diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000000..4d1ee06a43
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,4 @@
+/*/**/Dockerfile linguist-generated
+/*/**/docker-ensure-initdb.sh linguist-generated
+/*/**/docker-entrypoint.sh linguist-generated
+/Dockerfile*.template linguist-language=Dockerfile
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 0000000000..ccc7fd8955
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,50 @@
+name: GitHub CI
+
+on:
+ pull_request:
+ push:
+ schedule:
+ - cron: 0 0 * * 0
+ workflow_dispatch:
+
+defaults:
+ run:
+ shell: 'bash -Eeuo pipefail -x {0}'
+
+jobs:
+
+ generate-jobs:
+ name: Generate Jobs
+ runs-on: ubuntu-latest
+ outputs:
+ strategy: ${{ steps.generate-jobs.outputs.strategy }}
+ steps:
+ - uses: actions/checkout@v4
+ - uses: docker-library/bashbrew@HEAD
+ - id: generate-jobs
+ name: Generate Jobs
+ run: |
+ strategy="$("$BASHBREW_SCRIPTS/github-actions/generate.sh")"
+ strategy="$(.github/workflows/munge.sh -c <<<"$strategy")"
+ echo "strategy=$strategy" >> "$GITHUB_OUTPUT"
+ jq . <<<"$strategy" # sanity check / debugging aid
+
+ test:
+ needs: generate-jobs
+ strategy: ${{ fromJson(needs.generate-jobs.outputs.strategy) }}
+ name: ${{ matrix.name }}
+ runs-on: ${{ matrix.os }}
+ steps:
+ - uses: actions/checkout@v4
+ - name: Prepare Environment
+ run: ${{ matrix.runs.prepare }}
+ - name: Pull Dependencies
+ run: ${{ matrix.runs.pull }}
+ - name: Build ${{ matrix.name }}
+ run: ${{ matrix.runs.build }}
+ - name: History ${{ matrix.name }}
+ run: ${{ matrix.runs.history }}
+ - name: Test ${{ matrix.name }}
+ run: ${{ matrix.runs.test }}
+ - name: '"docker images"'
+ run: ${{ matrix.runs.images }}
diff --git a/.github/workflows/munge.sh b/.github/workflows/munge.sh
new file mode 100755
index 0000000000..9686dd0700
--- /dev/null
+++ b/.github/workflows/munge.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+# copy all the Debian build jobs into "force deb build" jobs which build like architectures upstream doesn't publish for will
+jq \
+ --arg prefix '[ "$(dpkg --print-architecture)" = "amd64" ]' \
+ --arg dfMunge 'grep -qE "amd64 [|] " "$df"; sed -ri -e "s/amd64 [|] //g" "$df"; ! grep -qE "amd64 [|] " "$df"' \
+ '
+ .matrix.include += [
+ .matrix.include[]
+ | select(.name | test(" (.+)") | not) # ignore any existing munged builds
+ | select(.meta.froms[] | test("^debian:|^ubuntu:"))
+ | .name += " (force deb build)"
+ | .runs.build = (
+ [
+ "# force us to build debs instead of downloading them",
+ $prefix,
+ ("for df in " + ([ .meta.dockerfiles[] | @sh ] | join(" ")) + "; do " + $dfMunge + "; done"),
+ .runs.build
+ ] | join ("\n")
+ )
+ ]
+ ' "$@"
diff --git a/.github/workflows/verify-templating.yml b/.github/workflows/verify-templating.yml
new file mode 100644
index 0000000000..e822ba6bb9
--- /dev/null
+++ b/.github/workflows/verify-templating.yml
@@ -0,0 +1,19 @@
+name: Verify Templating
+
+on:
+ pull_request:
+ push:
+ workflow_dispatch:
+
+defaults:
+ run:
+ shell: 'bash -Eeuo pipefail -x {0}'
+
+jobs:
+ apply-templates:
+ name: Check For Uncomitted Changes
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - run: ./apply-templates.sh
+ - run: git diff --exit-code
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000000..d548f66de0
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.jq-template.awk
diff --git a/.travis.yml b/.travis.yml
deleted file mode 100644
index eaa66e00e1..0000000000
--- a/.travis.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-language: bash
-services: docker
-
-env:
- - VERSION=11
- - VERSION=11 FORCE_DEB_BUILD=1
- - VERSION=11 VARIANT=alpine
- - VERSION=10
- - VERSION=10 FORCE_DEB_BUILD=1
- - VERSION=10 VARIANT=alpine
- - VERSION=9.6
- - VERSION=9.6 FORCE_DEB_BUILD=1
- - VERSION=9.6 VARIANT=alpine
- - VERSION=9.5
- - VERSION=9.5 FORCE_DEB_BUILD=1
- - VERSION=9.5 VARIANT=alpine
- - VERSION=9.4
- - VERSION=9.4 FORCE_DEB_BUILD=1
- - VERSION=9.4 VARIANT=alpine
-
-install:
- - git clone https://github.com/docker-library/official-images.git ~/official-images
-
-before_script:
- - env | sort
- - wget -qO- 'https://github.com/tianon/pgp-happy-eyeballs/raw/master/hack-my-builds.sh' | bash
- - cd "$VERSION/$VARIANT"
- - image="postgres:${VERSION}${VARIANT:+-${VARIANT}}"
-
-script:
- - |
- (
- set -Eeuo pipefail
- set -x
- if [ -n "${FORCE_DEB_BUILD:+x}" ]; then
- [ "$(dpkg --print-architecture)" = 'amd64' ]
- grep -qE 'amd64[|]' Dockerfile
- sed -ri -e 's/amd64[|]//g' Dockerfile
- ! grep -qE 'amd64[|]' Dockerfile
- fi
- docker build -t "$image" .
- ~/official-images/test/run.sh "$image"
- )
-
-after_script:
- - docker images
-
-# vim:set et ts=2 sw=2:
diff --git a/10/Dockerfile b/10/Dockerfile
deleted file mode 100644
index 4bfc95641e..0000000000
--- a/10/Dockerfile
+++ /dev/null
@@ -1,175 +0,0 @@
-# vim:set ft=dockerfile:
-FROM debian:stretch-slim
-
-RUN set -ex; \
- if ! command -v gpg > /dev/null; then \
- apt-get update; \
- apt-get install -y --no-install-recommends \
- gnupg \
- dirmngr \
- ; \
- rm -rf /var/lib/apt/lists/*; \
- fi
-
-# explicitly set user/group IDs
-RUN set -eux; \
- groupadd -r postgres --gid=999; \
-# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
- useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
-# also create the postgres user's home directory with appropriate permissions
-# see https://github.com/docker-library/postgres/issues/274
- mkdir -p /var/lib/postgresql; \
- chown -R postgres:postgres /var/lib/postgresql
-
-# grab gosu for easy step-down from root
-ENV GOSU_VERSION 1.11
-RUN set -x \
- && apt-get update && apt-get install -y --no-install-recommends ca-certificates wget && rm -rf /var/lib/apt/lists/* \
- && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)" \
- && wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc" \
- && export GNUPGHOME="$(mktemp -d)" \
- && gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
- && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
- && { command -v gpgconf > /dev/null && gpgconf --kill all || :; } \
- && rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc \
- && chmod +x /usr/local/bin/gosu \
- && gosu nobody true \
- && apt-get purge -y --auto-remove ca-certificates wget
-
-# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
-RUN set -eux; \
- if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
-# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
- grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
- sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
- ! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
- fi; \
- apt-get update; apt-get install -y locales; rm -rf /var/lib/apt/lists/*; \
- localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
-ENV LANG en_US.utf8
-
-# install "nss_wrapper" in case we need to fake "/etc/passwd" and "/etc/group" (especially for OpenShift)
-# https://github.com/docker-library/postgres/issues/359
-# https://cwrap.org/nss_wrapper.html
-RUN set -eux; \
- apt-get update; \
- apt-get install -y --no-install-recommends libnss-wrapper; \
- rm -rf /var/lib/apt/lists/*
-
-RUN mkdir /docker-entrypoint-initdb.d
-
-RUN set -ex; \
-# pub 4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
-# Key fingerprint = B97B 0AFC AA1A 47F0 44F2 44A0 7FCC 7D46 ACCC 4CF8
-# uid PostgreSQL Debian Repository
- key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
- export GNUPGHOME="$(mktemp -d)"; \
- gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; \
- gpg --batch --export "$key" > /etc/apt/trusted.gpg.d/postgres.gpg; \
- command -v gpgconf > /dev/null && gpgconf --kill all; \
- rm -rf "$GNUPGHOME"; \
- apt-key list
-
-ENV PG_MAJOR 10
-ENV PG_VERSION 10.7-1.pgdg90+1
-
-RUN set -ex; \
- \
-# see note below about "*.pyc" files
- export PYTHONDONTWRITEBYTECODE=1; \
- \
- dpkgArch="$(dpkg --print-architecture)"; \
- case "$dpkgArch" in \
- amd64|i386|ppc64el) \
-# arches officialy built by upstream
- echo "deb http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main $PG_MAJOR" > /etc/apt/sources.list.d/pgdg.list; \
- apt-get update; \
- ;; \
- *) \
-# we're on an architecture upstream doesn't officially build for
-# let's build binaries from their published source packages
- echo "deb-src http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main $PG_MAJOR" > /etc/apt/sources.list.d/pgdg.list; \
- \
- case "$PG_MAJOR" in \
- 9.* | 10 ) ;; \
- *) \
-# https://github.com/docker-library/postgres/issues/484 (clang-6.0 required, only available in stretch-backports)
-# TODO remove this once we hit buster+
- echo 'deb http://deb.debian.org/debian stretch-backports main' >> /etc/apt/sources.list.d/pgdg.list; \
- ;; \
- esac; \
- \
- tempDir="$(mktemp -d)"; \
- cd "$tempDir"; \
- \
- savedAptMark="$(apt-mark showmanual)"; \
- \
-# build .deb files from upstream's source packages (which are verified by apt-get)
- apt-get update; \
- apt-get build-dep -y \
- postgresql-common pgdg-keyring \
- "postgresql-$PG_MAJOR=$PG_VERSION" \
- ; \
- DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" \
- apt-get source --compile \
- postgresql-common pgdg-keyring \
- "postgresql-$PG_MAJOR=$PG_VERSION" \
- ; \
-# we don't remove APT lists here because they get re-downloaded and removed later
- \
-# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
-# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
- apt-mark showmanual | xargs apt-mark auto > /dev/null; \
- apt-mark manual $savedAptMark; \
- \
-# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
- ls -lAFh; \
- dpkg-scanpackages . > Packages; \
- grep '^Package: ' Packages; \
- echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
-# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
-# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
-# ...
-# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
- apt-get -o Acquire::GzipIndexes=false update; \
- ;; \
- esac; \
- \
- apt-get install -y postgresql-common; \
- sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
- apt-get install -y \
- "postgresql-$PG_MAJOR=$PG_VERSION" \
- ; \
- \
- rm -rf /var/lib/apt/lists/*; \
- \
- if [ -n "$tempDir" ]; then \
-# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
- apt-get purge -y --auto-remove; \
- rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
- fi; \
- \
-# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
- find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +
-
-# make the sample config easier to munge (and "correct by default")
-RUN set -eux; \
- dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
- cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
- ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
- sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
- grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
-
-RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql
-
-ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
-ENV PGDATA /var/lib/postgresql/data
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
-VOLUME /var/lib/postgresql/data
-
-COPY docker-entrypoint.sh /usr/local/bin/
-RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
-ENTRYPOINT ["docker-entrypoint.sh"]
-
-EXPOSE 5432
-CMD ["postgres"]
diff --git a/10/alpine/Dockerfile b/10/alpine/Dockerfile
deleted file mode 100644
index 7233e82987..0000000000
--- a/10/alpine/Dockerfile
+++ /dev/null
@@ -1,152 +0,0 @@
-# vim:set ft=dockerfile:
-FROM alpine:3.9
-
-# alpine includes "postgres" user/group in base install
-# /etc/passwd:22:postgres:x:70:70::/var/lib/postgresql:/bin/sh
-# /etc/group:34:postgres:x:70:
-# the home directory for the postgres user, however, is not created by default
-# see https://github.com/docker-library/postgres/issues/274
-RUN set -ex; \
- postgresHome="$(getent passwd postgres)"; \
- postgresHome="$(echo "$postgresHome" | cut -d: -f6)"; \
- [ "$postgresHome" = '/var/lib/postgresql' ]; \
- mkdir -p "$postgresHome"; \
- chown -R postgres:postgres "$postgresHome"
-
-# su-exec (gosu-compatible) is installed further down
-
-# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
-# alpine doesn't require explicit locale-file generation
-ENV LANG en_US.utf8
-
-RUN mkdir /docker-entrypoint-initdb.d
-
-ENV PG_MAJOR 10
-ENV PG_VERSION 10.7
-ENV PG_SHA256 bfed1065380c1bba927bfe51f23168471373f26e3324cbad859269cc32733ede
-
-RUN set -ex \
- \
- && apk add --no-cache --virtual .fetch-deps \
- ca-certificates \
- openssl \
- tar \
- \
- && wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2" \
- && echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c - \
- && mkdir -p /usr/src/postgresql \
- && tar \
- --extract \
- --file postgresql.tar.bz2 \
- --directory /usr/src/postgresql \
- --strip-components 1 \
- && rm postgresql.tar.bz2 \
- \
- && apk add --no-cache --virtual .build-deps \
- bison \
- coreutils \
- dpkg-dev dpkg \
- flex \
- gcc \
-# krb5-dev \
- libc-dev \
- libedit-dev \
- libxml2-dev \
- libxslt-dev \
- make \
-# openldap-dev \
- openssl-dev \
-# configure: error: prove not found
- perl-utils \
-# configure: error: Perl module IPC::Run is required to run TAP tests
- perl-ipc-run \
-# perl-dev \
-# python-dev \
-# python3-dev \
-# tcl-dev \
- util-linux-dev \
- zlib-dev \
- icu-dev \
- \
- && cd /usr/src/postgresql \
-# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
-# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
- && awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new \
- && grep '/var/run/postgresql' src/include/pg_config_manual.h.new \
- && mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h \
- && gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \
-# explicitly update autoconf config.guess and config.sub so they support more arches/libcs
- && wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb' \
- && wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb' \
-# configure options taken from:
-# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
- && ./configure \
- --build="$gnuArch" \
-# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
-# --enable-nls \
- --enable-integer-datetimes \
- --enable-thread-safety \
- --enable-tap-tests \
-# skip debugging info -- we want tiny size instead
-# --enable-debug \
- --disable-rpath \
- --with-uuid=e2fs \
- --with-gnu-ld \
- --with-pgport=5432 \
- --with-system-tzdata=/usr/share/zoneinfo \
- --prefix=/usr/local \
- --with-includes=/usr/local/include \
- --with-libraries=/usr/local/lib \
- \
-# these make our image abnormally large (at least 100MB larger), which seems uncouth for an "Alpine" (ie, "small") variant :)
-# --with-krb5 \
-# --with-gssapi \
-# --with-ldap \
-# --with-tcl \
-# --with-perl \
-# --with-python \
-# --with-pam \
- --with-openssl \
- --with-libxml \
- --with-libxslt \
- --with-icu \
- && make -j "$(nproc)" world \
- && make install-world \
- && make -C contrib install \
- \
- && runDeps="$( \
- scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
- | tr ',' '\n' \
- | sort -u \
- | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
- )" \
- && apk add --no-cache --virtual .postgresql-rundeps \
- $runDeps \
- bash \
- su-exec \
-# tzdata is optional, but only adds around 1Mb to image size and is recommended by Django documentation:
-# https://docs.djangoproject.com/en/1.10/ref/databases/#optimizing-postgresql-s-configuration
- tzdata \
- && apk del .fetch-deps .build-deps \
- && cd / \
- && rm -rf \
- /usr/src/postgresql \
- /usr/local/share/doc \
- /usr/local/share/man \
- && find /usr/local -name '*.a' -delete
-
-# make the sample config easier to munge (and "correct by default")
-RUN sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample
-
-RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql
-
-ENV PGDATA /var/lib/postgresql/data
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
-VOLUME /var/lib/postgresql/data
-
-COPY docker-entrypoint.sh /usr/local/bin/
-RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
-ENTRYPOINT ["docker-entrypoint.sh"]
-
-EXPOSE 5432
-CMD ["postgres"]
diff --git a/10/alpine/docker-entrypoint.sh b/10/alpine/docker-entrypoint.sh
deleted file mode 100755
index 6dce8a15c6..0000000000
--- a/10/alpine/docker-entrypoint.sh
+++ /dev/null
@@ -1,176 +0,0 @@
-#!/usr/bin/env bash
-set -Eeo pipefail
-# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
-
-# usage: file_env VAR [DEFAULT]
-# ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
- local var="$1"
- local fileVar="${var}_FILE"
- local def="${2:-}"
- if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
- echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
- exit 1
- fi
- local val="$def"
- if [ "${!var:-}" ]; then
- val="${!var}"
- elif [ "${!fileVar:-}" ]; then
- val="$(< "${!fileVar}")"
- fi
- export "$var"="$val"
- unset "$fileVar"
-}
-
-if [ "${1:0:1}" = '-' ]; then
- set -- postgres "$@"
-fi
-
-# allow the container to be started with `--user`
-if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
- mkdir -p "$PGDATA"
- chown -R postgres "$PGDATA"
- chmod 700 "$PGDATA"
-
- mkdir -p /var/run/postgresql
- chown -R postgres /var/run/postgresql
- chmod 775 /var/run/postgresql
-
- # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user
- if [ "$POSTGRES_INITDB_WALDIR" ]; then
- mkdir -p "$POSTGRES_INITDB_WALDIR"
- chown -R postgres "$POSTGRES_INITDB_WALDIR"
- chmod 700 "$POSTGRES_INITDB_WALDIR"
- fi
-
- exec su-exec postgres "$BASH_SOURCE" "$@"
-fi
-
-if [ "$1" = 'postgres' ]; then
- mkdir -p "$PGDATA"
- chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :
- chmod 700 "$PGDATA" 2>/dev/null || :
-
- # look specifically for PG_VERSION, as it is expected in the DB dir
- if [ ! -s "$PGDATA/PG_VERSION" ]; then
- # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
- # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
- if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then
- export LD_PRELOAD='/usr/lib/libnss_wrapper.so'
- export NSS_WRAPPER_PASSWD="$(mktemp)"
- export NSS_WRAPPER_GROUP="$(mktemp)"
- echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"
- echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
- fi
-
- file_env 'POSTGRES_USER' 'postgres'
- file_env 'POSTGRES_PASSWORD'
-
- file_env 'POSTGRES_INITDB_ARGS'
- if [ "$POSTGRES_INITDB_WALDIR" ]; then
- export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR"
- fi
- eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"
-
- # unset/cleanup "nss_wrapper" bits
- if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then
- rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
- unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
- fi
-
- # check password first so we can output the warning before postgres
- # messes it up
- if [ -n "$POSTGRES_PASSWORD" ]; then
- authMethod=md5
-
- if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
- cat >&2 <<-'EOWARN'
-
- WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
- This will not work if used via PGPASSWORD with "psql".
-
- https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
- https://github.com/docker-library/postgres/issues/507
-
- EOWARN
- fi
- else
- # The - option suppresses leading tabs but *not* spaces. :)
- cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: No password has been set for the database.
- This will allow anyone with access to the
- Postgres port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
-
- Use "-e POSTGRES_PASSWORD=password" to set
- it in "docker run".
- ****************************************************
- EOWARN
-
- authMethod=trust
- fi
-
- {
- echo
- echo "host all all all $authMethod"
- } >> "$PGDATA/pg_hba.conf"
-
- # internal start of server in order to allow set-up using psql-client
- # does not listen on external TCP/IP and waits until start finishes
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" \
- -o "-c listen_addresses=''" \
- -w start
-
- file_env 'POSTGRES_DB' "$POSTGRES_USER"
-
- export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
- psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password )
-
- if [ "$POSTGRES_DB" != 'postgres' ]; then
- "${psql[@]}" --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
- CREATE DATABASE :"db" ;
- EOSQL
- echo
- fi
- psql+=( --dbname "$POSTGRES_DB" )
-
- echo
- for f in /docker-entrypoint-initdb.d/*; do
- case "$f" in
- *.sh)
- # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
- # https://github.com/docker-library/postgres/pull/452
- if [ -x "$f" ]; then
- echo "$0: running $f"
- "$f"
- else
- echo "$0: sourcing $f"
- . "$f"
- fi
- ;;
- *.sql) echo "$0: running $f"; "${psql[@]}" -f "$f"; echo ;;
- *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${psql[@]}"; echo ;;
- *) echo "$0: ignoring $f" ;;
- esac
- echo
- done
-
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" -m fast -w stop
-
- unset PGPASSWORD
-
- echo
- echo 'PostgreSQL init process complete; ready for start up.'
- echo
- fi
-fi
-
-exec "$@"
diff --git a/10/docker-entrypoint.sh b/10/docker-entrypoint.sh
deleted file mode 100755
index 93ee4fba4d..0000000000
--- a/10/docker-entrypoint.sh
+++ /dev/null
@@ -1,176 +0,0 @@
-#!/usr/bin/env bash
-set -Eeo pipefail
-# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
-
-# usage: file_env VAR [DEFAULT]
-# ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
- local var="$1"
- local fileVar="${var}_FILE"
- local def="${2:-}"
- if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
- echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
- exit 1
- fi
- local val="$def"
- if [ "${!var:-}" ]; then
- val="${!var}"
- elif [ "${!fileVar:-}" ]; then
- val="$(< "${!fileVar}")"
- fi
- export "$var"="$val"
- unset "$fileVar"
-}
-
-if [ "${1:0:1}" = '-' ]; then
- set -- postgres "$@"
-fi
-
-# allow the container to be started with `--user`
-if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
- mkdir -p "$PGDATA"
- chown -R postgres "$PGDATA"
- chmod 700 "$PGDATA"
-
- mkdir -p /var/run/postgresql
- chown -R postgres /var/run/postgresql
- chmod 775 /var/run/postgresql
-
- # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user
- if [ "$POSTGRES_INITDB_WALDIR" ]; then
- mkdir -p "$POSTGRES_INITDB_WALDIR"
- chown -R postgres "$POSTGRES_INITDB_WALDIR"
- chmod 700 "$POSTGRES_INITDB_WALDIR"
- fi
-
- exec gosu postgres "$BASH_SOURCE" "$@"
-fi
-
-if [ "$1" = 'postgres' ]; then
- mkdir -p "$PGDATA"
- chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :
- chmod 700 "$PGDATA" 2>/dev/null || :
-
- # look specifically for PG_VERSION, as it is expected in the DB dir
- if [ ! -s "$PGDATA/PG_VERSION" ]; then
- # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
- # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
- if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then
- export LD_PRELOAD='/usr/lib/libnss_wrapper.so'
- export NSS_WRAPPER_PASSWD="$(mktemp)"
- export NSS_WRAPPER_GROUP="$(mktemp)"
- echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"
- echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
- fi
-
- file_env 'POSTGRES_USER' 'postgres'
- file_env 'POSTGRES_PASSWORD'
-
- file_env 'POSTGRES_INITDB_ARGS'
- if [ "$POSTGRES_INITDB_WALDIR" ]; then
- export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR"
- fi
- eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"
-
- # unset/cleanup "nss_wrapper" bits
- if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then
- rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
- unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
- fi
-
- # check password first so we can output the warning before postgres
- # messes it up
- if [ -n "$POSTGRES_PASSWORD" ]; then
- authMethod=md5
-
- if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
- cat >&2 <<-'EOWARN'
-
- WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
- This will not work if used via PGPASSWORD with "psql".
-
- https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
- https://github.com/docker-library/postgres/issues/507
-
- EOWARN
- fi
- else
- # The - option suppresses leading tabs but *not* spaces. :)
- cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: No password has been set for the database.
- This will allow anyone with access to the
- Postgres port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
-
- Use "-e POSTGRES_PASSWORD=password" to set
- it in "docker run".
- ****************************************************
- EOWARN
-
- authMethod=trust
- fi
-
- {
- echo
- echo "host all all all $authMethod"
- } >> "$PGDATA/pg_hba.conf"
-
- # internal start of server in order to allow set-up using psql-client
- # does not listen on external TCP/IP and waits until start finishes
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" \
- -o "-c listen_addresses=''" \
- -w start
-
- file_env 'POSTGRES_DB' "$POSTGRES_USER"
-
- export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
- psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password )
-
- if [ "$POSTGRES_DB" != 'postgres' ]; then
- "${psql[@]}" --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
- CREATE DATABASE :"db" ;
- EOSQL
- echo
- fi
- psql+=( --dbname "$POSTGRES_DB" )
-
- echo
- for f in /docker-entrypoint-initdb.d/*; do
- case "$f" in
- *.sh)
- # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
- # https://github.com/docker-library/postgres/pull/452
- if [ -x "$f" ]; then
- echo "$0: running $f"
- "$f"
- else
- echo "$0: sourcing $f"
- . "$f"
- fi
- ;;
- *.sql) echo "$0: running $f"; "${psql[@]}" -f "$f"; echo ;;
- *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${psql[@]}"; echo ;;
- *) echo "$0: ignoring $f" ;;
- esac
- echo
- done
-
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" -m fast -w stop
-
- unset PGPASSWORD
-
- echo
- echo 'PostgreSQL init process complete; ready for start up.'
