for controlling how long to wait between sending the defined
-# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption).
+# STOPSIGNAL and sending SIGKILL.
#
# The default in most runtimes (such as Docker) is 10 seconds, and the
-# documentation at https://www.postgresql.org/docs/12/server-start.html notes
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
# that even 90 seconds may not be long enough in many instances.
EXPOSE 5432
diff --git a/13/bullseye/docker-ensure-initdb.sh b/13/bullseye/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/13/bullseye/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/13/bullseye/docker-entrypoint.sh b/13/bullseye/docker-entrypoint.sh
index 0ae0ecf8c2..5a62870b50 100755
--- a/13/bullseye/docker-entrypoint.sh
+++ b/13/bullseye/docker-entrypoint.sh
@@ -103,20 +103,24 @@ docker_init_database_dir() {
# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
- # check password first so we can output the warning before postgres
- # messes it up
- if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
- cat >&2 <<-'EOWARN'
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
- WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
- This will not work if used via PGPASSWORD with "psql".
+ This will not work if used via PGPASSWORD with "psql".
- https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
- https://github.com/docker-library/postgres/issues/507
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
- EOWARN
- fi
+ EOWARN
+ fi
+ ;;
+ esac
if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
cat >&2 <<-'EOE'
@@ -150,6 +154,29 @@ docker_verify_minimum_env() {
EOWARN
fi
}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
# usage: docker_process_init_files [file [file [...]]]
# ie: docker_process_init_files /always-initdb.d/*
@@ -225,9 +252,18 @@ docker_setup_env() {
: "${POSTGRES_HOST_AUTH_METHOD:=}"
declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
# look specifically for PG_VERSION, as it is expected in the DB dir
if [ -s "$PGDATA/PG_VERSION" ]; then
DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
fi
}
@@ -247,7 +283,7 @@ pg_setup_hba_conf() {
printf '\n'
if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
printf '# warning trust is enabled for all connections\n'
- printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
fi
printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
@@ -264,6 +300,9 @@ docker_temp_server_start() {
# does not listen on external TCP/IP and waits until start finishes
set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
PGUSER="${PGUSER:-$POSTGRES_USER}" \
pg_ctl -D "$PGDATA" \
-o "$(printf '%q ' "$@")" \
@@ -311,6 +350,7 @@ _main() {
# only run initialization on an empty data directory
if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
docker_verify_minimum_env
+ docker_error_old_databases
# check dir permissions to reduce likelihood of half-initialized database
ls /docker-entrypoint-initdb.d/ > /dev/null
diff --git a/14/alpine/docker-entrypoint.sh b/14/alpine/docker-entrypoint.sh
deleted file mode 100755
index a383a36487..0000000000
--- a/14/alpine/docker-entrypoint.sh
+++ /dev/null
@@ -1,351 +0,0 @@
-#!/usr/bin/env bash
-set -Eeo pipefail
-# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
-
-# usage: file_env VAR [DEFAULT]
-# ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
- local var="$1"
- local fileVar="${var}_FILE"
- local def="${2:-}"
- if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
- printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
- exit 1
- fi
- local val="$def"
- if [ "${!var:-}" ]; then
- val="${!var}"
- elif [ "${!fileVar:-}" ]; then
- val="$(< "${!fileVar}")"
- fi
- export "$var"="$val"
- unset "$fileVar"
-}
-
-# check to see if this file is being run or sourced from another script
-_is_sourced() {
- # https://unix.stackexchange.com/a/215279
- [ "${#FUNCNAME[@]}" -ge 2 ] \
- && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
- && [ "${FUNCNAME[1]}" = 'source' ]
-}
-
-# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
-docker_create_db_directories() {
- local user; user="$(id -u)"
-
- mkdir -p "$PGDATA"
- # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
- chmod 00700 "$PGDATA" || :
-
- # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
- mkdir -p /var/run/postgresql || :
- chmod 03775 /var/run/postgresql || :
-
- # Create the transaction log directory before initdb is run so the directory is owned by the correct user
- if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
- mkdir -p "$POSTGRES_INITDB_WALDIR"
- if [ "$user" = '0' ]; then
- find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
- fi
- chmod 700 "$POSTGRES_INITDB_WALDIR"
- fi
-
- # allow the container to be started with `--user`
- if [ "$user" = '0' ]; then
- find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
- find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
- fi
-}
-
-# initialize empty PGDATA directory with new database via 'initdb'
-# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
-# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
-# this is also where the database user is created, specified by `POSTGRES_USER` env
-docker_init_database_dir() {
- # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
- # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
- local uid; uid="$(id -u)"
- if ! getent passwd "$uid" &> /dev/null; then
- # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
- local wrapper
- for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
- if [ -s "$wrapper" ]; then
- NSS_WRAPPER_PASSWD="$(mktemp)"
- NSS_WRAPPER_GROUP="$(mktemp)"
- export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
- local gid; gid="$(id -g)"
- printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
- printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
- break
- fi
- done
- fi
-
- if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
- set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
- fi
-
- # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
- eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
-
- # unset/cleanup "nss_wrapper" bits
- if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
- rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
- unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
- fi
-}
-
-# print large warning if POSTGRES_PASSWORD is long
-# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
-# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
-# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
-docker_verify_minimum_env() {
- # check password first so we can output the warning before postgres
- # messes it up
- if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
- cat >&2 <<-'EOWARN'
-
- WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
- This will not work if used via PGPASSWORD with "psql".
-
- https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
- https://github.com/docker-library/postgres/issues/507
-
- EOWARN
- fi
- if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
- # The - option suppresses leading tabs but *not* spaces. :)
- cat >&2 <<-'EOE'
- Error: Database is uninitialized and superuser password is not specified.
- You must specify POSTGRES_PASSWORD to a non-empty value for the
- superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
-
- You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
- connections without a password. This is *not* recommended.
-
- See PostgreSQL documentation about "trust":
- https://www.postgresql.org/docs/current/auth-trust.html
- EOE
- exit 1
- fi
- if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
- cat >&2 <<-'EOWARN'
- ********************************************************************************
- WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
- anyone with access to the Postgres port to access your database without
- a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
- documentation about "trust":
- https://www.postgresql.org/docs/current/auth-trust.html
- In Docker's default configuration, this is effectively any other
- container on the same system.
-
- It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
- it with "-e POSTGRES_PASSWORD=password" instead to set a password in
- "docker run".
- ********************************************************************************
- EOWARN
- fi
-}
-
-# usage: docker_process_init_files [file [file [...]]]
-# ie: docker_process_init_files /always-initdb.d/*
-# process initializer files, based on file extensions and permissions
-docker_process_init_files() {
- # psql here for backwards compatibility "${psql[@]}"
- psql=( docker_process_sql )
-
- printf '\n'
- local f
- for f; do
- case "$f" in
- *.sh)
- # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
- # https://github.com/docker-library/postgres/pull/452
- if [ -x "$f" ]; then
- printf '%s: running %s\n' "$0" "$f"
- "$f"
- else
- printf '%s: sourcing %s\n' "$0" "$f"
- . "$f"
- fi
- ;;
- *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
- *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
- *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
- *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
- *) printf '%s: ignoring %s\n' "$0" "$f" ;;
- esac
- printf '\n'
- done
-}
-
-# Execute sql script, passed via stdin (or -f flag of pqsl)
-# usage: docker_process_sql [psql-cli-args]
-# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
-# ie: docker_process_sql -f my-file.sql
-# ie: docker_process_sql <my-file.sql
-docker_process_sql() {
- local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
- if [ -n "$POSTGRES_DB" ]; then
- query_runner+=( --dbname "$POSTGRES_DB" )
- fi
-
- PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
-}
-
-# create initial database
-# uses environment variables for input: POSTGRES_DB
-docker_setup_db() {
- local dbAlreadyExists
- dbAlreadyExists="$(
- POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
- SELECT 1 FROM pg_database WHERE datname = :'db' ;
- EOSQL
- )"
- if [ -z "$dbAlreadyExists" ]; then
- POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
- CREATE DATABASE :"db" ;
- EOSQL
- printf '\n'
- fi
-}
-
-# Loads various settings that are used elsewhere in the script
-# This should be called before any other functions
-docker_setup_env() {
- file_env 'POSTGRES_PASSWORD'
-
- file_env 'POSTGRES_USER' 'postgres'
- file_env 'POSTGRES_DB' "$POSTGRES_USER"
- file_env 'POSTGRES_INITDB_ARGS'
- : "${POSTGRES_HOST_AUTH_METHOD:=}"
-
- declare -g DATABASE_ALREADY_EXISTS
- # look specifically for PG_VERSION, as it is expected in the DB dir
- if [ -s "$PGDATA/PG_VERSION" ]; then
- DATABASE_ALREADY_EXISTS='true'
- fi
-}
-
-# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
-# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
-pg_setup_hba_conf() {
- # default authentication method is md5 on versions before 14
- # https://www.postgresql.org/about/news/postgresql-14-released-2318/
- if [ "$1" = 'postgres' ]; then
- shift
- fi
- local auth
- # check the default/configured encryption and use that as the auth method
- auth="$(postgres -C password_encryption "$@")"
- : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
- {
- printf '\n'
- if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
- printf '# warning trust is enabled for all connections\n'
- printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n'
- fi
- printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
- } >> "$PGDATA/pg_hba.conf"
-}
-
-# start socket-only postgresql server for setting up or running scripts
-# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
-docker_temp_server_start() {
- if [ "$1" = 'postgres' ]; then
- shift
- fi
-
- # internal start of server in order to allow setup using psql client
- # does not listen on external TCP/IP and waits until start finishes
- set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
-
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" \
- -o "$(printf '%q ' "$@")" \
- -w start
-}
-
-# stop postgresql server after done setting up user and running scripts
-docker_temp_server_stop() {
- PGUSER="${PGUSER:-postgres}" \
- pg_ctl -D "$PGDATA" -m fast -w stop
-}
-
-# check arguments for an option that would cause postgres to stop
-# return true if there is one
-_pg_want_help() {
- local arg
- for arg; do
- case "$arg" in
- # postgres --help | grep 'then exit'
- # leaving out -C on purpose since it always fails and is unhelpful:
- # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
- -'?'|--help|--describe-config|-V|--version)
- return 0
- ;;
- esac
- done
- return 1
-}
-
-_main() {
- # if first arg looks like a flag, assume we want to run postgres server
- if [ "${1:0:1}" = '-' ]; then
- set -- postgres "$@"
- fi
-
- if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
- docker_setup_env
- # setup data directories and permissions (when run as root)
- docker_create_db_directories
- if [ "$(id -u)" = '0' ]; then
- # then restart script as postgres user
- exec su-exec postgres "$BASH_SOURCE" "$@"
- fi
-
- # only run initialization on an empty data directory
- if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
- docker_verify_minimum_env
-
- # check dir permissions to reduce likelihood of half-initialized database
- ls /docker-entrypoint-initdb.d/ > /dev/null
-
- docker_init_database_dir
- pg_setup_hba_conf "$@"
-
- # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
- # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
- export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
- docker_temp_server_start "$@"
-
- docker_setup_db
- docker_process_init_files /docker-entrypoint-initdb.d/*
-
- docker_temp_server_stop
- unset PGPASSWORD
-
- cat <<-'EOM'
-
- PostgreSQL init process complete; ready for start up.
-
- EOM
- else
- cat <<-'EOM'
-
- PostgreSQL Database directory appears to contain a database; Skipping initialization
-
- EOM
- fi
- fi
-
- exec "$@"
-}
-
-if ! _is_sourced; then
- _main "$@"
-fi
diff --git a/14/alpine/Dockerfile b/14/alpine3.21/Dockerfile
similarity index 63%
rename from 14/alpine/Dockerfile
rename to 14/alpine3.21/Dockerfile
index 532ff95e2b..49eb44c2c7 100644
--- a/14/alpine/Dockerfile
+++ b/14/alpine3.21/Dockerfile
@@ -4,17 +4,47 @@
# PLEASE DO NOT EDIT IT DIRECTLY.
#
-FROM alpine:3.17
+FROM alpine:3.21
# 70 is the standard uid/gid for "postgres" in Alpine
-# https://git.alpinelinux.org/aports/tree/main/postgresql/postgresql.pre-install?h=3.12-stable
+# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable
RUN set -eux; \
addgroup -g 70 -S postgres; \
adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
- mkdir -p /var/lib/postgresql; \
- chown -R postgres:postgres /var/lib/postgresql
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
-# su-exec (gosu-compatible) is installed further down
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ \
+ apk add --no-cache --virtual .gosu-deps \
+ ca-certificates \
+ dpkg \
+ gnupg \
+ ; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ \
+# verify the signature
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ \
+# clean up fetch dependencies
+ apk del --no-network .gosu-deps; \
+ \
+ chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+ gosu --version; \
+ gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
# alpine doesn't require explicit locale-file generation
@@ -23,8 +53,12 @@ ENV LANG en_US.utf8
RUN mkdir /docker-entrypoint-initdb.d
ENV PG_MAJOR 14
-ENV PG_VERSION 14.7
-ENV PG_SHA256 cef60f0098fa8101c1546f4254e45b722af5431337945b37af207007630db331
+ENV PG_VERSION 14.18
+ENV PG_SHA256 83ab29d6bfc3dc58b2ed3c664114fdfbeb6a0450c4b8d7fa69aee91e3ca14f8e
+
+ENV DOCKER_PG_LLVM_DEPS \
+ llvm19-dev \
+ clang19
RUN set -eux; \
\
@@ -40,10 +74,12 @@ RUN set -eux; \
rm postgresql.tar.bz2; \
\
apk add --no-cache --virtual .build-deps \
+ $DOCKER_PG_LLVM_DEPS \
bison \
coreutils \
dpkg-dev dpkg \
flex \
+ g++ \
gcc \
krb5-dev \
libc-dev \
@@ -51,7 +87,6 @@ RUN set -eux; \
libxml2-dev \
libxslt-dev \
linux-headers \
- llvm-dev clang g++ \
make \
openldap-dev \
openssl-dev \
@@ -75,12 +110,16 @@ RUN set -eux; \
grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
-# explicitly update autoconf config.guess and config.sub so they support more arches/libcs
- wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb'; \
- wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb'; \
+ \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG")
+ export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
+ export CLANG=clang-19; \
+ \
# configure options taken from:
# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
./configure \
+ --enable-option-checking=fatal \
--build="$gnuArch" \
# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
# --enable-nls \
@@ -97,7 +136,6 @@ RUN set -eux; \
--prefix=/usr/local \
--with-includes=/usr/local/include \
--with-libraries=/usr/local/lib \
- --with-krb5 \
--with-gssapi \
--with-ldap \
--with-tcl \
@@ -111,8 +149,8 @@ RUN set -eux; \
--with-llvm \
--with-lz4 \
; \
- make -j "$(nproc)" world; \
- make install-world; \
+ make -j "$(nproc)" world-bin; \
+ make install-world-bin; \
make -C contrib install; \
\
runDeps="$( \
@@ -127,13 +165,11 @@ RUN set -eux; \
apk add --no-cache --virtual .postgresql-rundeps \
$runDeps \
bash \
- su-exec \
tzdata \
zstd \
# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
icu-data-full \
-# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le"
-# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663
+# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults")
$([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
; \
apk del --no-network .build-deps; \
@@ -152,31 +188,26 @@ RUN set -eux; \
sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
-RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 3777 /var/run/postgresql
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
ENV PGDATA /var/lib/postgresql/data
-# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 1777 "$PGDATA"
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
VOLUME /var/lib/postgresql/data
-COPY docker-entrypoint.sh /usr/local/bin/
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
ENTRYPOINT ["docker-entrypoint.sh"]
# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
# calls "Fast Shutdown mode" wherein new connections are disallowed and any
# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
-# flush tables to disk, which is the best compromise available to avoid data
-# corruption.
-#
-# Users who know their applications do not keep open long-lived idle connections
-# may way to use a value of SIGTERM instead, which corresponds to "Smart
-# Shutdown mode" in which any existing sessions are allowed to finish and the
-# server stops when all sessions are terminated.
+# flush tables to disk.
#
-# See https://www.postgresql.org/docs/12/server-shutdown.html for more details
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
# about available PostgreSQL server shutdown signals.
#
-# See also https://www.postgresql.org/docs/12/server-start.html for further
+# See also https://www.postgresql.org/docs/current/server-start.html for further
# justification of this as the default value, namely that the example (and
# shipped) systemd service files use the "Fast Shutdown mode" for service
# termination.
@@ -186,10 +217,10 @@ STOPSIGNAL SIGINT
# An additional setting that is recommended for all users regardless of this
# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
# equivalent) for controlling how long to wait between sending the defined
-# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption).
+# STOPSIGNAL and sending SIGKILL.
#
# The default in most runtimes (such as Docker) is 10 seconds, and the
-# documentation at https://www.postgresql.org/docs/12/server-start.html notes
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
# that even 90 seconds may not be long enough in many instances.
EXPOSE 5432
diff --git a/14/alpine3.21/docker-ensure-initdb.sh b/14/alpine3.21/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/14/alpine3.21/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/11/alpine/docker-entrypoint.sh b/14/alpine3.21/docker-entrypoint.sh
similarity index 84%
rename from 11/alpine/docker-entrypoint.sh
rename to 14/alpine3.21/docker-entrypoint.sh
index a383a36487..5a62870b50 100755
--- a/11/alpine/docker-entrypoint.sh
+++ b/14/alpine3.21/docker-entrypoint.sh
@@ -103,20 +103,24 @@ docker_init_database_dir() {
# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
- # check password first so we can output the warning before postgres
- # messes it up
- if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
- cat >&2 <<-'EOWARN'
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
- WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
- This will not work if used via PGPASSWORD with "psql".
+ This will not work if used via PGPASSWORD with "psql".
- https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
- https://github.com/docker-library/postgres/issues/507
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
- EOWARN
- fi
+ EOWARN
+ fi
+ ;;
+ esac
if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
cat >&2 <<-'EOE'
@@ -150,6 +154,29 @@ docker_verify_minimum_env() {
EOWARN
fi
}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
# usage: docker_process_init_files [file [file [...]]]
# ie: docker_process_init_files /always-initdb.d/*
@@ -225,9 +252,18 @@ docker_setup_env() {
: "${POSTGRES_HOST_AUTH_METHOD:=}"
declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
# look specifically for PG_VERSION, as it is expected in the DB dir
if [ -s "$PGDATA/PG_VERSION" ]; then
DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
fi
}
@@ -247,7 +283,7 @@ pg_setup_hba_conf() {
printf '\n'
if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
printf '# warning trust is enabled for all connections\n'
- printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
fi
printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
@@ -264,6 +300,9 @@ docker_temp_server_start() {
# does not listen on external TCP/IP and waits until start finishes
set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
PGUSER="${PGUSER:-$POSTGRES_USER}" \
pg_ctl -D "$PGDATA" \
-o "$(printf '%q ' "$@")" \
@@ -305,12 +344,13 @@ _main() {
docker_create_db_directories
if [ "$(id -u)" = '0' ]; then
# then restart script as postgres user
- exec su-exec postgres "$BASH_SOURCE" "$@"
+ exec gosu postgres "$BASH_SOURCE" "$@"
fi
# only run initialization on an empty data directory
if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
docker_verify_minimum_env
+ docker_error_old_databases
# check dir permissions to reduce likelihood of half-initialized database
ls /docker-entrypoint-initdb.d/ > /dev/null
diff --git a/12/alpine/Dockerfile b/14/alpine3.22/Dockerfile
similarity index 62%
rename from 12/alpine/Dockerfile
rename to 14/alpine3.22/Dockerfile
index a96a546e71..238930ef21 100644
--- a/12/alpine/Dockerfile
+++ b/14/alpine3.22/Dockerfile
@@ -4,17 +4,47 @@
# PLEASE DO NOT EDIT IT DIRECTLY.
#
-FROM alpine:3.17
+FROM alpine:3.22
# 70 is the standard uid/gid for "postgres" in Alpine
-# https://git.alpinelinux.org/aports/tree/main/postgresql/postgresql.pre-install?h=3.12-stable
+# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable
RUN set -eux; \
addgroup -g 70 -S postgres; \
adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
- mkdir -p /var/lib/postgresql; \
- chown -R postgres:postgres /var/lib/postgresql
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
-# su-exec (gosu-compatible) is installed further down
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ \
+ apk add --no-cache --virtual .gosu-deps \
+ ca-certificates \
+ dpkg \
+ gnupg \
+ ; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ \
+# verify the signature
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ \
+# clean up fetch dependencies
+ apk del --no-network .gosu-deps; \
+ \
+ chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+ gosu --version; \
+ gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
# alpine doesn't require explicit locale-file generation
@@ -22,9 +52,13 @@ ENV LANG en_US.utf8
RUN mkdir /docker-entrypoint-initdb.d
-ENV PG_MAJOR 12
-ENV PG_VERSION 12.14
-ENV PG_SHA256 785610237d382c842d356e347138e58c06ffeae240e6cc0b52ac5ebcc30d043e
+ENV PG_MAJOR 14
+ENV PG_VERSION 14.18
+ENV PG_SHA256 83ab29d6bfc3dc58b2ed3c664114fdfbeb6a0450c4b8d7fa69aee91e3ca14f8e
+
+ENV DOCKER_PG_LLVM_DEPS \
+ llvm19-dev \
+ clang19
RUN set -eux; \
\
@@ -40,10 +74,12 @@ RUN set -eux; \
rm postgresql.tar.bz2; \
\
apk add --no-cache --virtual .build-deps \
+ $DOCKER_PG_LLVM_DEPS \
bison \
coreutils \
dpkg-dev dpkg \
flex \
+ g++ \
gcc \
krb5-dev \
libc-dev \
@@ -51,7 +87,6 @@ RUN set -eux; \
libxml2-dev \
libxslt-dev \
linux-headers \
- llvm-dev clang g++ \
make \
openldap-dev \
openssl-dev \
@@ -64,6 +99,8 @@ RUN set -eux; \
zlib-dev \
# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13
icu-dev \
+# https://www.postgresql.org/docs/14/release-14.html#id-1.11.6.5.5.3.7
+ lz4-dev \
; \
\
cd /usr/src/postgresql; \
@@ -73,12 +110,16 @@ RUN set -eux; \
grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
-# explicitly update autoconf config.guess and config.sub so they support more arches/libcs
- wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb'; \
- wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb'; \
+ \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG")
+ export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
+ export CLANG=clang-19; \
+ \
# configure options taken from:
# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
./configure \
+ --enable-option-checking=fatal \
--build="$gnuArch" \
# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
# --enable-nls \
@@ -95,7 +136,6 @@ RUN set -eux; \
--prefix=/usr/local \
--with-includes=/usr/local/include \
--with-libraries=/usr/local/lib \
- --with-krb5 \
--with-gssapi \
--with-ldap \
--with-tcl \
@@ -107,9 +147,10 @@ RUN set -eux; \
--with-libxslt \
--with-icu \
--with-llvm \
+ --with-lz4 \
; \
- make -j "$(nproc)" world; \
- make install-world; \
+ make -j "$(nproc)" world-bin; \
+ make install-world-bin; \
make -C contrib install; \
\
runDeps="$( \
@@ -124,13 +165,11 @@ RUN set -eux; \
apk add --no-cache --virtual .postgresql-rundeps \
$runDeps \
bash \
- su-exec \
tzdata \
zstd \
# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
icu-data-full \
-# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le"
-# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663
+# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults")
$([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
; \
apk del --no-network .build-deps; \
@@ -149,31 +188,26 @@ RUN set -eux; \
sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
-RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 3777 /var/run/postgresql
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
ENV PGDATA /var/lib/postgresql/data
-# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 1777 "$PGDATA"
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
VOLUME /var/lib/postgresql/data
-COPY docker-entrypoint.sh /usr/local/bin/
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
ENTRYPOINT ["docker-entrypoint.sh"]
# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
# calls "Fast Shutdown mode" wherein new connections are disallowed and any
# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
-# flush tables to disk, which is the best compromise available to avoid data
-# corruption.
-#
-# Users who know their applications do not keep open long-lived idle connections
-# may way to use a value of SIGTERM instead, which corresponds to "Smart
-# Shutdown mode" in which any existing sessions are allowed to finish and the
-# server stops when all sessions are terminated.
+# flush tables to disk.
#
-# See https://www.postgresql.org/docs/12/server-shutdown.html for more details
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
# about available PostgreSQL server shutdown signals.
#
-# See also https://www.postgresql.org/docs/12/server-start.html for further
+# See also https://www.postgresql.org/docs/current/server-start.html for further
# justification of this as the default value, namely that the example (and
# shipped) systemd service files use the "Fast Shutdown mode" for service
# termination.
@@ -183,10 +217,10 @@ STOPSIGNAL SIGINT
# An additional setting that is recommended for all users regardless of this
# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
# equivalent) for controlling how long to wait between sending the defined
-# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption).
+# STOPSIGNAL and sending SIGKILL.
#
# The default in most runtimes (such as Docker) is 10 seconds, and the
-# documentation at https://www.postgresql.org/docs/12/server-start.html notes
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
# that even 90 seconds may not be long enough in many instances.
EXPOSE 5432
diff --git a/14/alpine3.22/docker-ensure-initdb.sh b/14/alpine3.22/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/14/alpine3.22/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/14/alpine3.22/docker-entrypoint.sh b/14/alpine3.22/docker-entrypoint.sh
new file mode 100755
index 0000000000..5a62870b50
--- /dev/null
+++ b/14/alpine3.22/docker-entrypoint.sh
@@ -0,0 +1,391 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/14/bookworm/Dockerfile b/14/bookworm/Dockerfile
new file mode 100644
index 0000000000..e9a0e21b1c
--- /dev/null
+++ b/14/bookworm/Dockerfile
@@ -0,0 +1,218 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM debian:bookworm-slim
+
+# explicitly set user/group IDs
+RUN set -eux; \
+ groupadd -r postgres --gid=999; \
+# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
+ useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ gnupg \
+# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
+# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
+# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
+ less \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ savedAptMark="$(apt-mark showmanual)"; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends ca-certificates wget; \
+ rm -rf /var/lib/apt/lists/*; \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ apt-mark auto '.*' > /dev/null; \
+ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+ chmod +x /usr/local/bin/gosu; \
+ gosu --version; \
+ gosu nobody true
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+RUN set -eux; \
+ if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
+# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
+ grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
+ ! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ fi; \
+ apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
+ echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
+ locale-gen; \
+ locale -a | grep 'en_US.utf8'
+ENV LANG en_US.utf8
+
+RUN set -eux; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ libnss-wrapper \
+ xz-utils \
+ zstd \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+RUN set -ex; \
+# pub 4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
+# Key fingerprint = B97B 0AFC AA1A 47F0 44F2 44A0 7FCC 7D46 ACCC 4CF8
+# uid PostgreSQL Debian Repository
+ key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ mkdir -p /usr/local/share/keyrings/; \
+ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
+ gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME"
+
+ENV PG_MAJOR 14
+ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
+
+ENV PG_VERSION 14.18-1.pgdg120+1
+
+RUN set -ex; \
+ \
+# see note below about "*.pyc" files
+ export PYTHONDONTWRITEBYTECODE=1; \
+ \
+ dpkgArch="$(dpkg --print-architecture)"; \
+ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main $PG_MAJOR"; \
+ case "$dpkgArch" in \
+ amd64 | arm64 | ppc64el) \
+# arches officialy built by upstream
+ echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ apt-get update; \
+ ;; \
+ *) \
+# we're on an architecture upstream doesn't officially build for
+# let's build binaries from their published source packages
+ echo "deb-src $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ \
+ savedAptMark="$(apt-mark showmanual)"; \
+ \
+ tempDir="$(mktemp -d)"; \
+ cd "$tempDir"; \
+ \
+# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
+ apt-get update; \
+ apt-get install -y --no-install-recommends dpkg-dev; \
+ echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
+ _update_repo() { \
+ dpkg-scanpackages . > Packages; \
+# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
+# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+# ...
+# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+ apt-get -o Acquire::GzipIndexes=false update; \
+ }; \
+ _update_repo; \
+ \
+# build .deb files from upstream's source packages (which are verified by apt-get)
+ nproc="$(nproc)"; \
+ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
+# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9
+ apt-get build-dep -y postgresql-common-dev; \
+ apt-get source --compile postgresql-common-dev; \
+ _update_repo; \
+ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ \
+# we don't remove APT lists here because they get re-downloaded and removed later
+ \
+# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
+ apt-mark showmanual | xargs apt-mark auto > /dev/null; \
+ apt-mark manual $savedAptMark; \
+ \
+ ls -lAFh; \
+ _update_repo; \
+ grep '^Package: ' Packages; \
+ cd /; \
+ ;; \
+ esac; \
+ \
+ apt-get install -y --no-install-recommends postgresql-common; \
+ sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
+ apt-get install -y --no-install-recommends \
+ "postgresql-$PG_MAJOR=$PG_VERSION" \
+ ; \
+ \
+ rm -rf /var/lib/apt/lists/*; \
+ \
+ if [ -n "$tempDir" ]; then \
+# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
+ apt-get purge -y --auto-remove; \
+ rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
+ fi; \
+ \
+# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
+ find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
+ cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
+ ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/14/bookworm/docker-ensure-initdb.sh b/14/bookworm/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/14/bookworm/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/14/bookworm/docker-entrypoint.sh b/14/bookworm/docker-entrypoint.sh
new file mode 100755
index 0000000000..5a62870b50
--- /dev/null
+++ b/14/bookworm/docker-entrypoint.sh
@@ -0,0 +1,391 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/14/bullseye/Dockerfile b/14/bullseye/Dockerfile
index 5bfaee23c0..ff863ef774 100644
--- a/14/bullseye/Dockerfile
+++ b/14/bullseye/Dockerfile
@@ -6,16 +6,6 @@
FROM debian:bullseye-slim
-RUN set -ex; \
- if ! command -v gpg > /dev/null; then \
- apt-get update; \
- apt-get install -y --no-install-recommends \
- gnupg \
- dirmngr \
- ; \
- rm -rf /var/lib/apt/lists/*; \
- fi
-
# explicitly set user/group IDs
RUN set -eux; \
groupadd -r postgres --gid=999; \
@@ -23,12 +13,22 @@ RUN set -eux; \
useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
# also create the postgres user's home directory with appropriate permissions
# see https://github.com/docker-library/postgres/issues/274
- mkdir -p /var/lib/postgresql; \
- chown -R postgres:postgres /var/lib/postgresql
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ gnupg \
+# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
+# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
+# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
+ less \
+ ; \
+ rm -rf /var/lib/apt/lists/*
# grab gosu for easy step-down from root
# https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.16
+ENV GOSU_VERSION 1.17
RUN set -eux; \
savedAptMark="$(apt-mark showmanual)"; \
apt-get update; \
@@ -58,7 +58,9 @@ RUN set -eux; \
! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
fi; \
apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
- localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
+ echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
+ locale-gen; \
+ locale -a | grep 'en_US.utf8'
ENV LANG en_US.utf8
RUN set -eux; \
@@ -81,13 +83,13 @@ RUN set -ex; \
mkdir -p /usr/local/share/keyrings/; \
gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
- command -v gpgconf > /dev/null && gpgconf --kill all; \
+ gpgconf --kill all; \
rm -rf "$GNUPGHOME"
ENV PG_MAJOR 14
ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
-ENV PG_VERSION 14.7-1.pgdg110+1
+ENV PG_VERSION 14.18-1.pgdg110+1
RUN set -ex; \
\
@@ -129,10 +131,9 @@ RUN set -ex; \
# build .deb files from upstream's source packages (which are verified by apt-get)
nproc="$(nproc)"; \
export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
-# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876
-# (and it "Depends: pgdg-keyring")
- apt-get build-dep -y postgresql-common pgdg-keyring; \
- apt-get source --compile postgresql-common pgdg-keyring; \
+# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9
+ apt-get build-dep -y postgresql-common-dev; \
+ apt-get source --compile postgresql-common-dev; \
_update_repo; \
apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
@@ -178,31 +179,26 @@ RUN set -eux; \
sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
-RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
ENV PGDATA /var/lib/postgresql/data
-# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA"
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
VOLUME /var/lib/postgresql/data
-COPY docker-entrypoint.sh /usr/local/bin/
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
ENTRYPOINT ["docker-entrypoint.sh"]
# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
# calls "Fast Shutdown mode" wherein new connections are disallowed and any
# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
-# flush tables to disk, which is the best compromise available to avoid data
-# corruption.
-#
-# Users who know their applications do not keep open long-lived idle connections
-# may way to use a value of SIGTERM instead, which corresponds to "Smart
-# Shutdown mode" in which any existing sessions are allowed to finish and the
-# server stops when all sessions are terminated.
+# flush tables to disk.
#
-# See https://www.postgresql.org/docs/12/server-shutdown.html for more details
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
# about available PostgreSQL server shutdown signals.
#
-# See also https://www.postgresql.org/docs/12/server-start.html for further
+# See also https://www.postgresql.org/docs/current/server-start.html for further
# justification of this as the default value, namely that the example (and
# shipped) systemd service files use the "Fast Shutdown mode" for service
# termination.
@@ -212,10 +208,10 @@ STOPSIGNAL SIGINT
# An additional setting that is recommended for all users regardless of this
# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
# equivalent) for controlling how long to wait between sending the defined
-# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption).
+# STOPSIGNAL and sending SIGKILL.
#
# The default in most runtimes (such as Docker) is 10 seconds, and the
-# documentation at https://www.postgresql.org/docs/12/server-start.html notes
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
# that even 90 seconds may not be long enough in many instances.
EXPOSE 5432
diff --git a/14/bullseye/docker-ensure-initdb.sh b/14/bullseye/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/14/bullseye/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/14/bullseye/docker-entrypoint.sh b/14/bullseye/docker-entrypoint.sh
index 0ae0ecf8c2..5a62870b50 100755
--- a/14/bullseye/docker-entrypoint.sh
+++ b/14/bullseye/docker-entrypoint.sh
@@ -103,20 +103,24 @@ docker_init_database_dir() {
# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
- # check password first so we can output the warning before postgres
- # messes it up
- if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
- cat >&2 <<-'EOWARN'
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
- WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
- This will not work if used via PGPASSWORD with "psql".
+ This will not work if used via PGPASSWORD with "psql".
- https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
- https://github.com/docker-library/postgres/issues/507
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
- EOWARN
- fi
+ EOWARN
+ fi
+ ;;
+ esac
if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
cat >&2 <<-'EOE'
@@ -150,6 +154,29 @@ docker_verify_minimum_env() {
EOWARN
fi
}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
# usage: docker_process_init_files [file [file [...]]]
# ie: docker_process_init_files /always-initdb.d/*
@@ -225,9 +252,18 @@ docker_setup_env() {
: "${POSTGRES_HOST_AUTH_METHOD:=}"
declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
# look specifically for PG_VERSION, as it is expected in the DB dir
if [ -s "$PGDATA/PG_VERSION" ]; then
DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
fi
}
@@ -247,7 +283,7 @@ pg_setup_hba_conf() {
printf '\n'
if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
printf '# warning trust is enabled for all connections\n'
- printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
fi
printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
@@ -264,6 +300,9 @@ docker_temp_server_start() {
# does not listen on external TCP/IP and waits until start finishes
set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
PGUSER="${PGUSER:-$POSTGRES_USER}" \
pg_ctl -D "$PGDATA" \
-o "$(printf '%q ' "$@")" \
@@ -311,6 +350,7 @@ _main() {
# only run initialization on an empty data directory
if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
docker_verify_minimum_env
+ docker_error_old_databases
# check dir permissions to reduce likelihood of half-initialized database
ls /docker-entrypoint-initdb.d/ > /dev/null
diff --git a/15/alpine/docker-entrypoint.sh b/15/alpine/docker-entrypoint.sh
deleted file mode 100755
index a383a36487..0000000000
--- a/15/alpine/docker-entrypoint.sh
+++ /dev/null
@@ -1,351 +0,0 @@
-#!/usr/bin/env bash
-set -Eeo pipefail
-# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
-
-# usage: file_env VAR [DEFAULT]
-# ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
- local var="$1"
- local fileVar="${var}_FILE"
- local def="${2:-}"
- if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
- printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
- exit 1
- fi
- local val="$def"
- if [ "${!var:-}" ]; then
- val="${!var}"
- elif [ "${!fileVar:-}" ]; then
- val="$(< "${!fileVar}")"
- fi
- export "$var"="$val"
- unset "$fileVar"
-}
-
-# check to see if this file is being run or sourced from another script
-_is_sourced() {
- # https://unix.stackexchange.com/a/215279
- [ "${#FUNCNAME[@]}" -ge 2 ] \
- && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
- && [ "${FUNCNAME[1]}" = 'source' ]
-}
-
-# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
-docker_create_db_directories() {
- local user; user="$(id -u)"
-
- mkdir -p "$PGDATA"
- # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
- chmod 00700 "$PGDATA" || :
-
- # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
- mkdir -p /var/run/postgresql || :
- chmod 03775 /var/run/postgresql || :
-
- # Create the transaction log directory before initdb is run so the directory is owned by the correct user
- if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
- mkdir -p "$POSTGRES_INITDB_WALDIR"
- if [ "$user" = '0' ]; then
- find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
- fi
- chmod 700 "$POSTGRES_INITDB_WALDIR"
- fi
-
- # allow the container to be started with `--user`
- if [ "$user" = '0' ]; then
- find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
- find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
- fi
-}
-
-# initialize empty PGDATA directory with new database via 'initdb'
-# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
-# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
-# this is also where the database user is created, specified by `POSTGRES_USER` env
-docker_init_database_dir() {
- # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
- # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
- local uid; uid="$(id -u)"
- if ! getent passwd "$uid" &> /dev/null; then
- # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
- local wrapper
- for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
- if [ -s "$wrapper" ]; then
- NSS_WRAPPER_PASSWD="$(mktemp)"
- NSS_WRAPPER_GROUP="$(mktemp)"
- export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
- local gid; gid="$(id -g)"
- printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
- printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
- break
- fi
- done
- fi
-
- if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
- set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
- fi
-
- # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
- eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
-
- # unset/cleanup "nss_wrapper" bits
- if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
- rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
- unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
- fi
-}
-
-# print large warning if POSTGRES_PASSWORD is long
-# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
-# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
-# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
-docker_verify_minimum_env() {
- # check password first so we can output the warning before postgres
- # messes it up
- if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
- cat >&2 <<-'EOWARN'
-
- WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
- This will not work if used via PGPASSWORD with "psql".
-
- https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
- https://github.com/docker-library/postgres/issues/507
-
- EOWARN
- fi
- if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
- # The - option suppresses leading tabs but *not* spaces. :)
- cat >&2 <<-'EOE'
- Error: Database is uninitialized and superuser password is not specified.
- You must specify POSTGRES_PASSWORD to a non-empty value for the
- superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
-
- You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
- connections without a password. This is *not* recommended.