- echo
- fi
-fi
-
-exec "$@"
diff --git a/11/Dockerfile b/11/Dockerfile
deleted file mode 100644
index 9ef6a1b37b..0000000000
--- a/11/Dockerfile
+++ /dev/null
@@ -1,175 +0,0 @@
-# vim:set ft=dockerfile:
-FROM debian:stretch-slim
-
-RUN set -ex; \
- if ! command -v gpg > /dev/null; then \
- apt-get update; \
- apt-get install -y --no-install-recommends \
- gnupg \
- dirmngr \
- ; \
- rm -rf /var/lib/apt/lists/*; \
- fi
-
-# explicitly set user/group IDs
-RUN set -eux; \
- groupadd -r postgres --gid=999; \
-# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
- useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
-# also create the postgres user's home directory with appropriate permissions
-# see https://github.com/docker-library/postgres/issues/274
- mkdir -p /var/lib/postgresql; \
- chown -R postgres:postgres /var/lib/postgresql
-
-# grab gosu for easy step-down from root
-ENV GOSU_VERSION 1.11
-RUN set -x \
- && apt-get update && apt-get install -y --no-install-recommends ca-certificates wget && rm -rf /var/lib/apt/lists/* \
- && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)" \
- && wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc" \
- && export GNUPGHOME="$(mktemp -d)" \
- && gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
- && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
- && { command -v gpgconf > /dev/null && gpgconf --kill all || :; } \
- && rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc \
- && chmod +x /usr/local/bin/gosu \
- && gosu nobody true \
- && apt-get purge -y --auto-remove ca-certificates wget
-
-# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
-RUN set -eux; \
- if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
-# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
- grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
- sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
- ! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
- fi; \
- apt-get update; apt-get install -y locales; rm -rf /var/lib/apt/lists/*; \
- localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
-ENV LANG en_US.utf8
-
-# install "nss_wrapper" in case we need to fake "/etc/passwd" and "/etc/group" (especially for OpenShift)
-# https://github.com/docker-library/postgres/issues/359
-# https://cwrap.org/nss_wrapper.html
-RUN set -eux; \
- apt-get update; \
- apt-get install -y --no-install-recommends libnss-wrapper; \
- rm -rf /var/lib/apt/lists/*
-
-RUN mkdir /docker-entrypoint-initdb.d
-
-RUN set -ex; \
-# pub 4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
-# Key fingerprint = B97B 0AFC AA1A 47F0 44F2 44A0 7FCC 7D46 ACCC 4CF8
-# uid PostgreSQL Debian Repository
- key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
- export GNUPGHOME="$(mktemp -d)"; \
- gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; \
- gpg --batch --export "$key" > /etc/apt/trusted.gpg.d/postgres.gpg; \
- command -v gpgconf > /dev/null && gpgconf --kill all; \
- rm -rf "$GNUPGHOME"; \
- apt-key list
-
-ENV PG_MAJOR 11
-ENV PG_VERSION 11.2-1.pgdg90+1
-
-RUN set -ex; \
- \
-# see note below about "*.pyc" files
- export PYTHONDONTWRITEBYTECODE=1; \
- \
- dpkgArch="$(dpkg --print-architecture)"; \
- case "$dpkgArch" in \
- amd64|i386|ppc64el) \
-# arches officialy built by upstream
- echo "deb http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main $PG_MAJOR" > /etc/apt/sources.list.d/pgdg.list; \
- apt-get update; \
- ;; \
- *) \
-# we're on an architecture upstream doesn't officially build for
-# let's build binaries from their published source packages
- echo "deb-src http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main $PG_MAJOR" > /etc/apt/sources.list.d/pgdg.list; \
- \
- case "$PG_MAJOR" in \
- 9.* | 10 ) ;; \
- *) \
-# https://github.com/docker-library/postgres/issues/484 (clang-6.0 required, only available in stretch-backports)
-# TODO remove this once we hit buster+
- echo 'deb http://deb.debian.org/debian stretch-backports main' >> /etc/apt/sources.list.d/pgdg.list; \
- ;; \
- esac; \
- \
- tempDir="$(mktemp -d)"; \
- cd "$tempDir"; \
- \
- savedAptMark="$(apt-mark showmanual)"; \
- \
-# build .deb files from upstream's source packages (which are verified by apt-get)
- apt-get update; \
- apt-get build-dep -y \
- postgresql-common pgdg-keyring \
- "postgresql-$PG_MAJOR=$PG_VERSION" \
- ; \
- DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" \
- apt-get source --compile \
- postgresql-common pgdg-keyring \
- "postgresql-$PG_MAJOR=$PG_VERSION" \
- ; \
-# we don't remove APT lists here because they get re-downloaded and removed later
- \
-# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
-# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
- apt-mark showmanual | xargs apt-mark auto > /dev/null; \
- apt-mark manual $savedAptMark; \
- \
-# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
- ls -lAFh; \
- dpkg-scanpackages . > Packages; \
- grep '^Package: ' Packages; \
- echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
-# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
-# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
-# ...
-# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
- apt-get -o Acquire::GzipIndexes=false update; \
- ;; \
- esac; \
- \
- apt-get install -y postgresql-common; \
- sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
- apt-get install -y \
- "postgresql-$PG_MAJOR=$PG_VERSION" \
- ; \
- \
- rm -rf /var/lib/apt/lists/*; \
- \
- if [ -n "$tempDir" ]; then \
-# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
- apt-get purge -y --auto-remove; \
- rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
- fi; \
- \
-# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
- find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +
-
-# make the sample config easier to munge (and "correct by default")
-RUN set -eux; \
- dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
- cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
- ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
- sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
- grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
-
-RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql
-
-ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
-ENV PGDATA /var/lib/postgresql/data
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
-VOLUME /var/lib/postgresql/data
-
-COPY docker-entrypoint.sh /usr/local/bin/
-RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
-ENTRYPOINT ["docker-entrypoint.sh"]
-
-EXPOSE 5432
-CMD ["postgres"]
diff --git a/11/alpine/Dockerfile b/11/alpine/Dockerfile
deleted file mode 100644
index dba1969d6c..0000000000
--- a/11/alpine/Dockerfile
+++ /dev/null
@@ -1,152 +0,0 @@
-# vim:set ft=dockerfile:
-FROM alpine:3.9
-
-# alpine includes "postgres" user/group in base install
-# /etc/passwd:22:postgres:x:70:70::/var/lib/postgresql:/bin/sh
-# /etc/group:34:postgres:x:70:
-# the home directory for the postgres user, however, is not created by default
-# see https://github.com/docker-library/postgres/issues/274
-RUN set -ex; \
- postgresHome="$(getent passwd postgres)"; \
- postgresHome="$(echo "$postgresHome" | cut -d: -f6)"; \
- [ "$postgresHome" = '/var/lib/postgresql' ]; \
- mkdir -p "$postgresHome"; \
- chown -R postgres:postgres "$postgresHome"
-
-# su-exec (gosu-compatible) is installed further down
-
-# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
-# alpine doesn't require explicit locale-file generation
-ENV LANG en_US.utf8
-
-RUN mkdir /docker-entrypoint-initdb.d
-
-ENV PG_MAJOR 11
-ENV PG_VERSION 11.2
-ENV PG_SHA256 2676b9ce09c21978032070b6794696e0aa5a476e3d21d60afc036dc0a9c09405
-
-RUN set -ex \
- \
- && apk add --no-cache --virtual .fetch-deps \
- ca-certificates \
- openssl \
- tar \
- \
- && wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2" \
- && echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c - \
- && mkdir -p /usr/src/postgresql \
- && tar \
- --extract \
- --file postgresql.tar.bz2 \
- --directory /usr/src/postgresql \
- --strip-components 1 \
- && rm postgresql.tar.bz2 \
- \
- && apk add --no-cache --virtual .build-deps \
- bison \
- coreutils \
- dpkg-dev dpkg \
- flex \
- gcc \
-# krb5-dev \
- libc-dev \
- libedit-dev \
- libxml2-dev \
- libxslt-dev \
- make \
-# openldap-dev \
- openssl-dev \
-# configure: error: prove not found
- perl-utils \
-# configure: error: Perl module IPC::Run is required to run TAP tests
- perl-ipc-run \
-# perl-dev \
-# python-dev \
-# python3-dev \
-# tcl-dev \
- util-linux-dev \
- zlib-dev \
- icu-dev \
- \
- && cd /usr/src/postgresql \
-# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
-# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
- && awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new \
- && grep '/var/run/postgresql' src/include/pg_config_manual.h.new \
- && mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h \
- && gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \
-# explicitly update autoconf config.guess and config.sub so they support more arches/libcs
- && wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb' \
- && wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb' \
-# configure options taken from:
-# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
- && ./configure \
- --build="$gnuArch" \
-# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
-# --enable-nls \
- --enable-integer-datetimes \
- --enable-thread-safety \
- --enable-tap-tests \
-# skip debugging info -- we want tiny size instead
-# --enable-debug \
- --disable-rpath \
- --with-uuid=e2fs \
- --with-gnu-ld \
- --with-pgport=5432 \
- --with-system-tzdata=/usr/share/zoneinfo \
- --prefix=/usr/local \
- --with-includes=/usr/local/include \
- --with-libraries=/usr/local/lib \
- \
-# these make our image abnormally large (at least 100MB larger), which seems uncouth for an "Alpine" (ie, "small") variant :)
-# --with-krb5 \
-# --with-gssapi \
-# --with-ldap \
-# --with-tcl \
-# --with-perl \
-# --with-python \
-# --with-pam \
- --with-openssl \
- --with-libxml \
- --with-libxslt \
- --with-icu \
- && make -j "$(nproc)" world \
- && make install-world \
- && make -C contrib install \
- \
- && runDeps="$( \
- scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
- | tr ',' '\n' \
- | sort -u \
- | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
- )" \
- && apk add --no-cache --virtual .postgresql-rundeps \
- $runDeps \
- bash \
- su-exec \
-# tzdata is optional, but only adds around 1Mb to image size and is recommended by Django documentation:
-# https://docs.djangoproject.com/en/1.10/ref/databases/#optimizing-postgresql-s-configuration
- tzdata \
- && apk del .fetch-deps .build-deps \
- && cd / \
- && rm -rf \
- /usr/src/postgresql \
- /usr/local/share/doc \
- /usr/local/share/man \
- && find /usr/local -name '*.a' -delete
-
-# make the sample config easier to munge (and "correct by default")
-RUN sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample
-
-RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql
-
-ENV PGDATA /var/lib/postgresql/data
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
-VOLUME /var/lib/postgresql/data
-
-COPY docker-entrypoint.sh /usr/local/bin/
-RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
-ENTRYPOINT ["docker-entrypoint.sh"]
-
-EXPOSE 5432
-CMD ["postgres"]
diff --git a/11/alpine/docker-entrypoint.sh b/11/alpine/docker-entrypoint.sh
deleted file mode 100755
index 6dce8a15c6..0000000000
--- a/11/alpine/docker-entrypoint.sh
+++ /dev/null
@@ -1,176 +0,0 @@
-#!/usr/bin/env bash
-set -Eeo pipefail
-# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
-
-# usage: file_env VAR [DEFAULT]
-# ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
- local var="$1"
- local fileVar="${var}_FILE"
- local def="${2:-}"
- if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
- echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
- exit 1
- fi
- local val="$def"
- if [ "${!var:-}" ]; then
- val="${!var}"
- elif [ "${!fileVar:-}" ]; then
- val="$(< "${!fileVar}")"
- fi
- export "$var"="$val"
- unset "$fileVar"
-}
-
-if [ "${1:0:1}" = '-' ]; then
- set -- postgres "$@"
-fi
-
-# allow the container to be started with `--user`
-if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
- mkdir -p "$PGDATA"
- chown -R postgres "$PGDATA"
- chmod 700 "$PGDATA"
-
- mkdir -p /var/run/postgresql
- chown -R postgres /var/run/postgresql
- chmod 775 /var/run/postgresql
-
- # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user
- if [ "$POSTGRES_INITDB_WALDIR" ]; then
- mkdir -p "$POSTGRES_INITDB_WALDIR"
- chown -R postgres "$POSTGRES_INITDB_WALDIR"
- chmod 700 "$POSTGRES_INITDB_WALDIR"
- fi
-
- exec su-exec postgres "$BASH_SOURCE" "$@"
-fi
-
-if [ "$1" = 'postgres' ]; then
- mkdir -p "$PGDATA"
- chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :
- chmod 700 "$PGDATA" 2>/dev/null || :
-
- # look specifically for PG_VERSION, as it is expected in the DB dir
- if [ ! -s "$PGDATA/PG_VERSION" ]; then
- # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
- # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
- if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then
- export LD_PRELOAD='/usr/lib/libnss_wrapper.so'
- export NSS_WRAPPER_PASSWD="$(mktemp)"
- export NSS_WRAPPER_GROUP="$(mktemp)"
- echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"
- echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
- fi
-
- file_env 'POSTGRES_USER' 'postgres'
- file_env 'POSTGRES_PASSWORD'
-
- file_env 'POSTGRES_INITDB_ARGS'
- if [ "$POSTGRES_INITDB_WALDIR" ]; then
- export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR"
- fi
- eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"
-
- # unset/cleanup "nss_wrapper" bits
- if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then
- rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
- unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
- fi
-
- # check password first so we can output the warning before postgres
- # messes it up
- if [ -n "$POSTGRES_PASSWORD" ]; then
- authMethod=md5
-
- if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
- cat >&2 <<-'EOWARN'
-
- WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
- This will not work if used via PGPASSWORD with "psql".
-
- https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
- https://github.com/docker-library/postgres/issues/507
-
- EOWARN
- fi
- else
- # The - option suppresses leading tabs but *not* spaces. :)
- cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: No password has been set for the database.
- This will allow anyone with access to the
- Postgres port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
-
- Use "-e POSTGRES_PASSWORD=password" to set
- it in "docker run".
- ****************************************************
- EOWARN
-
- authMethod=trust
- fi
-
- {
- echo
- echo "host all all all $authMethod"
- } >> "$PGDATA/pg_hba.conf"
-
- # internal start of server in order to allow set-up using psql-client
- # does not listen on external TCP/IP and waits until start finishes
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" \
- -o "-c listen_addresses=''" \
- -w start
-
- file_env 'POSTGRES_DB' "$POSTGRES_USER"
-
- export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
- psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password )
-
- if [ "$POSTGRES_DB" != 'postgres' ]; then
- "${psql[@]}" --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
- CREATE DATABASE :"db" ;
- EOSQL
- echo
- fi
- psql+=( --dbname "$POSTGRES_DB" )
-
- echo
- for f in /docker-entrypoint-initdb.d/*; do
- case "$f" in
- *.sh)
- # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
- # https://github.com/docker-library/postgres/pull/452
- if [ -x "$f" ]; then
- echo "$0: running $f"
- "$f"
- else
- echo "$0: sourcing $f"
- . "$f"
- fi
- ;;
- *.sql) echo "$0: running $f"; "${psql[@]}" -f "$f"; echo ;;
- *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${psql[@]}"; echo ;;
- *) echo "$0: ignoring $f" ;;
- esac
- echo
- done
-
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" -m fast -w stop
-
- unset PGPASSWORD
-
- echo
- echo 'PostgreSQL init process complete; ready for start up.'
- echo
- fi
-fi
-
-exec "$@"
diff --git a/11/docker-entrypoint.sh b/11/docker-entrypoint.sh
deleted file mode 100755
index 93ee4fba4d..0000000000
--- a/11/docker-entrypoint.sh
+++ /dev/null
@@ -1,176 +0,0 @@
-#!/usr/bin/env bash
-set -Eeo pipefail
-# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
-
-# usage: file_env VAR [DEFAULT]
-# ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
- local var="$1"
- local fileVar="${var}_FILE"
- local def="${2:-}"
- if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
- echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
- exit 1
- fi
- local val="$def"
- if [ "${!var:-}" ]; then
- val="${!var}"
- elif [ "${!fileVar:-}" ]; then
- val="$(< "${!fileVar}")"
- fi
- export "$var"="$val"
- unset "$fileVar"
-}
-
-if [ "${1:0:1}" = '-' ]; then
- set -- postgres "$@"
-fi
-
-# allow the container to be started with `--user`
-if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
- mkdir -p "$PGDATA"
- chown -R postgres "$PGDATA"
- chmod 700 "$PGDATA"
-
- mkdir -p /var/run/postgresql
- chown -R postgres /var/run/postgresql
- chmod 775 /var/run/postgresql
-
- # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user
- if [ "$POSTGRES_INITDB_WALDIR" ]; then
- mkdir -p "$POSTGRES_INITDB_WALDIR"
- chown -R postgres "$POSTGRES_INITDB_WALDIR"
- chmod 700 "$POSTGRES_INITDB_WALDIR"
- fi
-
- exec gosu postgres "$BASH_SOURCE" "$@"
-fi
-
-if [ "$1" = 'postgres' ]; then
- mkdir -p "$PGDATA"
- chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :
- chmod 700 "$PGDATA" 2>/dev/null || :
-
- # look specifically for PG_VERSION, as it is expected in the DB dir
- if [ ! -s "$PGDATA/PG_VERSION" ]; then
- # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
- # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
- if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then
- export LD_PRELOAD='/usr/lib/libnss_wrapper.so'
- export NSS_WRAPPER_PASSWD="$(mktemp)"
- export NSS_WRAPPER_GROUP="$(mktemp)"
- echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"
- echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
- fi
-
- file_env 'POSTGRES_USER' 'postgres'
- file_env 'POSTGRES_PASSWORD'
-
- file_env 'POSTGRES_INITDB_ARGS'
- if [ "$POSTGRES_INITDB_WALDIR" ]; then
- export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR"
- fi
- eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"
-
- # unset/cleanup "nss_wrapper" bits
- if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then
- rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
- unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
- fi
-
- # check password first so we can output the warning before postgres
- # messes it up
- if [ -n "$POSTGRES_PASSWORD" ]; then
- authMethod=md5
-
- if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
- cat >&2 <<-'EOWARN'
-
- WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
- This will not work if used via PGPASSWORD with "psql".
-
- https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
- https://github.com/docker-library/postgres/issues/507
-
- EOWARN
- fi
- else
- # The - option suppresses leading tabs but *not* spaces. :)
- cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: No password has been set for the database.
- This will allow anyone with access to the
- Postgres port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
-
- Use "-e POSTGRES_PASSWORD=password" to set
- it in "docker run".
- ****************************************************
- EOWARN
-
- authMethod=trust
- fi
-
- {
- echo
- echo "host all all all $authMethod"
- } >> "$PGDATA/pg_hba.conf"
-
- # internal start of server in order to allow set-up using psql-client
- # does not listen on external TCP/IP and waits until start finishes
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" \
- -o "-c listen_addresses=''" \
- -w start
-
- file_env 'POSTGRES_DB' "$POSTGRES_USER"
-
- export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
- psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password )
-
- if [ "$POSTGRES_DB" != 'postgres' ]; then
- "${psql[@]}" --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
- CREATE DATABASE :"db" ;
- EOSQL
- echo
- fi
- psql+=( --dbname "$POSTGRES_DB" )
-
- echo
- for f in /docker-entrypoint-initdb.d/*; do
- case "$f" in
- *.sh)
- # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
- # https://github.com/docker-library/postgres/pull/452
- if [ -x "$f" ]; then
- echo "$0: running $f"
- "$f"
- else
- echo "$0: sourcing $f"
- . "$f"
- fi
- ;;
- *.sql) echo "$0: running $f"; "${psql[@]}" -f "$f"; echo ;;
- *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${psql[@]}"; echo ;;
- *) echo "$0: ignoring $f" ;;
- esac
- echo
- done
-
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" -m fast -w stop
-
- unset PGPASSWORD
-
- echo
- echo 'PostgreSQL init process complete; ready for start up.'
- echo
- fi
-fi
-
-exec "$@"
diff --git a/13/alpine3.20/Dockerfile b/13/alpine3.20/Dockerfile
new file mode 100644
index 0000000000..a2f5e0918b
--- /dev/null
+++ b/13/alpine3.20/Dockerfile
@@ -0,0 +1,225 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM alpine:3.20
+
+# 70 is the standard uid/gid for "postgres" in Alpine
+# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.21-stable
+RUN set -eux; \
+ addgroup -g 70 -S postgres; \
+ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ \
+ apk add --no-cache --virtual .gosu-deps \
+ ca-certificates \
+ dpkg \
+ gnupg \
+ ; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ \
+# verify the signature
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ \
+# clean up fetch dependencies
+ apk del --no-network .gosu-deps; \
+ \
+ chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+ gosu --version; \
+ gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+# alpine doesn't require explicit locale-file generation
+ENV LANG en_US.utf8
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+ENV PG_MAJOR 13
+ENV PG_VERSION 13.21
+ENV PG_SHA256 dcda1294df45f033b0656cf7a8e4afbbc624c25e1b144aec79530f74d7ef4ab4
+
+ENV DOCKER_PG_LLVM_DEPS \
+ llvm15-dev \
+ clang15
+
+RUN set -eux; \
+ \
+ wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \
+ echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c -; \
+ mkdir -p /usr/src/postgresql; \
+ tar \
+ --extract \
+ --file postgresql.tar.bz2 \
+ --directory /usr/src/postgresql \
+ --strip-components 1 \
+ ; \
+ rm postgresql.tar.bz2; \
+ \
+ apk add --no-cache --virtual .build-deps \
+ $DOCKER_PG_LLVM_DEPS \
+ bison \
+ coreutils \
+ dpkg-dev dpkg \
+ flex \
+ g++ \
+ gcc \
+ krb5-dev \
+ libc-dev \
+ libedit-dev \
+ libxml2-dev \
+ libxslt-dev \
+ linux-headers \
+ make \
+ openldap-dev \
+ openssl-dev \
+ perl-dev \
+ perl-ipc-run \
+ perl-utils \
+ python3-dev \
+ tcl-dev \
+ util-linux-dev \
+ zlib-dev \
+# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13
+ icu-dev \
+ ; \
+ \
+ cd /usr/src/postgresql; \
+# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
+# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
+ awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \
+ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
+ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
+ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
+ \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.21-stable&id=40544ade947bec1798edb0f749f4e967e842624b#n172
+ export LLVM_CONFIG="/usr/lib/llvm15/bin/llvm-config"; \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.21-stable&id=40544ade947bec1798edb0f749f4e967e842624b#n177
+ export CLANG=clang-15; \
+ \
+# configure options taken from:
+# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+ ./configure \
+ --enable-option-checking=fatal \
+ --build="$gnuArch" \
+# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
+# --enable-nls \
+ --enable-integer-datetimes \
+ --enable-thread-safety \
+ --enable-tap-tests \
+# skip debugging info -- we want tiny size instead
+# --enable-debug \
+ --disable-rpath \
+ --with-uuid=e2fs \
+ --with-gnu-ld \
+ --with-pgport=5432 \
+ --with-system-tzdata=/usr/share/zoneinfo \
+ --prefix=/usr/local \
+ --with-includes=/usr/local/include \
+ --with-libraries=/usr/local/lib \
+ --with-gssapi \
+ --with-ldap \
+ --with-tcl \
+ --with-perl \
+ --with-python \
+# --with-pam \
+ --with-openssl \
+ --with-libxml \
+ --with-libxslt \
+ --with-icu \
+ --with-llvm \
+ ; \
+ make -j "$(nproc)" world-bin; \
+ make install-world-bin; \
+ make -C contrib install; \
+ \
+ runDeps="$( \
+ scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
+ | tr ',' '\n' \
+ | sort -u \
+ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+# Remove plperl, plpython and pltcl dependencies by default to save image size
+# To use the pl extensions, those have to be installed in a derived image
+ | grep -v -e perl -e python -e tcl \
+ )"; \
+ apk add --no-cache --virtual .postgresql-rundeps \
+ $runDeps \
+ bash \
+ tzdata \
+ zstd \
+# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
+ icu-data-full \
+# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le"
+# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663
+ $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
+ ; \
+ apk del --no-network .build-deps; \
+ cd /; \
+ rm -rf \
+ /usr/src/postgresql \
+ /usr/local/share/doc \
+ /usr/local/share/man \
+ ; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ cp -v /usr/local/share/postgresql/postgresql.conf.sample /usr/local/share/postgresql/postgresql.conf.sample.orig; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/13/alpine3.20/docker-ensure-initdb.sh b/13/alpine3.20/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..ae1f6b6b90
--- /dev/null
+++ b/13/alpine3.20/docker-ensure-initdb.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/13/alpine3.20/docker-entrypoint.sh b/13/alpine3.20/docker-entrypoint.sh
new file mode 100755
index 0000000000..ae40666ca1
--- /dev/null
+++ b/13/alpine3.20/docker-entrypoint.sh
@@ -0,0 +1,359 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/13/alpine3.21/Dockerfile b/13/alpine3.21/Dockerfile
new file mode 100644
index 0000000000..50a47522ad
--- /dev/null
+++ b/13/alpine3.21/Dockerfile
@@ -0,0 +1,225 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM alpine:3.21
+
+# 70 is the standard uid/gid for "postgres" in Alpine
+# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.21-stable
+RUN set -eux; \
+ addgroup -g 70 -S postgres; \
+ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ \
+ apk add --no-cache --virtual .gosu-deps \
+ ca-certificates \
+ dpkg \
+ gnupg \
+ ; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ \
+# verify the signature
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ \
+# clean up fetch dependencies
+ apk del --no-network .gosu-deps; \
+ \
+ chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+ gosu --version; \
+ gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+# alpine doesn't require explicit locale-file generation
+ENV LANG en_US.utf8
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+ENV PG_MAJOR 13
+ENV PG_VERSION 13.21
+ENV PG_SHA256 dcda1294df45f033b0656cf7a8e4afbbc624c25e1b144aec79530f74d7ef4ab4
+
+ENV DOCKER_PG_LLVM_DEPS \
+ llvm19-dev \
+ clang19
+
+RUN set -eux; \
+ \
+ wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \
+ echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c -; \
+ mkdir -p /usr/src/postgresql; \
+ tar \
+ --extract \
+ --file postgresql.tar.bz2 \
+ --directory /usr/src/postgresql \
+ --strip-components 1 \
+ ; \
+ rm postgresql.tar.bz2; \
+ \
+ apk add --no-cache --virtual .build-deps \
+ $DOCKER_PG_LLVM_DEPS \
+ bison \
+ coreutils \
+ dpkg-dev dpkg \
+ flex \
+ g++ \
+ gcc \
+ krb5-dev \
+ libc-dev \
+ libedit-dev \
+ libxml2-dev \
+ libxslt-dev \
+ linux-headers \
+ make \
+ openldap-dev \
+ openssl-dev \
+ perl-dev \
+ perl-ipc-run \
+ perl-utils \
+ python3-dev \
+ tcl-dev \
+ util-linux-dev \
+ zlib-dev \
+# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13
+ icu-dev \
+ ; \
+ \
+ cd /usr/src/postgresql; \
+# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
+# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
+ awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \
+ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
+ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
+ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
+ \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.21-stable&id=40544ade947bec1798edb0f749f4e967e842624b#n172
+ export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.21-stable&id=40544ade947bec1798edb0f749f4e967e842624b#n177
+ export CLANG=clang-19; \
+ \
+# configure options taken from:
+# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+ ./configure \
+ --enable-option-checking=fatal \
+ --build="$gnuArch" \
+# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
+# --enable-nls \
+ --enable-integer-datetimes \
+ --enable-thread-safety \
+ --enable-tap-tests \
+# skip debugging info -- we want tiny size instead
+# --enable-debug \
+ --disable-rpath \
+ --with-uuid=e2fs \
+ --with-gnu-ld \
+ --with-pgport=5432 \
+ --with-system-tzdata=/usr/share/zoneinfo \
+ --prefix=/usr/local \
+ --with-includes=/usr/local/include \
+ --with-libraries=/usr/local/lib \
+ --with-gssapi \
+ --with-ldap \
+ --with-tcl \
+ --with-perl \
+ --with-python \
+# --with-pam \
+ --with-openssl \
+ --with-libxml \
+ --with-libxslt \
+ --with-icu \
+ --with-llvm \
+ ; \
+ make -j "$(nproc)" world-bin; \
+ make install-world-bin; \
+ make -C contrib install; \
+ \
+ runDeps="$( \
+ scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
+ | tr ',' '\n' \
+ | sort -u \
+ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+# Remove plperl, plpython and pltcl dependencies by default to save image size
+# To use the pl extensions, those have to be installed in a derived image
+ | grep -v -e perl -e python -e tcl \
+ )"; \
+ apk add --no-cache --virtual .postgresql-rundeps \
+ $runDeps \
+ bash \
+ tzdata \
+ zstd \
+# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
+ icu-data-full \
+# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le"
+# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663
+ $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
+ ; \
+ apk del --no-network .build-deps; \
+ cd /; \
+ rm -rf \
+ /usr/src/postgresql \
+ /usr/local/share/doc \
+ /usr/local/share/man \
+ ; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ cp -v /usr/local/share/postgresql/postgresql.conf.sample /usr/local/share/postgresql/postgresql.conf.sample.orig; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/13/alpine3.21/docker-ensure-initdb.sh b/13/alpine3.21/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..ae1f6b6b90
--- /dev/null
+++ b/13/alpine3.21/docker-ensure-initdb.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/13/alpine3.21/docker-entrypoint.sh b/13/alpine3.21/docker-entrypoint.sh
new file mode 100755
index 0000000000..ae40666ca1
--- /dev/null
+++ b/13/alpine3.21/docker-entrypoint.sh
@@ -0,0 +1,359 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/13/bookworm/Dockerfile b/13/bookworm/Dockerfile
new file mode 100644
index 0000000000..3dd050a432
--- /dev/null
+++ b/13/bookworm/Dockerfile
@@ -0,0 +1,221 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM debian:bookworm-slim
+
+# explicitly set user/group IDs
+RUN set -eux; \
+ groupadd -r postgres --gid=999; \
+# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
+ useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ gnupg \
+# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
+# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
+# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
+ less \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ savedAptMark="$(apt-mark showmanual)"; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends ca-certificates wget; \
+ rm -rf /var/lib/apt/lists/*; \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ apt-mark auto '.*' > /dev/null; \
+ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+ chmod +x /usr/local/bin/gosu; \
+ gosu --version; \
+ gosu nobody true
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+RUN set -eux; \
+ if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
+# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
+ grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
+ ! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ fi; \
+ apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
+ echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
+ locale-gen; \
+ locale -a | grep 'en_US.utf8'
+ENV LANG en_US.utf8
+
+RUN set -eux; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ libnss-wrapper \
+ xz-utils \
+ zstd \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+RUN set -ex; \
+# pub 4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
+# Key fingerprint = B97B 0AFC AA1A 47F0 44F2 44A0 7FCC 7D46 ACCC 4CF8
+# uid PostgreSQL Debian Repository
+ key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ mkdir -p /usr/local/share/keyrings/; \
+ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
+ gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME"
+
+ENV PG_MAJOR 13
+ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
+
+ENV PG_VERSION 13.21-1.pgdg120+1
+
+RUN set -ex; \
+ \
+# see note below about "*.pyc" files
+ export PYTHONDONTWRITEBYTECODE=1; \
+ \
+ dpkgArch="$(dpkg --print-architecture)"; \
+ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main $PG_MAJOR"; \
+ case "$dpkgArch" in \
+ amd64 | arm64 | ppc64el) \
+# arches officialy built by upstream
+ echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ apt-get update; \
+ ;; \
+ *) \
+# we're on an architecture upstream doesn't officially build for
+# let's build binaries from their published source packages
+ echo "deb-src $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ \
+ savedAptMark="$(apt-mark showmanual)"; \
+ \
+ tempDir="$(mktemp -d)"; \
+ cd "$tempDir"; \
+ \
+# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
+ apt-get update; \
+ apt-get install -y --no-install-recommends dpkg-dev; \
+ echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
+ _update_repo() { \
+ dpkg-scanpackages . > Packages; \
+# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
+# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+# ...
+# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+ apt-get -o Acquire::GzipIndexes=false update; \
+ }; \
+ _update_repo; \
+ \
+# build .deb files from upstream's source packages (which are verified by apt-get)
+ nproc="$(nproc)"; \
+ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
+# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876
+# (and it "Depends: pgdg-keyring")
+ apt-get build-dep -y postgresql-common pgdg-keyring; \
+ apt-get source --compile postgresql-common pgdg-keyring; \
+ _update_repo; \
+# we need DEBIAN_FRONTEND on postgresql-13 for slapd ("Please enter the password for the admin entry in your LDAP directory."); see https://bugs.debian.org/929417
+ DEBIAN_FRONTEND=noninteractive \
+ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ \
+# we don't remove APT lists here because they get re-downloaded and removed later
+ \
+# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
+ apt-mark showmanual | xargs apt-mark auto > /dev/null; \
+ apt-mark manual $savedAptMark; \
+ \
+ ls -lAFh; \
+ _update_repo; \
+ grep '^Package: ' Packages; \
+ cd /; \
+ ;; \
+ esac; \
+ \
+ apt-get install -y --no-install-recommends postgresql-common; \
+ sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
+ apt-get install -y --no-install-recommends \
+ "postgresql-$PG_MAJOR=$PG_VERSION" \
+ ; \
+ \
+ rm -rf /var/lib/apt/lists/*; \
+ \
+ if [ -n "$tempDir" ]; then \
+# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
+ apt-get purge -y --auto-remove; \
+ rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
+ fi; \
+ \
+# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
+ find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
+ cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
+ ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/13/bookworm/docker-ensure-initdb.sh b/13/bookworm/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..ae1f6b6b90
--- /dev/null
+++ b/13/bookworm/docker-ensure-initdb.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/13/bookworm/docker-entrypoint.sh b/13/bookworm/docker-entrypoint.sh
new file mode 100755
index 0000000000..ae40666ca1
--- /dev/null
+++ b/13/bookworm/docker-entrypoint.sh
@@ -0,0 +1,359 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/13/bullseye/Dockerfile b/13/bullseye/Dockerfile
new file mode 100644
index 0000000000..990363d494
--- /dev/null
+++ b/13/bullseye/Dockerfile
@@ -0,0 +1,221 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM debian:bullseye-slim
+
+# explicitly set user/group IDs
+RUN set -eux; \
+ groupadd -r postgres --gid=999; \
+# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
+ useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ gnupg \
+# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
+# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
+# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
+ less \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ savedAptMark="$(apt-mark showmanual)"; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends ca-certificates wget; \
+ rm -rf /var/lib/apt/lists/*; \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ apt-mark auto '.*' > /dev/null; \
+ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+ chmod +x /usr/local/bin/gosu; \
+ gosu --version; \
+ gosu nobody true
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+RUN set -eux; \
+ if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
+# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
+ grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
+ ! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ fi; \
+ apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
+ echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
+ locale-gen; \
+ locale -a | grep 'en_US.utf8'
+ENV LANG en_US.utf8
+
+RUN set -eux; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ libnss-wrapper \
+ xz-utils \
+ zstd \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+RUN set -ex; \
+# pub 4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
+# Key fingerprint = B97B 0AFC AA1A 47F0 44F2 44A0 7FCC 7D46 ACCC 4CF8
+# uid PostgreSQL Debian Repository
+ key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ mkdir -p /usr/local/share/keyrings/; \
+ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
+ gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME"
+
+ENV PG_MAJOR 13
+ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
+
+ENV PG_VERSION 13.21-1.pgdg110+1
+
+RUN set -ex; \
+ \
+# see note below about "*.pyc" files
+ export PYTHONDONTWRITEBYTECODE=1; \
+ \
+ dpkgArch="$(dpkg --print-architecture)"; \
+ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bullseye-pgdg main $PG_MAJOR"; \
+ case "$dpkgArch" in \
+ amd64 | arm64 | ppc64el) \
+# arches officialy built by upstream
+ echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ apt-get update; \
+ ;; \
+ *) \
+# we're on an architecture upstream doesn't officially build for
+# let's build binaries from their published source packages
+ echo "deb-src $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ \
+ savedAptMark="$(apt-mark showmanual)"; \
+ \
+ tempDir="$(mktemp -d)"; \
+ cd "$tempDir"; \
+ \
+# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
+ apt-get update; \
+ apt-get install -y --no-install-recommends dpkg-dev; \
+ echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
+ _update_repo() { \
+ dpkg-scanpackages . > Packages; \
+# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
+# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+# ...
+# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+ apt-get -o Acquire::GzipIndexes=false update; \
+ }; \
+ _update_repo; \
+ \
+# build .deb files from upstream's source packages (which are verified by apt-get)
+ nproc="$(nproc)"; \
+ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
+# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876
+# (and it "Depends: pgdg-keyring")
+ apt-get build-dep -y postgresql-common pgdg-keyring; \
+ apt-get source --compile postgresql-common pgdg-keyring; \
+ _update_repo; \
+# we need DEBIAN_FRONTEND on postgresql-13 for slapd ("Please enter the password for the admin entry in your LDAP directory."); see https://bugs.debian.org/929417
+ DEBIAN_FRONTEND=noninteractive \
+ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ \
+# we don't remove APT lists here because they get re-downloaded and removed later
+ \
+# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
+ apt-mark showmanual | xargs apt-mark auto > /dev/null; \
+ apt-mark manual $savedAptMark; \
+ \
+ ls -lAFh; \
+ _update_repo; \
+ grep '^Package: ' Packages; \
+ cd /; \
+ ;; \
+ esac; \
+ \
+ apt-get install -y --no-install-recommends postgresql-common; \
+ sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
+ apt-get install -y --no-install-recommends \
+ "postgresql-$PG_MAJOR=$PG_VERSION" \
+ ; \
+ \
+ rm -rf /var/lib/apt/lists/*; \
+ \
+ if [ -n "$tempDir" ]; then \
+# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
+ apt-get purge -y --auto-remove; \
+ rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
+ fi; \
+ \
+# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
+ find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
+ cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
+ ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/13/bullseye/docker-ensure-initdb.sh b/13/bullseye/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..ae1f6b6b90
--- /dev/null
+++ b/13/bullseye/docker-ensure-initdb.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/13/bullseye/docker-entrypoint.sh b/13/bullseye/docker-entrypoint.sh
new file mode 100755
index 0000000000..ae40666ca1
--- /dev/null
+++ b/13/bullseye/docker-entrypoint.sh
@@ -0,0 +1,359 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/14/alpine3.20/Dockerfile b/14/alpine3.20/Dockerfile
new file mode 100644
index 0000000000..9afc070826
--- /dev/null
+++ b/14/alpine3.20/Dockerfile
@@ -0,0 +1,228 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM alpine:3.20
+
+# 70 is the standard uid/gid for "postgres" in Alpine
+# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.21-stable
+RUN set -eux; \
+ addgroup -g 70 -S postgres; \
+ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ \
+ apk add --no-cache --virtual .gosu-deps \
+ ca-certificates \
+ dpkg \
+ gnupg \
+ ; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ \
+# verify the signature
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ \
+# clean up fetch dependencies
+ apk del --no-network .gosu-deps; \
+ \
+ chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+ gosu --version; \
+ gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+# alpine doesn't require explicit locale-file generation
+ENV LANG en_US.utf8
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+ENV PG_MAJOR 14
+ENV PG_VERSION 14.18
+ENV PG_SHA256 83ab29d6bfc3dc58b2ed3c664114fdfbeb6a0450c4b8d7fa69aee91e3ca14f8e
+
+ENV DOCKER_PG_LLVM_DEPS \
+ llvm15-dev \
+ clang15
+
+RUN set -eux; \
+ \
+ wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \
+ echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c -; \
+ mkdir -p /usr/src/postgresql; \
+ tar \
+ --extract \
+ --file postgresql.tar.bz2 \
+ --directory /usr/src/postgresql \
+ --strip-components 1 \
+ ; \
+ rm postgresql.tar.bz2; \
+ \
+ apk add --no-cache --virtual .build-deps \
+ $DOCKER_PG_LLVM_DEPS \
+ bison \
+ coreutils \
+ dpkg-dev dpkg \
+ flex \
+ g++ \
+ gcc \
+ krb5-dev \
+ libc-dev \
+ libedit-dev \
+ libxml2-dev \
+ libxslt-dev \
+ linux-headers \
+ make \
+ openldap-dev \
+ openssl-dev \
+ perl-dev \
+ perl-ipc-run \
+ perl-utils \
+ python3-dev \
+ tcl-dev \
+ util-linux-dev \
+ zlib-dev \
+# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13
+ icu-dev \
+# https://www.postgresql.org/docs/14/release-14.html#id-1.11.6.5.5.3.7
+ lz4-dev \
+ ; \
+ \
+ cd /usr/src/postgresql; \
+# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
+# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
+ awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \
+ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
+ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
+ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
+ \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.21-stable&id=40544ade947bec1798edb0f749f4e967e842624b#n172
+ export LLVM_CONFIG="/usr/lib/llvm15/bin/llvm-config"; \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.21-stable&id=40544ade947bec1798edb0f749f4e967e842624b#n177
+ export CLANG=clang-15; \
+ \
+# configure options taken from:
+# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+ ./configure \
+ --enable-option-checking=fatal \
+ --build="$gnuArch" \
+# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
+# --enable-nls \
+ --enable-integer-datetimes \
+ --enable-thread-safety \
+ --enable-tap-tests \
+# skip debugging info -- we want tiny size instead
+# --enable-debug \
+ --disable-rpath \
+ --with-uuid=e2fs \
+ --with-gnu-ld \
+ --with-pgport=5432 \
+ --with-system-tzdata=/usr/share/zoneinfo \
+ --prefix=/usr/local \
+ --with-includes=/usr/local/include \
+ --with-libraries=/usr/local/lib \
+ --with-gssapi \
+ --with-ldap \
+ --with-tcl \
+ --with-perl \
+ --with-python \
+# --with-pam \
+ --with-openssl \
+ --with-libxml \
+ --with-libxslt \
+ --with-icu \
+ --with-llvm \
+ --with-lz4 \
+ ; \
+ make -j "$(nproc)" world-bin; \
+ make install-world-bin; \
+ make -C contrib install; \
+ \
+ runDeps="$( \
+ scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
+ | tr ',' '\n' \
+ | sort -u \
+ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+# Remove plperl, plpython and pltcl dependencies by default to save image size
+# To use the pl extensions, those have to be installed in a derived image
+ | grep -v -e perl -e python -e tcl \
+ )"; \
+ apk add --no-cache --virtual .postgresql-rundeps \
+ $runDeps \
+ bash \
+ tzdata \
+ zstd \
+# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
+ icu-data-full \
+# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le"
+# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663
+ $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
+ ; \
+ apk del --no-network .build-deps; \
+ cd /; \
+ rm -rf \
+ /usr/src/postgresql \
+ /usr/local/share/doc \
+ /usr/local/share/man \
+ ; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ cp -v /usr/local/share/postgresql/postgresql.conf.sample /usr/local/share/postgresql/postgresql.conf.sample.orig; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/14/alpine3.20/docker-ensure-initdb.sh b/14/alpine3.20/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..ae1f6b6b90
--- /dev/null
+++ b/14/alpine3.20/docker-ensure-initdb.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/14/alpine3.20/docker-entrypoint.sh b/14/alpine3.20/docker-entrypoint.sh
new file mode 100755
index 0000000000..ae40666ca1
--- /dev/null
+++ b/14/alpine3.20/docker-entrypoint.sh
@@ -0,0 +1,359 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/14/alpine3.21/Dockerfile b/14/alpine3.21/Dockerfile
new file mode 100644
index 0000000000..82d8aeba6c
--- /dev/null
+++ b/14/alpine3.21/Dockerfile
@@ -0,0 +1,228 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM alpine:3.21
+
+# 70 is the standard uid/gid for "postgres" in Alpine
+# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.21-stable
+RUN set -eux; \
+ addgroup -g 70 -S postgres; \
+ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ \
+ apk add --no-cache --virtual .gosu-deps \
+ ca-certificates \
+ dpkg \
+ gnupg \
+ ; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ \
+# verify the signature
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ \
+# clean up fetch dependencies
+ apk del --no-network .gosu-deps; \
+ \
+ chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+ gosu --version; \
+ gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+# alpine doesn't require explicit locale-file generation
+ENV LANG en_US.utf8
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+ENV PG_MAJOR 14
+ENV PG_VERSION 14.18
+ENV PG_SHA256 83ab29d6bfc3dc58b2ed3c664114fdfbeb6a0450c4b8d7fa69aee91e3ca14f8e
+
+ENV DOCKER_PG_LLVM_DEPS \
+ llvm19-dev \
+ clang19
+
+RUN set -eux; \
+ \
+ wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \
+ echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c -; \
+ mkdir -p /usr/src/postgresql; \
+ tar \
+ --extract \
+ --file postgresql.tar.bz2 \
+ --directory /usr/src/postgresql \
+ --strip-components 1 \
+ ; \
+ rm postgresql.tar.bz2; \
+ \
+ apk add --no-cache --virtual .build-deps \
+ $DOCKER_PG_LLVM_DEPS \
+ bison \
+ coreutils \
+ dpkg-dev dpkg \
+ flex \
+ g++ \
+ gcc \
+ krb5-dev \
+ libc-dev \
+ libedit-dev \
+ libxml2-dev \
+ libxslt-dev \
+ linux-headers \
+ make \
+ openldap-dev \
+ openssl-dev \
+ perl-dev \
+ perl-ipc-run \
+ perl-utils \
+ python3-dev \
+ tcl-dev \
+ util-linux-dev \
+ zlib-dev \
+# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13
+ icu-dev \
+# https://www.postgresql.org/docs/14/release-14.html#id-1.11.6.5.5.3.7
+ lz4-dev \
+ ; \
+ \
+ cd /usr/src/postgresql; \
+# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
+# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
+ awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \
+ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
+ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
+ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
+ \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.21-stable&id=40544ade947bec1798edb0f749f4e967e842624b#n172
+ export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.21-stable&id=40544ade947bec1798edb0f749f4e967e842624b#n177
+ export CLANG=clang-19; \
+ \
+# configure options taken from:
+# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+ ./configure \
+ --enable-option-checking=fatal \
+ --build="$gnuArch" \
+# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
+# --enable-nls \
+ --enable-integer-datetimes \
+ --enable-thread-safety \
+ --enable-tap-tests \
+# skip debugging info -- we want tiny size instead
+# --enable-debug \
+ --disable-rpath \
+ --with-uuid=e2fs \
+ --with-gnu-ld \
+ --with-pgport=5432 \
+ --with-system-tzdata=/usr/share/zoneinfo \
+ --prefix=/usr/local \
+ --with-includes=/usr/local/include \
+ --with-libraries=/usr/local/lib \
+ --with-gssapi \
+ --with-ldap \
+ --with-tcl \
+ --with-perl \
+ --with-python \
+# --with-pam \
+ --with-openssl \
+ --with-libxml \
+ --with-libxslt \
+ --with-icu \
+ --with-llvm \
+ --with-lz4 \
+ ; \
+ make -j "$(nproc)" world-bin; \
+ make install-world-bin; \
+ make -C contrib install; \
+ \
+ runDeps="$( \
+ scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
+ | tr ',' '\n' \
+ | sort -u \
+ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+# Remove plperl, plpython and pltcl dependencies by default to save image size
+# To use the pl extensions, those have to be installed in a derived image
+ | grep -v -e perl -e python -e tcl \
+ )"; \
+ apk add --no-cache --virtual .postgresql-rundeps \
+ $runDeps \
+ bash \
+ tzdata \
+ zstd \
+# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
+ icu-data-full \
+# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le"
+# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663
+ $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
+ ; \
+ apk del --no-network .build-deps; \
+ cd /; \
+ rm -rf \
+ /usr/src/postgresql \
+ /usr/local/share/doc \
+ /usr/local/share/man \
+ ; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ cp -v /usr/local/share/postgresql/postgresql.conf.sample /usr/local/share/postgresql/postgresql.conf.sample.orig; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/14/alpine3.21/docker-ensure-initdb.sh b/14/alpine3.21/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..ae1f6b6b90
--- /dev/null
+++ b/14/alpine3.21/docker-ensure-initdb.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/14/alpine3.21/docker-entrypoint.sh b/14/alpine3.21/docker-entrypoint.sh
new file mode 100755
index 0000000000..ae40666ca1
--- /dev/null
+++ b/14/alpine3.21/docker-entrypoint.sh
@@ -0,0 +1,359 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/14/bookworm/Dockerfile b/14/bookworm/Dockerfile
new file mode 100644
index 0000000000..701a02cccd
--- /dev/null
+++ b/14/bookworm/Dockerfile
@@ -0,0 +1,219 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM debian:bookworm-slim
+
+# explicitly set user/group IDs
+RUN set -eux; \
+ groupadd -r postgres --gid=999; \
+# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
+ useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ gnupg \
+# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
+# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
+# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
+ less \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ savedAptMark="$(apt-mark showmanual)"; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends ca-certificates wget; \
+ rm -rf /var/lib/apt/lists/*; \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ apt-mark auto '.*' > /dev/null; \
+ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+ chmod +x /usr/local/bin/gosu; \
+ gosu --version; \
+ gosu nobody true
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+RUN set -eux; \
+ if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
+# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
+ grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
+ ! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ fi; \
+ apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
+ echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
+ locale-gen; \
+ locale -a | grep 'en_US.utf8'
+ENV LANG en_US.utf8
+
+RUN set -eux; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ libnss-wrapper \
+ xz-utils \
+ zstd \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+RUN set -ex; \
+# pub 4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
+# Key fingerprint = B97B 0AFC AA1A 47F0 44F2 44A0 7FCC 7D46 ACCC 4CF8
+# uid PostgreSQL Debian Repository
+ key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ mkdir -p /usr/local/share/keyrings/; \
+ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
+ gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME"
+
+ENV PG_MAJOR 14
+ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
+
+ENV PG_VERSION 14.18-1.pgdg120+1
+
+RUN set -ex; \
+ \
+# see note below about "*.pyc" files
+ export PYTHONDONTWRITEBYTECODE=1; \
+ \
+ dpkgArch="$(dpkg --print-architecture)"; \
+ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main $PG_MAJOR"; \
+ case "$dpkgArch" in \
+ amd64 | arm64 | ppc64el) \
+# arches officialy built by upstream
+ echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ apt-get update; \
+ ;; \
+ *) \
+# we're on an architecture upstream doesn't officially build for
+# let's build binaries from their published source packages
+ echo "deb-src $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ \
+ savedAptMark="$(apt-mark showmanual)"; \
+ \
+ tempDir="$(mktemp -d)"; \
+ cd "$tempDir"; \
+ \
+# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
+ apt-get update; \
+ apt-get install -y --no-install-recommends dpkg-dev; \
+ echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
+ _update_repo() { \
+ dpkg-scanpackages . > Packages; \
+# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
+# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+# ...
+# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+ apt-get -o Acquire::GzipIndexes=false update; \
+ }; \
+ _update_repo; \
+ \
+# build .deb files from upstream's source packages (which are verified by apt-get)
+ nproc="$(nproc)"; \
+ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
+# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876
+# (and it "Depends: pgdg-keyring")
+ apt-get build-dep -y postgresql-common pgdg-keyring; \
+ apt-get source --compile postgresql-common pgdg-keyring; \
+ _update_repo; \
+ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ \
+# we don't remove APT lists here because they get re-downloaded and removed later
+ \
+# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
+ apt-mark showmanual | xargs apt-mark auto > /dev/null; \
+ apt-mark manual $savedAptMark; \
+ \
+ ls -lAFh; \
+ _update_repo; \
+ grep '^Package: ' Packages; \
+ cd /; \
+ ;; \
+ esac; \
+ \
+ apt-get install -y --no-install-recommends postgresql-common; \
+ sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
+ apt-get install -y --no-install-recommends \
+ "postgresql-$PG_MAJOR=$PG_VERSION" \
+ ; \
+ \
+ rm -rf /var/lib/apt/lists/*; \
+ \
+ if [ -n "$tempDir" ]; then \
+# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
+ apt-get purge -y --auto-remove; \
+ rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
+ fi; \
+ \
+# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
+ find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
+ cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
+ ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/14/bookworm/docker-ensure-initdb.sh b/14/bookworm/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..ae1f6b6b90
--- /dev/null
+++ b/14/bookworm/docker-ensure-initdb.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/14/bookworm/docker-entrypoint.sh b/14/bookworm/docker-entrypoint.sh
new file mode 100755
index 0000000000..ae40666ca1
--- /dev/null
+++ b/14/bookworm/docker-entrypoint.sh
@@ -0,0 +1,359 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/14/bullseye/Dockerfile b/14/bullseye/Dockerfile
new file mode 100644
index 0000000000..004e6777cd
--- /dev/null
+++ b/14/bullseye/Dockerfile
@@ -0,0 +1,219 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM debian:bullseye-slim
+
+# explicitly set user/group IDs
+RUN set -eux; \
+ groupadd -r postgres --gid=999; \
+# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
+ useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ gnupg \
+# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
+# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
+# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
+ less \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ savedAptMark="$(apt-mark showmanual)"; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends ca-certificates wget; \
+ rm -rf /var/lib/apt/lists/*; \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ apt-mark auto '.*' > /dev/null; \
+ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+ chmod +x /usr/local/bin/gosu; \
+ gosu --version; \
+ gosu nobody true
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+RUN set -eux; \
+ if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
+# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
+ grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
+ ! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ fi; \
+ apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
+ echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
+ locale-gen; \
+ locale -a | grep 'en_US.utf8'
+ENV LANG en_US.utf8
+
+RUN set -eux; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ libnss-wrapper \
+ xz-utils \
+ zstd \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+RUN set -ex; \
+# pub 4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
+# Key fingerprint = B97B 0AFC AA1A 47F0 44F2 44A0 7FCC 7D46 ACCC 4CF8
+# uid PostgreSQL Debian Repository
+ key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ mkdir -p /usr/local/share/keyrings/; \
+ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
+ gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME"
+
+ENV PG_MAJOR 14
+ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
+
+ENV PG_VERSION 14.18-1.pgdg110+1
+
+RUN set -ex; \
+ \
+# see note below about "*.pyc" files
+ export PYTHONDONTWRITEBYTECODE=1; \
+ \
+ dpkgArch="$(dpkg --print-architecture)"; \
+ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bullseye-pgdg main $PG_MAJOR"; \
+ case "$dpkgArch" in \
+ amd64 | arm64 | ppc64el) \
+# arches officialy built by upstream
+ echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ apt-get update; \
+ ;; \
+ *) \
+# we're on an architecture upstream doesn't officially build for
+# let's build binaries from their published source packages
+ echo "deb-src $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ \
+ savedAptMark="$(apt-mark showmanual)"; \
+ \
+ tempDir="$(mktemp -d)"; \
+ cd "$tempDir"; \
+ \
+# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
+ apt-get update; \
+ apt-get install -y --no-install-recommends dpkg-dev; \
+ echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
+ _update_repo() { \
+ dpkg-scanpackages . > Packages; \
+# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
+# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+# ...
+# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+ apt-get -o Acquire::GzipIndexes=false update; \
+ }; \
+ _update_repo; \
+ \
+# build .deb files from upstream's source packages (which are verified by apt-get)
+ nproc="$(nproc)"; \
+ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
+# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876
+# (and it "Depends: pgdg-keyring")
+ apt-get build-dep -y postgresql-common pgdg-keyring; \
+ apt-get source --compile postgresql-common pgdg-keyring; \
+ _update_repo; \
+ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ \
+# we don't remove APT lists here because they get re-downloaded and removed later
+ \
+# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
+ apt-mark showmanual | xargs apt-mark auto > /dev/null; \
+ apt-mark manual $savedAptMark; \
+ \
+ ls -lAFh; \
+ _update_repo; \
+ grep '^Package: ' Packages; \
+ cd /; \
+ ;; \
+ esac; \
+ \
+ apt-get install -y --no-install-recommends postgresql-common; \
+ sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
+ apt-get install -y --no-install-recommends \
+ "postgresql-$PG_MAJOR=$PG_VERSION" \
+ ; \
+ \
+ rm -rf /var/lib/apt/lists/*; \
+ \
+ if [ -n "$tempDir" ]; then \
+# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
+ apt-get purge -y --auto-remove; \
+ rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
+ fi; \
+ \
+# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
+ find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
+ cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
+ ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/14/bullseye/docker-ensure-initdb.sh b/14/bullseye/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..ae1f6b6b90
--- /dev/null
+++ b/14/bullseye/docker-ensure-initdb.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/14/bullseye/docker-entrypoint.sh b/14/bullseye/docker-entrypoint.sh
new file mode 100755
index 0000000000..ae40666ca1
--- /dev/null
+++ b/14/bullseye/docker-entrypoint.sh
@@ -0,0 +1,359 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/15/alpine3.20/Dockerfile b/15/alpine3.20/Dockerfile
new file mode 100644
index 0000000000..9fcb077803
--- /dev/null
+++ b/15/alpine3.20/Dockerfile
@@ -0,0 +1,231 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM alpine:3.20
+
+# 70 is the standard uid/gid for "postgres" in Alpine
+# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.21-stable
+RUN set -eux; \
+ addgroup -g 70 -S postgres; \
+ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ \
+ apk add --no-cache --virtual .gosu-deps \
+ ca-certificates \
+ dpkg \
+ gnupg \
+ ; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ \
+# verify the signature
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ \
+# clean up fetch dependencies
+ apk del --no-network .gosu-deps; \
+ \
+ chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+ gosu --version; \
+ gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+# alpine doesn't require explicit locale-file generation
+ENV LANG en_US.utf8
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+ENV PG_MAJOR 15
+ENV PG_VERSION 15.13
+ENV PG_SHA256 4f62e133d22ea08a0401b0840920e26698644d01a80c34341fb732dd0a90ca5d
+
+ENV DOCKER_PG_LLVM_DEPS \
+ llvm15-dev \
+ clang15
+
+RUN set -eux; \
+ \
+ wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \
+ echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c -; \
+ mkdir -p /usr/src/postgresql; \
+ tar \
+ --extract \
+ --file postgresql.tar.bz2 \
+ --directory /usr/src/postgresql \
+ --strip-components 1 \
+ ; \
+ rm postgresql.tar.bz2; \
+ \
+ apk add --no-cache --virtual .build-deps \
+ $DOCKER_PG_LLVM_DEPS \
+ bison \
+ coreutils \
+ dpkg-dev dpkg \
+ flex \
+ g++ \
+ gcc \
+ krb5-dev \
+ libc-dev \
+ libedit-dev \
+ libxml2-dev \
+ libxslt-dev \
+ linux-headers \
+ make \
+ openldap-dev \
+ openssl-dev \
+ perl-dev \
+ perl-ipc-run \
+ perl-utils \
+ python3-dev \
+ tcl-dev \
+ util-linux-dev \
+ zlib-dev \
+# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13
+ icu-dev \
+# https://www.postgresql.org/docs/14/release-14.html#id-1.11.6.5.5.3.7
+ lz4-dev \
+# https://www.postgresql.org/docs/15/release-15.html "--with-zstd to enable Zstandard builds"
+ zstd-dev \
+ ; \
+ \
+ cd /usr/src/postgresql; \
+# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
+# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
+ awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \
+ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
+ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
+ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
+ \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.21-stable&id=40544ade947bec1798edb0f749f4e967e842624b#n172
+ export LLVM_CONFIG="/usr/lib/llvm15/bin/llvm-config"; \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.21-stable&id=40544ade947bec1798edb0f749f4e967e842624b#n177
+ export CLANG=clang-15; \
+ \
+# configure options taken from:
+# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+ ./configure \
+ --enable-option-checking=fatal \
+ --build="$gnuArch" \
+# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
+# --enable-nls \
+ --enable-integer-datetimes \
+ --enable-thread-safety \
+ --enable-tap-tests \
+# skip debugging info -- we want tiny size instead
+# --enable-debug \
+ --disable-rpath \
+ --with-uuid=e2fs \
+ --with-gnu-ld \
+ --with-pgport=5432 \
+ --with-system-tzdata=/usr/share/zoneinfo \
+ --prefix=/usr/local \
+ --with-includes=/usr/local/include \
+ --with-libraries=/usr/local/lib \
+ --with-gssapi \
+ --with-ldap \
+ --with-tcl \
+ --with-perl \
+ --with-python \
+# --with-pam \
+ --with-openssl \
+ --with-libxml \
+ --with-libxslt \
+ --with-icu \
+ --with-llvm \
+ --with-lz4 \
+ --with-zstd \
+ ; \
+ make -j "$(nproc)" world-bin; \
+ make install-world-bin; \
+ make -C contrib install; \
+ \
+ runDeps="$( \
+ scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
+ | tr ',' '\n' \
+ | sort -u \
+ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+# Remove plperl, plpython and pltcl dependencies by default to save image size
+# To use the pl extensions, those have to be installed in a derived image
+ | grep -v -e perl -e python -e tcl \
+ )"; \
+ apk add --no-cache --virtual .postgresql-rundeps \
+ $runDeps \
+ bash \
+ tzdata \
+ zstd \
+# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
+ icu-data-full \
+# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le"
+# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663
+ $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
+ ; \
+ apk del --no-network .build-deps; \
+ cd /; \
+ rm -rf \
+ /usr/src/postgresql \
+ /usr/local/share/doc \
+ /usr/local/share/man \
+ ; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ cp -v /usr/local/share/postgresql/postgresql.conf.sample /usr/local/share/postgresql/postgresql.conf.sample.orig; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/15/alpine3.20/docker-ensure-initdb.sh b/15/alpine3.20/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..ae1f6b6b90
--- /dev/null
+++ b/15/alpine3.20/docker-ensure-initdb.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/15/alpine3.20/docker-entrypoint.sh b/15/alpine3.20/docker-entrypoint.sh
new file mode 100755
index 0000000000..ae40666ca1
--- /dev/null
+++ b/15/alpine3.20/docker-entrypoint.sh
@@ -0,0 +1,359 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/15/alpine3.21/Dockerfile b/15/alpine3.21/Dockerfile
new file mode 100644
index 0000000000..203cab4d45
--- /dev/null
+++ b/15/alpine3.21/Dockerfile
@@ -0,0 +1,231 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM alpine:3.21
+
+# 70 is the standard uid/gid for "postgres" in Alpine
+# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.21-stable
+RUN set -eux; \
+ addgroup -g 70 -S postgres; \
+ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ \
+ apk add --no-cache --virtual .gosu-deps \
+ ca-certificates \
+ dpkg \
+ gnupg \
+ ; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ \
+# verify the signature
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ \
+# clean up fetch dependencies
+ apk del --no-network .gosu-deps; \
+ \
+ chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+ gosu --version; \
+ gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+# alpine doesn't require explicit locale-file generation
+ENV LANG en_US.utf8
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+ENV PG_MAJOR 15
+ENV PG_VERSION 15.13
+ENV PG_SHA256 4f62e133d22ea08a0401b0840920e26698644d01a80c34341fb732dd0a90ca5d
+
+ENV DOCKER_PG_LLVM_DEPS \
+ llvm19-dev \
+ clang19
+
+RUN set -eux; \
+ \
+ wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \
+ echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c -; \
+ mkdir -p /usr/src/postgresql; \
+ tar \
+ --extract \
+ --file postgresql.tar.bz2 \
+ --directory /usr/src/postgresql \
+ --strip-components 1 \
+ ; \
+ rm postgresql.tar.bz2; \
+ \
+ apk add --no-cache --virtual .build-deps \
+ $DOCKER_PG_LLVM_DEPS \
+ bison \
+ coreutils \
+ dpkg-dev dpkg \
+ flex \
+ g++ \
+ gcc \
+ krb5-dev \
+ libc-dev \
+ libedit-dev \
+ libxml2-dev \
+ libxslt-dev \
+ linux-headers \
+ make \
+ openldap-dev \
+ openssl-dev \
+ perl-dev \
+ perl-ipc-run \
+ perl-utils \
+ python3-dev \
+ tcl-dev \
+ util-linux-dev \
+ zlib-dev \
+# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13
+ icu-dev \
+# https://www.postgresql.org/docs/14/release-14.html#id-1.11.6.5.5.3.7
+ lz4-dev \
+# https://www.postgresql.org/docs/15/release-15.html "--with-zstd to enable Zstandard builds"
+ zstd-dev \
+ ; \
+ \
+ cd /usr/src/postgresql; \
+# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
+# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
+ awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \
+ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
+ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
+ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
+ \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.21-stable&id=40544ade947bec1798edb0f749f4e967e842624b#n172
+ export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.21-stable&id=40544ade947bec1798edb0f749f4e967e842624b#n177
+ export CLANG=clang-19; \
+ \
+# configure options taken from:
+# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+ ./configure \
+ --enable-option-checking=fatal \
+ --build="$gnuArch" \
+# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
+# --enable-nls \
+ --enable-integer-datetimes \
+ --enable-thread-safety \
+ --enable-tap-tests \
+# skip debugging info -- we want tiny size instead
+# --enable-debug \
+ --disable-rpath \
+ --with-uuid=e2fs \
+ --with-gnu-ld \
+ --with-pgport=5432 \
+ --with-system-tzdata=/usr/share/zoneinfo \
+ --prefix=/usr/local \
+ --with-includes=/usr/local/include \
+ --with-libraries=/usr/local/lib \
+ --with-gssapi \
+ --with-ldap \
+ --with-tcl \
+ --with-perl \
+ --with-python \
+# --with-pam \
+ --with-openssl \
+ --with-libxml \
+ --with-libxslt \
+ --with-icu \
+ --with-llvm \
+ --with-lz4 \
+ --with-zstd \
+ ; \
+ make -j "$(nproc)" world-bin; \
+ make install-world-bin; \
+ make -C contrib install; \
+ \
+ runDeps="$( \
+ scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
+ | tr ',' '\n' \
+ | sort -u \
+ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+# Remove plperl, plpython and pltcl dependencies by default to save image size
+# To use the pl extensions, those have to be installed in a derived image
+ | grep -v -e perl -e python -e tcl \
+ )"; \
+ apk add --no-cache --virtual .postgresql-rundeps \
+ $runDeps \
+ bash \
+ tzdata \
+ zstd \
+# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
+ icu-data-full \
+# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le"
+# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663
+ $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
+ ; \
+ apk del --no-network .build-deps; \
+ cd /; \
+ rm -rf \
+ /usr/src/postgresql \
+ /usr/local/share/doc \
+ /usr/local/share/man \
+ ; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ cp -v /usr/local/share/postgresql/postgresql.conf.sample /usr/local/share/postgresql/postgresql.conf.sample.orig; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/15/alpine3.21/docker-ensure-initdb.sh b/15/alpine3.21/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..ae1f6b6b90
--- /dev/null
+++ b/15/alpine3.21/docker-ensure-initdb.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/15/alpine3.21/docker-entrypoint.sh b/15/alpine3.21/docker-entrypoint.sh
new file mode 100755
index 0000000000..ae40666ca1
--- /dev/null
+++ b/15/alpine3.21/docker-entrypoint.sh
@@ -0,0 +1,359 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/15/bookworm/Dockerfile b/15/bookworm/Dockerfile
new file mode 100644
index 0000000000..953f19a827
--- /dev/null
+++ b/15/bookworm/Dockerfile
@@ -0,0 +1,219 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM debian:bookworm-slim
+
+# explicitly set user/group IDs
+RUN set -eux; \
+ groupadd -r postgres --gid=999; \
+# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
+ useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ gnupg \
+# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
+# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
+# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
+ less \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ savedAptMark="$(apt-mark showmanual)"; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends ca-certificates wget; \
+ rm -rf /var/lib/apt/lists/*; \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ apt-mark auto '.*' > /dev/null; \
+ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+ chmod +x /usr/local/bin/gosu; \
+ gosu --version; \
+ gosu nobody true
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+RUN set -eux; \
+ if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
+# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
+ grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
+ ! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ fi; \
+ apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
+ echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
+ locale-gen; \
+ locale -a | grep 'en_US.utf8'
+ENV LANG en_US.utf8
+
+RUN set -eux; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ libnss-wrapper \
+ xz-utils \
+ zstd \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+RUN set -ex; \
+# pub 4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
+# Key fingerprint = B97B 0AFC AA1A 47F0 44F2 44A0 7FCC 7D46 ACCC 4CF8
+# uid PostgreSQL Debian Repository
+ key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ mkdir -p /usr/local/share/keyrings/; \
+ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
+ gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME"
+
+ENV PG_MAJOR 15
+ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
+
+ENV PG_VERSION 15.13-1.pgdg120+1
+
+RUN set -ex; \
+ \
+# see note below about "*.pyc" files
+ export PYTHONDONTWRITEBYTECODE=1; \
+ \
+ dpkgArch="$(dpkg --print-architecture)"; \
+ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main $PG_MAJOR"; \
+ case "$dpkgArch" in \
+ amd64 | arm64 | ppc64el) \
+# arches officialy built by upstream
+ echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ apt-get update; \
+ ;; \
+ *) \
+# we're on an architecture upstream doesn't officially build for
+# let's build binaries from their published source packages
+ echo "deb-src $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ \
+ savedAptMark="$(apt-mark showmanual)"; \
+ \
+ tempDir="$(mktemp -d)"; \
+ cd "$tempDir"; \
+ \
+# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
+ apt-get update; \
+ apt-get install -y --no-install-recommends dpkg-dev; \
+ echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
+ _update_repo() { \
+ dpkg-scanpackages . > Packages; \
+# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
+# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+# ...
+# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+ apt-get -o Acquire::GzipIndexes=false update; \
+ }; \
+ _update_repo; \
+ \
+# build .deb files from upstream's source packages (which are verified by apt-get)
+ nproc="$(nproc)"; \
+ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
+# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876
+# (and it "Depends: pgdg-keyring")
+ apt-get build-dep -y postgresql-common pgdg-keyring; \
+ apt-get source --compile postgresql-common pgdg-keyring; \
+ _update_repo; \
+ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ \
+# we don't remove APT lists here because they get re-downloaded and removed later
+ \
+# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
+ apt-mark showmanual | xargs apt-mark auto > /dev/null; \
+ apt-mark manual $savedAptMark; \
+ \
+ ls -lAFh; \
+ _update_repo; \
+ grep '^Package: ' Packages; \
+ cd /; \
+ ;; \
+ esac; \
+ \
+ apt-get install -y --no-install-recommends postgresql-common; \
+ sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
+ apt-get install -y --no-install-recommends \
+ "postgresql-$PG_MAJOR=$PG_VERSION" \
+ ; \
+ \
+ rm -rf /var/lib/apt/lists/*; \
+ \
+ if [ -n "$tempDir" ]; then \
+# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
+ apt-get purge -y --auto-remove; \
+ rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
+ fi; \
+ \
+# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
+ find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
+ cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
+ ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/15/bookworm/docker-ensure-initdb.sh b/15/bookworm/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..ae1f6b6b90
--- /dev/null
+++ b/15/bookworm/docker-ensure-initdb.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/15/bookworm/docker-entrypoint.sh b/15/bookworm/docker-entrypoint.sh
new file mode 100755
index 0000000000..ae40666ca1
--- /dev/null
+++ b/15/bookworm/docker-entrypoint.sh
@@ -0,0 +1,359 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/15/bullseye/Dockerfile b/15/bullseye/Dockerfile
new file mode 100644
index 0000000000..af49faecc7
--- /dev/null
+++ b/15/bullseye/Dockerfile
@@ -0,0 +1,219 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM debian:bullseye-slim
+
+# explicitly set user/group IDs
+RUN set -eux; \
+ groupadd -r postgres --gid=999; \
+# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
+ useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ gnupg \
+# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
+# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
+# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
+ less \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ savedAptMark="$(apt-mark showmanual)"; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends ca-certificates wget; \
+ rm -rf /var/lib/apt/lists/*; \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ apt-mark auto '.*' > /dev/null; \
+ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+ chmod +x /usr/local/bin/gosu; \
+ gosu --version; \
+ gosu nobody true
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+RUN set -eux; \
+ if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
+# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
+ grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
+ ! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ fi; \
+ apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
+ echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
+ locale-gen; \
+ locale -a | grep 'en_US.utf8'
+ENV LANG en_US.utf8
+
+RUN set -eux; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ libnss-wrapper \
+ xz-utils \
+ zstd \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+RUN set -ex; \
+# pub 4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
+# Key fingerprint = B97B 0AFC AA1A 47F0 44F2 44A0 7FCC 7D46 ACCC 4CF8
+# uid PostgreSQL Debian Repository
+ key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ mkdir -p /usr/local/share/keyrings/; \
+ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
+ gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME"
+
+ENV PG_MAJOR 15
+ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
+
+ENV PG_VERSION 15.13-1.pgdg110+1
+
+RUN set -ex; \
+ \
+# see note below about "*.pyc" files
+ export PYTHONDONTWRITEBYTECODE=1; \
+ \
+ dpkgArch="$(dpkg --print-architecture)"; \
+ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bullseye-pgdg main $PG_MAJOR"; \
+ case "$dpkgArch" in \
+ amd64 | arm64 | ppc64el) \
+# arches officialy built by upstream
+ echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ apt-get update; \
+ ;; \
+ *) \
+# we're on an architecture upstream doesn't officially build for
+# let's build binaries from their published source packages
+ echo "deb-src $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ \
+ savedAptMark="$(apt-mark showmanual)"; \
+ \
+ tempDir="$(mktemp -d)"; \
+ cd "$tempDir"; \
+ \
+# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
+ apt-get update; \
+ apt-get install -y --no-install-recommends dpkg-dev; \
+ echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
+ _update_repo() { \
+ dpkg-scanpackages . > Packages; \
+# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
+# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+# ...
+# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+ apt-get -o Acquire::GzipIndexes=false update; \
+ }; \
+ _update_repo; \
+ \
+# build .deb files from upstream's source packages (which are verified by apt-get)
+ nproc="$(nproc)"; \
+ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
+# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876
+# (and it "Depends: pgdg-keyring")
+ apt-get build-dep -y postgresql-common pgdg-keyring; \
+ apt-get source --compile postgresql-common pgdg-keyring; \
+ _update_repo; \
+ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ \
+# we don't remove APT lists here because they get re-downloaded and removed later
+ \
+# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
+ apt-mark showmanual | xargs apt-mark auto > /dev/null; \
+ apt-mark manual $savedAptMark; \
+ \
+ ls -lAFh; \
+ _update_repo; \
+ grep '^Package: ' Packages; \
+ cd /; \
+ ;; \
+ esac; \
+ \
+ apt-get install -y --no-install-recommends postgresql-common; \
+ sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
+ apt-get install -y --no-install-recommends \
+ "postgresql-$PG_MAJOR=$PG_VERSION" \
+ ; \
+ \
+ rm -rf /var/lib/apt/lists/*; \
+ \
+ if [ -n "$tempDir" ]; then \
+# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
+ apt-get purge -y --auto-remove; \
+ rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
+ fi; \
+ \
+# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
+ find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
+ cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
+ ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/15/bullseye/docker-ensure-initdb.sh b/15/bullseye/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..ae1f6b6b90
--- /dev/null
+++ b/15/bullseye/docker-ensure-initdb.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/15/bullseye/docker-entrypoint.sh b/15/bullseye/docker-entrypoint.sh
new file mode 100755
index 0000000000..ae40666ca1
--- /dev/null
+++ b/15/bullseye/docker-entrypoint.sh
@@ -0,0 +1,359 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/16/alpine3.20/Dockerfile b/16/alpine3.20/Dockerfile
new file mode 100644
index 0000000000..6095fa9396
--- /dev/null
+++ b/16/alpine3.20/Dockerfile
@@ -0,0 +1,230 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM alpine:3.20
+
+# 70 is the standard uid/gid for "postgres" in Alpine
+# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.21-stable
+RUN set -eux; \
+ addgroup -g 70 -S postgres; \
+ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ \
+ apk add --no-cache --virtual .gosu-deps \
+ ca-certificates \
+ dpkg \
+ gnupg \
+ ; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ \
+# verify the signature
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ \
+# clean up fetch dependencies
+ apk del --no-network .gosu-deps; \
+ \
+ chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+ gosu --version; \
+ gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+# alpine doesn't require explicit locale-file generation
+ENV LANG en_US.utf8
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+ENV PG_MAJOR 16
+ENV PG_VERSION 16.9
+ENV PG_SHA256 07c00fb824df0a0c295f249f44691b86e3266753b380c96f633c3311e10bd005
+
+ENV DOCKER_PG_LLVM_DEPS \
+ llvm15-dev \
+ clang15
+
+RUN set -eux; \
+ \
+ wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \
+ echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c -; \
+ mkdir -p /usr/src/postgresql; \
+ tar \
+ --extract \
+ --file postgresql.tar.bz2 \
+ --directory /usr/src/postgresql \
+ --strip-components 1 \
+ ; \
+ rm postgresql.tar.bz2; \
+ \
+ apk add --no-cache --virtual .build-deps \
+ $DOCKER_PG_LLVM_DEPS \
+ bison \
+ coreutils \
+ dpkg-dev dpkg \
+ flex \
+ g++ \
+ gcc \
+ krb5-dev \
+ libc-dev \
+ libedit-dev \
+ libxml2-dev \
+ libxslt-dev \
+ linux-headers \
+ make \
+ openldap-dev \
+ openssl-dev \
+ perl-dev \
+ perl-ipc-run \
+ perl-utils \
+ python3-dev \
+ tcl-dev \
+ util-linux-dev \
+ zlib-dev \
+# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13
+ icu-dev \
+# https://www.postgresql.org/docs/14/release-14.html#id-1.11.6.5.5.3.7
+ lz4-dev \
+# https://www.postgresql.org/docs/15/release-15.html "--with-zstd to enable Zstandard builds"
+ zstd-dev \
+ ; \
+ \
+ cd /usr/src/postgresql; \
+# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
+# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
+ awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \
+ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
+ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
+ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
+ \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.21-stable&id=40544ade947bec1798edb0f749f4e967e842624b#n172
+ export LLVM_CONFIG="/usr/lib/llvm15/bin/llvm-config"; \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.21-stable&id=40544ade947bec1798edb0f749f4e967e842624b#n177
+ export CLANG=clang-15; \
+ \
+# configure options taken from:
+# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+ ./configure \
+ --enable-option-checking=fatal \
+ --build="$gnuArch" \
+# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
+# --enable-nls \
+ --enable-integer-datetimes \
+ --enable-thread-safety \
+ --enable-tap-tests \
+# skip debugging info -- we want tiny size instead
+# --enable-debug \
+ --disable-rpath \
+ --with-uuid=e2fs \
+ --with-pgport=5432 \
+ --with-system-tzdata=/usr/share/zoneinfo \
+ --prefix=/usr/local \
+ --with-includes=/usr/local/include \
+ --with-libraries=/usr/local/lib \
+ --with-gssapi \
+ --with-ldap \
+ --with-tcl \
+ --with-perl \
+ --with-python \
+# --with-pam \
+ --with-openssl \
+ --with-libxml \
+ --with-libxslt \
+ --with-icu \
+ --with-llvm \
+ --with-lz4 \
+ --with-zstd \
+ ; \
+ make -j "$(nproc)" world-bin; \
+ make install-world-bin; \
+ make -C contrib install; \
+ \
+ runDeps="$( \
+ scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
+ | tr ',' '\n' \
+ | sort -u \
+ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+# Remove plperl, plpython and pltcl dependencies by default to save image size
+# To use the pl extensions, those have to be installed in a derived image
+ | grep -v -e perl -e python -e tcl \
+ )"; \
+ apk add --no-cache --virtual .postgresql-rundeps \
+ $runDeps \
+ bash \
+ tzdata \
+ zstd \
+# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
+ icu-data-full \
+# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le"
+# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663
+ $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
+ ; \
+ apk del --no-network .build-deps; \
+ cd /; \
+ rm -rf \
+ /usr/src/postgresql \
+ /usr/local/share/doc \
+ /usr/local/share/man \
+ ; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ cp -v /usr/local/share/postgresql/postgresql.conf.sample /usr/local/share/postgresql/postgresql.conf.sample.orig; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/16/alpine3.20/docker-ensure-initdb.sh b/16/alpine3.20/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..ae1f6b6b90
--- /dev/null
+++ b/16/alpine3.20/docker-ensure-initdb.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/16/alpine3.20/docker-entrypoint.sh b/16/alpine3.20/docker-entrypoint.sh
new file mode 100755
index 0000000000..ae40666ca1
--- /dev/null
+++ b/16/alpine3.20/docker-entrypoint.sh
@@ -0,0 +1,359 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/16/alpine3.21/Dockerfile b/16/alpine3.21/Dockerfile
new file mode 100644
index 0000000000..21f38d7596
--- /dev/null
+++ b/16/alpine3.21/Dockerfile
@@ -0,0 +1,230 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM alpine:3.21
+
+# 70 is the standard uid/gid for "postgres" in Alpine
+# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.21-stable
+RUN set -eux; \
+ addgroup -g 70 -S postgres; \
+ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ \
+ apk add --no-cache --virtual .gosu-deps \
+ ca-certificates \
+ dpkg \
+ gnupg \
+ ; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ \
+# verify the signature
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ \
+# clean up fetch dependencies
+ apk del --no-network .gosu-deps; \
+ \
+ chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+ gosu --version; \
+ gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+# alpine doesn't require explicit locale-file generation
+ENV LANG en_US.utf8
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+ENV PG_MAJOR 16
+ENV PG_VERSION 16.9
+ENV PG_SHA256 07c00fb824df0a0c295f249f44691b86e3266753b380c96f633c3311e10bd005
+
+ENV DOCKER_PG_LLVM_DEPS \
+ llvm19-dev \
+ clang19
+
+RUN set -eux; \
+ \
+ wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \
+ echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c -; \
+ mkdir -p /usr/src/postgresql; \
+ tar \
+ --extract \
+ --file postgresql.tar.bz2 \
+ --directory /usr/src/postgresql \
+ --strip-components 1 \
+ ; \
+ rm postgresql.tar.bz2; \
+ \
+ apk add --no-cache --virtual .build-deps \
+ $DOCKER_PG_LLVM_DEPS \
+ bison \
+ coreutils \
+ dpkg-dev dpkg \
+ flex \
+ g++ \
+ gcc \
+ krb5-dev \
+ libc-dev \
+ libedit-dev \
+ libxml2-dev \
+ libxslt-dev \
+ linux-headers \
+ make \
+ openldap-dev \
+ openssl-dev \
+ perl-dev \
+ perl-ipc-run \
+ perl-utils \
+ python3-dev \
+ tcl-dev \
+ util-linux-dev \
+ zlib-dev \
+# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13
+ icu-dev \
+# https://www.postgresql.org/docs/14/release-14.html#id-1.11.6.5.5.3.7
+ lz4-dev \
+# https://www.postgresql.org/docs/15/release-15.html "--with-zstd to enable Zstandard builds"
+ zstd-dev \
+ ; \
+ \
+ cd /usr/src/postgresql; \
+# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
+# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
+ awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \
+ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
+ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
+ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
+ \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.21-stable&id=40544ade947bec1798edb0f749f4e967e842624b#n172
+ export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.21-stable&id=40544ade947bec1798edb0f749f4e967e842624b#n177
+ export CLANG=clang-19; \
+ \
+# configure options taken from:
+# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+ ./configure \
+ --enable-option-checking=fatal \
+ --build="$gnuArch" \
+# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
+# --enable-nls \
+ --enable-integer-datetimes \
+ --enable-thread-safety \
+ --enable-tap-tests \
+# skip debugging info -- we want tiny size instead
+# --enable-debug \
+ --disable-rpath \
+ --with-uuid=e2fs \
+ --with-pgport=5432 \
+ --with-system-tzdata=/usr/share/zoneinfo \
+ --prefix=/usr/local \
+ --with-includes=/usr/local/include \
+ --with-libraries=/usr/local/lib \
+ --with-gssapi \
+ --with-ldap \
+ --with-tcl \
+ --with-perl \
+ --with-python \
+# --with-pam \
+ --with-openssl \
+ --with-libxml \
+ --with-libxslt \
+ --with-icu \
+ --with-llvm \
+ --with-lz4 \
+ --with-zstd \
+ ; \
+ make -j "$(nproc)" world-bin; \
+ make install-world-bin; \
+ make -C contrib install; \
+ \
+ runDeps="$( \
+ scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
+ | tr ',' '\n' \
+ | sort -u \
+ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+# Remove plperl, plpython and pltcl dependencies by default to save image size
+# To use the pl extensions, those have to be installed in a derived image
+ | grep -v -e perl -e python -e tcl \
+ )"; \
+ apk add --no-cache --virtual .postgresql-rundeps \
+ $runDeps \
+ bash \
+ tzdata \
+ zstd \
+# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
+ icu-data-full \
+# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le"
+# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663
+ $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
+ ; \
+ apk del --no-network .build-deps; \
+ cd /; \
+ rm -rf \
+ /usr/src/postgresql \
+ /usr/local/share/doc \
+ /usr/local/share/man \
+ ; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ cp -v /usr/local/share/postgresql/postgresql.conf.sample /usr/local/share/postgresql/postgresql.conf.sample.orig; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/16/alpine3.21/docker-ensure-initdb.sh b/16/alpine3.21/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..ae1f6b6b90
--- /dev/null
+++ b/16/alpine3.21/docker-ensure-initdb.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/16/alpine3.21/docker-entrypoint.sh b/16/alpine3.21/docker-entrypoint.sh
new file mode 100755
index 0000000000..ae40666ca1
--- /dev/null
+++ b/16/alpine3.21/docker-entrypoint.sh
@@ -0,0 +1,359 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/16/bookworm/Dockerfile b/16/bookworm/Dockerfile
new file mode 100644
index 0000000000..57ce9f7b06
--- /dev/null
+++ b/16/bookworm/Dockerfile
@@ -0,0 +1,219 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM debian:bookworm-slim
+
+# explicitly set user/group IDs
+RUN set -eux; \
+ groupadd -r postgres --gid=999; \
+# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
+ useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ gnupg \
+# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
+# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
+# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
+ less \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ savedAptMark="$(apt-mark showmanual)"; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends ca-certificates wget; \
+ rm -rf /var/lib/apt/lists/*; \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ apt-mark auto '.*' > /dev/null; \
+ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+ chmod +x /usr/local/bin/gosu; \
+ gosu --version; \
+ gosu nobody true
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+RUN set -eux; \
+ if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
+# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
+ grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
+ ! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ fi; \
+ apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
+ echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
+ locale-gen; \
+ locale -a | grep 'en_US.utf8'
+ENV LANG en_US.utf8
+
+RUN set -eux; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ libnss-wrapper \
+ xz-utils \
+ zstd \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+RUN set -ex; \
+# pub 4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
+# Key fingerprint = B97B 0AFC AA1A 47F0 44F2 44A0 7FCC 7D46 ACCC 4CF8
+# uid PostgreSQL Debian Repository
+ key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ mkdir -p /usr/local/share/keyrings/; \
+ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
+ gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME"
+
+ENV PG_MAJOR 16
+ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
+
+ENV PG_VERSION 16.9-1.pgdg120+1
+
+RUN set -ex; \
+ \
+# see note below about "*.pyc" files
+ export PYTHONDONTWRITEBYTECODE=1; \
+ \
+ dpkgArch="$(dpkg --print-architecture)"; \
+ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main $PG_MAJOR"; \
+ case "$dpkgArch" in \
+ amd64 | arm64 | ppc64el) \
+# arches officialy built by upstream
+ echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ apt-get update; \
+ ;; \
+ *) \
+# we're on an architecture upstream doesn't officially build for
+# let's build binaries from their published source packages
+ echo "deb-src $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ \
+ savedAptMark="$(apt-mark showmanual)"; \
+ \
+ tempDir="$(mktemp -d)"; \
+ cd "$tempDir"; \
+ \
+# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
+ apt-get update; \
+ apt-get install -y --no-install-recommends dpkg-dev; \
+ echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
+ _update_repo() { \
+ dpkg-scanpackages . > Packages; \
+# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
+# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+# ...
+# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+ apt-get -o Acquire::GzipIndexes=false update; \
+ }; \
+ _update_repo; \
+ \
+# build .deb files from upstream's source packages (which are verified by apt-get)
+ nproc="$(nproc)"; \
+ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
+# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876
+# (and it "Depends: pgdg-keyring")
+ apt-get build-dep -y postgresql-common pgdg-keyring; \
+ apt-get source --compile postgresql-common pgdg-keyring; \
+ _update_repo; \
+ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ \
+# we don't remove APT lists here because they get re-downloaded and removed later
+ \
+# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
+ apt-mark showmanual | xargs apt-mark auto > /dev/null; \
+ apt-mark manual $savedAptMark; \
+ \
+ ls -lAFh; \
+ _update_repo; \
+ grep '^Package: ' Packages; \
+ cd /; \
+ ;; \
+ esac; \
+ \
+ apt-get install -y --no-install-recommends postgresql-common; \
+ sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
+ apt-get install -y --no-install-recommends \
+ "postgresql-$PG_MAJOR=$PG_VERSION" \
+ ; \
+ \
+ rm -rf /var/lib/apt/lists/*; \
+ \
+ if [ -n "$tempDir" ]; then \
+# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
+ apt-get purge -y --auto-remove; \
+ rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
+ fi; \
+ \
+# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
+ find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
+ cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
+ ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/16/bookworm/docker-ensure-initdb.sh b/16/bookworm/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..ae1f6b6b90
--- /dev/null
+++ b/16/bookworm/docker-ensure-initdb.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/16/bookworm/docker-entrypoint.sh b/16/bookworm/docker-entrypoint.sh
new file mode 100755
index 0000000000..ae40666ca1
--- /dev/null
+++ b/16/bookworm/docker-entrypoint.sh
@@ -0,0 +1,359 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/16/bullseye/Dockerfile b/16/bullseye/Dockerfile
new file mode 100644
index 0000000000..54f864c29e
--- /dev/null
+++ b/16/bullseye/Dockerfile
@@ -0,0 +1,219 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM debian:bullseye-slim
+
+# explicitly set user/group IDs
+RUN set -eux; \
+ groupadd -r postgres --gid=999; \
+# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
+ useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ gnupg \
+# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
+# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
+# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
+ less \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ savedAptMark="$(apt-mark showmanual)"; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends ca-certificates wget; \
+ rm -rf /var/lib/apt/lists/*; \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ apt-mark auto '.*' > /dev/null; \
+ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+ chmod +x /usr/local/bin/gosu; \
+ gosu --version; \
+ gosu nobody true
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+RUN set -eux; \
+ if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
+# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
+ grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
+ ! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ fi; \
+ apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
+ echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
+ locale-gen; \
+ locale -a | grep 'en_US.utf8'
+ENV LANG en_US.utf8
+
+RUN set -eux; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ libnss-wrapper \
+ xz-utils \
+ zstd \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+RUN set -ex; \
+# pub 4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
+# Key fingerprint = B97B 0AFC AA1A 47F0 44F2 44A0 7FCC 7D46 ACCC 4CF8
+# uid PostgreSQL Debian Repository
+ key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ mkdir -p /usr/local/share/keyrings/; \
+ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
+ gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME"
+
+ENV PG_MAJOR 16
+ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
+
+ENV PG_VERSION 16.9-1.pgdg110+1
+
+RUN set -ex; \
+ \
+# see note below about "*.pyc" files
+ export PYTHONDONTWRITEBYTECODE=1; \
+ \
+ dpkgArch="$(dpkg --print-architecture)"; \
+ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bullseye-pgdg main $PG_MAJOR"; \
+ case "$dpkgArch" in \
+ amd64 | arm64 | ppc64el) \
+# arches officialy built by upstream
+ echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ apt-get update; \
+ ;; \
+ *) \
+# we're on an architecture upstream doesn't officially build for
+# let's build binaries from their published source packages
+ echo "deb-src $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ \
+ savedAptMark="$(apt-mark showmanual)"; \
+ \
+ tempDir="$(mktemp -d)"; \
+ cd "$tempDir"; \
+ \
+# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
+ apt-get update; \
+ apt-get install -y --no-install-recommends dpkg-dev; \
+ echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
+ _update_repo() { \
+ dpkg-scanpackages . > Packages; \
+# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
+# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+# ...
+# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+ apt-get -o Acquire::GzipIndexes=false update; \
+ }; \
+ _update_repo; \
+ \
+# build .deb files from upstream's source packages (which are verified by apt-get)
+ nproc="$(nproc)"; \
+ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
+# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876
+# (and it "Depends: pgdg-keyring")
+ apt-get build-dep -y postgresql-common pgdg-keyring; \
+ apt-get source --compile postgresql-common pgdg-keyring; \
+ _update_repo; \
+ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ \
+# we don't remove APT lists here because they get re-downloaded and removed later
+ \
+# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
+ apt-mark showmanual | xargs apt-mark auto > /dev/null; \
+ apt-mark manual $savedAptMark; \
+ \
+ ls -lAFh; \
+ _update_repo; \
+ grep '^Package: ' Packages; \
+ cd /; \
+ ;; \
+ esac; \
+ \
+ apt-get install -y --no-install-recommends postgresql-common; \
+ sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
+ apt-get install -y --no-install-recommends \
+ "postgresql-$PG_MAJOR=$PG_VERSION" \
+ ; \
+ \
+ rm -rf /var/lib/apt/lists/*; \
+ \
+ if [ -n "$tempDir" ]; then \
+# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
+ apt-get purge -y --auto-remove; \
+ rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
+ fi; \
+ \
+# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
+ find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
+ cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
+ ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/16/bullseye/docker-ensure-initdb.sh b/16/bullseye/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..ae1f6b6b90
--- /dev/null
+++ b/16/bullseye/docker-ensure-initdb.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/16/bullseye/docker-entrypoint.sh b/16/bullseye/docker-entrypoint.sh
new file mode 100755
index 0000000000..ae40666ca1
--- /dev/null
+++ b/16/bullseye/docker-entrypoint.sh
@@ -0,0 +1,359 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/17/alpine3.20/Dockerfile b/17/alpine3.20/Dockerfile
new file mode 100644
index 0000000000..bcf17f32a0
--- /dev/null
+++ b/17/alpine3.20/Dockerfile
@@ -0,0 +1,228 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM alpine:3.20
+
+# 70 is the standard uid/gid for "postgres" in Alpine
+# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.21-stable
+RUN set -eux; \
+ addgroup -g 70 -S postgres; \
+ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ \
+ apk add --no-cache --virtual .gosu-deps \
+ ca-certificates \
+ dpkg \
+ gnupg \
+ ; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ \
+# verify the signature
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ \
+# clean up fetch dependencies
+ apk del --no-network .gosu-deps; \
+ \
+ chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+ gosu --version; \
+ gosu nobody true
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+# alpine doesn't require explicit locale-file generation
+ENV LANG en_US.utf8
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+ENV PG_MAJOR 17
+ENV PG_VERSION 17.5
+ENV PG_SHA256 fcb7ab38e23b264d1902cb25e6adafb4525a6ebcbd015434aeef9eda80f528d8
+
+ENV DOCKER_PG_LLVM_DEPS \
+ llvm15-dev \
+ clang15
+
+RUN set -eux; \
+ \
+ wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \
+ echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c -; \
+ mkdir -p /usr/src/postgresql; \
+ tar \
+ --extract \
+ --file postgresql.tar.bz2 \
+ --directory /usr/src/postgresql \
+ --strip-components 1 \
+ ; \
+ rm postgresql.tar.bz2; \
+ \
+ apk add --no-cache --virtual .build-deps \
+ $DOCKER_PG_LLVM_DEPS \
+ bison \
+ coreutils \
+ dpkg-dev dpkg \
+ flex \
+ g++ \
+ gcc \
+ krb5-dev \
+ libc-dev \
+ libedit-dev \
+ libxml2-dev \
+ libxslt-dev \
+ linux-headers \
+ make \
+ openldap-dev \
+ openssl-dev \
+ perl-dev \
+ perl-ipc-run \
+ perl-utils \
+ python3-dev \
+ tcl-dev \
+ util-linux-dev \
+ zlib-dev \
+# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13
+ icu-dev \
+# https://www.postgresql.org/docs/14/release-14.html#id-1.11.6.5.5.3.7
+ lz4-dev \
+# https://www.postgresql.org/docs/15/release-15.html "--with-zstd to enable Zstandard builds"
+ zstd-dev \
+ ; \
+ \
+ cd /usr/src/postgresql; \
+# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
+# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
+ awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \
+ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
+ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
+ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
+ \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.21-stable&id=40544ade947bec1798edb0f749f4e967e842624b#n172
+ export LLVM_CONFIG="/usr/lib/llvm15/bin/llvm-config"; \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.21-stable&id=40544ade947bec1798edb0f749f4e967e842624b#n177
+ export CLANG=clang-15; \
+ \
+# configure options taken from:
+# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+ ./configure \
+ --enable-option-checking=fatal \
+ --build="$gnuArch" \
+# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
+# --enable-nls \
+ --enable-integer-datetimes \
+ --enable-tap-tests \
+# skip debugging info -- we want tiny size instead
+# --enable-debug \
+ --disable-rpath \
+ --with-uuid=e2fs \
+ --with-pgport=5432 \
+ --with-system-tzdata=/usr/share/zoneinfo \
+ --prefix=/usr/local \
+ --with-includes=/usr/local/include \
+ --with-libraries=/usr/local/lib \
+ --with-gssapi \
+ --with-ldap \
+ --with-tcl \
+ --with-perl \
+ --with-python \
+# --with-pam \
+ --with-openssl \
+ --with-libxml \
+ --with-libxslt \
+ --with-icu \
+ --with-llvm \
+ --with-lz4 \
+ --with-zstd \
+ ; \
+ make -j "$(nproc)" world-bin; \
+ make install-world-bin; \
+ make -C contrib install; \
+ \
+ runDeps="$( \
+ scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
+ | tr ',' '\n' \
+ | sort -u \
+ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+# Remove plperl, plpython and pltcl dependencies by default to save image size
+# To use the pl extensions, those have to be installed in a derived image
+ | grep -v -e perl -e python -e tcl \
+ )"; \
+ apk add --no-cache --virtual .postgresql-rundeps \
+ $runDeps \
+ bash \
+ tzdata \
+ zstd \
+# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
+ icu-data-full \
+# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le"
+# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663
+ $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
+ ; \
+ apk del --no-network .build-deps; \
+ cd /; \
+ rm -rf \
+ /usr/src/postgresql \
+ /usr/local/share/doc \
+ /usr/local/share/man \
+ ; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ cp -v /usr/local/share/postgresql/postgresql.conf.sample /usr/local/share/postgresql/postgresql.conf.sample.orig; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/17/alpine3.20/docker-ensure-initdb.sh b/17/alpine3.20/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..ae1f6b6b90
--- /dev/null
+++ b/17/alpine3.20/docker-ensure-initdb.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/17/alpine3.20/docker-entrypoint.sh b/17/alpine3.20/docker-entrypoint.sh
new file mode 100755
index 0000000000..ae40666ca1
--- /dev/null
+++ b/17/alpine3.20/docker-entrypoint.sh
@@ -0,0 +1,359 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/17/alpine3.21/Dockerfile b/17/alpine3.21/Dockerfile
new file mode 100644
index 0000000000..9e4bf205bd
--- /dev/null
+++ b/17/alpine3.21/Dockerfile
@@ -0,0 +1,228 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM alpine:3.21
+
+# 70 is the standard uid/gid for "postgres" in Alpine
+# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.21-stable
+RUN set -eux; \
+ addgroup -g 70 -S postgres; \
+ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ \
+ apk add --no-cache --virtual .gosu-deps \
+ ca-certificates \
+ dpkg \
+ gnupg \
+ ; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ \
+# verify the signature
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ \
+# clean up fetch dependencies
+ apk del --no-network .gosu-deps; \
+ \
+ chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+ gosu --version; \
+ gosu nobody true
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+# alpine doesn't require explicit locale-file generation
+ENV LANG en_US.utf8
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+ENV PG_MAJOR 17
+ENV PG_VERSION 17.5
+ENV PG_SHA256 fcb7ab38e23b264d1902cb25e6adafb4525a6ebcbd015434aeef9eda80f528d8
+
+ENV DOCKER_PG_LLVM_DEPS \
+ llvm19-dev \
+ clang19
+
+RUN set -eux; \
+ \
+ wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \
+ echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c -; \
+ mkdir -p /usr/src/postgresql; \
+ tar \
+ --extract \
+ --file postgresql.tar.bz2 \
+ --directory /usr/src/postgresql \
+ --strip-components 1 \
+ ; \
+ rm postgresql.tar.bz2; \
+ \
+ apk add --no-cache --virtual .build-deps \
+ $DOCKER_PG_LLVM_DEPS \
+ bison \
+ coreutils \
+ dpkg-dev dpkg \
+ flex \
+ g++ \
+ gcc \
+ krb5-dev \
+ libc-dev \
+ libedit-dev \
+ libxml2-dev \
+ libxslt-dev \
+ linux-headers \
+ make \
+ openldap-dev \
+ openssl-dev \
+ perl-dev \
+ perl-ipc-run \
+ perl-utils \
+ python3-dev \
+ tcl-dev \
+ util-linux-dev \
+ zlib-dev \
+# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13
+ icu-dev \
+# https://www.postgresql.org/docs/14/release-14.html#id-1.11.6.5.5.3.7
+ lz4-dev \
+# https://www.postgresql.org/docs/15/release-15.html "--with-zstd to enable Zstandard builds"
+ zstd-dev \
+ ; \
+ \
+ cd /usr/src/postgresql; \
+# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
+# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
+ awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \
+ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
+ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
+ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
+ \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.21-stable&id=40544ade947bec1798edb0f749f4e967e842624b#n172
+ export LLVM_CONFIG="/usr/lib/llvm19/bin/llvm-config"; \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.21-stable&id=40544ade947bec1798edb0f749f4e967e842624b#n177
+ export CLANG=clang-19; \
+ \
+# configure options taken from:
+# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
+ ./configure \
+ --enable-option-checking=fatal \
+ --build="$gnuArch" \
+# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
+# --enable-nls \
+ --enable-integer-datetimes \
+ --enable-tap-tests \
+# skip debugging info -- we want tiny size instead
+# --enable-debug \
+ --disable-rpath \
+ --with-uuid=e2fs \
+ --with-pgport=5432 \
+ --with-system-tzdata=/usr/share/zoneinfo \
+ --prefix=/usr/local \
+ --with-includes=/usr/local/include \
+ --with-libraries=/usr/local/lib \
+ --with-gssapi \
+ --with-ldap \
+ --with-tcl \
+ --with-perl \
+ --with-python \
+# --with-pam \
+ --with-openssl \
+ --with-libxml \
+ --with-libxslt \
+ --with-icu \
+ --with-llvm \
+ --with-lz4 \
+ --with-zstd \
+ ; \
+ make -j "$(nproc)" world-bin; \
+ make install-world-bin; \
+ make -C contrib install; \
+ \
+ runDeps="$( \
+ scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
+ | tr ',' '\n' \
+ | sort -u \
+ | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
+# Remove plperl, plpython and pltcl dependencies by default to save image size
+# To use the pl extensions, those have to be installed in a derived image
+ | grep -v -e perl -e python -e tcl \
+ )"; \
+ apk add --no-cache --virtual .postgresql-rundeps \
+ $runDeps \
+ bash \
+ tzdata \
+ zstd \
+# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
+ icu-data-full \
+# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le"
+# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663
+ $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
+ ; \
+ apk del --no-network .build-deps; \
+ cd /; \
+ rm -rf \
+ /usr/src/postgresql \
+ /usr/local/share/doc \
+ /usr/local/share/man \
+ ; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ cp -v /usr/local/share/postgresql/postgresql.conf.sample /usr/local/share/postgresql/postgresql.conf.sample.orig; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/17/alpine3.21/docker-ensure-initdb.sh b/17/alpine3.21/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..ae1f6b6b90
--- /dev/null
+++ b/17/alpine3.21/docker-ensure-initdb.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/17/alpine3.21/docker-entrypoint.sh b/17/alpine3.21/docker-entrypoint.sh
new file mode 100755
index 0000000000..ae40666ca1
--- /dev/null
+++ b/17/alpine3.21/docker-entrypoint.sh
@@ -0,0 +1,359 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/17/bookworm/Dockerfile b/17/bookworm/Dockerfile
new file mode 100644
index 0000000000..eca1c04f03
--- /dev/null
+++ b/17/bookworm/Dockerfile
@@ -0,0 +1,219 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM debian:bookworm-slim
+
+# explicitly set user/group IDs
+RUN set -eux; \
+ groupadd -r postgres --gid=999; \
+# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
+ useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ gnupg \
+# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
+# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
+# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
+ less \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ savedAptMark="$(apt-mark showmanual)"; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends ca-certificates wget; \
+ rm -rf /var/lib/apt/lists/*; \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ apt-mark auto '.*' > /dev/null; \
+ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+ chmod +x /usr/local/bin/gosu; \
+ gosu --version; \
+ gosu nobody true
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+RUN set -eux; \
+ if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
+# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
+ grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
+ ! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ fi; \
+ apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
+ echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
+ locale-gen; \
+ locale -a | grep 'en_US.utf8'
+ENV LANG en_US.utf8
+
+RUN set -eux; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ libnss-wrapper \
+ xz-utils \
+ zstd \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+RUN set -ex; \
+# pub 4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
+# Key fingerprint = B97B 0AFC AA1A 47F0 44F2 44A0 7FCC 7D46 ACCC 4CF8
+# uid PostgreSQL Debian Repository
+ key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ mkdir -p /usr/local/share/keyrings/; \
+ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
+ gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME"
+
+ENV PG_MAJOR 17
+ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
+
+ENV PG_VERSION 17.5-1.pgdg120+1
+
+RUN set -ex; \
+ \
+# see note below about "*.pyc" files
+ export PYTHONDONTWRITEBYTECODE=1; \
+ \
+ dpkgArch="$(dpkg --print-architecture)"; \
+ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main $PG_MAJOR"; \
+ case "$dpkgArch" in \
+ amd64 | arm64 | ppc64el) \
+# arches officialy built by upstream
+ echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ apt-get update; \
+ ;; \
+ *) \
+# we're on an architecture upstream doesn't officially build for
+# let's build binaries from their published source packages
+ echo "deb-src $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ \
+ savedAptMark="$(apt-mark showmanual)"; \
+ \
+ tempDir="$(mktemp -d)"; \
+ cd "$tempDir"; \
+ \
+# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
+ apt-get update; \
+ apt-get install -y --no-install-recommends dpkg-dev; \
+ echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
+ _update_repo() { \
+ dpkg-scanpackages . > Packages; \
+# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
+# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+# ...
+# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+ apt-get -o Acquire::GzipIndexes=false update; \
+ }; \
+ _update_repo; \
+ \
+# build .deb files from upstream's source packages (which are verified by apt-get)
+ nproc="$(nproc)"; \
+ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
+# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876
+# (and it "Depends: pgdg-keyring")
+ apt-get build-dep -y postgresql-common pgdg-keyring; \
+ apt-get source --compile postgresql-common pgdg-keyring; \
+ _update_repo; \
+ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ \
+# we don't remove APT lists here because they get re-downloaded and removed later
+ \
+# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
+ apt-mark showmanual | xargs apt-mark auto > /dev/null; \
+ apt-mark manual $savedAptMark; \
+ \
+ ls -lAFh; \
+ _update_repo; \
+ grep '^Package: ' Packages; \
+ cd /; \
+ ;; \
+ esac; \
+ \
+ apt-get install -y --no-install-recommends postgresql-common; \
+ sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
+ apt-get install -y --no-install-recommends \
+ "postgresql-$PG_MAJOR=$PG_VERSION" \
+ ; \
+ \
+ rm -rf /var/lib/apt/lists/*; \
+ \
+ if [ -n "$tempDir" ]; then \
+# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
+ apt-get purge -y --auto-remove; \
+ rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
+ fi; \
+ \
+# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
+ find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
+ cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
+ ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/17/bookworm/docker-ensure-initdb.sh b/17/bookworm/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..ae1f6b6b90
--- /dev/null
+++ b/17/bookworm/docker-ensure-initdb.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/17/bookworm/docker-entrypoint.sh b/17/bookworm/docker-entrypoint.sh
new file mode 100755
index 0000000000..ae40666ca1
--- /dev/null
+++ b/17/bookworm/docker-entrypoint.sh
@@ -0,0 +1,359 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/17/bullseye/Dockerfile b/17/bullseye/Dockerfile
new file mode 100644
index 0000000000..90b92bba46
--- /dev/null
+++ b/17/bullseye/Dockerfile
@@ -0,0 +1,219 @@
+#
+# NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+#
+# PLEASE DO NOT EDIT IT DIRECTLY.
+#
+
+FROM debian:bullseye-slim
+
+# explicitly set user/group IDs
+RUN set -eux; \
+ groupadd -r postgres --gid=999; \
+# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
+ useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
+# also create the postgres user's home directory with appropriate permissions
+# see https://github.com/docker-library/postgres/issues/274
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ gnupg \
+# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
+# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
+# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
+ less \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ savedAptMark="$(apt-mark showmanual)"; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends ca-certificates wget; \
+ rm -rf /var/lib/apt/lists/*; \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ apt-mark auto '.*' > /dev/null; \
+ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+ chmod +x /usr/local/bin/gosu; \
+ gosu --version; \
+ gosu nobody true
+
+# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
+RUN set -eux; \
+ if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
+# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
+ grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
+ ! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
+ fi; \
+ apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
+ echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
+ locale-gen; \
+ locale -a | grep 'en_US.utf8'
+ENV LANG en_US.utf8
+
+RUN set -eux; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ libnss-wrapper \
+ xz-utils \
+ zstd \
+ ; \
+ rm -rf /var/lib/apt/lists/*
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+RUN set -ex; \
+# pub 4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
+# Key fingerprint = B97B 0AFC AA1A 47F0 44F2 44A0 7FCC 7D46 ACCC 4CF8
+# uid PostgreSQL Debian Repository
+ key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ mkdir -p /usr/local/share/keyrings/; \
+ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
+ gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME"
+
+ENV PG_MAJOR 17
+ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
+
+ENV PG_VERSION 17.5-1.pgdg110+1
+
+RUN set -ex; \
+ \
+# see note below about "*.pyc" files
+ export PYTHONDONTWRITEBYTECODE=1; \
+ \
+ dpkgArch="$(dpkg --print-architecture)"; \
+ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ bullseye-pgdg main $PG_MAJOR"; \
+ case "$dpkgArch" in \
+ amd64 | arm64 | ppc64el) \
+# arches officialy built by upstream
+ echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ apt-get update; \
+ ;; \
+ *) \
+# we're on an architecture upstream doesn't officially build for
+# let's build binaries from their published source packages
+ echo "deb-src $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
+ \
+ savedAptMark="$(apt-mark showmanual)"; \
+ \
+ tempDir="$(mktemp -d)"; \
+ cd "$tempDir"; \
+ \
+# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
+ apt-get update; \
+ apt-get install -y --no-install-recommends dpkg-dev; \
+ echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
+ _update_repo() { \
+ dpkg-scanpackages . > Packages; \
+# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
+# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+# ...
+# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+ apt-get -o Acquire::GzipIndexes=false update; \
+ }; \
+ _update_repo; \
+ \
+# build .deb files from upstream's source packages (which are verified by apt-get)
+ nproc="$(nproc)"; \
+ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
+# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876
+# (and it "Depends: pgdg-keyring")
+ apt-get build-dep -y postgresql-common pgdg-keyring; \
+ apt-get source --compile postgresql-common pgdg-keyring; \
+ _update_repo; \
+ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ \
+# we don't remove APT lists here because they get re-downloaded and removed later
+ \
+# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
+ apt-mark showmanual | xargs apt-mark auto > /dev/null; \
+ apt-mark manual $savedAptMark; \
+ \
+ ls -lAFh; \
+ _update_repo; \
+ grep '^Package: ' Packages; \
+ cd /; \
+ ;; \
+ esac; \
+ \
+ apt-get install -y --no-install-recommends postgresql-common; \
+ sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
+ apt-get install -y --no-install-recommends \
+ "postgresql-$PG_MAJOR=$PG_VERSION" \
+ ; \
+ \
+ rm -rf /var/lib/apt/lists/*; \
+ \
+ if [ -n "$tempDir" ]; then \
+# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
+ apt-get purge -y --auto-remove; \
+ rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
+ fi; \
+ \
+# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
+ find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +; \
+ \
+ postgres --version
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+ dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
+ cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
+ ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
+
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]
diff --git a/17/bullseye/docker-ensure-initdb.sh b/17/bullseye/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..ae1f6b6b90
--- /dev/null
+++ b/17/bullseye/docker-ensure-initdb.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/17/bullseye/docker-entrypoint.sh b/17/bullseye/docker-entrypoint.sh
new file mode 100755
index 0000000000..ae40666ca1
--- /dev/null
+++ b/17/bullseye/docker-entrypoint.sh
@@ -0,0 +1,359 @@
+#!/usr/bin/env bash
+set -Eeo pipefail
+# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
+
+# usage: file_env VAR [DEFAULT]
+# ie: file_env 'XYZ_DB_PASSWORD' 'example'
+# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
+# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
+file_env() {
+ local var="$1"
+ local fileVar="${var}_FILE"
+ local def="${2:-}"
+ if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
+ exit 1
+ fi
+ local val="$def"
+ if [ "${!var:-}" ]; then
+ val="${!var}"
+ elif [ "${!fileVar:-}" ]; then
+ val="$(< "${!fileVar}")"
+ fi
+ export "$var"="$val"
+ unset "$fileVar"
+}
+
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
+
+ mkdir -p "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
+
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
+
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ mkdir -p "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
+ chmod 700 "$POSTGRES_INITDB_WALDIR"
+ fi
+
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
+
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
+
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
+
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
+
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
+ if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
+ cat >&2 <<-'EOWARN'
+
+ WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
+
+ This will not work if used via PGPASSWORD with "psql".
+
+ https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
+ https://github.com/docker-library/postgres/issues/507
+
+ EOWARN
+ fi
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
+ fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
+
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
+
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
+
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
+
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
+
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+ fi
+
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
+
+ PostgreSQL init process complete; ready for start up.
+
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
+ fi
+
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/9.4/Dockerfile b/9.4/Dockerfile
deleted file mode 100644
index 03c92b5ca0..0000000000
--- a/9.4/Dockerfile
+++ /dev/null
@@ -1,176 +0,0 @@
-# vim:set ft=dockerfile:
-FROM debian:stretch-slim
-
-RUN set -ex; \
- if ! command -v gpg > /dev/null; then \
- apt-get update; \
- apt-get install -y --no-install-recommends \
- gnupg \
- dirmngr \
- ; \
- rm -rf /var/lib/apt/lists/*; \
- fi
-
-# explicitly set user/group IDs
-RUN set -eux; \
- groupadd -r postgres --gid=999; \
-# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
- useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
-# also create the postgres user's home directory with appropriate permissions
-# see https://github.com/docker-library/postgres/issues/274
- mkdir -p /var/lib/postgresql; \
- chown -R postgres:postgres /var/lib/postgresql
-
-# grab gosu for easy step-down from root
-ENV GOSU_VERSION 1.11
-RUN set -x \
- && apt-get update && apt-get install -y --no-install-recommends ca-certificates wget && rm -rf /var/lib/apt/lists/* \
- && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)" \
- && wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc" \
- && export GNUPGHOME="$(mktemp -d)" \
- && gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
- && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
- && { command -v gpgconf > /dev/null && gpgconf --kill all || :; } \
- && rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc \
- && chmod +x /usr/local/bin/gosu \
- && gosu nobody true \
- && apt-get purge -y --auto-remove ca-certificates wget
-
-# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
-RUN set -eux; \
- if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
-# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
- grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
- sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
- ! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
- fi; \
- apt-get update; apt-get install -y locales; rm -rf /var/lib/apt/lists/*; \
- localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
-ENV LANG en_US.utf8
-
-# install "nss_wrapper" in case we need to fake "/etc/passwd" and "/etc/group" (especially for OpenShift)
-# https://github.com/docker-library/postgres/issues/359
-# https://cwrap.org/nss_wrapper.html
-RUN set -eux; \
- apt-get update; \
- apt-get install -y --no-install-recommends libnss-wrapper; \
- rm -rf /var/lib/apt/lists/*
-
-RUN mkdir /docker-entrypoint-initdb.d
-
-RUN set -ex; \
-# pub 4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
-# Key fingerprint = B97B 0AFC AA1A 47F0 44F2 44A0 7FCC 7D46 ACCC 4CF8
-# uid PostgreSQL Debian Repository
- key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
- export GNUPGHOME="$(mktemp -d)"; \
- gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; \
- gpg --batch --export "$key" > /etc/apt/trusted.gpg.d/postgres.gpg; \
- command -v gpgconf > /dev/null && gpgconf --kill all; \
- rm -rf "$GNUPGHOME"; \
- apt-key list
-
-ENV PG_MAJOR 9.4
-ENV PG_VERSION 9.4.21-1.pgdg90+1
-
-RUN set -ex; \
- \
-# see note below about "*.pyc" files
- export PYTHONDONTWRITEBYTECODE=1; \
- \
- dpkgArch="$(dpkg --print-architecture)"; \
- case "$dpkgArch" in \
- amd64|i386|ppc64el) \
-# arches officialy built by upstream
- echo "deb http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main $PG_MAJOR" > /etc/apt/sources.list.d/pgdg.list; \
- apt-get update; \
- ;; \
- *) \
-# we're on an architecture upstream doesn't officially build for
-# let's build binaries from their published source packages
- echo "deb-src http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main $PG_MAJOR" > /etc/apt/sources.list.d/pgdg.list; \
- \
- case "$PG_MAJOR" in \
- 9.* | 10 ) ;; \
- *) \
-# https://github.com/docker-library/postgres/issues/484 (clang-6.0 required, only available in stretch-backports)
-# TODO remove this once we hit buster+
- echo 'deb http://deb.debian.org/debian stretch-backports main' >> /etc/apt/sources.list.d/pgdg.list; \
- ;; \
- esac; \
- \
- tempDir="$(mktemp -d)"; \
- cd "$tempDir"; \
- \
- savedAptMark="$(apt-mark showmanual)"; \
- \
-# build .deb files from upstream's source packages (which are verified by apt-get)
- apt-get update; \
- apt-get build-dep -y \
- postgresql-common pgdg-keyring \
- "postgresql-$PG_MAJOR=$PG_VERSION" \
- ; \
- DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" \
- apt-get source --compile \
- postgresql-common pgdg-keyring \
- "postgresql-$PG_MAJOR=$PG_VERSION" \
- ; \
-# we don't remove APT lists here because they get re-downloaded and removed later
- \
-# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
-# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
- apt-mark showmanual | xargs apt-mark auto > /dev/null; \
- apt-mark manual $savedAptMark; \
- \
-# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
- ls -lAFh; \
- dpkg-scanpackages . > Packages; \
- grep '^Package: ' Packages; \
- echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
-# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
-# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
-# ...
-# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
- apt-get -o Acquire::GzipIndexes=false update; \
- ;; \
- esac; \
- \
- apt-get install -y postgresql-common; \
- sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
- apt-get install -y \
- "postgresql-$PG_MAJOR=$PG_VERSION" \
- "postgresql-contrib-$PG_MAJOR=$PG_VERSION" \
- ; \
- \
- rm -rf /var/lib/apt/lists/*; \
- \
- if [ -n "$tempDir" ]; then \
-# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
- apt-get purge -y --auto-remove; \
- rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
- fi; \
- \
-# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
- find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +
-
-# make the sample config easier to munge (and "correct by default")
-RUN set -eux; \
- dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
- cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
- ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
- sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
- grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
-
-RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql
-
-ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
-ENV PGDATA /var/lib/postgresql/data
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
-VOLUME /var/lib/postgresql/data
-
-COPY docker-entrypoint.sh /usr/local/bin/
-RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
-ENTRYPOINT ["docker-entrypoint.sh"]
-
-EXPOSE 5432
-CMD ["postgres"]
diff --git a/9.4/alpine/Dockerfile b/9.4/alpine/Dockerfile
deleted file mode 100644
index 0a7538232f..0000000000
--- a/9.4/alpine/Dockerfile
+++ /dev/null
@@ -1,150 +0,0 @@
-# vim:set ft=dockerfile:
-FROM alpine:3.9
-
-# alpine includes "postgres" user/group in base install
-# /etc/passwd:22:postgres:x:70:70::/var/lib/postgresql:/bin/sh
-# /etc/group:34:postgres:x:70:
-# the home directory for the postgres user, however, is not created by default
-# see https://github.com/docker-library/postgres/issues/274
-RUN set -ex; \
- postgresHome="$(getent passwd postgres)"; \
- postgresHome="$(echo "$postgresHome" | cut -d: -f6)"; \
- [ "$postgresHome" = '/var/lib/postgresql' ]; \
- mkdir -p "$postgresHome"; \
- chown -R postgres:postgres "$postgresHome"
-
-# su-exec (gosu-compatible) is installed further down
-
-# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
-# alpine doesn't require explicit locale-file generation
-ENV LANG en_US.utf8
-
-RUN mkdir /docker-entrypoint-initdb.d
-
-ENV PG_MAJOR 9.4
-ENV PG_VERSION 9.4.21
-ENV PG_SHA256 0049b4d239a00654e792997aff32a0be7a6bdd922b5ca97f1a06797cd4d06006
-
-RUN set -ex \
- \
- && apk add --no-cache --virtual .fetch-deps \
- ca-certificates \
- openssl \
- tar \
- \
- && wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2" \
- && echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c - \
- && mkdir -p /usr/src/postgresql \
- && tar \
- --extract \
- --file postgresql.tar.bz2 \
- --directory /usr/src/postgresql \
- --strip-components 1 \
- && rm postgresql.tar.bz2 \
- \
- && apk add --no-cache --virtual .build-deps \
- bison \
- coreutils \
- dpkg-dev dpkg \
- flex \
- gcc \
-# krb5-dev \
- libc-dev \
- libedit-dev \
- libxml2-dev \
- libxslt-dev \
- make \
-# openldap-dev \
- openssl-dev \
-# configure: error: prove not found
- perl-utils \
-# configure: error: Perl module IPC::Run is required to run TAP tests
- perl-ipc-run \
-# perl-dev \
-# python-dev \
-# python3-dev \
-# tcl-dev \
- util-linux-dev \
- zlib-dev \
- \
- && cd /usr/src/postgresql \
-# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
-# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
- && awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new \
- && grep '/var/run/postgresql' src/include/pg_config_manual.h.new \
- && mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h \
- && gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \
-# explicitly update autoconf config.guess and config.sub so they support more arches/libcs
- && wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb' \
- && wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb' \
-# configure options taken from:
-# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
- && ./configure \
- --build="$gnuArch" \
-# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
-# --enable-nls \
- --enable-integer-datetimes \
- --enable-thread-safety \
- --enable-tap-tests \
-# skip debugging info -- we want tiny size instead
-# --enable-debug \
- --disable-rpath \
- --with-uuid=e2fs \
- --with-gnu-ld \
- --with-pgport=5432 \
- --with-system-tzdata=/usr/share/zoneinfo \
- --prefix=/usr/local \
- --with-includes=/usr/local/include \
- --with-libraries=/usr/local/lib \
- \
-# these make our image abnormally large (at least 100MB larger), which seems uncouth for an "Alpine" (ie, "small") variant :)
-# --with-krb5 \
-# --with-gssapi \
-# --with-ldap \
-# --with-tcl \
-# --with-perl \
-# --with-python \
-# --with-pam \
- --with-openssl \
- --with-libxml \
- --with-libxslt \
- && make -j "$(nproc)" world \
- && make install-world \
- && make -C contrib install \
- \
- && runDeps="$( \
- scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
- | tr ',' '\n' \
- | sort -u \
- | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
- )" \
- && apk add --no-cache --virtual .postgresql-rundeps \
- $runDeps \
- bash \
- su-exec \
-# tzdata is optional, but only adds around 1Mb to image size and is recommended by Django documentation:
-# https://docs.djangoproject.com/en/1.10/ref/databases/#optimizing-postgresql-s-configuration
- tzdata \
- && apk del .fetch-deps .build-deps \
- && cd / \
- && rm -rf \
- /usr/src/postgresql \
- /usr/local/share/doc \
- /usr/local/share/man \
- && find /usr/local -name '*.a' -delete
-
-# make the sample config easier to munge (and "correct by default")
-RUN sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample
-
-RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql
-
-ENV PGDATA /var/lib/postgresql/data
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
-VOLUME /var/lib/postgresql/data
-
-COPY docker-entrypoint.sh /usr/local/bin/
-RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
-ENTRYPOINT ["docker-entrypoint.sh"]
-
-EXPOSE 5432
-CMD ["postgres"]
diff --git a/9.4/alpine/docker-entrypoint.sh b/9.4/alpine/docker-entrypoint.sh
deleted file mode 100755
index 8f9cfcc92c..0000000000
--- a/9.4/alpine/docker-entrypoint.sh
+++ /dev/null
@@ -1,176 +0,0 @@
-#!/usr/bin/env bash
-set -Eeo pipefail
-# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
-
-# usage: file_env VAR [DEFAULT]
-# ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
- local var="$1"
- local fileVar="${var}_FILE"
- local def="${2:-}"
- if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
- echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
- exit 1
- fi
- local val="$def"
- if [ "${!var:-}" ]; then
- val="${!var}"
- elif [ "${!fileVar:-}" ]; then
- val="$(< "${!fileVar}")"
- fi
- export "$var"="$val"
- unset "$fileVar"
-}
-
-if [ "${1:0:1}" = '-' ]; then
- set -- postgres "$@"
-fi
-
-# allow the container to be started with `--user`
-if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
- mkdir -p "$PGDATA"
- chown -R postgres "$PGDATA"
- chmod 700 "$PGDATA"
-
- mkdir -p /var/run/postgresql
- chown -R postgres /var/run/postgresql
- chmod 775 /var/run/postgresql
-
- # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user
- if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
- mkdir -p "$POSTGRES_INITDB_XLOGDIR"
- chown -R postgres "$POSTGRES_INITDB_XLOGDIR"
- chmod 700 "$POSTGRES_INITDB_XLOGDIR"
- fi
-
- exec su-exec postgres "$BASH_SOURCE" "$@"
-fi
-
-if [ "$1" = 'postgres' ]; then
- mkdir -p "$PGDATA"
- chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :
- chmod 700 "$PGDATA" 2>/dev/null || :
-
- # look specifically for PG_VERSION, as it is expected in the DB dir
- if [ ! -s "$PGDATA/PG_VERSION" ]; then
- # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
- # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
- if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then
- export LD_PRELOAD='/usr/lib/libnss_wrapper.so'
- export NSS_WRAPPER_PASSWD="$(mktemp)"
- export NSS_WRAPPER_GROUP="$(mktemp)"
- echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"
- echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
- fi
-
- file_env 'POSTGRES_USER' 'postgres'
- file_env 'POSTGRES_PASSWORD'
-
- file_env 'POSTGRES_INITDB_ARGS'
- if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
- export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR"
- fi
- eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"
-
- # unset/cleanup "nss_wrapper" bits
- if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then
- rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
- unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
- fi
-
- # check password first so we can output the warning before postgres
- # messes it up
- if [ -n "$POSTGRES_PASSWORD" ]; then
- authMethod=md5
-
- if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
- cat >&2 <<-'EOWARN'
-
- WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
- This will not work if used via PGPASSWORD with "psql".
-
- https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
- https://github.com/docker-library/postgres/issues/507
-
- EOWARN
- fi
- else
- # The - option suppresses leading tabs but *not* spaces. :)
- cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: No password has been set for the database.
- This will allow anyone with access to the
- Postgres port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
-
- Use "-e POSTGRES_PASSWORD=password" to set
- it in "docker run".
- ****************************************************
- EOWARN
-
- authMethod=trust
- fi
-
- {
- echo
- echo "host all all all $authMethod"
- } >> "$PGDATA/pg_hba.conf"
-
- # internal start of server in order to allow set-up using psql-client
- # does not listen on external TCP/IP and waits until start finishes
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" \
- -o "-c listen_addresses=''" \
- -w start
-
- file_env 'POSTGRES_DB' "$POSTGRES_USER"
-
- export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
- psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password )
-
- if [ "$POSTGRES_DB" != 'postgres' ]; then
- "${psql[@]}" --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
- CREATE DATABASE :"db" ;
- EOSQL
- echo
- fi
- psql+=( --dbname "$POSTGRES_DB" )
-
- echo
- for f in /docker-entrypoint-initdb.d/*; do
- case "$f" in
- *.sh)
- # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
- # https://github.com/docker-library/postgres/pull/452
- if [ -x "$f" ]; then
- echo "$0: running $f"
- "$f"
- else
- echo "$0: sourcing $f"
- . "$f"
- fi
- ;;
- *.sql) echo "$0: running $f"; "${psql[@]}" -f "$f"; echo ;;
- *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${psql[@]}"; echo ;;
- *) echo "$0: ignoring $f" ;;
- esac
- echo
- done
-
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" -m fast -w stop
-
- unset PGPASSWORD
-
- echo
- echo 'PostgreSQL init process complete; ready for start up.'
- echo
- fi
-fi
-
-exec "$@"
diff --git a/9.4/docker-entrypoint.sh b/9.4/docker-entrypoint.sh
deleted file mode 100755
index 3f984a1649..0000000000
--- a/9.4/docker-entrypoint.sh
+++ /dev/null
@@ -1,176 +0,0 @@
-#!/usr/bin/env bash
-set -Eeo pipefail
-# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
-
-# usage: file_env VAR [DEFAULT]
-# ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
- local var="$1"
- local fileVar="${var}_FILE"
- local def="${2:-}"
- if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
- echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
- exit 1
- fi
- local val="$def"
- if [ "${!var:-}" ]; then
- val="${!var}"
- elif [ "${!fileVar:-}" ]; then
- val="$(< "${!fileVar}")"
- fi
- export "$var"="$val"
- unset "$fileVar"
-}
-
-if [ "${1:0:1}" = '-' ]; then
- set -- postgres "$@"
-fi
-
-# allow the container to be started with `--user`
-if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
- mkdir -p "$PGDATA"
- chown -R postgres "$PGDATA"
- chmod 700 "$PGDATA"
-
- mkdir -p /var/run/postgresql
- chown -R postgres /var/run/postgresql
- chmod 775 /var/run/postgresql
-
- # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user
- if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
- mkdir -p "$POSTGRES_INITDB_XLOGDIR"
- chown -R postgres "$POSTGRES_INITDB_XLOGDIR"
- chmod 700 "$POSTGRES_INITDB_XLOGDIR"
- fi
-
- exec gosu postgres "$BASH_SOURCE" "$@"
-fi
-
-if [ "$1" = 'postgres' ]; then
- mkdir -p "$PGDATA"
- chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :
- chmod 700 "$PGDATA" 2>/dev/null || :
-
- # look specifically for PG_VERSION, as it is expected in the DB dir
- if [ ! -s "$PGDATA/PG_VERSION" ]; then
- # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
- # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
- if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then
- export LD_PRELOAD='/usr/lib/libnss_wrapper.so'
- export NSS_WRAPPER_PASSWD="$(mktemp)"
- export NSS_WRAPPER_GROUP="$(mktemp)"
- echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"
- echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
- fi
-
- file_env 'POSTGRES_USER' 'postgres'
- file_env 'POSTGRES_PASSWORD'
-
- file_env 'POSTGRES_INITDB_ARGS'
- if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
- export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR"
- fi
- eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"
-
- # unset/cleanup "nss_wrapper" bits
- if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then
- rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
- unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
- fi
-
- # check password first so we can output the warning before postgres
- # messes it up
- if [ -n "$POSTGRES_PASSWORD" ]; then
- authMethod=md5
-
- if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
- cat >&2 <<-'EOWARN'
-
- WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
- This will not work if used via PGPASSWORD with "psql".
-
- https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
- https://github.com/docker-library/postgres/issues/507
-
- EOWARN
- fi
- else
- # The - option suppresses leading tabs but *not* spaces. :)
- cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: No password has been set for the database.
- This will allow anyone with access to the
- Postgres port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
-
- Use "-e POSTGRES_PASSWORD=password" to set
- it in "docker run".
- ****************************************************
- EOWARN
-
- authMethod=trust
- fi
-
- {
- echo
- echo "host all all all $authMethod"
- } >> "$PGDATA/pg_hba.conf"
-
- # internal start of server in order to allow set-up using psql-client
- # does not listen on external TCP/IP and waits until start finishes
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" \
- -o "-c listen_addresses=''" \
- -w start
-
- file_env 'POSTGRES_DB' "$POSTGRES_USER"
-
- export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
- psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password )
-
- if [ "$POSTGRES_DB" != 'postgres' ]; then
- "${psql[@]}" --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
- CREATE DATABASE :"db" ;
- EOSQL
- echo
- fi
- psql+=( --dbname "$POSTGRES_DB" )
-
- echo
- for f in /docker-entrypoint-initdb.d/*; do
- case "$f" in
- *.sh)
- # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
- # https://github.com/docker-library/postgres/pull/452
- if [ -x "$f" ]; then
- echo "$0: running $f"
- "$f"
- else
- echo "$0: sourcing $f"
- . "$f"
- fi
- ;;
- *.sql) echo "$0: running $f"; "${psql[@]}" -f "$f"; echo ;;
- *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${psql[@]}"; echo ;;
- *) echo "$0: ignoring $f" ;;
- esac
- echo
- done
-
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" -m fast -w stop
-
- unset PGPASSWORD
-
- echo
- echo 'PostgreSQL init process complete; ready for start up.'