-
- See PostgreSQL documentation about "trust":
- https://www.postgresql.org/docs/current/auth-trust.html
- EOE
- exit 1
- fi
- if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
- cat >&2 <<-'EOWARN'
- ********************************************************************************
- WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
- anyone with access to the Postgres port to access your database without
- a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
- documentation about "trust":
- https://www.postgresql.org/docs/current/auth-trust.html
- In Docker's default configuration, this is effectively any other
- container on the same system.
-
- It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
- it with "-e POSTGRES_PASSWORD=password" instead to set a password in
- "docker run".
- ********************************************************************************
- EOWARN
- fi
-}
-
-# usage: docker_process_init_files [file [file [...]]]
-# ie: docker_process_init_files /always-initdb.d/*
-# process initializer files, based on file extensions and permissions
-docker_process_init_files() {
- # psql here for backwards compatibility "${psql[@]}"
- psql=( docker_process_sql )
-
- printf '\n'
- local f
- for f; do
- case "$f" in
- *.sh)
- # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
- # https://github.com/docker-library/postgres/pull/452
- if [ -x "$f" ]; then
- printf '%s: running %s\n' "$0" "$f"
- "$f"
- else
- printf '%s: sourcing %s\n' "$0" "$f"
- . "$f"
- fi
- ;;
- *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
- *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
- *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
- *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
- *) printf '%s: ignoring %s\n' "$0" "$f" ;;
- esac
- printf '\n'
- done
-}
-
-# Execute sql script, passed via stdin (or -f flag of pqsl)
-# usage: docker_process_sql [psql-cli-args]
-# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
-# ie: docker_process_sql -f my-file.sql
-# ie: docker_process_sql <my-file.sql
-docker_process_sql() {
- local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
- if [ -n "$POSTGRES_DB" ]; then
- query_runner+=( --dbname "$POSTGRES_DB" )
- fi
-
- PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
-}
-
-# create initial database
-# uses environment variables for input: POSTGRES_DB
-docker_setup_db() {
- local dbAlreadyExists
- dbAlreadyExists="$(
- POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
- SELECT 1 FROM pg_database WHERE datname = :'db' ;
- EOSQL
- )"
- if [ -z "$dbAlreadyExists" ]; then
- POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
- CREATE DATABASE :"db" ;
- EOSQL
- printf '\n'
- fi
-}
-
-# Loads various settings that are used elsewhere in the script
-# This should be called before any other functions
-docker_setup_env() {
- file_env 'POSTGRES_PASSWORD'
-
- file_env 'POSTGRES_USER' 'postgres'
- file_env 'POSTGRES_DB' "$POSTGRES_USER"
- file_env 'POSTGRES_INITDB_ARGS'
- : "${POSTGRES_HOST_AUTH_METHOD:=}"
-
- declare -g DATABASE_ALREADY_EXISTS
- # look specifically for PG_VERSION, as it is expected in the DB dir
- if [ -s "$PGDATA/PG_VERSION" ]; then
- DATABASE_ALREADY_EXISTS='true'
- fi
-}
-
-# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
-# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
-pg_setup_hba_conf() {
- # default authentication method is md5 on versions before 14
- # https://www.postgresql.org/about/news/postgresql-14-released-2318/
- if [ "$1" = 'postgres' ]; then
- shift
- fi
- local auth
- # check the default/configured encryption and use that as the auth method
- auth="$(postgres -C password_encryption "$@")"
- : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
- {
- printf '\n'
- if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
- printf '# warning trust is enabled for all connections\n'
- printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n'
- fi
- printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
- } >> "$PGDATA/pg_hba.conf"
-}
-
-# start socket-only postgresql server for setting up or running scripts
-# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
-docker_temp_server_start() {
- if [ "$1" = 'postgres' ]; then
- shift
- fi
-
- # internal start of server in order to allow setup using psql client
- # does not listen on external TCP/IP and waits until start finishes
- set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
-
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" \
- -o "$(printf '%q ' "$@")" \
- -w start
-}
-
-# stop postgresql server after done setting up user and running scripts
-docker_temp_server_stop() {
- PGUSER="${PGUSER:-postgres}" \
- pg_ctl -D "$PGDATA" -m fast -w stop
-}
-
-# check arguments for an option that would cause postgres to stop
-# return true if there is one
-_pg_want_help() {
- local arg
- for arg; do
- case "$arg" in
- # postgres --help | grep 'then exit'
- # leaving out -C on purpose since it always fails and is unhelpful:
- # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
- -'?'|--help|--describe-config|-V|--version)
- return 0
- ;;
- esac
- done
- return 1
-}
-
-_main() {
- # if first arg looks like a flag, assume we want to run postgres server
- if [ "${1:0:1}" = '-' ]; then
- set -- postgres "$@"
- fi
-
- if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
- docker_setup_env
- # setup data directories and permissions (when run as root)
- docker_create_db_directories
- if [ "$(id -u)" = '0' ]; then
- # then restart script as postgres user
- exec su-exec postgres "$BASH_SOURCE" "$@"
- fi
-
- # only run initialization on an empty data directory
- if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
- docker_verify_minimum_env
-
- # check dir permissions to reduce likelihood of half-initialized database
- ls /docker-entrypoint-initdb.d/ > /dev/null
-
- docker_init_database_dir
- pg_setup_hba_conf "$@"
-
- # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
- # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
- export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
- docker_temp_server_start "$@"
-
- docker_setup_db
- docker_process_init_files /docker-entrypoint-initdb.d/*
-
- docker_temp_server_stop
- unset PGPASSWORD
-
- cat <<-'EOM'
-
- PostgreSQL init process complete; ready for start up.
-
- EOM
- else
- cat <<-'EOM'
-
- PostgreSQL Database directory appears to contain a database; Skipping initialization
-
- EOM
- fi
- fi
-
- exec "$@"
-}
-
-if ! _is_sourced; then
- _main "$@"
-fi
diff --git a/15/alpine3.21/Dockerfile b/15/alpine3.21/Dockerfile
new file mode 100644
index 0000000000..91ab89c023
--- /dev/null
+++ b/15/alpine3.21/Dockerfile
@@ -0,0 +1,230 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM alpine:3.21
+
+# 70 is the standard uid/gid for "postgres" in Alpine
+# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable
+RUN set -eux; \
+ addgroup -g 70 -S postgres; \
+ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ \
+ apk add --no-cache --virtual .gosu-deps \
+ ca-certificates \
+ dpkg \
+ gnupg \
+ ; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ \
+# verify the signature
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ \
+# clean up fetch dependencies
+ apk del --no-network .gosu-deps; \
+ \
+ chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+ gosu --version; \
+ gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+# alpine doesn't require explicit locale-file generation
+ENV LANG en_US.utf8
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+ENV PG_MAJOR 15
+ENV PG_VERSION 15.13
+ENV PG_SHA256 4f62e133d22ea08a0401b0840920e26698644d01a80c34341fb732dd0a90ca5d
+
+ENV DOCKER_PG_LLVM_DEPS \
+ llvm19-dev \
+ clang19
+
+RUN set -eux; \
+ \
+ wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \
+ echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c -; \
+ mkdir -p /usr/src/postgresql; \
+ tar \
+ --extract \
+ --file postgresql.tar.bz2 \
+ --directory /usr/src/postgresql \
+ --strip-components 1 \
+ ; \
+ rm postgresql.tar.bz2; \
+ \
+ apk add --no-cache --virtual .build-deps \
+ $DOCKER_PG_LLVM_DEPS \
+ bison \
+ coreutils \
+ dpkg-dev dpkg \
+ flex \
+ g++ \
+ gcc \
+ krb5-dev \
+ libc-dev \
+ libedit-dev \
+ libxml2-dev \
+ libxslt-dev \
+ linux-headers \
+ make \
+ openldap-dev \
+ openssl-dev \
+ perl-dev \
+ perl-ipc-run \
+ perl-utils \
+ python3-dev \
+ tcl-dev \
+ util-linux-dev \
+ zlib-dev \
+# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13
+ icu-dev \
+# https://www.postgresql.org/docs/14/release-14.html#id-1.11.6.5.5.3.7
+ lz4-dev \
+# https://www.postgresql.org/docs/15/release-15.html "--with-zstd to enable Zstandard builds"
+ zstd-dev \
+ ; \
+ \
+ cd /usr/src/postgresql; \
+# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
+# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
+ awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \
+ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
+ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
+ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
+ \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG")
+ export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
+ export CLANG=clang-19; \
+ \
+# configure options taken from:
+# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+ ./configure \
+ --enable-option-checking=fatal \
+ --build="$gnuArch" \
+# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
+# --enable-nls \
+ --enable-integer-datetimes \
+ --enable-thread-safety \
+ --enable-tap-tests \
+# skip debugging info -- we want tiny size instead
+# --enable-debug \
+ --disable-rpath \
+ --with-uuid=e2fs \
+ --with-gnu-ld \
+ --with-pgport=5432 \
+ --with-system-tzdata=/usr/share/zoneinfo \
+ --prefix=/usr/local \
+ --with-includes=/usr/local/include \
+ --with-libraries=/usr/local/lib \
+ --with-gssapi \
+ --with-ldap \
+ --with-tcl \
+ --with-perl \
+ --with-python \
+# --with-pam \
+ --with-openssl \
+ --with-libxml \
+ --with-libxslt \
+ --with-icu \
+ --with-llvm \
+ --with-lz4 \
+ --with-zstd \
+ ; \
+ make -j "$(nproc)" world-bin; \
+ make install-world-bin; \
+ make -C contrib install; \
+ \
+ runDeps="$( \
+ scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
+ | tr ',' '\n' \
+ | sort -u \
+ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+# Remove plperl, plpython and pltcl dependencies by default to save image size
+# To use the pl extensions, those have to be installed in a derived image
+ | grep -v -e perl -e python -e tcl \
+ )"; \
+ apk add --no-cache --virtual .postgresql-rundeps \
+ $runDeps \
+ bash \
+ tzdata \
+ zstd \
+# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
+ icu-data-full \
+# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults")
+ $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
+ ; \
+ apk del --no-network .build-deps; \
+ cd /; \
+ rm -rf \
+ /usr/src/postgresql \
+ /usr/local/share/doc \
+ /usr/local/share/man \
+ ; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ cp -v /usr/local/share/postgresql/postgresql.conf.sample /usr/local/share/postgresql/postgresql.conf.sample.orig; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/15/alpine3.21/docker-ensure-initdb.sh b/15/alpine3.21/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/15/alpine3.21/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/15/alpine3.21/docker-entrypoint.sh b/15/alpine3.21/docker-entrypoint.sh
new file mode 100755
index 0000000000..5a62870b50
--- /dev/null
+++ b/15/alpine3.21/docker-entrypoint.sh
@@ -0,0 +1,391 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/15/alpine3.22/Dockerfile b/15/alpine3.22/Dockerfile
new file mode 100644
index 0000000000..201065d8a3
--- /dev/null
+++ b/15/alpine3.22/Dockerfile
@@ -0,0 +1,230 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM alpine:3.22
+
+# 70 is the standard uid/gid for "postgres" in Alpine
+# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable
+RUN set -eux; \
+ addgroup -g 70 -S postgres; \
+ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ \
+ apk add --no-cache --virtual .gosu-deps \
+ ca-certificates \
+ dpkg \
+ gnupg \
+ ; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ \
+# verify the signature
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ \
+# clean up fetch dependencies
+ apk del --no-network .gosu-deps; \
+ \
+ chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+ gosu --version; \
+ gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+# alpine doesn't require explicit locale-file generation
+ENV LANG en_US.utf8
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+ENV PG_MAJOR 15
+ENV PG_VERSION 15.13
+ENV PG_SHA256 4f62e133d22ea08a0401b0840920e26698644d01a80c34341fb732dd0a90ca5d
+
+ENV DOCKER_PG_LLVM_DEPS \
+ llvm19-dev \
+ clang19
+
+RUN set -eux; \
+ \
+ wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \
+ echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c -; \
+ mkdir -p /usr/src/postgresql; \
+ tar \
+ --extract \
+ --file postgresql.tar.bz2 \
+ --directory /usr/src/postgresql \
+ --strip-components 1 \
+ ; \
+ rm postgresql.tar.bz2; \
+ \
+ apk add --no-cache --virtual .build-deps \
+ $DOCKER_PG_LLVM_DEPS \
+ bison \
+ coreutils \
+ dpkg-dev dpkg \
+ flex \
+ g++ \
+ gcc \
+ krb5-dev \
+ libc-dev \
+ libedit-dev \
+ libxml2-dev \
+ libxslt-dev \
+ linux-headers \
+ make \
+ openldap-dev \
+ openssl-dev \
+ perl-dev \
+ perl-ipc-run \
+ perl-utils \
+ python3-dev \
+ tcl-dev \
+ util-linux-dev \
+ zlib-dev \
+# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13
+ icu-dev \
+# https://www.postgresql.org/docs/14/release-14.html#id-1.11.6.5.5.3.7
+ lz4-dev \
+# https://www.postgresql.org/docs/15/release-15.html "--with-zstd to enable Zstandard builds"
+ zstd-dev \
+ ; \
+ \
+ cd /usr/src/postgresql; \
+# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
+# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
+ awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \
+ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
+ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
+ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
+ \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG")
+ export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
+ export CLANG=clang-19; \
+ \
+# configure options taken from:
+# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+ ./configure \
+ --enable-option-checking=fatal \
+ --build="$gnuArch" \
+# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
+# --enable-nls \
+ --enable-integer-datetimes \
+ --enable-thread-safety \
+ --enable-tap-tests \
+# skip debugging info -- we want tiny size instead
+# --enable-debug \
+ --disable-rpath \
+ --with-uuid=e2fs \
+ --with-gnu-ld \
+ --with-pgport=5432 \
+ --with-system-tzdata=/usr/share/zoneinfo \
+ --prefix=/usr/local \
+ --with-includes=/usr/local/include \
+ --with-libraries=/usr/local/lib \
+ --with-gssapi \
+ --with-ldap \
+ --with-tcl \
+ --with-perl \
+ --with-python \
+# --with-pam \
+ --with-openssl \
+ --with-libxml \
+ --with-libxslt \
+ --with-icu \
+ --with-llvm \
+ --with-lz4 \
+ --with-zstd \
+ ; \
+ make -j "$(nproc)" world-bin; \
+ make install-world-bin; \
+ make -C contrib install; \
+ \
+ runDeps="$( \
+ scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
+ | tr ',' '\n' \
+ | sort -u \
+ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+# Remove plperl, plpython and pltcl dependencies by default to save image size
+# To use the pl extensions, those have to be installed in a derived image
+ | grep -v -e perl -e python -e tcl \
+ )"; \
+ apk add --no-cache --virtual .postgresql-rundeps \
+ $runDeps \
+ bash \
+ tzdata \
+ zstd \
+# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
+ icu-data-full \
+# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults")
+ $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
+ ; \
+ apk del --no-network .build-deps; \
+ cd /; \
+ rm -rf \
+ /usr/src/postgresql \
+ /usr/local/share/doc \
+ /usr/local/share/man \
+ ; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ cp -v /usr/local/share/postgresql/postgresql.conf.sample /usr/local/share/postgresql/postgresql.conf.sample.orig; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/15/alpine3.22/docker-ensure-initdb.sh b/15/alpine3.22/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/15/alpine3.22/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/15/alpine3.22/docker-entrypoint.sh b/15/alpine3.22/docker-entrypoint.sh
new file mode 100755
index 0000000000..5a62870b50
--- /dev/null
+++ b/15/alpine3.22/docker-entrypoint.sh
@@ -0,0 +1,391 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/15/bookworm/Dockerfile b/15/bookworm/Dockerfile
new file mode 100644
index 0000000000..d58f9ab6a4
--- /dev/null
+++ b/15/bookworm/Dockerfile
@@ -0,0 +1,218 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM debian:bookworm-slim
+
+# explicitly set user/group IDs
+RUN set -eux; \
+ groupadd -r postgres --gid=999; \
+# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
+ useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ gnupg \
+# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
+# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
+# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
+ less \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ savedAptMark="$(apt-mark showmanual)"; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends ca-certificates wget; \
+ rm -rf /var/lib/apt/lists/*; \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ apt-mark auto '.*' > /dev/null; \
+ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+ chmod +x /usr/local/bin/gosu; \
+ gosu --version; \
+ gosu nobody true
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+RUN set -eux; \
+ if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
+# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
+ grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
+ ! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ fi; \
+ apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
+ echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
+ locale-gen; \
+ locale -a | grep 'en_US.utf8'
+ENV LANG en_US.utf8
+
+RUN set -eux; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ libnss-wrapper \
+ xz-utils \
+ zstd \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+RUN set -ex; \
+# pub 4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
+# Key fingerprint = B97B 0AFC AA1A 47F0 44F2 44A0 7FCC 7D46 ACCC 4CF8
+# uid PostgreSQL Debian Repository
+ key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ mkdir -p /usr/local/share/keyrings/; \
+ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
+ gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME"
+
+ENV PG_MAJOR 15
+ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
+
+ENV PG_VERSION 15.13-1.pgdg120+1
+
+RUN set -ex; \
+ \
+# see note below about "*.pyc" files
+ export PYTHONDONTWRITEBYTECODE=1; \
+ \
+ dpkgArch="$(dpkg --print-architecture)"; \
+ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main $PG_MAJOR"; \
+ case "$dpkgArch" in \
+ amd64 | arm64 | ppc64el) \
+# arches officialy built by upstream
+ echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ apt-get update; \
+ ;; \
+ *) \
+# we're on an architecture upstream doesn't officially build for
+# let's build binaries from their published source packages
+ echo "deb-src $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ \
+ savedAptMark="$(apt-mark showmanual)"; \
+ \
+ tempDir="$(mktemp -d)"; \
+ cd "$tempDir"; \
+ \
+# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
+ apt-get update; \
+ apt-get install -y --no-install-recommends dpkg-dev; \
+ echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
+ _update_repo() { \
+ dpkg-scanpackages . > Packages; \
+# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
+# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+# ...
+# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+ apt-get -o Acquire::GzipIndexes=false update; \
+ }; \
+ _update_repo; \
+ \
+# build .deb files from upstream's source packages (which are verified by apt-get)
+ nproc="$(nproc)"; \
+ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
+# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9
+ apt-get build-dep -y postgresql-common-dev; \
+ apt-get source --compile postgresql-common-dev; \
+ _update_repo; \
+ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ \
+# we don't remove APT lists here because they get re-downloaded and removed later
+ \
+# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
+ apt-mark showmanual | xargs apt-mark auto > /dev/null; \
+ apt-mark manual $savedAptMark; \
+ \
+ ls -lAFh; \
+ _update_repo; \
+ grep '^Package: ' Packages; \
+ cd /; \
+ ;; \
+ esac; \
+ \
+ apt-get install -y --no-install-recommends postgresql-common; \
+ sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
+ apt-get install -y --no-install-recommends \
+ "postgresql-$PG_MAJOR=$PG_VERSION" \
+ ; \
+ \
+ rm -rf /var/lib/apt/lists/*; \
+ \
+ if [ -n "$tempDir" ]; then \
+# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
+ apt-get purge -y --auto-remove; \
+ rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
+ fi; \
+ \
+# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
+ find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
+ cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
+ ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/15/bookworm/docker-ensure-initdb.sh b/15/bookworm/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/15/bookworm/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/15/bookworm/docker-entrypoint.sh b/15/bookworm/docker-entrypoint.sh
new file mode 100755
index 0000000000..5a62870b50
--- /dev/null
+++ b/15/bookworm/docker-entrypoint.sh
@@ -0,0 +1,391 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/15/bullseye/Dockerfile b/15/bullseye/Dockerfile
index a9480e325c..ec325d7c88 100644
--- a/15/bullseye/Dockerfile
+++ b/15/bullseye/Dockerfile
@@ -6,16 +6,6 @@
FROM debian:bullseye-slim
-RUN set -ex; \
- if ! command -v gpg > /dev/null; then \
- apt-get update; \
- apt-get install -y --no-install-recommends \
- gnupg \
- dirmngr \
- ; \
- rm -rf /var/lib/apt/lists/*; \
- fi
-
# explicitly set user/group IDs
RUN set -eux; \
groupadd -r postgres --gid=999; \
@@ -23,12 +13,22 @@ RUN set -eux; \
useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
# also create the postgres user's home directory with appropriate permissions
# see https://github.com/docker-library/postgres/issues/274
- mkdir -p /var/lib/postgresql; \
- chown -R postgres:postgres /var/lib/postgresql
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ gnupg \
+# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
+# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
+# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
+ less \
+ ; \
+ rm -rf /var/lib/apt/lists/*
# grab gosu for easy step-down from root
# https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.16
+ENV GOSU_VERSION 1.17
RUN set -eux; \
savedAptMark="$(apt-mark showmanual)"; \
apt-get update; \
@@ -58,7 +58,9 @@ RUN set -eux; \
! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
fi; \
apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
- localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
+ echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
+ locale-gen; \
+ locale -a | grep 'en_US.utf8'
ENV LANG en_US.utf8
RUN set -eux; \
@@ -81,13 +83,13 @@ RUN set -ex; \
mkdir -p /usr/local/share/keyrings/; \
gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
- command -v gpgconf > /dev/null && gpgconf --kill all; \
+ gpgconf --kill all; \
rm -rf "$GNUPGHOME"
ENV PG_MAJOR 15
ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
-ENV PG_VERSION 15.2-1.pgdg110+1
+ENV PG_VERSION 15.13-1.pgdg110+1
RUN set -ex; \
\
@@ -129,10 +131,9 @@ RUN set -ex; \
# build .deb files from upstream's source packages (which are verified by apt-get)
nproc="$(nproc)"; \
export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
-# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876
-# (and it "Depends: pgdg-keyring")
- apt-get build-dep -y postgresql-common pgdg-keyring; \
- apt-get source --compile postgresql-common pgdg-keyring; \
+# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9
+ apt-get build-dep -y postgresql-common-dev; \
+ apt-get source --compile postgresql-common-dev; \
_update_repo; \
apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
@@ -178,31 +179,26 @@ RUN set -eux; \
sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
-RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
ENV PGDATA /var/lib/postgresql/data
-# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA"
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
VOLUME /var/lib/postgresql/data
-COPY docker-entrypoint.sh /usr/local/bin/
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
ENTRYPOINT ["docker-entrypoint.sh"]
# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
# calls "Fast Shutdown mode" wherein new connections are disallowed and any
# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
-# flush tables to disk, which is the best compromise available to avoid data
-# corruption.
-#
-# Users who know their applications do not keep open long-lived idle connections
-# may way to use a value of SIGTERM instead, which corresponds to "Smart
-# Shutdown mode" in which any existing sessions are allowed to finish and the
-# server stops when all sessions are terminated.
+# flush tables to disk.
#
-# See https://www.postgresql.org/docs/12/server-shutdown.html for more details
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
# about available PostgreSQL server shutdown signals.
#
-# See also https://www.postgresql.org/docs/12/server-start.html for further
+# See also https://www.postgresql.org/docs/current/server-start.html for further
# justification of this as the default value, namely that the example (and
# shipped) systemd service files use the "Fast Shutdown mode" for service
# termination.
@@ -212,10 +208,10 @@ STOPSIGNAL SIGINT
# An additional setting that is recommended for all users regardless of this
# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
# equivalent) for controlling how long to wait between sending the defined
-# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption).
+# STOPSIGNAL and sending SIGKILL.
#
# The default in most runtimes (such as Docker) is 10 seconds, and the
-# documentation at https://www.postgresql.org/docs/12/server-start.html notes
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
# that even 90 seconds may not be long enough in many instances.
EXPOSE 5432
diff --git a/15/bullseye/docker-ensure-initdb.sh b/15/bullseye/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/15/bullseye/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/15/bullseye/docker-entrypoint.sh b/15/bullseye/docker-entrypoint.sh
index 0ae0ecf8c2..5a62870b50 100755
--- a/15/bullseye/docker-entrypoint.sh
+++ b/15/bullseye/docker-entrypoint.sh
@@ -103,20 +103,24 @@ docker_init_database_dir() {
# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
- # check password first so we can output the warning before postgres
- # messes it up
- if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
- cat >&2 <<-'EOWARN'
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
- WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
- This will not work if used via PGPASSWORD with "psql".
+ This will not work if used via PGPASSWORD with "psql".
- https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
- https://github.com/docker-library/postgres/issues/507
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
- EOWARN
- fi
+ EOWARN
+ fi
+ ;;
+ esac
if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
cat >&2 <<-'EOE'
@@ -150,6 +154,29 @@ docker_verify_minimum_env() {
EOWARN
fi
}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
# usage: docker_process_init_files [file [file [...]]]
# ie: docker_process_init_files /always-initdb.d/*
@@ -225,9 +252,18 @@ docker_setup_env() {
: "${POSTGRES_HOST_AUTH_METHOD:=}"
declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
# look specifically for PG_VERSION, as it is expected in the DB dir
if [ -s "$PGDATA/PG_VERSION" ]; then
DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
fi
}
@@ -247,7 +283,7 @@ pg_setup_hba_conf() {
printf '\n'
if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
printf '# warning trust is enabled for all connections\n'
- printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
fi
printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
@@ -264,6 +300,9 @@ docker_temp_server_start() {
# does not listen on external TCP/IP and waits until start finishes
set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
PGUSER="${PGUSER:-$POSTGRES_USER}" \
pg_ctl -D "$PGDATA" \
-o "$(printf '%q ' "$@")" \
@@ -311,6 +350,7 @@ _main() {
# only run initialization on an empty data directory
if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
docker_verify_minimum_env
+ docker_error_old_databases
# check dir permissions to reduce likelihood of half-initialized database
ls /docker-entrypoint-initdb.d/ > /dev/null
diff --git a/16/alpine3.21/Dockerfile b/16/alpine3.21/Dockerfile
new file mode 100644
index 0000000000..1bf2cab5a5
--- /dev/null
+++ b/16/alpine3.21/Dockerfile
@@ -0,0 +1,229 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM alpine:3.21
+
+# 70 is the standard uid/gid for "postgres" in Alpine
+# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable
+RUN set -eux; \
+ addgroup -g 70 -S postgres; \
+ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ \
+ apk add --no-cache --virtual .gosu-deps \
+ ca-certificates \
+ dpkg \
+ gnupg \
+ ; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ \
+# verify the signature
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ \
+# clean up fetch dependencies
+ apk del --no-network .gosu-deps; \
+ \
+ chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+ gosu --version; \
+ gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+# alpine doesn't require explicit locale-file generation
+ENV LANG en_US.utf8
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+ENV PG_MAJOR 16
+ENV PG_VERSION 16.9
+ENV PG_SHA256 07c00fb824df0a0c295f249f44691b86e3266753b380c96f633c3311e10bd005
+
+ENV DOCKER_PG_LLVM_DEPS \
+ llvm19-dev \
+ clang19
+
+RUN set -eux; \
+ \
+ wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \
+ echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c -; \
+ mkdir -p /usr/src/postgresql; \
+ tar \
+ --extract \
+ --file postgresql.tar.bz2 \
+ --directory /usr/src/postgresql \
+ --strip-components 1 \
+ ; \
+ rm postgresql.tar.bz2; \
+ \
+ apk add --no-cache --virtual .build-deps \
+ $DOCKER_PG_LLVM_DEPS \
+ bison \
+ coreutils \
+ dpkg-dev dpkg \
+ flex \
+ g++ \
+ gcc \
+ krb5-dev \
+ libc-dev \
+ libedit-dev \
+ libxml2-dev \
+ libxslt-dev \
+ linux-headers \
+ make \
+ openldap-dev \
+ openssl-dev \
+ perl-dev \
+ perl-ipc-run \
+ perl-utils \
+ python3-dev \
+ tcl-dev \
+ util-linux-dev \
+ zlib-dev \
+# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13
+ icu-dev \
+# https://www.postgresql.org/docs/14/release-14.html#id-1.11.6.5.5.3.7
+ lz4-dev \
+# https://www.postgresql.org/docs/15/release-15.html "--with-zstd to enable Zstandard builds"
+ zstd-dev \
+ ; \
+ \
+ cd /usr/src/postgresql; \
+# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
+# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
+ awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \
+ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
+ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
+ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
+ \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG")
+ export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
+ export CLANG=clang-19; \
+ \
+# configure options taken from:
+# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+ ./configure \
+ --enable-option-checking=fatal \
+ --build="$gnuArch" \
+# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
+# --enable-nls \
+ --enable-integer-datetimes \
+ --enable-thread-safety \
+ --enable-tap-tests \
+# skip debugging info -- we want tiny size instead
+# --enable-debug \
+ --disable-rpath \
+ --with-uuid=e2fs \
+ --with-pgport=5432 \
+ --with-system-tzdata=/usr/share/zoneinfo \
+ --prefix=/usr/local \
+ --with-includes=/usr/local/include \
+ --with-libraries=/usr/local/lib \
+ --with-gssapi \
+ --with-ldap \
+ --with-tcl \
+ --with-perl \
+ --with-python \
+# --with-pam \
+ --with-openssl \
+ --with-libxml \
+ --with-libxslt \
+ --with-icu \
+ --with-llvm \
+ --with-lz4 \
+ --with-zstd \
+ ; \
+ make -j "$(nproc)" world-bin; \
+ make install-world-bin; \
+ make -C contrib install; \
+ \
+ runDeps="$( \
+ scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
+ | tr ',' '\n' \
+ | sort -u \
+ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+# Remove plperl, plpython and pltcl dependencies by default to save image size
+# To use the pl extensions, those have to be installed in a derived image
+ | grep -v -e perl -e python -e tcl \
+ )"; \
+ apk add --no-cache --virtual .postgresql-rundeps \
+ $runDeps \
+ bash \
+ tzdata \
+ zstd \
+# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
+ icu-data-full \
+# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults")
+ $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
+ ; \
+ apk del --no-network .build-deps; \
+ cd /; \
+ rm -rf \
+ /usr/src/postgresql \
+ /usr/local/share/doc \
+ /usr/local/share/man \
+ ; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ cp -v /usr/local/share/postgresql/postgresql.conf.sample /usr/local/share/postgresql/postgresql.conf.sample.orig; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/16/alpine3.21/docker-ensure-initdb.sh b/16/alpine3.21/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/16/alpine3.21/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/16/alpine3.21/docker-entrypoint.sh b/16/alpine3.21/docker-entrypoint.sh
new file mode 100755
index 0000000000..5a62870b50
--- /dev/null
+++ b/16/alpine3.21/docker-entrypoint.sh
@@ -0,0 +1,391 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/16/alpine3.22/Dockerfile b/16/alpine3.22/Dockerfile
new file mode 100644
index 0000000000..902de7538f
--- /dev/null
+++ b/16/alpine3.22/Dockerfile
@@ -0,0 +1,229 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM alpine:3.22
+
+# 70 is the standard uid/gid for "postgres" in Alpine
+# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable
+RUN set -eux; \
+ addgroup -g 70 -S postgres; \
+ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ \
+ apk add --no-cache --virtual .gosu-deps \
+ ca-certificates \
+ dpkg \
+ gnupg \
+ ; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ \
+# verify the signature
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ \
+# clean up fetch dependencies
+ apk del --no-network .gosu-deps; \
+ \
+ chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+ gosu --version; \
+ gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+# alpine doesn't require explicit locale-file generation
+ENV LANG en_US.utf8
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+ENV PG_MAJOR 16
+ENV PG_VERSION 16.9
+ENV PG_SHA256 07c00fb824df0a0c295f249f44691b86e3266753b380c96f633c3311e10bd005
+
+ENV DOCKER_PG_LLVM_DEPS \
+ llvm19-dev \
+ clang19
+
+RUN set -eux; \
+ \
+ wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \
+ echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c -; \
+ mkdir -p /usr/src/postgresql; \
+ tar \
+ --extract \
+ --file postgresql.tar.bz2 \
+ --directory /usr/src/postgresql \
+ --strip-components 1 \
+ ; \
+ rm postgresql.tar.bz2; \
+ \
+ apk add --no-cache --virtual .build-deps \
+ $DOCKER_PG_LLVM_DEPS \
+ bison \
+ coreutils \
+ dpkg-dev dpkg \
+ flex \
+ g++ \
+ gcc \
+ krb5-dev \
+ libc-dev \
+ libedit-dev \
+ libxml2-dev \
+ libxslt-dev \
+ linux-headers \
+ make \
+ openldap-dev \
+ openssl-dev \
+ perl-dev \
+ perl-ipc-run \
+ perl-utils \
+ python3-dev \
+ tcl-dev \
+ util-linux-dev \
+ zlib-dev \
+# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13
+ icu-dev \
+# https://www.postgresql.org/docs/14/release-14.html#id-1.11.6.5.5.3.7
+ lz4-dev \
+# https://www.postgresql.org/docs/15/release-15.html "--with-zstd to enable Zstandard builds"
+ zstd-dev \
+ ; \
+ \
+ cd /usr/src/postgresql; \
+# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
+# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
+ awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \
+ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
+ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
+ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
+ \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG")
+ export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
+ export CLANG=clang-19; \
+ \
+# configure options taken from:
+# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+ ./configure \
+ --enable-option-checking=fatal \
+ --build="$gnuArch" \
+# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
+# --enable-nls \
+ --enable-integer-datetimes \
+ --enable-thread-safety \
+ --enable-tap-tests \
+# skip debugging info -- we want tiny size instead
+# --enable-debug \
+ --disable-rpath \
+ --with-uuid=e2fs \
+ --with-pgport=5432 \
+ --with-system-tzdata=/usr/share/zoneinfo \
+ --prefix=/usr/local \
+ --with-includes=/usr/local/include \
+ --with-libraries=/usr/local/lib \
+ --with-gssapi \
+ --with-ldap \
+ --with-tcl \
+ --with-perl \
+ --with-python \
+# --with-pam \
+ --with-openssl \
+ --with-libxml \
+ --with-libxslt \
+ --with-icu \
+ --with-llvm \
+ --with-lz4 \
+ --with-zstd \
+ ; \
+ make -j "$(nproc)" world-bin; \
+ make install-world-bin; \
+ make -C contrib install; \
+ \
+ runDeps="$( \
+ scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
+ | tr ',' '\n' \
+ | sort -u \
+ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+# Remove plperl, plpython and pltcl dependencies by default to save image size
+# To use the pl extensions, those have to be installed in a derived image
+ | grep -v -e perl -e python -e tcl \
+ )"; \
+ apk add --no-cache --virtual .postgresql-rundeps \
+ $runDeps \
+ bash \
+ tzdata \
+ zstd \
+# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
+ icu-data-full \
+# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults")
+ $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
+ ; \
+ apk del --no-network .build-deps; \
+ cd /; \
+ rm -rf \
+ /usr/src/postgresql \
+ /usr/local/share/doc \
+ /usr/local/share/man \
+ ; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ cp -v /usr/local/share/postgresql/postgresql.conf.sample /usr/local/share/postgresql/postgresql.conf.sample.orig; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/16/alpine3.22/docker-ensure-initdb.sh b/16/alpine3.22/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/16/alpine3.22/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/16/alpine3.22/docker-entrypoint.sh b/16/alpine3.22/docker-entrypoint.sh
new file mode 100755
index 0000000000..5a62870b50
--- /dev/null
+++ b/16/alpine3.22/docker-entrypoint.sh
@@ -0,0 +1,391 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/16/bookworm/Dockerfile b/16/bookworm/Dockerfile
new file mode 100644
index 0000000000..7421ccaf0a
--- /dev/null
+++ b/16/bookworm/Dockerfile
@@ -0,0 +1,218 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM debian:bookworm-slim
+
+# explicitly set user/group IDs
+RUN set -eux; \
+ groupadd -r postgres --gid=999; \
+# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
+ useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ gnupg \
+# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
+# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
+# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
+ less \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ savedAptMark="$(apt-mark showmanual)"; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends ca-certificates wget; \
+ rm -rf /var/lib/apt/lists/*; \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ apt-mark auto '.*' > /dev/null; \
+ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+ chmod +x /usr/local/bin/gosu; \
+ gosu --version; \
+ gosu nobody true
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+RUN set -eux; \
+ if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
+# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
+ grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
+ ! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ fi; \
+ apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
+ echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
+ locale-gen; \
+ locale -a | grep 'en_US.utf8'
+ENV LANG en_US.utf8
+
+RUN set -eux; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ libnss-wrapper \
+ xz-utils \
+ zstd \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+RUN set -ex; \
+# pub 4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
+# Key fingerprint = B97B 0AFC AA1A 47F0 44F2 44A0 7FCC 7D46 ACCC 4CF8
+# uid PostgreSQL Debian Repository
+ key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ mkdir -p /usr/local/share/keyrings/; \
+ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
+ gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME"
+
+ENV PG_MAJOR 16
+ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
+
+ENV PG_VERSION 16.9-1.pgdg120+1
+
+RUN set -ex; \
+ \
+# see note below about "*.pyc" files
+ export PYTHONDONTWRITEBYTECODE=1; \
+ \
+ dpkgArch="$(dpkg --print-architecture)"; \
+ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main $PG_MAJOR"; \
+ case "$dpkgArch" in \
+ amd64 | arm64 | ppc64el) \
+# arches officialy built by upstream
+ echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ apt-get update; \
+ ;; \
+ *) \
+# we're on an architecture upstream doesn't officially build for
+# let's build binaries from their published source packages
+ echo "deb-src $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ \
+ savedAptMark="$(apt-mark showmanual)"; \
+ \
+ tempDir="$(mktemp -d)"; \
+ cd "$tempDir"; \
+ \
+# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
+ apt-get update; \
+ apt-get install -y --no-install-recommends dpkg-dev; \
+ echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
+ _update_repo() { \
+ dpkg-scanpackages . > Packages; \
+# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
+# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+# ...
+# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+ apt-get -o Acquire::GzipIndexes=false update; \
+ }; \
+ _update_repo; \
+ \
+# build .deb files from upstream's source packages (which are verified by apt-get)
+ nproc="$(nproc)"; \
+ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
+# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9
+ apt-get build-dep -y postgresql-common-dev; \
+ apt-get source --compile postgresql-common-dev; \
+ _update_repo; \
+ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ \
+# we don't remove APT lists here because they get re-downloaded and removed later
+ \
+# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
+ apt-mark showmanual | xargs apt-mark auto > /dev/null; \
+ apt-mark manual $savedAptMark; \
+ \
+ ls -lAFh; \
+ _update_repo; \
+ grep '^Package: ' Packages; \
+ cd /; \
+ ;; \
+ esac; \
+ \
+ apt-get install -y --no-install-recommends postgresql-common; \
+ sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
+ apt-get install -y --no-install-recommends \
+ "postgresql-$PG_MAJOR=$PG_VERSION" \
+ ; \
+ \
+ rm -rf /var/lib/apt/lists/*; \
+ \
+ if [ -n "$tempDir" ]; then \
+# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
+ apt-get purge -y --auto-remove; \
+ rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
+ fi; \
+ \
+# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
+ find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
+ cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
+ ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/16/bookworm/docker-ensure-initdb.sh b/16/bookworm/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/16/bookworm/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/16/bookworm/docker-entrypoint.sh b/16/bookworm/docker-entrypoint.sh
new file mode 100755
index 0000000000..5a62870b50
--- /dev/null
+++ b/16/bookworm/docker-entrypoint.sh
@@ -0,0 +1,391 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/11/bullseye/Dockerfile b/16/bullseye/Dockerfile
similarity index 81%
rename from 11/bullseye/Dockerfile
rename to 16/bullseye/Dockerfile
index 53fe1d791d..a3ac0c55ab 100644
--- a/11/bullseye/Dockerfile
+++ b/16/bullseye/Dockerfile
@@ -6,16 +6,6 @@
FROM debian:bullseye-slim
-RUN set -ex; \
- if ! command -v gpg > /dev/null; then \
- apt-get update; \
- apt-get install -y --no-install-recommends \
- gnupg \
- dirmngr \
- ; \
- rm -rf /var/lib/apt/lists/*; \
- fi
-
# explicitly set user/group IDs
RUN set -eux; \
groupadd -r postgres --gid=999; \
@@ -23,12 +13,22 @@ RUN set -eux; \
useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
# also create the postgres user's home directory with appropriate permissions
# see https://github.com/docker-library/postgres/issues/274
- mkdir -p /var/lib/postgresql; \
- chown -R postgres:postgres /var/lib/postgresql
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ gnupg \
+# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
+# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
+# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
+ less \
+ ; \
+ rm -rf /var/lib/apt/lists/*
# grab gosu for easy step-down from root
# https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.16
+ENV GOSU_VERSION 1.17
RUN set -eux; \
savedAptMark="$(apt-mark showmanual)"; \
apt-get update; \
@@ -58,7 +58,9 @@ RUN set -eux; \
! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
fi; \
apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
- localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
+ echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
+ locale-gen; \
+ locale -a | grep 'en_US.utf8'
ENV LANG en_US.utf8
RUN set -eux; \
@@ -81,13 +83,13 @@ RUN set -ex; \
mkdir -p /usr/local/share/keyrings/; \
gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
- command -v gpgconf > /dev/null && gpgconf --kill all; \
+ gpgconf --kill all; \
rm -rf "$GNUPGHOME"
-ENV PG_MAJOR 11
+ENV PG_MAJOR 16
ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
-ENV PG_VERSION 11.19-1.pgdg110+1
+ENV PG_VERSION 16.9-1.pgdg110+1
RUN set -ex; \
\
@@ -129,10 +131,9 @@ RUN set -ex; \
# build .deb files from upstream's source packages (which are verified by apt-get)
nproc="$(nproc)"; \
export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
-# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876
-# (and it "Depends: pgdg-keyring")
- apt-get build-dep -y postgresql-common pgdg-keyring; \
- apt-get source --compile postgresql-common pgdg-keyring; \
+# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9
+ apt-get build-dep -y postgresql-common-dev; \
+ apt-get source --compile postgresql-common-dev; \
_update_repo; \
apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
@@ -178,31 +179,26 @@ RUN set -eux; \
sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
-RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
ENV PGDATA /var/lib/postgresql/data
-# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA"
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
VOLUME /var/lib/postgresql/data
-COPY docker-entrypoint.sh /usr/local/bin/
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
ENTRYPOINT ["docker-entrypoint.sh"]
# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
# calls "Fast Shutdown mode" wherein new connections are disallowed and any
# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
-# flush tables to disk, which is the best compromise available to avoid data
-# corruption.
-#
-# Users who know their applications do not keep open long-lived idle connections
-# may way to use a value of SIGTERM instead, which corresponds to "Smart
-# Shutdown mode" in which any existing sessions are allowed to finish and the
-# server stops when all sessions are terminated.
+# flush tables to disk.
#
-# See https://www.postgresql.org/docs/12/server-shutdown.html for more details
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
# about available PostgreSQL server shutdown signals.
#
-# See also https://www.postgresql.org/docs/12/server-start.html for further
+# See also https://www.postgresql.org/docs/current/server-start.html for further
# justification of this as the default value, namely that the example (and
# shipped) systemd service files use the "Fast Shutdown mode" for service
# termination.
@@ -212,10 +208,10 @@ STOPSIGNAL SIGINT
# An additional setting that is recommended for all users regardless of this
# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
# equivalent) for controlling how long to wait between sending the defined
-# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption).
+# STOPSIGNAL and sending SIGKILL.
#
# The default in most runtimes (such as Docker) is 10 seconds, and the
-# documentation at https://www.postgresql.org/docs/12/server-start.html notes
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
# that even 90 seconds may not be long enough in many instances.
EXPOSE 5432
diff --git a/16/bullseye/docker-ensure-initdb.sh b/16/bullseye/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/16/bullseye/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/16/bullseye/docker-entrypoint.sh b/16/bullseye/docker-entrypoint.sh
new file mode 100755
index 0000000000..5a62870b50
--- /dev/null
+++ b/16/bullseye/docker-entrypoint.sh
@@ -0,0 +1,391 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/15/alpine/Dockerfile b/17/alpine3.21/Dockerfile
similarity index 64%
rename from 15/alpine/Dockerfile
rename to 17/alpine3.21/Dockerfile
index 90b2988f4e..c3c81bd437 100644
--- a/15/alpine/Dockerfile
+++ b/17/alpine3.21/Dockerfile
@@ -4,17 +4,46 @@
# PLEASE DO NOT EDIT IT DIRECTLY.
#
-FROM alpine:3.17
+FROM alpine:3.21
# 70 is the standard uid/gid for "postgres" in Alpine
-# https://git.alpinelinux.org/aports/tree/main/postgresql/postgresql.pre-install?h=3.12-stable
+# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable
RUN set -eux; \
addgroup -g 70 -S postgres; \
adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
- mkdir -p /var/lib/postgresql; \
- chown -R postgres:postgres /var/lib/postgresql
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
-# su-exec (gosu-compatible) is installed further down
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ \
+ apk add --no-cache --virtual .gosu-deps \
+ ca-certificates \
+ dpkg \
+ gnupg \
+ ; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ \
+# verify the signature
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ \
+# clean up fetch dependencies
+ apk del --no-network .gosu-deps; \
+ \
+ chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+ gosu --version; \
+ gosu nobody true
# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
# alpine doesn't require explicit locale-file generation
@@ -22,9 +51,13 @@ ENV LANG en_US.utf8
RUN mkdir /docker-entrypoint-initdb.d
-ENV PG_MAJOR 15
-ENV PG_VERSION 15.2
-ENV PG_SHA256 99a2171fc3d6b5b5f56b757a7a3cb85d509a38e4273805def23941ed2b8468c7
+ENV PG_MAJOR 17
+ENV PG_VERSION 17.5
+ENV PG_SHA256 fcb7ab38e23b264d1902cb25e6adafb4525a6ebcbd015434aeef9eda80f528d8
+
+ENV DOCKER_PG_LLVM_DEPS \
+ llvm19-dev \
+ clang19
RUN set -eux; \
\
@@ -40,10 +73,12 @@ RUN set -eux; \
rm postgresql.tar.bz2; \
\
apk add --no-cache --virtual .build-deps \
+ $DOCKER_PG_LLVM_DEPS \
bison \
coreutils \
dpkg-dev dpkg \
flex \
+ g++ \
gcc \
krb5-dev \
libc-dev \
@@ -51,7 +86,6 @@ RUN set -eux; \
libxml2-dev \
libxslt-dev \
linux-headers \
- llvm-dev clang g++ \
make \
openldap-dev \
openssl-dev \
@@ -77,29 +111,30 @@ RUN set -eux; \
grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
-# explicitly update autoconf config.guess and config.sub so they support more arches/libcs
- wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb'; \
- wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb'; \
+ \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG")
+ export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
+ export CLANG=clang-19; \
+ \
# configure options taken from:
# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
./configure \
+ --enable-option-checking=fatal \
--build="$gnuArch" \
# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
# --enable-nls \
--enable-integer-datetimes \
- --enable-thread-safety \
--enable-tap-tests \
# skip debugging info -- we want tiny size instead
# --enable-debug \
--disable-rpath \
--with-uuid=e2fs \
- --with-gnu-ld \
--with-pgport=5432 \
--with-system-tzdata=/usr/share/zoneinfo \
--prefix=/usr/local \
--with-includes=/usr/local/include \
--with-libraries=/usr/local/lib \
- --with-krb5 \
--with-gssapi \
--with-ldap \
--with-tcl \
@@ -114,8 +149,8 @@ RUN set -eux; \
--with-lz4 \
--with-zstd \
; \
- make -j "$(nproc)" world; \
- make install-world; \
+ make -j "$(nproc)" world-bin; \
+ make install-world-bin; \
make -C contrib install; \
\
runDeps="$( \
@@ -130,13 +165,11 @@ RUN set -eux; \
apk add --no-cache --virtual .postgresql-rundeps \
$runDeps \
bash \
- su-exec \
tzdata \
zstd \
# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
icu-data-full \
-# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le"
-# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663
+# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults")
$([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
; \
apk del --no-network .build-deps; \
@@ -155,31 +188,26 @@ RUN set -eux; \
sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
-RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 3777 /var/run/postgresql
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
ENV PGDATA /var/lib/postgresql/data
-# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 1777 "$PGDATA"
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
VOLUME /var/lib/postgresql/data
-COPY docker-entrypoint.sh /usr/local/bin/
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
ENTRYPOINT ["docker-entrypoint.sh"]
# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
# calls "Fast Shutdown mode" wherein new connections are disallowed and any
# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
-# flush tables to disk, which is the best compromise available to avoid data
-# corruption.
-#
-# Users who know their applications do not keep open long-lived idle connections
-# may way to use a value of SIGTERM instead, which corresponds to "Smart
-# Shutdown mode" in which any existing sessions are allowed to finish and the
-# server stops when all sessions are terminated.
+# flush tables to disk.
#
-# See https://www.postgresql.org/docs/12/server-shutdown.html for more details
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
# about available PostgreSQL server shutdown signals.
#
-# See also https://www.postgresql.org/docs/12/server-start.html for further
+# See also https://www.postgresql.org/docs/current/server-start.html for further
# justification of this as the default value, namely that the example (and
# shipped) systemd service files use the "Fast Shutdown mode" for service
# termination.
@@ -189,10 +217,10 @@ STOPSIGNAL SIGINT
# An additional setting that is recommended for all users regardless of this
# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
# equivalent) for controlling how long to wait between sending the defined
-# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption).
+# STOPSIGNAL and sending SIGKILL.
#
# The default in most runtimes (such as Docker) is 10 seconds, and the
-# documentation at https://www.postgresql.org/docs/12/server-start.html notes
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
# that even 90 seconds may not be long enough in many instances.
EXPOSE 5432
diff --git a/17/alpine3.21/docker-ensure-initdb.sh b/17/alpine3.21/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/17/alpine3.21/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/17/alpine3.21/docker-entrypoint.sh b/17/alpine3.21/docker-entrypoint.sh
new file mode 100755
index 0000000000..5a62870b50
--- /dev/null
+++ b/17/alpine3.21/docker-entrypoint.sh
@@ -0,0 +1,391 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/17/alpine3.22/Dockerfile b/17/alpine3.22/Dockerfile
new file mode 100644
index 0000000000..5c303bd7d0
--- /dev/null
+++ b/17/alpine3.22/Dockerfile
@@ -0,0 +1,227 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM alpine:3.22
+
+# 70 is the standard uid/gid for "postgres" in Alpine
+# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable
+RUN set -eux; \
+ addgroup -g 70 -S postgres; \
+ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ \
+ apk add --no-cache --virtual .gosu-deps \
+ ca-certificates \
+ dpkg \
+ gnupg \
+ ; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ \
+# verify the signature
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ \
+# clean up fetch dependencies
+ apk del --no-network .gosu-deps; \
+ \
+ chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+ gosu --version; \
+ gosu nobody true
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+# alpine doesn't require explicit locale-file generation
+ENV LANG en_US.utf8
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+ENV PG_MAJOR 17
+ENV PG_VERSION 17.5
+ENV PG_SHA256 fcb7ab38e23b264d1902cb25e6adafb4525a6ebcbd015434aeef9eda80f528d8
+
+ENV DOCKER_PG_LLVM_DEPS \
+ llvm19-dev \
+ clang19
+
+RUN set -eux; \
+ \
+ wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \
+ echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c -; \
+ mkdir -p /usr/src/postgresql; \
+ tar \
+ --extract \
+ --file postgresql.tar.bz2 \
+ --directory /usr/src/postgresql \
+ --strip-components 1 \
+ ; \
+ rm postgresql.tar.bz2; \
+ \
+ apk add --no-cache --virtual .build-deps \
+ $DOCKER_PG_LLVM_DEPS \
+ bison \
+ coreutils \
+ dpkg-dev dpkg \
+ flex \
+ g++ \
+ gcc \
+ krb5-dev \
+ libc-dev \
+ libedit-dev \
+ libxml2-dev \
+ libxslt-dev \
+ linux-headers \
+ make \
+ openldap-dev \
+ openssl-dev \
+ perl-dev \
+ perl-ipc-run \
+ perl-utils \
+ python3-dev \
+ tcl-dev \
+ util-linux-dev \
+ zlib-dev \
+# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13
+ icu-dev \
+# https://www.postgresql.org/docs/14/release-14.html#id-1.11.6.5.5.3.7
+ lz4-dev \
+# https://www.postgresql.org/docs/15/release-15.html "--with-zstd to enable Zstandard builds"
+ zstd-dev \
+ ; \
+ \
+ cd /usr/src/postgresql; \
+# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
+# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
+ awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \
+ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
+ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
+ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
+ \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG")
+ export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
+ export CLANG=clang-19; \
+ \
+# configure options taken from:
+# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+ ./configure \
+ --enable-option-checking=fatal \
+ --build="$gnuArch" \
+# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
+# --enable-nls \
+ --enable-integer-datetimes \
+ --enable-tap-tests \
+# skip debugging info -- we want tiny size instead
+# --enable-debug \
+ --disable-rpath \
+ --with-uuid=e2fs \
+ --with-pgport=5432 \
+ --with-system-tzdata=/usr/share/zoneinfo \
+ --prefix=/usr/local \
+ --with-includes=/usr/local/include \
+ --with-libraries=/usr/local/lib \
+ --with-gssapi \
+ --with-ldap \
+ --with-tcl \
+ --with-perl \
+ --with-python \
+# --with-pam \
+ --with-openssl \
+ --with-libxml \
+ --with-libxslt \
+ --with-icu \
+ --with-llvm \
+ --with-lz4 \
+ --with-zstd \
+ ; \
+ make -j "$(nproc)" world-bin; \
+ make install-world-bin; \
+ make -C contrib install; \
+ \
+ runDeps="$( \
+ scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
+ | tr ',' '\n' \
+ | sort -u \
+ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+# Remove plperl, plpython and pltcl dependencies by default to save image size
+# To use the pl extensions, those have to be installed in a derived image
+ | grep -v -e perl -e python -e tcl \
+ )"; \
+ apk add --no-cache --virtual .postgresql-rundeps \
+ $runDeps \
+ bash \
+ tzdata \
+ zstd \
+# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
+ icu-data-full \
+# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults")
+ $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
+ ; \
+ apk del --no-network .build-deps; \
+ cd /; \
+ rm -rf \
+ /usr/src/postgresql \
+ /usr/local/share/doc \
+ /usr/local/share/man \
+ ; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ cp -v /usr/local/share/postgresql/postgresql.conf.sample /usr/local/share/postgresql/postgresql.conf.sample.orig; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/17/alpine3.22/docker-ensure-initdb.sh b/17/alpine3.22/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/17/alpine3.22/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/17/alpine3.22/docker-entrypoint.sh b/17/alpine3.22/docker-entrypoint.sh
new file mode 100755
index 0000000000..5a62870b50
--- /dev/null
+++ b/17/alpine3.22/docker-entrypoint.sh
@@ -0,0 +1,391 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/17/bookworm/Dockerfile b/17/bookworm/Dockerfile
new file mode 100644
index 0000000000..25c2142f1f
--- /dev/null
+++ b/17/bookworm/Dockerfile
@@ -0,0 +1,218 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM debian:bookworm-slim
+
+# explicitly set user/group IDs
+RUN set -eux; \
+ groupadd -r postgres --gid=999; \
+# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
+ useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ gnupg \
+# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
+# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
+# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
+ less \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ savedAptMark="$(apt-mark showmanual)"; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends ca-certificates wget; \
+ rm -rf /var/lib/apt/lists/*; \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ apt-mark auto '.*' > /dev/null; \
+ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+ chmod +x /usr/local/bin/gosu; \
+ gosu --version; \
+ gosu nobody true
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+RUN set -eux; \
+ if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
+# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
+ grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
+ ! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ fi; \
+ apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
+ echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
+ locale-gen; \
+ locale -a | grep 'en_US.utf8'
+ENV LANG en_US.utf8
+
+RUN set -eux; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ libnss-wrapper \
+ xz-utils \
+ zstd \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+RUN set -ex; \
+# pub 4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
+# Key fingerprint = B97B 0AFC AA1A 47F0 44F2 44A0 7FCC 7D46 ACCC 4CF8
+# uid PostgreSQL Debian Repository
+ key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ mkdir -p /usr/local/share/keyrings/; \
+ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
+ gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME"
+
+ENV PG_MAJOR 17
+ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
+
+ENV PG_VERSION 17.5-1.pgdg120+1
+
+RUN set -ex; \
+ \
+# see note below about "*.pyc" files
+ export PYTHONDONTWRITEBYTECODE=1; \
+ \
+ dpkgArch="$(dpkg --print-architecture)"; \
+ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main $PG_MAJOR"; \
+ case "$dpkgArch" in \
+ amd64 | arm64 | ppc64el) \
+# arches officialy built by upstream
+ echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ apt-get update; \
+ ;; \
+ *) \
+# we're on an architecture upstream doesn't officially build for
+# let's build binaries from their published source packages
+ echo "deb-src $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ \
+ savedAptMark="$(apt-mark showmanual)"; \
+ \
+ tempDir="$(mktemp -d)"; \
+ cd "$tempDir"; \
+ \
+# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
+ apt-get update; \
+ apt-get install -y --no-install-recommends dpkg-dev; \
+ echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
+ _update_repo() { \
+ dpkg-scanpackages . > Packages; \
+# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
+# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+# ...
+# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+ apt-get -o Acquire::GzipIndexes=false update; \
+ }; \
+ _update_repo; \
+ \
+# build .deb files from upstream's source packages (which are verified by apt-get)
+ nproc="$(nproc)"; \
+ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
+# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9
+ apt-get build-dep -y postgresql-common-dev; \
+ apt-get source --compile postgresql-common-dev; \
+ _update_repo; \
+ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ \
+# we don't remove APT lists here because they get re-downloaded and removed later
+ \
+# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
+ apt-mark showmanual | xargs apt-mark auto > /dev/null; \
+ apt-mark manual $savedAptMark; \
+ \
+ ls -lAFh; \
+ _update_repo; \
+ grep '^Package: ' Packages; \
+ cd /; \
+ ;; \
+ esac; \
+ \
+ apt-get install -y --no-install-recommends postgresql-common; \
+ sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
+ apt-get install -y --no-install-recommends \
+ "postgresql-$PG_MAJOR=$PG_VERSION" \
+ ; \
+ \
+ rm -rf /var/lib/apt/lists/*; \
+ \
+ if [ -n "$tempDir" ]; then \
+# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
+ apt-get purge -y --auto-remove; \
+ rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
+ fi; \
+ \
+# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
+ find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
+ cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
+ ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/17/bookworm/docker-ensure-initdb.sh b/17/bookworm/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/17/bookworm/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/17/bookworm/docker-entrypoint.sh b/17/bookworm/docker-entrypoint.sh
new file mode 100755
index 0000000000..5a62870b50
--- /dev/null
+++ b/17/bookworm/docker-entrypoint.sh
@@ -0,0 +1,391 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/12/bullseye/Dockerfile b/17/bullseye/Dockerfile
similarity index 81%
rename from 12/bullseye/Dockerfile
rename to 17/bullseye/Dockerfile
index 41d75da7a6..fc554d1fae 100644
--- a/12/bullseye/Dockerfile
+++ b/17/bullseye/Dockerfile
@@ -6,16 +6,6 @@
FROM debian:bullseye-slim
-RUN set -ex; \
- if ! command -v gpg > /dev/null; then \
- apt-get update; \
- apt-get install -y --no-install-recommends \
- gnupg \
- dirmngr \
- ; \
- rm -rf /var/lib/apt/lists/*; \
- fi
-
# explicitly set user/group IDs
RUN set -eux; \
groupadd -r postgres --gid=999; \
@@ -23,12 +13,22 @@ RUN set -eux; \
useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
# also create the postgres user's home directory with appropriate permissions
# see https://github.com/docker-library/postgres/issues/274
- mkdir -p /var/lib/postgresql; \
- chown -R postgres:postgres /var/lib/postgresql
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ gnupg \
+# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
+# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
+# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
+ less \
+ ; \
+ rm -rf /var/lib/apt/lists/*
# grab gosu for easy step-down from root
# https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.16
+ENV GOSU_VERSION 1.17
RUN set -eux; \
savedAptMark="$(apt-mark showmanual)"; \
apt-get update; \
@@ -58,7 +58,9 @@ RUN set -eux; \
! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
fi; \
apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
- localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
+ echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
+ locale-gen; \
+ locale -a | grep 'en_US.utf8'
ENV LANG en_US.utf8
RUN set -eux; \
@@ -81,13 +83,13 @@ RUN set -ex; \
mkdir -p /usr/local/share/keyrings/; \
gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
- command -v gpgconf > /dev/null && gpgconf --kill all; \
+ gpgconf --kill all; \
rm -rf "$GNUPGHOME"
-ENV PG_MAJOR 12
+ENV PG_MAJOR 17
ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
-ENV PG_VERSION 12.14-1.pgdg110+1
+ENV PG_VERSION 17.5-1.pgdg110+1
RUN set -ex; \
\
@@ -129,10 +131,9 @@ RUN set -ex; \
# build .deb files from upstream's source packages (which are verified by apt-get)
nproc="$(nproc)"; \
export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
-# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876
-# (and it "Depends: pgdg-keyring")
- apt-get build-dep -y postgresql-common pgdg-keyring; \
- apt-get source --compile postgresql-common pgdg-keyring; \
+# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9
+ apt-get build-dep -y postgresql-common-dev; \
+ apt-get source --compile postgresql-common-dev; \
_update_repo; \
apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
@@ -178,31 +179,26 @@ RUN set -eux; \
sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
-RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
ENV PGDATA /var/lib/postgresql/data
-# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA"
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
VOLUME /var/lib/postgresql/data
-COPY docker-entrypoint.sh /usr/local/bin/
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
ENTRYPOINT ["docker-entrypoint.sh"]
# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
# calls "Fast Shutdown mode" wherein new connections are disallowed and any
# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
-# flush tables to disk, which is the best compromise available to avoid data
-# corruption.
-#
-# Users who know their applications do not keep open long-lived idle connections
-# may way to use a value of SIGTERM instead, which corresponds to "Smart
-# Shutdown mode" in which any existing sessions are allowed to finish and the
-# server stops when all sessions are terminated.
+# flush tables to disk.
#
-# See https://www.postgresql.org/docs/12/server-shutdown.html for more details
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
# about available PostgreSQL server shutdown signals.
#
-# See also https://www.postgresql.org/docs/12/server-start.html for further
+# See also https://www.postgresql.org/docs/current/server-start.html for further
# justification of this as the default value, namely that the example (and
# shipped) systemd service files use the "Fast Shutdown mode" for service
# termination.
@@ -212,10 +208,10 @@ STOPSIGNAL SIGINT
# An additional setting that is recommended for all users regardless of this
# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
# equivalent) for controlling how long to wait between sending the defined
-# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption).
+# STOPSIGNAL and sending SIGKILL.
#
# The default in most runtimes (such as Docker) is 10 seconds, and the
-# documentation at https://www.postgresql.org/docs/12/server-start.html notes
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
# that even 90 seconds may not be long enough in many instances.
EXPOSE 5432
diff --git a/17/bullseye/docker-ensure-initdb.sh b/17/bullseye/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/17/bullseye/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/17/bullseye/docker-entrypoint.sh b/17/bullseye/docker-entrypoint.sh
new file mode 100755
index 0000000000..5a62870b50
--- /dev/null
+++ b/17/bullseye/docker-entrypoint.sh
@@ -0,0 +1,391 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/18/alpine3.21/Dockerfile b/18/alpine3.21/Dockerfile
new file mode 100644
index 0000000000..e9eff8d01f
--- /dev/null
+++ b/18/alpine3.21/Dockerfile
@@ -0,0 +1,230 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM alpine:3.21
+
+# 70 is the standard uid/gid for "postgres" in Alpine
+# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable
+RUN set -eux; \
+ addgroup -g 70 -S postgres; \
+ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ \
+ apk add --no-cache --virtual .gosu-deps \
+ ca-certificates \
+ dpkg \
+ gnupg \
+ ; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ \
+# verify the signature
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ \
+# clean up fetch dependencies
+ apk del --no-network .gosu-deps; \
+ \
+ chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+ gosu --version; \
+ gosu nobody true
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+# alpine doesn't require explicit locale-file generation
+ENV LANG en_US.utf8
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+ENV PG_MAJOR 18
+ENV PG_VERSION 18beta1
+ENV PG_SHA256 0b7c83df6195398aa67dbf5c002e7fa4082be393aae99aa69926d483f98eb885
+
+ENV DOCKER_PG_LLVM_DEPS \
+ llvm19-dev \
+ clang19
+
+RUN set -eux; \
+ \
+ wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \
+ echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c -; \
+ mkdir -p /usr/src/postgresql; \
+ tar \
+ --extract \
+ --file postgresql.tar.bz2 \
+ --directory /usr/src/postgresql \
+ --strip-components 1 \
+ ; \
+ rm postgresql.tar.bz2; \
+ \
+ apk add --no-cache --virtual .build-deps \
+ $DOCKER_PG_LLVM_DEPS \
+ bison \
+ coreutils \
+ dpkg-dev dpkg \
+ flex \
+ g++ \
+ gcc \
+ krb5-dev \
+ libc-dev \
+ libedit-dev \
+ libxml2-dev \
+ libxslt-dev \
+ linux-headers \
+ make \
+ openldap-dev \
+ openssl-dev \
+ perl-dev \
+ perl-ipc-run \
+ perl-utils \
+ python3-dev \
+ tcl-dev \
+ util-linux-dev \
+ zlib-dev \
+# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13
+ icu-dev \
+# https://www.postgresql.org/docs/14/release-14.html#id-1.11.6.5.5.3.7
+ lz4-dev \
+# https://www.postgresql.org/docs/15/release-15.html "--with-zstd to enable Zstandard builds"
+ zstd-dev \
+ ; \
+ \
+ cd /usr/src/postgresql; \
+# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
+# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
+ awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \
+ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
+ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
+ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
+ \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG")
+ export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
+ export CLANG=clang-19; \
+ \
+# configure options taken from:
+# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+ ./configure \
+ --enable-option-checking=fatal \
+ --build="$gnuArch" \
+# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
+# --enable-nls \
+ --enable-integer-datetimes \
+ --enable-tap-tests \
+# skip debugging info -- we want tiny size instead
+# --enable-debug \
+ --disable-rpath \
+ --with-uuid=e2fs \
+ --with-pgport=5432 \
+ --with-system-tzdata=/usr/share/zoneinfo \
+ --prefix=/usr/local \
+ --with-includes=/usr/local/include \
+ --with-libraries=/usr/local/lib \
+ --with-gssapi \
+ --with-ldap \
+ --with-tcl \
+ --with-perl \
+ --with-python \
+# --with-pam \
+ --with-openssl \
+ --with-libxml \
+ --with-libxslt \
+ --with-icu \
+ --with-llvm \
+ --with-lz4 \
+ --with-zstd \
+ ; \
+ make -j "$(nproc)" world-bin; \
+ make install-world-bin; \
+ make -C contrib install; \
+ \
+ runDeps="$( \
+ scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
+ | tr ',' '\n' \
+ | sort -u \
+ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+# Remove plperl, plpython and pltcl dependencies by default to save image size
+# To use the pl extensions, those have to be installed in a derived image
+ | grep -v -e perl -e python -e tcl \
+ )"; \
+ apk add --no-cache --virtual .postgresql-rundeps \
+ $runDeps \
+ bash \
+ tzdata \
+ zstd \
+# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
+ icu-data-full \
+# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults")
+ $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
+ ; \
+ apk del --no-network .build-deps; \
+ cd /; \
+ rm -rf \
+ /usr/src/postgresql \
+ /usr/local/share/doc \
+ /usr/local/share/man \
+ ; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ cp -v /usr/local/share/postgresql/postgresql.conf.sample /usr/local/share/postgresql/postgresql.conf.sample.orig; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+#
+# NOTE: in 18+, PGDATA has changed to match the pg_ctlcluster standard directory structure, and the VOLUME has moved from /var/lib/postgresql/data to /var/lib/postgresql
+#
+ENV PGDATA /var/lib/postgresql/18/docker
+RUN ln -svT . /var/lib/postgresql/data # https://github.com/docker-library/postgres/pull/1259#issuecomment-2215477494
+VOLUME /var/lib/postgresql
+# ("/var/lib/postgresql" is already pre-created with suitably usable permissions above)
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/18/alpine3.21/docker-ensure-initdb.sh b/18/alpine3.21/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/18/alpine3.21/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/18/alpine3.21/docker-entrypoint.sh b/18/alpine3.21/docker-entrypoint.sh
new file mode 100755
index 0000000000..5a62870b50
--- /dev/null
+++ b/18/alpine3.21/docker-entrypoint.sh
@@ -0,0 +1,391 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/18/alpine3.22/Dockerfile b/18/alpine3.22/Dockerfile
new file mode 100644
index 0000000000..248d5cb987
--- /dev/null
+++ b/18/alpine3.22/Dockerfile
@@ -0,0 +1,230 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM alpine:3.22
+
+# 70 is the standard uid/gid for "postgres" in Alpine
+# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable
+RUN set -eux; \
+ addgroup -g 70 -S postgres; \
+ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ \
+ apk add --no-cache --virtual .gosu-deps \
+ ca-certificates \
+ dpkg \
+ gnupg \
+ ; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ \
+# verify the signature
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ \
+# clean up fetch dependencies
+ apk del --no-network .gosu-deps; \
+ \
+ chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+ gosu --version; \
+ gosu nobody true
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+# alpine doesn't require explicit locale-file generation
+ENV LANG en_US.utf8
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+ENV PG_MAJOR 18
+ENV PG_VERSION 18beta1
+ENV PG_SHA256 0b7c83df6195398aa67dbf5c002e7fa4082be393aae99aa69926d483f98eb885
+
+ENV DOCKER_PG_LLVM_DEPS \
+ llvm19-dev \
+ clang19
+
+RUN set -eux; \
+ \
+ wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \
+ echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c -; \
+ mkdir -p /usr/src/postgresql; \
+ tar \
+ --extract \
+ --file postgresql.tar.bz2 \
+ --directory /usr/src/postgresql \
+ --strip-components 1 \
+ ; \
+ rm postgresql.tar.bz2; \
+ \
+ apk add --no-cache --virtual .build-deps \
+ $DOCKER_PG_LLVM_DEPS \
+ bison \
+ coreutils \
+ dpkg-dev dpkg \
+ flex \
+ g++ \
+ gcc \
+ krb5-dev \
+ libc-dev \
+ libedit-dev \
+ libxml2-dev \
+ libxslt-dev \
+ linux-headers \
+ make \
+ openldap-dev \
+ openssl-dev \
+ perl-dev \
+ perl-ipc-run \
+ perl-utils \
+ python3-dev \
+ tcl-dev \
+ util-linux-dev \
+ zlib-dev \
+# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13
+ icu-dev \
+# https://www.postgresql.org/docs/14/release-14.html#id-1.11.6.5.5.3.7
+ lz4-dev \
+# https://www.postgresql.org/docs/15/release-15.html "--with-zstd to enable Zstandard builds"
+ zstd-dev \
+ ; \
+ \
+ cd /usr/src/postgresql; \
+# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
+# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
+ awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \
+ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
+ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
+ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
+ \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG")
+ export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
+ export CLANG=clang-19; \
+ \
+# configure options taken from:
+# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+ ./configure \
+ --enable-option-checking=fatal \
+ --build="$gnuArch" \
+# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
+# --enable-nls \
+ --enable-integer-datetimes \
+ --enable-tap-tests \
+# skip debugging info -- we want tiny size instead
+# --enable-debug \
+ --disable-rpath \
+ --with-uuid=e2fs \
+ --with-pgport=5432 \
+ --with-system-tzdata=/usr/share/zoneinfo \
+ --prefix=/usr/local \
+ --with-includes=/usr/local/include \
+ --with-libraries=/usr/local/lib \
+ --with-gssapi \
+ --with-ldap \
+ --with-tcl \
+ --with-perl \
+ --with-python \
+# --with-pam \
+ --with-openssl \
+ --with-libxml \
+ --with-libxslt \
+ --with-icu \
+ --with-llvm \
+ --with-lz4 \
+ --with-zstd \
+ ; \
+ make -j "$(nproc)" world-bin; \
+ make install-world-bin; \
+ make -C contrib install; \
+ \
+ runDeps="$( \
+ scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
+ | tr ',' '\n' \
+ | sort -u \
+ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+# Remove plperl, plpython and pltcl dependencies by default to save image size
+# To use the pl extensions, those have to be installed in a derived image
+ | grep -v -e perl -e python -e tcl \
+ )"; \
+ apk add --no-cache --virtual .postgresql-rundeps \
+ $runDeps \
+ bash \
+ tzdata \
+ zstd \
+# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
+ icu-data-full \
+# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults")
+ $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
+ ; \
+ apk del --no-network .build-deps; \
+ cd /; \
+ rm -rf \
+ /usr/src/postgresql \
+ /usr/local/share/doc \
+ /usr/local/share/man \
+ ; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ cp -v /usr/local/share/postgresql/postgresql.conf.sample /usr/local/share/postgresql/postgresql.conf.sample.orig; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+#
+# NOTE: in 18+, PGDATA has changed to match the pg_ctlcluster standard directory structure, and the VOLUME has moved from /var/lib/postgresql/data to /var/lib/postgresql
+#
+ENV PGDATA /var/lib/postgresql/18/docker
+RUN ln -svT . /var/lib/postgresql/data # https://github.com/docker-library/postgres/pull/1259#issuecomment-2215477494
+VOLUME /var/lib/postgresql
+# ("/var/lib/postgresql" is already pre-created with suitably usable permissions above)
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/18/alpine3.22/docker-ensure-initdb.sh b/18/alpine3.22/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/18/alpine3.22/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/18/alpine3.22/docker-entrypoint.sh b/18/alpine3.22/docker-entrypoint.sh
new file mode 100755
index 0000000000..5a62870b50
--- /dev/null
+++ b/18/alpine3.22/docker-entrypoint.sh
@@ -0,0 +1,391 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/18/bookworm/Dockerfile b/18/bookworm/Dockerfile
new file mode 100644
index 0000000000..0cf4c0fb08
--- /dev/null
+++ b/18/bookworm/Dockerfile
@@ -0,0 +1,225 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM debian:bookworm-slim
+
+# explicitly set user/group IDs
+RUN set -eux; \
+ groupadd -r postgres --gid=999; \
+# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
+ useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ gnupg \
+# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
+# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
+# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
+ less \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ savedAptMark="$(apt-mark showmanual)"; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends ca-certificates wget; \
+ rm -rf /var/lib/apt/lists/*; \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ apt-mark auto '.*' > /dev/null; \
+ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+ chmod +x /usr/local/bin/gosu; \
+ gosu --version; \
+ gosu nobody true
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+RUN set -eux; \
+ if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
+# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
+ grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
+ ! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ fi; \
+ apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
+ echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
+ locale-gen; \
+ locale -a | grep 'en_US.utf8'
+ENV LANG en_US.utf8
+
+RUN set -eux; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ libnss-wrapper \
+ xz-utils \
+ zstd \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+RUN set -ex; \
+# pub 4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
+# Key fingerprint = B97B 0AFC AA1A 47F0 44F2 44A0 7FCC 7D46 ACCC 4CF8
+# uid PostgreSQL Debian Repository
+ key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ mkdir -p /usr/local/share/keyrings/; \
+ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
+ gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME"
+
+ENV PG_MAJOR 18
+ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
+
+ENV PG_VERSION 18~beta1-1.pgdg120+1
+
+RUN set -ex; \
+ \
+# see note below about "*.pyc" files
+ export PYTHONDONTWRITEBYTECODE=1; \
+ \
+ dpkgArch="$(dpkg --print-architecture)"; \
+ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main $PG_MAJOR"; \
+ case "$dpkgArch" in \
+ amd64 | arm64 | ppc64el) \
+# arches officialy built by upstream
+ echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ apt-get update; \
+ ;; \
+ *) \
+# we're on an architecture upstream doesn't officially build for
+# let's build binaries from their published source packages
+ echo "deb-src $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ \
+ savedAptMark="$(apt-mark showmanual)"; \
+ \
+ tempDir="$(mktemp -d)"; \
+ cd "$tempDir"; \
+ \
+# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
+ apt-get update; \
+ apt-get install -y --no-install-recommends dpkg-dev; \
+ echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
+ _update_repo() { \
+ dpkg-scanpackages . > Packages; \
+# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
+# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+# ...
+# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+ apt-get -o Acquire::GzipIndexes=false update; \
+ }; \
+ _update_repo; \
+ \
+# build .deb files from upstream's source packages (which are verified by apt-get)
+ nproc="$(nproc)"; \
+ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
+# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9
+ apt-get build-dep -y postgresql-common-dev; \
+ apt-get source --compile postgresql-common-dev; \
+ _update_repo; \
+ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ \
+# we don't remove APT lists here because they get re-downloaded and removed later
+ \
+# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
+ apt-mark showmanual | xargs apt-mark auto > /dev/null; \
+ apt-mark manual $savedAptMark; \
+ \
+ ls -lAFh; \
+ _update_repo; \
+ grep '^Package: ' Packages; \
+ cd /; \
+ ;; \
+ esac; \
+ \
+ apt-get install -y --no-install-recommends postgresql-common; \
+ sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
+ apt-get install -y --no-install-recommends \
+ "postgresql-$PG_MAJOR=$PG_VERSION" \
+ ; \
+# https://github.com/docker-library/postgres/pull/1344#issuecomment-2936578203 (JIT is a separate package in 18+, but only supported for a subset of architectures)
+ if apt-get install -s "postgresql-$PG_MAJOR-jit" > /dev/null 2>&1; then \
+ apt-get install -y --no-install-recommends "postgresql-$PG_MAJOR-jit=$PG_VERSION"; \
+ fi; \
+ \
+ rm -rf /var/lib/apt/lists/*; \
+ \
+ if [ -n "$tempDir" ]; then \
+# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
+ apt-get purge -y --auto-remove; \
+ rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
+ fi; \
+ \
+# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
+ find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
+ cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
+ ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+#
+# NOTE: in 18+, PGDATA has changed to match the pg_ctlcluster standard directory structure, and the VOLUME has moved from /var/lib/postgresql/data to /var/lib/postgresql
+#
+ENV PGDATA /var/lib/postgresql/18/docker
+RUN ln -svT . /var/lib/postgresql/data # https://github.com/docker-library/postgres/pull/1259#issuecomment-2215477494
+VOLUME /var/lib/postgresql
+# ("/var/lib/postgresql" is already pre-created with suitably usable permissions above)
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/18/bookworm/docker-ensure-initdb.sh b/18/bookworm/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/18/bookworm/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/18/bookworm/docker-entrypoint.sh b/18/bookworm/docker-entrypoint.sh
new file mode 100755
index 0000000000..5a62870b50
--- /dev/null
+++ b/18/bookworm/docker-entrypoint.sh
@@ -0,0 +1,391 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/18/bullseye/Dockerfile b/18/bullseye/Dockerfile
new file mode 100644
index 0000000000..2a4b74b9ff
--- /dev/null
+++ b/18/bullseye/Dockerfile
@@ -0,0 +1,225 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM debian:bullseye-slim
+
+# explicitly set user/group IDs
+RUN set -eux; \
+ groupadd -r postgres --gid=999; \
+# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
+ useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ gnupg \
+# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
+# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
+# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
+ less \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ savedAptMark="$(apt-mark showmanual)"; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends ca-certificates wget; \
+ rm -rf /var/lib/apt/lists/*; \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ apt-mark auto '.*' > /dev/null; \
+ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+ chmod +x /usr/local/bin/gosu; \
+ gosu --version; \
+ gosu nobody true
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+RUN set -eux; \
+ if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
+# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
+ grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
+ ! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ fi; \
+ apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
+ echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
+ locale-gen; \
+ locale -a | grep 'en_US.utf8'
+ENV LANG en_US.utf8
+
+RUN set -eux; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ libnss-wrapper \
+ xz-utils \
+ zstd \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+RUN set -ex; \
+# pub 4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
+# Key fingerprint = B97B 0AFC AA1A 47F0 44F2 44A0 7FCC 7D46 ACCC 4CF8
+# uid PostgreSQL Debian Repository
+ key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ mkdir -p /usr/local/share/keyrings/; \
+ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
+ gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME"
+
+ENV PG_MAJOR 18
+ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
+
+ENV PG_VERSION 18~beta1-1.pgdg110+1
+
+RUN set -ex; \
+ \
+# see note below about "*.pyc" files
+ export PYTHONDONTWRITEBYTECODE=1; \
+ \
+ dpkgArch="$(dpkg --print-architecture)"; \
+ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bullseye-pgdg main $PG_MAJOR"; \
+ case "$dpkgArch" in \
+ amd64 | arm64 | ppc64el) \
+# arches officialy built by upstream
+ echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ apt-get update; \
+ ;; \
+ *) \
+# we're on an architecture upstream doesn't officially build for
+# let's build binaries from their published source packages
+ echo "deb-src $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ \
+ savedAptMark="$(apt-mark showmanual)"; \
+ \
+ tempDir="$(mktemp -d)"; \
+ cd "$tempDir"; \
+ \
+# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
+ apt-get update; \
+ apt-get install -y --no-install-recommends dpkg-dev; \
+ echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
+ _update_repo() { \
+ dpkg-scanpackages . > Packages; \
+# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
+# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+# ...
+# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+ apt-get -o Acquire::GzipIndexes=false update; \
+ }; \
+ _update_repo; \
+ \
+# build .deb files from upstream's source packages (which are verified by apt-get)
+ nproc="$(nproc)"; \
+ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
+# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9
+ apt-get build-dep -y postgresql-common-dev; \
+ apt-get source --compile postgresql-common-dev; \
+ _update_repo; \
+ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ \
+# we don't remove APT lists here because they get re-downloaded and removed later
+ \
+# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
+ apt-mark showmanual | xargs apt-mark auto > /dev/null; \
+ apt-mark manual $savedAptMark; \
+ \
+ ls -lAFh; \
+ _update_repo; \
+ grep '^Package: ' Packages; \
+ cd /; \
+ ;; \
+ esac; \
+ \
+ apt-get install -y --no-install-recommends postgresql-common; \
+ sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
+ apt-get install -y --no-install-recommends \
+ "postgresql-$PG_MAJOR=$PG_VERSION" \
+ ; \
+# https://github.com/docker-library/postgres/pull/1344#issuecomment-2936578203 (JIT is a separate package in 18+, but only supported for a subset of architectures)
+ if apt-get install -s "postgresql-$PG_MAJOR-jit" > /dev/null 2>&1; then \
+ apt-get install -y --no-install-recommends "postgresql-$PG_MAJOR-jit=$PG_VERSION"; \
+ fi; \
+ \
+ rm -rf /var/lib/apt/lists/*; \
+ \
+ if [ -n "$tempDir" ]; then \
+# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
+ apt-get purge -y --auto-remove; \
+ rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
+ fi; \
+ \
+# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
+ find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
+ cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
+ ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+#
+# NOTE: in 18+, PGDATA has changed to match the pg_ctlcluster standard directory structure, and the VOLUME has moved from /var/lib/postgresql/data to /var/lib/postgresql
+#
+ENV PGDATA /var/lib/postgresql/18/docker
+RUN ln -svT . /var/lib/postgresql/data # https://github.com/docker-library/postgres/pull/1259#issuecomment-2215477494
+VOLUME /var/lib/postgresql
+# ("/var/lib/postgresql" is already pre-created with suitably usable permissions above)
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/18/bullseye/docker-ensure-initdb.sh b/18/bullseye/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/18/bullseye/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/18/bullseye/docker-entrypoint.sh b/18/bullseye/docker-entrypoint.sh
new file mode 100755
index 0000000000..5a62870b50
--- /dev/null
+++ b/18/bullseye/docker-entrypoint.sh
@@ -0,0 +1,391 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template
index 57807bc851..e64ad2fc2f 100644
--- a/Dockerfile-alpine.template
+++ b/Dockerfile-alpine.template
@@ -1,14 +1,50 @@
-FROM alpine:{{ .alpine }}
+{{
+ def alpine_version:
+ env.variant | ltrimstr("alpine")
+-}}
+FROM alpine:{{ alpine_version }}
# 70 is the standard uid/gid for "postgres" in Alpine
-# https://git.alpinelinux.org/aports/tree/main/postgresql/postgresql.pre-install?h=3.12-stable
+# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.22-stable
RUN set -eux; \
addgroup -g 70 -S postgres; \
adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
- mkdir -p /var/lib/postgresql; \
- chown -R postgres:postgres /var/lib/postgresql
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
-# su-exec (gosu-compatible) is installed further down
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ \
+ apk add --no-cache --virtual .gosu-deps \
+ ca-certificates \
+ dpkg \
+ gnupg \
+ ; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ \
+# verify the signature
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ \
+# clean up fetch dependencies
+ apk del --no-network .gosu-deps; \
+ \
+ chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+ gosu --version; \
+ gosu nobody true
+{{ if env.version | IN("13", "14", "15", "16") then ( -}}
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
+{{ ) else "" end -}}
# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
# alpine doesn't require explicit locale-file generation
@@ -20,6 +56,14 @@ ENV PG_MAJOR {{ env.version }}
ENV PG_VERSION {{ .version }}
ENV PG_SHA256 {{ .sha256 }}
+{{
+ def llvmver:
+ "19"
+-}}
+ENV DOCKER_PG_LLVM_DEPS \
+ llvm{{ llvmver }}-dev \
+ clang{{ llvmver }}
+
RUN set -eux; \
\
wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \
@@ -34,10 +78,12 @@ RUN set -eux; \
rm postgresql.tar.bz2; \
\
apk add --no-cache --virtual .build-deps \
+ $DOCKER_PG_LLVM_DEPS \
bison \
coreutils \
dpkg-dev dpkg \
flex \
+ g++ \
gcc \
krb5-dev \
libc-dev \
@@ -45,9 +91,6 @@ RUN set -eux; \
libxml2-dev \
libxslt-dev \
linux-headers \
-{{ if .major >= 11 then ( -}}
- llvm-dev clang g++ \
-{{ ) else "" end -}}
make \
openldap-dev \
openssl-dev \
@@ -77,29 +120,39 @@ RUN set -eux; \
grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
-# explicitly update autoconf config.guess and config.sub so they support more arches/libcs
- wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb'; \
- wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb'; \
+ \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n176 ("export LLVM_CONFIG")
+ export LLVM_CONFIG="/usr/lib/llvm{{ llvmver }}/bin/llvm-config"; \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.22-stable#n180 ("older clang versions don't have a 'clang' exe anymore.")
+ export CLANG=clang-{{ llvmver }}; \
+ \
# configure options taken from:
# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
./configure \
+ --enable-option-checking=fatal \
--build="$gnuArch" \
# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
# --enable-nls \
--enable-integer-datetimes \
+{{ if .major <= 16 then ( -}}
+{{ # in 17: this option is reversed. you need to disable it -}}
--enable-thread-safety \
+{{ ) else "" end -}}
--enable-tap-tests \
# skip debugging info -- we want tiny size instead
# --enable-debug \
--disable-rpath \
--with-uuid=e2fs \
+{{ # in 16: "configure: error: unrecognized options: --with-gnu-ld" -}}
+{{ # https://github.com/postgres/postgres/commit/9db49fc5bfdc0126be03f4b8986013e59d93b91d -}}
+{{ if .major <= 15 then ( -}}
--with-gnu-ld \
+{{ ) else "" end -}}
--with-pgport=5432 \
--with-system-tzdata=/usr/share/zoneinfo \
--prefix=/usr/local \
--with-includes=/usr/local/include \
--with-libraries=/usr/local/lib \
- --with-krb5 \
--with-gssapi \
--with-ldap \
--with-tcl \
@@ -110,9 +163,7 @@ RUN set -eux; \
--with-libxml \
--with-libxslt \
--with-icu \
-{{ if .major >= 11 then ( -}}
--with-llvm \
-{{ ) else "" end -}}
{{ if .major >= 14 then ( -}}
--with-lz4 \
{{ ) else "" end -}}
@@ -120,8 +171,8 @@ RUN set -eux; \
--with-zstd \
{{ ) else "" end -}}
; \
- make -j "$(nproc)" world; \
- make install-world; \
+ make -j "$(nproc)" world-bin; \
+ make install-world-bin; \
make -C contrib install; \
\
runDeps="$( \
@@ -136,13 +187,11 @@ RUN set -eux; \
apk add --no-cache --virtual .postgresql-rundeps \
$runDeps \
bash \
- su-exec \
tzdata \
zstd \
# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
icu-data-full \
-# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le"
-# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663
+# https://git.alpinelinux.org/aports/tree/community/nss_wrapper/APKBUILD?h=3.22-stable#n7 ("ppc64le: test case segfaults")
$([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
; \
apk del --no-network .build-deps; \
@@ -161,34 +210,36 @@ RUN set -eux; \
sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
-RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 3777 /var/run/postgresql
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+{{ if .major >= 18 then ( -}}
+#
+# NOTE: in 18+, PGDATA has changed to match the pg_ctlcluster standard directory structure, and the VOLUME has moved from /var/lib/postgresql/data to /var/lib/postgresql
+#
+ENV PGDATA /var/lib/postgresql/{{ .major | tostring }}/docker
+RUN ln -svT . /var/lib/postgresql/data # https://github.com/docker-library/postgres/pull/1259#issuecomment-2215477494
+VOLUME /var/lib/postgresql
+# ("/var/lib/postgresql" is already pre-created with suitably usable permissions above)
+{{ ) else ( -}}
ENV PGDATA /var/lib/postgresql/data
-# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 1777 "$PGDATA"
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
VOLUME /var/lib/postgresql/data
-
-COPY docker-entrypoint.sh /usr/local/bin/
-{{ if .major >= 11 then "" else ( -}}
-RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
{{ ) end -}}
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
ENTRYPOINT ["docker-entrypoint.sh"]
# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
# calls "Fast Shutdown mode" wherein new connections are disallowed and any
# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
-# flush tables to disk, which is the best compromise available to avoid data
-# corruption.
-#
-# Users who know their applications do not keep open long-lived idle connections
-# may way to use a value of SIGTERM instead, which corresponds to "Smart
-# Shutdown mode" in which any existing sessions are allowed to finish and the
-# server stops when all sessions are terminated.
+# flush tables to disk.
#
-# See https://www.postgresql.org/docs/12/server-shutdown.html for more details
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
# about available PostgreSQL server shutdown signals.
#
-# See also https://www.postgresql.org/docs/12/server-start.html for further
+# See also https://www.postgresql.org/docs/current/server-start.html for further
# justification of this as the default value, namely that the example (and
# shipped) systemd service files use the "Fast Shutdown mode" for service
# termination.
@@ -198,10 +249,10 @@ STOPSIGNAL SIGINT
# An additional setting that is recommended for all users regardless of this
# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
# equivalent) for controlling how long to wait between sending the defined
-# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption).
+# STOPSIGNAL and sending SIGKILL.
#
# The default in most runtimes (such as Docker) is 10 seconds, and the
-# documentation at https://www.postgresql.org/docs/12/server-start.html notes
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
# that even 90 seconds may not be long enough in many instances.
EXPOSE 5432
diff --git a/Dockerfile-debian.template b/Dockerfile-debian.template
index 49b412d55e..81a6a0a0c5 100644
--- a/Dockerfile-debian.template
+++ b/Dockerfile-debian.template
@@ -1,15 +1,5 @@
FROM debian:{{ env.variant }}-slim
-RUN set -ex; \
- if ! command -v gpg > /dev/null; then \
- apt-get update; \
- apt-get install -y --no-install-recommends \
- gnupg \
- dirmngr \
- ; \
- rm -rf /var/lib/apt/lists/*; \
- fi
-
# explicitly set user/group IDs
RUN set -eux; \
groupadd -r postgres --gid=999; \
@@ -17,12 +7,22 @@ RUN set -eux; \
useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
# also create the postgres user's home directory with appropriate permissions
# see https://github.com/docker-library/postgres/issues/274
- mkdir -p /var/lib/postgresql; \
- chown -R postgres:postgres /var/lib/postgresql
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ gnupg \
+# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
+# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
+# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
+ less \
+ ; \
+ rm -rf /var/lib/apt/lists/*
# grab gosu for easy step-down from root
# https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION 1.16
+ENV GOSU_VERSION 1.17
RUN set -eux; \
savedAptMark="$(apt-mark showmanual)"; \
apt-get update; \
@@ -52,7 +52,9 @@ RUN set -eux; \
! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
fi; \
apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
- localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
+ echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
+ locale-gen; \
+ locale -a | grep 'en_US.utf8'
ENV LANG en_US.utf8
RUN set -eux; \
@@ -75,7 +77,7 @@ RUN set -ex; \
mkdir -p /usr/local/share/keyrings/; \
gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
- command -v gpgconf > /dev/null && gpgconf --kill all; \
+ gpgconf --kill all; \
rm -rf "$GNUPGHOME"
ENV PG_MAJOR {{ env.version }}
@@ -123,10 +125,9 @@ RUN set -ex; \
# build .deb files from upstream's source packages (which are verified by apt-get)
nproc="$(nproc)"; \
export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
-# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876
-# (and it "Depends: pgdg-keyring")
- apt-get build-dep -y postgresql-common pgdg-keyring; \
- apt-get source --compile postgresql-common pgdg-keyring; \
+# we have to build postgresql-common-dev first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/f4338a0d28cf4541956bddb0f4e444ba9dba81b9
+ apt-get build-dep -y postgresql-common-dev; \
+ apt-get source --compile postgresql-common-dev; \
_update_repo; \
{{ if .major == 13 then ( -}}
# we need DEBIAN_FRONTEND on postgresql-13 for slapd ("Please enter the password for the admin entry in your LDAP directory."); see https://bugs.debian.org/929417
@@ -154,6 +155,12 @@ RUN set -ex; \
apt-get install -y --no-install-recommends \
"postgresql-$PG_MAJOR=$PG_VERSION" \
; \
+{{ if .major >= 18 then ( -}}
+# https://github.com/docker-library/postgres/pull/1344#issuecomment-2936578203 (JIT is a separate package in 18+, but only supported for a subset of architectures)
+ if apt-get install -s "postgresql-$PG_MAJOR-jit" > /dev/null 2>&1; then \
+ apt-get install -y --no-install-recommends "postgresql-$PG_MAJOR-jit=$PG_VERSION"; \
+ fi; \
+{{ ) else "" end -}}
\
rm -rf /var/lib/apt/lists/*; \
\
@@ -176,34 +183,36 @@ RUN set -eux; \
sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
-RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+{{ if .major >= 18 then ( -}}
+#
+# NOTE: in 18+, PGDATA has changed to match the pg_ctlcluster standard directory structure, and the VOLUME has moved from /var/lib/postgresql/data to /var/lib/postgresql
+#
+ENV PGDATA /var/lib/postgresql/{{ .major | tostring }}/docker
+RUN ln -svT . /var/lib/postgresql/data # https://github.com/docker-library/postgres/pull/1259#issuecomment-2215477494
+VOLUME /var/lib/postgresql
+# ("/var/lib/postgresql" is already pre-created with suitably usable permissions above)
+{{ ) else ( -}}
ENV PGDATA /var/lib/postgresql/data
-# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA"
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
VOLUME /var/lib/postgresql/data
-
-COPY docker-entrypoint.sh /usr/local/bin/
-{{ if .major >= 11 then "" else ( -}}
-RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
{{ ) end -}}
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
ENTRYPOINT ["docker-entrypoint.sh"]
# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
# calls "Fast Shutdown mode" wherein new connections are disallowed and any
# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
-# flush tables to disk, which is the best compromise available to avoid data
-# corruption.
-#
-# Users who know their applications do not keep open long-lived idle connections
-# may way to use a value of SIGTERM instead, which corresponds to "Smart
-# Shutdown mode" in which any existing sessions are allowed to finish and the
-# server stops when all sessions are terminated.
+# flush tables to disk.
#
-# See https://www.postgresql.org/docs/12/server-shutdown.html for more details
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
# about available PostgreSQL server shutdown signals.
#
-# See also https://www.postgresql.org/docs/12/server-start.html for further
+# See also https://www.postgresql.org/docs/current/server-start.html for further
# justification of this as the default value, namely that the example (and
# shipped) systemd service files use the "Fast Shutdown mode" for service
# termination.
@@ -213,10 +222,10 @@ STOPSIGNAL SIGINT
# An additional setting that is recommended for all users regardless of this
# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
# equivalent) for controlling how long to wait between sending the defined
-# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption).
+# STOPSIGNAL and sending SIGKILL.