- echo
- fi
-fi
-
-exec "$@"
diff --git a/9.5/Dockerfile b/9.5/Dockerfile
deleted file mode 100644
index e2ad04b93c..0000000000
--- a/9.5/Dockerfile
+++ /dev/null
@@ -1,176 +0,0 @@
-# vim:set ft=dockerfile:
-FROM debian:stretch-slim
-
-RUN set -ex; \
- if ! command -v gpg > /dev/null; then \
- apt-get update; \
- apt-get install -y --no-install-recommends \
- gnupg \
- dirmngr \
- ; \
- rm -rf /var/lib/apt/lists/*; \
- fi
-
-# explicitly set user/group IDs
-RUN set -eux; \
- groupadd -r postgres --gid=999; \
-# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
- useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
-# also create the postgres user's home directory with appropriate permissions
-# see https://github.com/docker-library/postgres/issues/274
- mkdir -p /var/lib/postgresql; \
- chown -R postgres:postgres /var/lib/postgresql
-
-# grab gosu for easy step-down from root
-ENV GOSU_VERSION 1.11
-RUN set -x \
- && apt-get update && apt-get install -y --no-install-recommends ca-certificates wget && rm -rf /var/lib/apt/lists/* \
- && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)" \
- && wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc" \
- && export GNUPGHOME="$(mktemp -d)" \
- && gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
- && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
- && { command -v gpgconf > /dev/null && gpgconf --kill all || :; } \
- && rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc \
- && chmod +x /usr/local/bin/gosu \
- && gosu nobody true \
- && apt-get purge -y --auto-remove ca-certificates wget
-
-# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
-RUN set -eux; \
- if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
-# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
- grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
- sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
- ! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
- fi; \
- apt-get update; apt-get install -y locales; rm -rf /var/lib/apt/lists/*; \
- localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
-ENV LANG en_US.utf8
-
-# install "nss_wrapper" in case we need to fake "/etc/passwd" and "/etc/group" (especially for OpenShift)
-# https://github.com/docker-library/postgres/issues/359
-# https://cwrap.org/nss_wrapper.html
-RUN set -eux; \
- apt-get update; \
- apt-get install -y --no-install-recommends libnss-wrapper; \
- rm -rf /var/lib/apt/lists/*
-
-RUN mkdir /docker-entrypoint-initdb.d
-
-RUN set -ex; \
-# pub 4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
-# Key fingerprint = B97B 0AFC AA1A 47F0 44F2 44A0 7FCC 7D46 ACCC 4CF8
-# uid PostgreSQL Debian Repository
- key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
- export GNUPGHOME="$(mktemp -d)"; \
- gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; \
- gpg --batch --export "$key" > /etc/apt/trusted.gpg.d/postgres.gpg; \
- command -v gpgconf > /dev/null && gpgconf --kill all; \
- rm -rf "$GNUPGHOME"; \
- apt-key list
-
-ENV PG_MAJOR 9.5
-ENV PG_VERSION 9.5.16-1.pgdg90+1
-
-RUN set -ex; \
- \
-# see note below about "*.pyc" files
- export PYTHONDONTWRITEBYTECODE=1; \
- \
- dpkgArch="$(dpkg --print-architecture)"; \
- case "$dpkgArch" in \
- amd64|i386|ppc64el) \
-# arches officialy built by upstream
- echo "deb http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main $PG_MAJOR" > /etc/apt/sources.list.d/pgdg.list; \
- apt-get update; \
- ;; \
- *) \
-# we're on an architecture upstream doesn't officially build for
-# let's build binaries from their published source packages
- echo "deb-src http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main $PG_MAJOR" > /etc/apt/sources.list.d/pgdg.list; \
- \
- case "$PG_MAJOR" in \
- 9.* | 10 ) ;; \
- *) \
-# https://github.com/docker-library/postgres/issues/484 (clang-6.0 required, only available in stretch-backports)
-# TODO remove this once we hit buster+
- echo 'deb http://deb.debian.org/debian stretch-backports main' >> /etc/apt/sources.list.d/pgdg.list; \
- ;; \
- esac; \
- \
- tempDir="$(mktemp -d)"; \
- cd "$tempDir"; \
- \
- savedAptMark="$(apt-mark showmanual)"; \
- \
-# build .deb files from upstream's source packages (which are verified by apt-get)
- apt-get update; \
- apt-get build-dep -y \
- postgresql-common pgdg-keyring \
- "postgresql-$PG_MAJOR=$PG_VERSION" \
- ; \
- DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" \
- apt-get source --compile \
- postgresql-common pgdg-keyring \
- "postgresql-$PG_MAJOR=$PG_VERSION" \
- ; \
-# we don't remove APT lists here because they get re-downloaded and removed later
- \
-# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
-# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
- apt-mark showmanual | xargs apt-mark auto > /dev/null; \
- apt-mark manual $savedAptMark; \
- \
-# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
- ls -lAFh; \
- dpkg-scanpackages . > Packages; \
- grep '^Package: ' Packages; \
- echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
-# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
-# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
-# ...
-# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
- apt-get -o Acquire::GzipIndexes=false update; \
- ;; \
- esac; \
- \
- apt-get install -y postgresql-common; \
- sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
- apt-get install -y \
- "postgresql-$PG_MAJOR=$PG_VERSION" \
- "postgresql-contrib-$PG_MAJOR=$PG_VERSION" \
- ; \
- \
- rm -rf /var/lib/apt/lists/*; \
- \
- if [ -n "$tempDir" ]; then \
-# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
- apt-get purge -y --auto-remove; \
- rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
- fi; \
- \
-# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
- find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +
-
-# make the sample config easier to munge (and "correct by default")
-RUN set -eux; \
- dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
- cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
- ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
- sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
- grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
-
-RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql
-
-ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
-ENV PGDATA /var/lib/postgresql/data
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
-VOLUME /var/lib/postgresql/data
-
-COPY docker-entrypoint.sh /usr/local/bin/
-RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
-ENTRYPOINT ["docker-entrypoint.sh"]
-
-EXPOSE 5432
-CMD ["postgres"]
diff --git a/9.5/alpine/Dockerfile b/9.5/alpine/Dockerfile
deleted file mode 100644
index 81565f137a..0000000000
--- a/9.5/alpine/Dockerfile
+++ /dev/null
@@ -1,150 +0,0 @@
-# vim:set ft=dockerfile:
-FROM alpine:3.9
-
-# alpine includes "postgres" user/group in base install
-# /etc/passwd:22:postgres:x:70:70::/var/lib/postgresql:/bin/sh
-# /etc/group:34:postgres:x:70:
-# the home directory for the postgres user, however, is not created by default
-# see https://github.com/docker-library/postgres/issues/274
-RUN set -ex; \
- postgresHome="$(getent passwd postgres)"; \
- postgresHome="$(echo "$postgresHome" | cut -d: -f6)"; \
- [ "$postgresHome" = '/var/lib/postgresql' ]; \
- mkdir -p "$postgresHome"; \
- chown -R postgres:postgres "$postgresHome"
-
-# su-exec (gosu-compatible) is installed further down
-
-# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
-# alpine doesn't require explicit locale-file generation
-ENV LANG en_US.utf8
-
-RUN mkdir /docker-entrypoint-initdb.d
-
-ENV PG_MAJOR 9.5
-ENV PG_VERSION 9.5.16
-ENV PG_SHA256 a4576c95d4dcee8d4b7835b333d38e909848222e4b87895878bb1c026206e131
-
-RUN set -ex \
- \
- && apk add --no-cache --virtual .fetch-deps \
- ca-certificates \
- openssl \
- tar \
- \
- && wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2" \
- && echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c - \
- && mkdir -p /usr/src/postgresql \
- && tar \
- --extract \
- --file postgresql.tar.bz2 \
- --directory /usr/src/postgresql \
- --strip-components 1 \
- && rm postgresql.tar.bz2 \
- \
- && apk add --no-cache --virtual .build-deps \
- bison \
- coreutils \
- dpkg-dev dpkg \
- flex \
- gcc \
-# krb5-dev \
- libc-dev \
- libedit-dev \
- libxml2-dev \
- libxslt-dev \
- make \
-# openldap-dev \
- openssl-dev \
-# configure: error: prove not found
- perl-utils \
-# configure: error: Perl module IPC::Run is required to run TAP tests
- perl-ipc-run \
-# perl-dev \
-# python-dev \
-# python3-dev \
-# tcl-dev \
- util-linux-dev \
- zlib-dev \
- \
- && cd /usr/src/postgresql \
-# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
-# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
- && awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new \
- && grep '/var/run/postgresql' src/include/pg_config_manual.h.new \
- && mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h \
- && gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \
-# explicitly update autoconf config.guess and config.sub so they support more arches/libcs
- && wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb' \
- && wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb' \
-# configure options taken from:
-# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
- && ./configure \
- --build="$gnuArch" \
-# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
-# --enable-nls \
- --enable-integer-datetimes \
- --enable-thread-safety \
- --enable-tap-tests \
-# skip debugging info -- we want tiny size instead
-# --enable-debug \
- --disable-rpath \
- --with-uuid=e2fs \
- --with-gnu-ld \
- --with-pgport=5432 \
- --with-system-tzdata=/usr/share/zoneinfo \
- --prefix=/usr/local \
- --with-includes=/usr/local/include \
- --with-libraries=/usr/local/lib \
- \
-# these make our image abnormally large (at least 100MB larger), which seems uncouth for an "Alpine" (ie, "small") variant :)
-# --with-krb5 \
-# --with-gssapi \
-# --with-ldap \
-# --with-tcl \
-# --with-perl \
-# --with-python \
-# --with-pam \
- --with-openssl \
- --with-libxml \
- --with-libxslt \
- && make -j "$(nproc)" world \
- && make install-world \
- && make -C contrib install \
- \
- && runDeps="$( \
- scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
- | tr ',' '\n' \
- | sort -u \
- | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
- )" \
- && apk add --no-cache --virtual .postgresql-rundeps \
- $runDeps \
- bash \
- su-exec \
-# tzdata is optional, but only adds around 1Mb to image size and is recommended by Django documentation:
-# https://docs.djangoproject.com/en/1.10/ref/databases/#optimizing-postgresql-s-configuration
- tzdata \
- && apk del .fetch-deps .build-deps \
- && cd / \
- && rm -rf \
- /usr/src/postgresql \
- /usr/local/share/doc \
- /usr/local/share/man \
- && find /usr/local -name '*.a' -delete
-
-# make the sample config easier to munge (and "correct by default")
-RUN sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample
-
-RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql
-
-ENV PGDATA /var/lib/postgresql/data
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
-VOLUME /var/lib/postgresql/data
-
-COPY docker-entrypoint.sh /usr/local/bin/
-RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
-ENTRYPOINT ["docker-entrypoint.sh"]
-
-EXPOSE 5432
-CMD ["postgres"]
diff --git a/9.5/alpine/docker-entrypoint.sh b/9.5/alpine/docker-entrypoint.sh
deleted file mode 100755
index 8f9cfcc92c..0000000000
--- a/9.5/alpine/docker-entrypoint.sh
+++ /dev/null
@@ -1,176 +0,0 @@
-#!/usr/bin/env bash
-set -Eeo pipefail
-# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
-
-# usage: file_env VAR [DEFAULT]
-# ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
- local var="$1"
- local fileVar="${var}_FILE"
- local def="${2:-}"
- if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
- echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
- exit 1
- fi
- local val="$def"
- if [ "${!var:-}" ]; then
- val="${!var}"
- elif [ "${!fileVar:-}" ]; then
- val="$(< "${!fileVar}")"
- fi
- export "$var"="$val"
- unset "$fileVar"
-}
-
-if [ "${1:0:1}" = '-' ]; then
- set -- postgres "$@"
-fi
-
-# allow the container to be started with `--user`
-if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
- mkdir -p "$PGDATA"
- chown -R postgres "$PGDATA"
- chmod 700 "$PGDATA"
-
- mkdir -p /var/run/postgresql
- chown -R postgres /var/run/postgresql
- chmod 775 /var/run/postgresql
-
- # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user
- if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
- mkdir -p "$POSTGRES_INITDB_XLOGDIR"
- chown -R postgres "$POSTGRES_INITDB_XLOGDIR"
- chmod 700 "$POSTGRES_INITDB_XLOGDIR"
- fi
-
- exec su-exec postgres "$BASH_SOURCE" "$@"
-fi
-
-if [ "$1" = 'postgres' ]; then
- mkdir -p "$PGDATA"
- chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :
- chmod 700 "$PGDATA" 2>/dev/null || :
-
- # look specifically for PG_VERSION, as it is expected in the DB dir
- if [ ! -s "$PGDATA/PG_VERSION" ]; then
- # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
- # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
- if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then
- export LD_PRELOAD='/usr/lib/libnss_wrapper.so'
- export NSS_WRAPPER_PASSWD="$(mktemp)"
- export NSS_WRAPPER_GROUP="$(mktemp)"
- echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"
- echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
- fi
-
- file_env 'POSTGRES_USER' 'postgres'
- file_env 'POSTGRES_PASSWORD'
-
- file_env 'POSTGRES_INITDB_ARGS'
- if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
- export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR"
- fi
- eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"
-
- # unset/cleanup "nss_wrapper" bits
- if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then
- rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
- unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
- fi
-
- # check password first so we can output the warning before postgres
- # messes it up
- if [ -n "$POSTGRES_PASSWORD" ]; then
- authMethod=md5
-
- if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
- cat >&2 <<-'EOWARN'
-
- WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
- This will not work if used via PGPASSWORD with "psql".
-
- https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
- https://github.com/docker-library/postgres/issues/507
-
- EOWARN
- fi
- else
- # The - option suppresses leading tabs but *not* spaces. :)
- cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: No password has been set for the database.
- This will allow anyone with access to the
- Postgres port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
-
- Use "-e POSTGRES_PASSWORD=password" to set
- it in "docker run".
- ****************************************************
- EOWARN
-
- authMethod=trust
- fi
-
- {
- echo
- echo "host all all all $authMethod"
- } >> "$PGDATA/pg_hba.conf"
-
- # internal start of server in order to allow set-up using psql-client
- # does not listen on external TCP/IP and waits until start finishes
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" \
- -o "-c listen_addresses=''" \
- -w start
-
- file_env 'POSTGRES_DB' "$POSTGRES_USER"
-
- export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
- psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password )
-
- if [ "$POSTGRES_DB" != 'postgres' ]; then
- "${psql[@]}" --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
- CREATE DATABASE :"db" ;
- EOSQL
- echo
- fi
- psql+=( --dbname "$POSTGRES_DB" )
-
- echo
- for f in /docker-entrypoint-initdb.d/*; do
- case "$f" in
- *.sh)
- # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
- # https://github.com/docker-library/postgres/pull/452
- if [ -x "$f" ]; then
- echo "$0: running $f"
- "$f"
- else
- echo "$0: sourcing $f"
- . "$f"
- fi
- ;;
- *.sql) echo "$0: running $f"; "${psql[@]}" -f "$f"; echo ;;
- *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${psql[@]}"; echo ;;
- *) echo "$0: ignoring $f" ;;
- esac
- echo
- done
-
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" -m fast -w stop
-
- unset PGPASSWORD
-
- echo
- echo 'PostgreSQL init process complete; ready for start up.'
- echo
- fi
-fi
-
-exec "$@"
diff --git a/9.5/docker-entrypoint.sh b/9.5/docker-entrypoint.sh
deleted file mode 100755
index 3f984a1649..0000000000
--- a/9.5/docker-entrypoint.sh
+++ /dev/null
@@ -1,176 +0,0 @@
-#!/usr/bin/env bash
-set -Eeo pipefail
-# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
-
-# usage: file_env VAR [DEFAULT]
-# ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
- local var="$1"
- local fileVar="${var}_FILE"
- local def="${2:-}"
- if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
- echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
- exit 1
- fi
- local val="$def"
- if [ "${!var:-}" ]; then
- val="${!var}"
- elif [ "${!fileVar:-}" ]; then
- val="$(< "${!fileVar}")"
- fi
- export "$var"="$val"
- unset "$fileVar"
-}
-
-if [ "${1:0:1}" = '-' ]; then
- set -- postgres "$@"
-fi
-
-# allow the container to be started with `--user`
-if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
- mkdir -p "$PGDATA"
- chown -R postgres "$PGDATA"
- chmod 700 "$PGDATA"
-
- mkdir -p /var/run/postgresql
- chown -R postgres /var/run/postgresql
- chmod 775 /var/run/postgresql
-
- # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user
- if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
- mkdir -p "$POSTGRES_INITDB_XLOGDIR"
- chown -R postgres "$POSTGRES_INITDB_XLOGDIR"
- chmod 700 "$POSTGRES_INITDB_XLOGDIR"
- fi
-
- exec gosu postgres "$BASH_SOURCE" "$@"
-fi
-
-if [ "$1" = 'postgres' ]; then
- mkdir -p "$PGDATA"
- chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :
- chmod 700 "$PGDATA" 2>/dev/null || :
-
- # look specifically for PG_VERSION, as it is expected in the DB dir
- if [ ! -s "$PGDATA/PG_VERSION" ]; then
- # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
- # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
- if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then
- export LD_PRELOAD='/usr/lib/libnss_wrapper.so'
- export NSS_WRAPPER_PASSWD="$(mktemp)"
- export NSS_WRAPPER_GROUP="$(mktemp)"
- echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"
- echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
- fi
-
- file_env 'POSTGRES_USER' 'postgres'
- file_env 'POSTGRES_PASSWORD'
-
- file_env 'POSTGRES_INITDB_ARGS'
- if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
- export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR"
- fi
- eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"
-
- # unset/cleanup "nss_wrapper" bits
- if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then
- rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
- unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
- fi
-
- # check password first so we can output the warning before postgres
- # messes it up
- if [ -n "$POSTGRES_PASSWORD" ]; then
- authMethod=md5
-
- if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
- cat >&2 <<-'EOWARN'
-
- WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
- This will not work if used via PGPASSWORD with "psql".
-
- https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
- https://github.com/docker-library/postgres/issues/507
-
- EOWARN
- fi
- else
- # The - option suppresses leading tabs but *not* spaces. :)
- cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: No password has been set for the database.
- This will allow anyone with access to the
- Postgres port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
-
- Use "-e POSTGRES_PASSWORD=password" to set
- it in "docker run".
- ****************************************************
- EOWARN
-
- authMethod=trust
- fi
-
- {
- echo
- echo "host all all all $authMethod"
- } >> "$PGDATA/pg_hba.conf"
-
- # internal start of server in order to allow set-up using psql-client
- # does not listen on external TCP/IP and waits until start finishes
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" \
- -o "-c listen_addresses=''" \
- -w start
-
- file_env 'POSTGRES_DB' "$POSTGRES_USER"
-
- export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
- psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password )
-
- if [ "$POSTGRES_DB" != 'postgres' ]; then
- "${psql[@]}" --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
- CREATE DATABASE :"db" ;
- EOSQL
- echo
- fi
- psql+=( --dbname "$POSTGRES_DB" )
-
- echo
- for f in /docker-entrypoint-initdb.d/*; do
- case "$f" in
- *.sh)
- # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
- # https://github.com/docker-library/postgres/pull/452
- if [ -x "$f" ]; then
- echo "$0: running $f"
- "$f"
- else
- echo "$0: sourcing $f"
- . "$f"
- fi
- ;;
- *.sql) echo "$0: running $f"; "${psql[@]}" -f "$f"; echo ;;
- *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${psql[@]}"; echo ;;
- *) echo "$0: ignoring $f" ;;
- esac
- echo
- done
-
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" -m fast -w stop
-
- unset PGPASSWORD
-
- echo
- echo 'PostgreSQL init process complete; ready for start up.'
- echo
- fi
-fi
-
-exec "$@"
diff --git a/9.6/Dockerfile b/9.6/Dockerfile
deleted file mode 100644
index 39e0f9b943..0000000000
--- a/9.6/Dockerfile
+++ /dev/null
@@ -1,176 +0,0 @@
-# vim:set ft=dockerfile:
-FROM debian:stretch-slim
-
-RUN set -ex; \
- if ! command -v gpg > /dev/null; then \
- apt-get update; \
- apt-get install -y --no-install-recommends \
- gnupg \
- dirmngr \
- ; \
- rm -rf /var/lib/apt/lists/*; \
- fi
-
-# explicitly set user/group IDs
-RUN set -eux; \
- groupadd -r postgres --gid=999; \
-# https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
- useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
-# also create the postgres user's home directory with appropriate permissions
-# see https://github.com/docker-library/postgres/issues/274
- mkdir -p /var/lib/postgresql; \
- chown -R postgres:postgres /var/lib/postgresql
-
-# grab gosu for easy step-down from root
-ENV GOSU_VERSION 1.11
-RUN set -x \
- && apt-get update && apt-get install -y --no-install-recommends ca-certificates wget && rm -rf /var/lib/apt/lists/* \
- && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)" \
- && wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc" \
- && export GNUPGHOME="$(mktemp -d)" \
- && gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
- && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
- && { command -v gpgconf > /dev/null && gpgconf --kill all || :; } \
- && rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc \
- && chmod +x /usr/local/bin/gosu \
- && gosu nobody true \
- && apt-get purge -y --auto-remove ca-certificates wget
-
-# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
-RUN set -eux; \
- if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
-# if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
- grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
- sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
- ! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
- fi; \
- apt-get update; apt-get install -y locales; rm -rf /var/lib/apt/lists/*; \
- localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
-ENV LANG en_US.utf8
-
-# install "nss_wrapper" in case we need to fake "/etc/passwd" and "/etc/group" (especially for OpenShift)
-# https://github.com/docker-library/postgres/issues/359
-# https://cwrap.org/nss_wrapper.html
-RUN set -eux; \
- apt-get update; \
- apt-get install -y --no-install-recommends libnss-wrapper; \
- rm -rf /var/lib/apt/lists/*
-
-RUN mkdir /docker-entrypoint-initdb.d
-
-RUN set -ex; \
-# pub 4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
-# Key fingerprint = B97B 0AFC AA1A 47F0 44F2 44A0 7FCC 7D46 ACCC 4CF8
-# uid PostgreSQL Debian Repository
- key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
- export GNUPGHOME="$(mktemp -d)"; \
- gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; \
- gpg --batch --export "$key" > /etc/apt/trusted.gpg.d/postgres.gpg; \
- command -v gpgconf > /dev/null && gpgconf --kill all; \
- rm -rf "$GNUPGHOME"; \
- apt-key list
-
-ENV PG_MAJOR 9.6
-ENV PG_VERSION 9.6.12-1.pgdg90+1
-
-RUN set -ex; \
- \
-# see note below about "*.pyc" files
- export PYTHONDONTWRITEBYTECODE=1; \
- \
- dpkgArch="$(dpkg --print-architecture)"; \
- case "$dpkgArch" in \
- amd64|i386|ppc64el) \
-# arches officialy built by upstream
- echo "deb http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main $PG_MAJOR" > /etc/apt/sources.list.d/pgdg.list; \
- apt-get update; \
- ;; \
- *) \
-# we're on an architecture upstream doesn't officially build for
-# let's build binaries from their published source packages
- echo "deb-src http://apt.postgresql.org/pub/repos/apt/ stretch-pgdg main $PG_MAJOR" > /etc/apt/sources.list.d/pgdg.list; \
- \
- case "$PG_MAJOR" in \
- 9.* | 10 ) ;; \
- *) \
-# https://github.com/docker-library/postgres/issues/484 (clang-6.0 required, only available in stretch-backports)
-# TODO remove this once we hit buster+
- echo 'deb http://deb.debian.org/debian stretch-backports main' >> /etc/apt/sources.list.d/pgdg.list; \
- ;; \
- esac; \
- \
- tempDir="$(mktemp -d)"; \
- cd "$tempDir"; \
- \
- savedAptMark="$(apt-mark showmanual)"; \
- \
-# build .deb files from upstream's source packages (which are verified by apt-get)
- apt-get update; \
- apt-get build-dep -y \
- postgresql-common pgdg-keyring \
- "postgresql-$PG_MAJOR=$PG_VERSION" \
- ; \
- DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" \
- apt-get source --compile \
- postgresql-common pgdg-keyring \
- "postgresql-$PG_MAJOR=$PG_VERSION" \
- ; \
-# we don't remove APT lists here because they get re-downloaded and removed later
- \
-# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
-# (which is done after we install the built packages so we don't have to redownload any overlapping dependencies)
- apt-mark showmanual | xargs apt-mark auto > /dev/null; \
- apt-mark manual $savedAptMark; \
- \
-# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
- ls -lAFh; \
- dpkg-scanpackages . > Packages; \
- grep '^Package: ' Packages; \
- echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
-# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
-# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
-# ...
-# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
- apt-get -o Acquire::GzipIndexes=false update; \
- ;; \
- esac; \
- \
- apt-get install -y postgresql-common; \
- sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
- apt-get install -y \
- "postgresql-$PG_MAJOR=$PG_VERSION" \
- "postgresql-contrib-$PG_MAJOR=$PG_VERSION" \
- ; \
- \
- rm -rf /var/lib/apt/lists/*; \
- \
- if [ -n "$tempDir" ]; then \
-# if we have leftovers from building, let's purge them (including extra, unnecessary build deps)
- apt-get purge -y --auto-remove; \
- rm -rf "$tempDir" /etc/apt/sources.list.d/temp.list; \
- fi; \
- \
-# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
- find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +
-
-# make the sample config easier to munge (and "correct by default")
-RUN set -eux; \
- dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample"; \
- cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
- ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/"; \
- sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
- grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
-
-RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql
-
-ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
-ENV PGDATA /var/lib/postgresql/data
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
-VOLUME /var/lib/postgresql/data
-
-COPY docker-entrypoint.sh /usr/local/bin/
-RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
-ENTRYPOINT ["docker-entrypoint.sh"]
-
-EXPOSE 5432
-CMD ["postgres"]
diff --git a/9.6/alpine/Dockerfile b/9.6/alpine/Dockerfile
deleted file mode 100644
index 06039a110c..0000000000
--- a/9.6/alpine/Dockerfile
+++ /dev/null
@@ -1,150 +0,0 @@
-# vim:set ft=dockerfile:
-FROM alpine:3.9
-
-# alpine includes "postgres" user/group in base install
-# /etc/passwd:22:postgres:x:70:70::/var/lib/postgresql:/bin/sh
-# /etc/group:34:postgres:x:70:
-# the home directory for the postgres user, however, is not created by default
-# see https://github.com/docker-library/postgres/issues/274
-RUN set -ex; \
- postgresHome="$(getent passwd postgres)"; \
- postgresHome="$(echo "$postgresHome" | cut -d: -f6)"; \
- [ "$postgresHome" = '/var/lib/postgresql' ]; \
- mkdir -p "$postgresHome"; \
- chown -R postgres:postgres "$postgresHome"
-
-# su-exec (gosu-compatible) is installed further down
-
-# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
-# alpine doesn't require explicit locale-file generation
-ENV LANG en_US.utf8
-
-RUN mkdir /docker-entrypoint-initdb.d
-
-ENV PG_MAJOR 9.6
-ENV PG_VERSION 9.6.12
-ENV PG_SHA256 2e8c8446ba94767bda8a26cf5a2152bf0ae68a86aaebf894132a763084579d84
-
-RUN set -ex \
- \
- && apk add --no-cache --virtual .fetch-deps \
- ca-certificates \
- openssl \
- tar \
- \
- && wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2" \
- && echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c - \
- && mkdir -p /usr/src/postgresql \
- && tar \
- --extract \
- --file postgresql.tar.bz2 \
- --directory /usr/src/postgresql \
- --strip-components 1 \
- && rm postgresql.tar.bz2 \
- \
- && apk add --no-cache --virtual .build-deps \
- bison \
- coreutils \
- dpkg-dev dpkg \
- flex \
- gcc \
-# krb5-dev \
- libc-dev \
- libedit-dev \
- libxml2-dev \
- libxslt-dev \
- make \
-# openldap-dev \
- openssl-dev \
-# configure: error: prove not found
- perl-utils \
-# configure: error: Perl module IPC::Run is required to run TAP tests
- perl-ipc-run \
-# perl-dev \
-# python-dev \
-# python3-dev \
-# tcl-dev \
- util-linux-dev \
- zlib-dev \
- \
- && cd /usr/src/postgresql \
-# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
-# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
- && awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new \
- && grep '/var/run/postgresql' src/include/pg_config_manual.h.new \
- && mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h \
- && gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \
-# explicitly update autoconf config.guess and config.sub so they support more arches/libcs
- && wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb' \
- && wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb' \
-# configure options taken from:
-# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
- && ./configure \
- --build="$gnuArch" \
-# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
-# --enable-nls \
- --enable-integer-datetimes \
- --enable-thread-safety \
- --enable-tap-tests \
-# skip debugging info -- we want tiny size instead
-# --enable-debug \
- --disable-rpath \
- --with-uuid=e2fs \
- --with-gnu-ld \
- --with-pgport=5432 \
- --with-system-tzdata=/usr/share/zoneinfo \
- --prefix=/usr/local \
- --with-includes=/usr/local/include \
- --with-libraries=/usr/local/lib \
- \
-# these make our image abnormally large (at least 100MB larger), which seems uncouth for an "Alpine" (ie, "small") variant :)
-# --with-krb5 \
-# --with-gssapi \
-# --with-ldap \
-# --with-tcl \
-# --with-perl \
-# --with-python \
-# --with-pam \
- --with-openssl \
- --with-libxml \
- --with-libxslt \
- && make -j "$(nproc)" world \
- && make install-world \
- && make -C contrib install \
- \
- && runDeps="$( \
- scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
- | tr ',' '\n' \
- | sort -u \
- | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
- )" \
- && apk add --no-cache --virtual .postgresql-rundeps \
- $runDeps \
- bash \
- su-exec \
-# tzdata is optional, but only adds around 1Mb to image size and is recommended by Django documentation:
-# https://docs.djangoproject.com/en/1.10/ref/databases/#optimizing-postgresql-s-configuration
- tzdata \
- && apk del .fetch-deps .build-deps \
- && cd / \
- && rm -rf \
- /usr/src/postgresql \
- /usr/local/share/doc \
- /usr/local/share/man \
- && find /usr/local -name '*.a' -delete
-
-# make the sample config easier to munge (and "correct by default")
-RUN sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample
-
-RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql
-
-ENV PGDATA /var/lib/postgresql/data
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
-VOLUME /var/lib/postgresql/data
-
-COPY docker-entrypoint.sh /usr/local/bin/
-RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
-ENTRYPOINT ["docker-entrypoint.sh"]
-
-EXPOSE 5432
-CMD ["postgres"]
diff --git a/9.6/alpine/docker-entrypoint.sh b/9.6/alpine/docker-entrypoint.sh
deleted file mode 100755
index 8f9cfcc92c..0000000000
--- a/9.6/alpine/docker-entrypoint.sh
+++ /dev/null
@@ -1,176 +0,0 @@
-#!/usr/bin/env bash
-set -Eeo pipefail
-# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
-
-# usage: file_env VAR [DEFAULT]
-# ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
- local var="$1"
- local fileVar="${var}_FILE"
- local def="${2:-}"
- if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
- echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
- exit 1
- fi
- local val="$def"
- if [ "${!var:-}" ]; then
- val="${!var}"
- elif [ "${!fileVar:-}" ]; then
- val="$(< "${!fileVar}")"
- fi
- export "$var"="$val"
- unset "$fileVar"
-}
-
-if [ "${1:0:1}" = '-' ]; then
- set -- postgres "$@"
-fi
-
-# allow the container to be started with `--user`
-if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
- mkdir -p "$PGDATA"
- chown -R postgres "$PGDATA"
- chmod 700 "$PGDATA"
-
- mkdir -p /var/run/postgresql
- chown -R postgres /var/run/postgresql
- chmod 775 /var/run/postgresql
-
- # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user
- if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
- mkdir -p "$POSTGRES_INITDB_XLOGDIR"
- chown -R postgres "$POSTGRES_INITDB_XLOGDIR"
- chmod 700 "$POSTGRES_INITDB_XLOGDIR"
- fi
-
- exec su-exec postgres "$BASH_SOURCE" "$@"
-fi
-
-if [ "$1" = 'postgres' ]; then
- mkdir -p "$PGDATA"
- chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :
- chmod 700 "$PGDATA" 2>/dev/null || :
-
- # look specifically for PG_VERSION, as it is expected in the DB dir
- if [ ! -s "$PGDATA/PG_VERSION" ]; then
- # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
- # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
- if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then
- export LD_PRELOAD='/usr/lib/libnss_wrapper.so'
- export NSS_WRAPPER_PASSWD="$(mktemp)"
- export NSS_WRAPPER_GROUP="$(mktemp)"
- echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"
- echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
- fi
-
- file_env 'POSTGRES_USER' 'postgres'
- file_env 'POSTGRES_PASSWORD'
-
- file_env 'POSTGRES_INITDB_ARGS'
- if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
- export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR"
- fi
- eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"
-
- # unset/cleanup "nss_wrapper" bits
- if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then
- rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
- unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
- fi
-
- # check password first so we can output the warning before postgres
- # messes it up
- if [ -n "$POSTGRES_PASSWORD" ]; then
- authMethod=md5
-
- if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
- cat >&2 <<-'EOWARN'
-
- WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
- This will not work if used via PGPASSWORD with "psql".