#
# The default in most runtimes (such as Docker) is 10 seconds, and the
-# documentation at https://www.postgresql.org/docs/12/server-start.html notes
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
# that even 90 seconds may not be long enough in many instances.
EXPOSE 5432
diff --git a/README.md b/README.md
index 09b82c90c2..883f0701e9 100644
--- a/README.md
+++ b/README.md
@@ -12,15 +12,4 @@ For more information about the full official images change lifecycle, see [the "
For outstanding `postgres` image PRs, check [PRs with the "library/postgres" label on the official-images repository](https://github.com/docker-library/official-images/labels/library%2Fpostgres). For the current "source of truth" for [`postgres`](https://hub.docker.com/_/postgres/), see [the `library/postgres` file in the official-images repository](https://github.com/docker-library/official-images/blob/master/library/postgres).
----
-
-- [](https://github.com/docker-library/postgres/actions?query=workflow%3A%22GitHub+CI%22+branch%3Amaster)
-- [](https://doi-janky.infosiftr.net/job/update.sh/job/postgres/)
-
-| Build | Status | Badges | (per-arch) |
-|:-:|:-:|:-:|:-:|
-| [](https://doi-janky.infosiftr.net/job/multiarch/job/amd64/job/postgres/) | [](https://doi-janky.infosiftr.net/job/multiarch/job/arm32v5/job/postgres/) | [](https://doi-janky.infosiftr.net/job/multiarch/job/arm32v6/job/postgres/) | [](https://doi-janky.infosiftr.net/job/multiarch/job/arm32v7/job/postgres/) |
-| [](https://doi-janky.infosiftr.net/job/multiarch/job/arm64v8/job/postgres/) | [](https://doi-janky.infosiftr.net/job/multiarch/job/i386/job/postgres/) | [](https://doi-janky.infosiftr.net/job/multiarch/job/mips64le/job/postgres/) | [](https://doi-janky.infosiftr.net/job/multiarch/job/ppc64le/job/postgres/) |
-| [](https://doi-janky.infosiftr.net/job/multiarch/job/s390x/job/postgres/) | [](https://doi-janky.infosiftr.net/job/put-shared/job/light/job/postgres/) |
-
<!-- THIS FILE IS GENERATED BY https://github.com/docker-library/docs/blob/master/generate-repo-stub-readme.sh -->
diff --git a/apply-templates.sh b/apply-templates.sh
index b4c1a33d7f..aa2d65c6b0 100755
--- a/apply-templates.sh
+++ b/apply-templates.sh
@@ -34,7 +34,7 @@ for version; do
major="$(jq -r '.[env.version].major' versions.json)"
- variants="$(jq -r '.[env.version].debianSuites + ["alpine"] | map(@sh) | join(" ")' versions.json)"
+ variants="$(jq -r '.[env.version].variants | map(@sh) | join(" ")' versions.json)"
eval "variants=( $variants )"
rm -rf "$version"
@@ -47,19 +47,20 @@ for version; do
echo "processing $dir ..."
- if [ "$variant" = 'alpine' ]; then
- template='Dockerfile-alpine.template'
- else
- template='Dockerfile-debian.template'
- fi
+ case "$variant" in
+ alpine*)
+ template='Dockerfile-alpine.template'
+ ;;
+ *)
+ template='Dockerfile-debian.template'
+ ;;
+ esac
+
{
generated_warning
gawk -f "$jqt" "$template"
} > "$dir/Dockerfile"
- cp -a docker-entrypoint.sh "$dir/"
- if [ "$variant" = 'alpine' ]; then
- sed -i -e 's/gosu/su-exec/g' "$dir/docker-entrypoint.sh"
- fi
+ cp -a docker-entrypoint.sh docker-ensure-initdb.sh "$dir/"
done
done
diff --git a/docker-ensure-initdb.sh b/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..e9b15ef77d
--- /dev/null
+++ b/docker-ensure-initdb.sh
@@ -0,0 +1,72 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+ docker_error_old_databases
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 0ae0ecf8c2..5a62870b50 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -103,20 +103,24 @@ docker_init_database_dir() {
# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
- # check password first so we can output the warning before postgres
- # messes it up
- if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
- cat >&2 <<-'EOWARN'
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
- WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
- This will not work if used via PGPASSWORD with "psql".
+ This will not work if used via PGPASSWORD with "psql".
- https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
- https://github.com/docker-library/postgres/issues/507
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
- EOWARN
- fi
+ EOWARN
+ fi
+ ;;
+ esac
if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
cat >&2 <<-'EOE'
@@ -150,6 +154,29 @@ docker_verify_minimum_env() {
EOWARN
fi
}
+# similar to the above, but errors if there are any "old" databases detected (usually due to upgrades without pg_upgrade)
+docker_error_old_databases() {
+ if [ -n "${OLD_DATABASES[0]:-}" ]; then
+ cat >&2 <<-EOE
+ Error: in 18+, these Docker images are configured to store database data in a
+ format which is compatible with "pg_ctlcluster" (specifically, using
+ major-version-specific directory names). This better reflects how
+ PostgreSQL itself works, and how upgrades are to be performed.
+
+ See also https://github.com/docker-library/postgres/pull/1259
+
+ Counter to that, there appears to be PostgreSQL data in:
+ ${OLD_DATABASES[*]}
+
+ This is usually the result of upgrading the Docker image without upgrading
+ the underlying database using "pg_upgrade" (which requires both versions).
+
+ See https://github.com/docker-library/postgres/issues/37 for a (long)
+ discussion around this process, and suggestions for how to do so.
+ EOE
+ exit 1
+ fi
+}
# usage: docker_process_init_files [file [file [...]]]
# ie: docker_process_init_files /always-initdb.d/*
@@ -225,9 +252,18 @@ docker_setup_env() {
: "${POSTGRES_HOST_AUTH_METHOD:=}"
declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ declare -ag OLD_DATABASES=()
# look specifically for PG_VERSION, as it is expected in the DB dir
if [ -s "$PGDATA/PG_VERSION" ]; then
DATABASE_ALREADY_EXISTS='true'
+ elif [ "$PGDATA" = "/var/lib/postgresql/$PG_MAJOR/docker" ]; then
+ # https://github.com/docker-library/postgres/pull/1259
+ for d in /var/lib/postgresql /var/lib/postgresql/data /var/lib/postgresql/*/docker; do
+ if [ -s "$d/PG_VERSION" ]; then
+ OLD_DATABASES+=( "$d" )
+ fi
+ done
fi
}
@@ -247,7 +283,7 @@ pg_setup_hba_conf() {
printf '\n'
if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
printf '# warning trust is enabled for all connections\n'
- printf '# see https://www.postgresql.org/docs/12/auth-trust.html\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
fi
printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
@@ -264,6 +300,9 @@ docker_temp_server_start() {
# does not listen on external TCP/IP and waits until start finishes
set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
PGUSER="${PGUSER:-$POSTGRES_USER}" \
pg_ctl -D "$PGDATA" \
-o "$(printf '%q ' "$@")" \
@@ -311,6 +350,7 @@ _main() {
# only run initialization on an empty data directory
if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
docker_verify_minimum_env
+ docker_error_old_databases
# check dir permissions to reduce likelihood of half-initialized database
ls /docker-entrypoint-initdb.d/ > /dev/null
diff --git a/generate-stackbrew-library.sh b/generate-stackbrew-library.sh
index cef5d3534f..234a5266a1 100755
--- a/generate-stackbrew-library.sh
+++ b/generate-stackbrew-library.sh
@@ -2,7 +2,7 @@
set -Eeuo pipefail
declare -A aliases=(
- [15]='latest'
+ [17]='latest'
)
self="$(basename "$BASH_SOURCE")"
@@ -44,17 +44,19 @@ dirCommit() {
getArches() {
local repo="$1"; shift
- local officialImagesUrl='https://github.com/docker-library/official-images/raw/master/library/'
+ local officialImagesBase="${BASHBREW_LIBRARY:-https://github.com/docker-library/official-images/raw/HEAD/library}/"
- eval "declare -g -A parentRepoToArches=( $(
- find -name 'Dockerfile' -exec awk '
+ local parentRepoToArchesStr
+ parentRepoToArchesStr="$(
+ find -name 'Dockerfile' -exec awk -v officialImagesBase="$officialImagesBase" '
toupper($1) == "FROM" && $2 !~ /^('"$repo"'|scratch|.*\/.*)(:|$)/ {
- print "'"$officialImagesUrl"'" $2
+ printf "%s%s\n", officialImagesBase, $2
}
' '{}' + \
| sort -u \
- | xargs bashbrew cat --format '[{{ .RepoName }}:{{ .TagName }}]="{{ join " " .TagEntry.Architectures }}"'
- ) )"
+ | xargs -r bashbrew cat --format '["{{ .RepoName }}:{{ .TagName }}"]="{{ join " " .TagEntry.Architectures }}"'
+ )"
+ eval "declare -g -A parentRepoToArches=( $parentRepoToArchesStr )"
}
getArches 'postgres'
@@ -76,9 +78,10 @@ join() {
for version; do
export version
- variants="$(jq -r '.[env.version].debianSuites + ["alpine"] | map(@sh) | join(" ")' versions.json)"
+ variants="$(jq -r '.[env.version].variants | map(@sh) | join(" ")' versions.json)"
eval "variants=( $variants )"
+ alpine="$(jq -r '.[env.version].alpine' versions.json)"
debian="$(jq -r '.[env.version].debian' versions.json)"
fullVersion="$(jq -r '.[env.version].version' versions.json)"
@@ -115,9 +118,8 @@ for version; do
"${variantAliases[@]}"
)
;;
- alpine)
- alpine="alpine${parent#*:}"
- variantAliases+=( "${versionAliases[@]/%/-$alpine}" )
+ alpine"$alpine")
+ variantAliases+=( "${versionAliases[@]/%/-alpine}" )
variantAliases=( "${variantAliases[@]//latest-/}" )
;;
esac
diff --git a/versions.json b/versions.json
index d214443618..96e2558966 100644
--- a/versions.json
+++ b/versions.json
@@ -1,92 +1,176 @@
{
- "11": {
- "alpine": "3.17",
+ "13": {
+ "alpine": "3.22",
+ "bookworm": {
+ "arches": [
+ "amd64",
+ "arm64",
+ "ppc64el"
+ ],
+ "version": "13.21-1.pgdg120+1"
+ },
"bullseye": {
"arches": [
"amd64",
"arm64",
"ppc64el"
],
- "version": "11.19-1.pgdg110+1"
+ "version": "13.21-1.pgdg110+1"
},
- "debian": "",
- "debianSuites": [
- "bullseye"
+ "debian": "bookworm",
+ "major": 13,
+ "sha256": "dcda1294df45f033b0656cf7a8e4afbbc624c25e1b144aec79530f74d7ef4ab4",
+ "variants": [
+ "bookworm",
+ "bullseye",
+ "alpine3.22",
+ "alpine3.21"
],
- "major": 11,
- "sha256": "13109e2b71f1139405c27201da3733a61ace72ee1c228d9c9f0320e06aee14c2",
- "version": "11.19"
+ "version": "13.21"
},
- "12": {
- "alpine": "3.17",
+ "14": {
+ "alpine": "3.22",
+ "bookworm": {
+ "arches": [
+ "amd64",
+ "arm64",
+ "ppc64el"
+ ],
+ "version": "14.18-1.pgdg120+1"
+ },
"bullseye": {
"arches": [
"amd64",
"arm64",
"ppc64el"
],
- "version": "12.14-1.pgdg110+1"
+ "version": "14.18-1.pgdg110+1"
},
- "debian": "bullseye",
- "debianSuites": [
- "bullseye"
+ "debian": "bookworm",
+ "major": 14,
+ "sha256": "83ab29d6bfc3dc58b2ed3c664114fdfbeb6a0450c4b8d7fa69aee91e3ca14f8e",
+ "variants": [
+ "bookworm",
+ "bullseye",
+ "alpine3.22",
+ "alpine3.21"
],
- "major": 12,
- "sha256": "785610237d382c842d356e347138e58c06ffeae240e6cc0b52ac5ebcc30d043e",
- "version": "12.14"
+ "version": "14.18"
},
- "13": {
- "alpine": "3.17",
+ "15": {
+ "alpine": "3.22",
+ "bookworm": {
+ "arches": [
+ "amd64",
+ "arm64",
+ "ppc64el"
+ ],
+ "version": "15.13-1.pgdg120+1"
+ },
"bullseye": {
"arches": [
"amd64",
"arm64",
"ppc64el"
],
- "version": "13.10-1.pgdg110+1"
+ "version": "15.13-1.pgdg110+1"
},
- "debian": "bullseye",
- "debianSuites": [
- "bullseye"
+ "debian": "bookworm",
+ "major": 15,
+ "sha256": "4f62e133d22ea08a0401b0840920e26698644d01a80c34341fb732dd0a90ca5d",
+ "variants": [
+ "bookworm",
+ "bullseye",
+ "alpine3.22",
+ "alpine3.21"
],
- "major": 13,
- "sha256": "5bbcf5a56d85c44f3a8b058fb46862ff49cbc91834d07e295d02e6de3c216df2",
- "version": "13.10"
+ "version": "15.13"
},
- "14": {
- "alpine": "3.17",
+ "16": {
+ "alpine": "3.22",
+ "bookworm": {
+ "arches": [
+ "amd64",
+ "arm64",
+ "ppc64el"
+ ],
+ "version": "16.9-1.pgdg120+1"
+ },
"bullseye": {
"arches": [
"amd64",
"arm64",
"ppc64el"
],
- "version": "14.7-1.pgdg110+1"
+ "version": "16.9-1.pgdg110+1"
},
- "debian": "bullseye",
- "debianSuites": [
- "bullseye"
+ "debian": "bookworm",
+ "major": 16,
+ "sha256": "07c00fb824df0a0c295f249f44691b86e3266753b380c96f633c3311e10bd005",
+ "variants": [
+ "bookworm",
+ "bullseye",
+ "alpine3.22",
+ "alpine3.21"
],
- "major": 14,
- "sha256": "cef60f0098fa8101c1546f4254e45b722af5431337945b37af207007630db331",
- "version": "14.7"
+ "version": "16.9"
},
- "15": {
- "alpine": "3.17",
+ "17": {
+ "alpine": "3.22",
+ "bookworm": {
+ "arches": [
+ "amd64",
+ "arm64",
+ "ppc64el"
+ ],
+ "version": "17.5-1.pgdg120+1"
+ },
"bullseye": {
"arches": [
"amd64",
"arm64",
"ppc64el"
],
- "version": "15.2-1.pgdg110+1"
+ "version": "17.5-1.pgdg110+1"
},
- "debian": "bullseye",
- "debianSuites": [
- "bullseye"
+ "debian": "bookworm",
+ "major": 17,
+ "sha256": "fcb7ab38e23b264d1902cb25e6adafb4525a6ebcbd015434aeef9eda80f528d8",
+ "variants": [
+ "bookworm",
+ "bullseye",
+ "alpine3.22",
+ "alpine3.21"
],
- "major": 15,
- "sha256": "99a2171fc3d6b5b5f56b757a7a3cb85d509a38e4273805def23941ed2b8468c7",
- "version": "15.2"
+ "version": "17.5"
+ },
+ "18": {
+ "alpine": "3.22",
+ "bookworm": {
+ "arches": [
+ "amd64",
+ "arm64",
+ "ppc64el"
+ ],
+ "version": "18~beta1-1.pgdg120+1"
+ },
+ "bullseye": {
+ "arches": [
+ "amd64",
+ "arm64",
+ "ppc64el"
+ ],
+ "version": "18~beta1-1.pgdg110+1"
+ },
+ "debian": "bookworm",
+ "major": 18,
+ "sha256": "0b7c83df6195398aa67dbf5c002e7fa4082be393aae99aa69926d483f98eb885",
+ "variants": [
+ "bookworm",
+ "bullseye",
+ "alpine3.22",
+ "alpine3.21"
+ ],
+ "version": "18beta1"
}
}
diff --git a/versions.sh b/versions.sh
index e0bead30d2..f466ac57a9 100755
--- a/versions.sh
+++ b/versions.sh
@@ -1,15 +1,19 @@
#!/usr/bin/env bash
set -Eeuo pipefail
-# https://github.com/docker-library/postgres/issues/582 😬
-defaultDebianSuite='bullseye'
-declare -A debianSuites=(
- [11]=''
-)
-allDebianSuites=(
+# we will support at most two entries in each of these lists, and both should be in descending order
+supportedDebianSuites=(
+ bookworm
bullseye
)
-defaultAlpineVersion='3.17'
+supportedAlpineVersions=(
+ 3.22
+ 3.21
+)
+defaultDebianSuite="${supportedDebianSuites[0]}"
+declare -A debianSuites=(
+)
+defaultAlpineVersion="${supportedAlpineVersions[0]}"
declare -A alpineVersions=(
#[14]='3.16'
)
@@ -35,6 +39,8 @@ _raw_package_list() {
curl -fsSL "$packagesBase/$suite-pgdg/$component/binary-$arch/Packages.bz2" | bunzip2
}
fetch_suite_package_list() {
+ local -; set +x # make sure running with "set -x" doesn't spam the terminal with the raw package lists
+
local suite="$1"; shift
local version="$1"; shift
local arch="$1"; shift
@@ -74,7 +80,7 @@ for version in "${versions[@]}"; do
export version
versionAlpineVersion="${alpineVersions[$version]:-$defaultAlpineVersion}"
- versionDebianSuite="${debianSuites[$version]-$defaultDebianSuite}" # intentionally missing ":" so it can be empty (again, https://github.com/docker-library/postgres/issues/582 ðŸ˜)
+ versionDebianSuite="${debianSuites[$version]:-$defaultDebianSuite}"
export versionAlpineVersion versionDebianSuite
doc="$(jq -nc '{
@@ -82,24 +88,20 @@ for version in "${versions[@]}"; do
debian: env.versionDebianSuite,
}')"
- versionDebianSuites=()
- for suite in "${allDebianSuites[@]}"; do
- versionDebianSuites+=( "$suite" )
- done
-
fullVersion=
- for suite in "${versionDebianSuites[@]}"; do
+ for suite in "${supportedDebianSuites[@]}"; do
fetch_suite_package_list "$suite" "$version" 'amd64'
- suiteVersion="$(awk_package_list "$suite" "$version" 'amd64' '
+ suiteVersions="$(awk_package_list "$suite" "$version" 'amd64' '
$1 == "Package" { pkg = $2 }
- $1 == "Version" && pkg == "postgresql-" version { print $2; exit }
- ')"
- srcVersion="${suiteVersion%%-*}"
+ $1 == "Version" && pkg == "postgresql-" version { print $2 }
+ ' | sort -V)"
+ suiteVersion="$(tail -1 <<<"$suiteVersions")" # "15~beta4-1.pgdg110+1"
+ srcVersion="${suiteVersion%%-*}" # "15~beta4"
tilde='~'
- srcVersion="${srcVersion//$tilde/}"
+ srcVersion="${srcVersion//$tilde/}" # "15beta4"
[ -n "$fullVersion" ] || fullVersion="$srcVersion"
if [ "$fullVersion" != "$srcVersion" ]; then
- echo >&2 "warning: $version should be '$fullVersion' but $suite is '$srcVersion'"
+ echo >&2 "warning: $version should be '$fullVersion' but $suite has '$srcVersion' ($suiteVersion)"
continue
fi
@@ -122,7 +124,13 @@ for version in "${versions[@]}"; do
version: env.suiteVersion,
arches: $arches,
}
- | .debianSuites += [ env.suite ]
+ | .variants += [ env.suite ]
+ ')"
+ done
+
+ for alpineVersion in "${supportedAlpineVersions[@]}"; do
+ doc="$(jq <<<"$doc" -c --arg v "$alpineVersion" '
+ .variants += [ "alpine" + $v ]
')"
done