-
- https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
- https://github.com/docker-library/postgres/issues/507
-
- EOWARN
- fi
- else
- # The - option suppresses leading tabs but *not* spaces. :)
- cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: No password has been set for the database.
- This will allow anyone with access to the
- Postgres port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
-
- Use "-e POSTGRES_PASSWORD=password" to set
- it in "docker run".
- ****************************************************
- EOWARN
-
- authMethod=trust
- fi
-
- {
- echo
- echo "host all all all $authMethod"
- } >> "$PGDATA/pg_hba.conf"
-
- # internal start of server in order to allow set-up using psql-client
- # does not listen on external TCP/IP and waits until start finishes
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" \
- -o "-c listen_addresses=''" \
- -w start
-
- file_env 'POSTGRES_DB' "$POSTGRES_USER"
-
- export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
- psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password )
-
- if [ "$POSTGRES_DB" != 'postgres' ]; then
- "${psql[@]}" --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
- CREATE DATABASE :"db" ;
- EOSQL
- echo
- fi
- psql+=( --dbname "$POSTGRES_DB" )
-
- echo
- for f in /docker-entrypoint-initdb.d/*; do
- case "$f" in
- *.sh)
- # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
- # https://github.com/docker-library/postgres/pull/452
- if [ -x "$f" ]; then
- echo "$0: running $f"
- "$f"
- else
- echo "$0: sourcing $f"
- . "$f"
- fi
- ;;
- *.sql) echo "$0: running $f"; "${psql[@]}" -f "$f"; echo ;;
- *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${psql[@]}"; echo ;;
- *) echo "$0: ignoring $f" ;;
- esac
- echo
- done
-
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" -m fast -w stop
-
- unset PGPASSWORD
-
- echo
- echo 'PostgreSQL init process complete; ready for start up.'
- echo
- fi
-fi
-
-exec "$@"
diff --git a/9.6/docker-entrypoint.sh b/9.6/docker-entrypoint.sh
deleted file mode 100755
index 3f984a1649..0000000000
--- a/9.6/docker-entrypoint.sh
+++ /dev/null
@@ -1,176 +0,0 @@
-#!/usr/bin/env bash
-set -Eeo pipefail
-# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
-
-# usage: file_env VAR [DEFAULT]
-# ie: file_env 'XYZ_DB_PASSWORD' 'example'
-# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
-# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
-file_env() {
- local var="$1"
- local fileVar="${var}_FILE"
- local def="${2:-}"
- if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
- echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
- exit 1
- fi
- local val="$def"
- if [ "${!var:-}" ]; then
- val="${!var}"
- elif [ "${!fileVar:-}" ]; then
- val="$(< "${!fileVar}")"
- fi
- export "$var"="$val"
- unset "$fileVar"
-}
-
-if [ "${1:0:1}" = '-' ]; then
- set -- postgres "$@"
-fi
-
-# allow the container to be started with `--user`
-if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
- mkdir -p "$PGDATA"
- chown -R postgres "$PGDATA"
- chmod 700 "$PGDATA"
-
- mkdir -p /var/run/postgresql
- chown -R postgres /var/run/postgresql
- chmod 775 /var/run/postgresql
-
- # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user
- if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
- mkdir -p "$POSTGRES_INITDB_XLOGDIR"
- chown -R postgres "$POSTGRES_INITDB_XLOGDIR"
- chmod 700 "$POSTGRES_INITDB_XLOGDIR"
- fi
-
- exec gosu postgres "$BASH_SOURCE" "$@"
-fi
-
-if [ "$1" = 'postgres' ]; then
- mkdir -p "$PGDATA"
- chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :
- chmod 700 "$PGDATA" 2>/dev/null || :
-
- # look specifically for PG_VERSION, as it is expected in the DB dir
- if [ ! -s "$PGDATA/PG_VERSION" ]; then
- # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
- # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
- if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then
- export LD_PRELOAD='/usr/lib/libnss_wrapper.so'
- export NSS_WRAPPER_PASSWD="$(mktemp)"
- export NSS_WRAPPER_GROUP="$(mktemp)"
- echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"
- echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
- fi
-
- file_env 'POSTGRES_USER' 'postgres'
- file_env 'POSTGRES_PASSWORD'
-
- file_env 'POSTGRES_INITDB_ARGS'
- if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
- export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR"
- fi
- eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"
-
- # unset/cleanup "nss_wrapper" bits
- if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then
- rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
- unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
- fi
-
- # check password first so we can output the warning before postgres
- # messes it up
- if [ -n "$POSTGRES_PASSWORD" ]; then
- authMethod=md5
-
- if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
- cat >&2 <<-'EOWARN'
-
- WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.
-
- This will not work if used via PGPASSWORD with "psql".
-
- https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)
- https://github.com/docker-library/postgres/issues/507
-
- EOWARN
- fi
- else
- # The - option suppresses leading tabs but *not* spaces. :)
- cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: No password has been set for the database.
- This will allow anyone with access to the
- Postgres port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
-
- Use "-e POSTGRES_PASSWORD=password" to set
- it in "docker run".
- ****************************************************
- EOWARN
-
- authMethod=trust
- fi
-
- {
- echo
- echo "host all all all $authMethod"
- } >> "$PGDATA/pg_hba.conf"
-
- # internal start of server in order to allow set-up using psql-client
- # does not listen on external TCP/IP and waits until start finishes
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" \
- -o "-c listen_addresses=''" \
- -w start
-
- file_env 'POSTGRES_DB' "$POSTGRES_USER"
-
- export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
- psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password )
-
- if [ "$POSTGRES_DB" != 'postgres' ]; then
- "${psql[@]}" --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
- CREATE DATABASE :"db" ;
- EOSQL
- echo
- fi
- psql+=( --dbname "$POSTGRES_DB" )
-
- echo
- for f in /docker-entrypoint-initdb.d/*; do
- case "$f" in
- *.sh)
- # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
- # https://github.com/docker-library/postgres/pull/452
- if [ -x "$f" ]; then
- echo "$0: running $f"
- "$f"
- else
- echo "$0: sourcing $f"
- . "$f"
- fi
- ;;
- *.sql) echo "$0: running $f"; "${psql[@]}" -f "$f"; echo ;;
- *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${psql[@]}"; echo ;;
- *) echo "$0: ignoring $f" ;;
- esac
- echo
- done
-
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" -m fast -w stop
-
- unset PGPASSWORD
-
- echo
- echo 'PostgreSQL init process complete; ready for start up.'
- echo
- fi
-fi
-
-exec "$@"
diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template
index 170316abc6..d0c90d18c8 100644
--- a/Dockerfile-alpine.template
+++ b/Dockerfile-alpine.template
@@ -1,19 +1,50 @@
-# vim:set ft=dockerfile:
-FROM alpine:%%ALPINE-VERSION%%
+{{
+ def alpine_version:
+ env.variant | ltrimstr("alpine")
+-}}
+FROM alpine:{{ alpine_version }}
-# alpine includes "postgres" user/group in base install
-# /etc/passwd:22:postgres:x:70:70::/var/lib/postgresql:/bin/sh
-# /etc/group:34:postgres:x:70:
-# the home directory for the postgres user, however, is not created by default
+# 70 is the standard uid/gid for "postgres" in Alpine
+# https://git.alpinelinux.org/aports/tree/main/postgresql-common/postgresql-common.pre-install?h=3.21-stable
+RUN set -eux; \
+ addgroup -g 70 -S postgres; \
+ adduser -u 70 -S -D -G postgres -H -h /var/lib/postgresql -s /bin/sh postgres; \
+# also create the postgres user's home directory with appropriate permissions
# see https://github.com/docker-library/postgres/issues/274
-RUN set -ex; \
- postgresHome="$(getent passwd postgres)"; \
- postgresHome="$(echo "$postgresHome" | cut -d: -f6)"; \
- [ "$postgresHome" = '/var/lib/postgresql' ]; \
- mkdir -p "$postgresHome"; \
- chown -R postgres:postgres "$postgresHome"
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
-# su-exec (gosu-compatible) is installed further down
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ \
+ apk add --no-cache --virtual .gosu-deps \
+ ca-certificates \
+ dpkg \
+ gnupg \
+ ; \
+ \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ \
+# verify the signature
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ \
+# clean up fetch dependencies
+ apk del --no-network .gosu-deps; \
+ \
+ chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+ gosu --version; \
+ gosu nobody true
+{{ if env.version | IN("13", "14", "15", "16") then ( -}}
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
+{{ ) else "" end -}}
# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
# alpine doesn't require explicit locale-file generation
@@ -21,134 +52,203 @@ ENV LANG en_US.utf8
RUN mkdir /docker-entrypoint-initdb.d
-ENV PG_MAJOR %%PG_MAJOR%%
-ENV PG_VERSION %%PG_VERSION%%
-ENV PG_SHA256 %%PG_SHA256%%
+ENV PG_MAJOR {{ env.version }}
+ENV PG_VERSION {{ .version }}
+ENV PG_SHA256 {{ .sha256 }}
-%%OSSP_UUID_ENV_VARS%%
-RUN set -ex \
- \
- && apk add --no-cache --virtual .fetch-deps \
- ca-certificates \
- openssl \
- tar \
+{{
+ def llvmver:
+ if alpine_version | split(".") | map(tonumber) < [3, 21] then
+ "15"
+ else
+ "19"
+ end
+-}}
+ENV DOCKER_PG_LLVM_DEPS \
+ llvm{{ llvmver }}-dev \
+ clang{{ llvmver }}
+
+RUN set -eux; \
\
- && wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2" \
- && echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c - \
- && mkdir -p /usr/src/postgresql \
- && tar \
+ wget -O postgresql.tar.bz2 "https://ftp.postgresql.org/pub/source/v$PG_VERSION/postgresql-$PG_VERSION.tar.bz2"; \
+ echo "$PG_SHA256 *postgresql.tar.bz2" | sha256sum -c -; \
+ mkdir -p /usr/src/postgresql; \
+ tar \
--extract \
--file postgresql.tar.bz2 \
--directory /usr/src/postgresql \
--strip-components 1 \
- && rm postgresql.tar.bz2 \
+ ; \
+ rm postgresql.tar.bz2; \
\
- && apk add --no-cache --virtual .build-deps \
+ apk add --no-cache --virtual .build-deps \
+ $DOCKER_PG_LLVM_DEPS \
bison \
coreutils \
dpkg-dev dpkg \
flex \
+ g++ \
gcc \
-# krb5-dev \
+ krb5-dev \
libc-dev \
libedit-dev \
libxml2-dev \
libxslt-dev \
+ linux-headers \
make \
-# openldap-dev \
+ openldap-dev \
openssl-dev \
-# configure: error: prove not found
- perl-utils \
-# configure: error: Perl module IPC::Run is required to run TAP tests
+ perl-dev \
perl-ipc-run \
-# perl-dev \
-# python-dev \
-# python3-dev \
-# tcl-dev \
+ perl-utils \
+ python3-dev \
+ tcl-dev \
util-linux-dev \
zlib-dev \
+# https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13
icu-dev \
+{{ if .major >= 14 then ( -}}
+# https://www.postgresql.org/docs/14/release-14.html#id-1.11.6.5.5.3.7
+ lz4-dev \
+{{ ) else "" end -}}
+{{ if .major >= 15 then ( -}}
+# https://www.postgresql.org/docs/15/release-15.html "--with-zstd to enable Zstandard builds"
+ zstd-dev \
+{{ ) else "" end -}}
+ ; \
\
-%%INSTALL_OSSP_UUID%%
- && cd /usr/src/postgresql \
+ cd /usr/src/postgresql; \
# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian)
# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f
- && awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new \
- && grep '/var/run/postgresql' src/include/pg_config_manual.h.new \
- && mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h \
- && gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \
-# explicitly update autoconf config.guess and config.sub so they support more arches/libcs
- && wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb' \
- && wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb' \
+ awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \
+ grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \
+ mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \
+ gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \
+ \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.21-stable&id=40544ade947bec1798edb0f749f4e967e842624b#n172
+ export LLVM_CONFIG="/usr/lib/llvm{{ llvmver }}/bin/llvm-config"; \
+# https://git.alpinelinux.org/aports/tree/community/postgresql15/APKBUILD?h=3.21-stable&id=40544ade947bec1798edb0f749f4e967e842624b#n177
+ export CLANG=clang-{{ llvmver }}; \
+ \
# configure options taken from:
# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5
- && ./configure \
+ ./configure \
+ --enable-option-checking=fatal \
--build="$gnuArch" \
# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'"
# --enable-nls \
--enable-integer-datetimes \
+{{ if .major <= 16 then ( -}}
+{{ # in 17: this option is reversed. you need to disable it -}}
--enable-thread-safety \
+{{ ) else "" end -}}
--enable-tap-tests \
# skip debugging info -- we want tiny size instead
# --enable-debug \
--disable-rpath \
- %%UUID_CONFIG_FLAG%% \
+ --with-uuid=e2fs \
+{{ # in 16: "configure: error: unrecognized options: --with-gnu-ld" -}}
+{{ # https://github.com/postgres/postgres/commit/9db49fc5bfdc0126be03f4b8986013e59d93b91d -}}
+{{ if .major <= 15 then ( -}}
--with-gnu-ld \
+{{ ) else "" end -}}
--with-pgport=5432 \
--with-system-tzdata=/usr/share/zoneinfo \
--prefix=/usr/local \
--with-includes=/usr/local/include \
--with-libraries=/usr/local/lib \
- \
-# these make our image abnormally large (at least 100MB larger), which seems uncouth for an "Alpine" (ie, "small") variant :)
-# --with-krb5 \
-# --with-gssapi \
-# --with-ldap \
-# --with-tcl \
-# --with-perl \
-# --with-python \
+ --with-gssapi \
+ --with-ldap \
+ --with-tcl \
+ --with-perl \
+ --with-python \
# --with-pam \
--with-openssl \
--with-libxml \
--with-libxslt \
--with-icu \
- && make -j "$(nproc)" world \
- && make install-world \
- && make -C contrib install \
+ --with-llvm \
+{{ if .major >= 14 then ( -}}
+ --with-lz4 \
+{{ ) else "" end -}}
+{{ if .major >= 15 then ( -}}
+ --with-zstd \
+{{ ) else "" end -}}
+ ; \
+ make -j "$(nproc)" world-bin; \
+ make install-world-bin; \
+ make -C contrib install; \
\
- && runDeps="$( \
+ runDeps="$( \
scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \
| tr ',' '\n' \
| sort -u \
| awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \
- )" \
- && apk add --no-cache --virtual .postgresql-rundeps \
+# Remove plperl, plpython and pltcl dependencies by default to save image size
+# To use the pl extensions, those have to be installed in a derived image
+ | grep -v -e perl -e python -e tcl \
+ )"; \
+ apk add --no-cache --virtual .postgresql-rundeps \
$runDeps \
bash \
- su-exec \
-# tzdata is optional, but only adds around 1Mb to image size and is recommended by Django documentation:
-# https://docs.djangoproject.com/en/1.10/ref/databases/#optimizing-postgresql-s-configuration
tzdata \
- && apk del .fetch-deps .build-deps \
- && cd / \
- && rm -rf \
+ zstd \
+# https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
+ icu-data-full \
+# nss_wrapper is not availble on ppc64le: "test case segfaults in ppc64le"
+# https://git.alpinelinux.org/aports/commit/testing/nss_wrapper/APKBUILD?h=3.17-stable&id=94d81ceeb58cff448d489bbcbe9a6d40c9991663
+ $([ "$(apk --print-arch)" != 'ppc64le' ] && echo 'nss_wrapper') \
+ ; \
+ apk del --no-network .build-deps; \
+ cd /; \
+ rm -rf \
/usr/src/postgresql \
/usr/local/share/doc \
/usr/local/share/man \
- && find /usr/local -name '*.a' -delete
+ ; \
+ \
+ postgres --version
# make the sample config easier to munge (and "correct by default")
-RUN sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample
+RUN set -eux; \
+ cp -v /usr/local/share/postgresql/postgresql.conf.sample /usr/local/share/postgresql/postgresql.conf.sample.orig; \
+ sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/local/share/postgresql/postgresql.conf.sample; \
+ grep -F "listen_addresses = '*'" /usr/local/share/postgresql/postgresql.conf.sample
-RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
ENV PGDATA /var/lib/postgresql/data
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
VOLUME /var/lib/postgresql/data
-COPY docker-entrypoint.sh /usr/local/bin/
-RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
ENTRYPOINT ["docker-entrypoint.sh"]
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
EXPOSE 5432
CMD ["postgres"]
diff --git a/Dockerfile-debian.template b/Dockerfile-debian.template
index a86f24b5f7..1ac04a725f 100644
--- a/Dockerfile-debian.template
+++ b/Dockerfile-debian.template
@@ -1,15 +1,4 @@
-# vim:set ft=dockerfile:
-FROM debian:%%DEBIAN_TAG%%
-
-RUN set -ex; \
- if ! command -v gpg > /dev/null; then \
- apt-get update; \
- apt-get install -y --no-install-recommends \
- gnupg \
- dirmngr \
- ; \
- rm -rf /var/lib/apt/lists/*; \
- fi
+FROM debian:{{ env.variant }}-slim
# explicitly set user/group IDs
RUN set -eux; \
@@ -18,23 +7,41 @@ RUN set -eux; \
useradd -r -g postgres --uid=999 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
# also create the postgres user's home directory with appropriate permissions
# see https://github.com/docker-library/postgres/issues/274
- mkdir -p /var/lib/postgresql; \
- chown -R postgres:postgres /var/lib/postgresql
+ install --verbose --directory --owner postgres --group postgres --mode 1777 /var/lib/postgresql
+
+RUN set -ex; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends \
+ gnupg \
+# https://www.postgresql.org/docs/16/app-psql.html#APP-PSQL-META-COMMAND-PSET-PAGER
+# https://github.com/postgres/postgres/blob/REL_16_1/src/include/fe_utils/print.h#L25
+# (if "less" is available, it gets used as the default pager for psql, and it only adds ~1.5MiB to our image size)
+ less \
+ ; \
+ rm -rf /var/lib/apt/lists/*
# grab gosu for easy step-down from root
-ENV GOSU_VERSION 1.11
-RUN set -x \
- && apt-get update && apt-get install -y --no-install-recommends ca-certificates wget && rm -rf /var/lib/apt/lists/* \
- && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)" \
- && wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc" \
- && export GNUPGHOME="$(mktemp -d)" \
- && gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
- && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
- && { command -v gpgconf > /dev/null && gpgconf --kill all || :; } \
- && rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc \
- && chmod +x /usr/local/bin/gosu \
- && gosu nobody true \
- && apt-get purge -y --auto-remove ca-certificates wget
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+ savedAptMark="$(apt-mark showmanual)"; \
+ apt-get update; \
+ apt-get install -y --no-install-recommends ca-certificates wget; \
+ rm -rf /var/lib/apt/lists/*; \
+ dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+ wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+ wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+ export GNUPGHOME="$(mktemp -d)"; \
+ gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+ gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+ apt-mark auto '.*' > /dev/null; \
+ [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+ chmod +x /usr/local/bin/gosu; \
+ gosu --version; \
+ gosu nobody true
# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
RUN set -eux; \
@@ -44,16 +51,19 @@ RUN set -eux; \
sed -ri '/\/usr\/share\/locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
fi; \
- apt-get update; apt-get install -y locales; rm -rf /var/lib/apt/lists/*; \
- localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
+ apt-get update; apt-get install -y --no-install-recommends locales; rm -rf /var/lib/apt/lists/*; \
+ echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
+ locale-gen; \
+ locale -a | grep 'en_US.utf8'
ENV LANG en_US.utf8
-# install "nss_wrapper" in case we need to fake "/etc/passwd" and "/etc/group" (especially for OpenShift)
-# https://github.com/docker-library/postgres/issues/359
-# https://cwrap.org/nss_wrapper.html
RUN set -eux; \
apt-get update; \
- apt-get install -y --no-install-recommends libnss-wrapper; \
+ apt-get install -y --no-install-recommends \
+ libnss-wrapper \
+ xz-utils \
+ zstd \
+ ; \
rm -rf /var/lib/apt/lists/*
RUN mkdir /docker-entrypoint-initdb.d
@@ -64,14 +74,16 @@ RUN set -ex; \
# uid PostgreSQL Debian Repository
key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8'; \
export GNUPGHOME="$(mktemp -d)"; \
- gpg --batch --keyserver ha.pool.sks-keyservers.net --recv-keys "$key"; \
- gpg --batch --export "$key" > /etc/apt/trusted.gpg.d/postgres.gpg; \
- command -v gpgconf > /dev/null && gpgconf --kill all; \
- rm -rf "$GNUPGHOME"; \
- apt-key list
+ mkdir -p /usr/local/share/keyrings/; \
+ gpg --batch --keyserver keyserver.ubuntu.com --recv-keys "$key"; \
+ gpg --batch --export --armor "$key" > /usr/local/share/keyrings/postgres.gpg.asc; \
+ gpgconf --kill all; \
+ rm -rf "$GNUPGHOME"
+
+ENV PG_MAJOR {{ env.version }}
+ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
-ENV PG_MAJOR %%PG_MAJOR%%
-ENV PG_VERSION %%PG_VERSION%%
+ENV PG_VERSION {{ .[env.variant].version }}
RUN set -ex; \
\
@@ -79,42 +91,52 @@ RUN set -ex; \
export PYTHONDONTWRITEBYTECODE=1; \
\
dpkgArch="$(dpkg --print-architecture)"; \
+ aptRepo="[ signed-by=/usr/local/share/keyrings/postgres.gpg.asc ] http://apt.postgresql.org/pub/repos/apt/ {{ env.variant }}-pgdg main $PG_MAJOR"; \
case "$dpkgArch" in \
- %%ARCH_LIST%%) \
+ {{ .[env.variant].arches | join(" | ") }}) \
# arches officialy built by upstream
- echo "deb http://apt.postgresql.org/pub/repos/apt/ %%DEBIAN_SUITE%%-pgdg main $PG_MAJOR" > /etc/apt/sources.list.d/pgdg.list; \
+ echo "deb $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
apt-get update; \
;; \
*) \
# we're on an architecture upstream doesn't officially build for
# let's build binaries from their published source packages
- echo "deb-src http://apt.postgresql.org/pub/repos/apt/ %%DEBIAN_SUITE%%-pgdg main $PG_MAJOR" > /etc/apt/sources.list.d/pgdg.list; \
+ echo "deb-src $aptRepo" > /etc/apt/sources.list.d/pgdg.list; \
\
- case "$PG_MAJOR" in \
- 9.* | 10 ) ;; \
- *) \
-# https://github.com/docker-library/postgres/issues/484 (clang-6.0 required, only available in stretch-backports)
-# TODO remove this once we hit buster+
- echo 'deb http://deb.debian.org/debian %%DEBIAN_SUITE%%-backports main' >> /etc/apt/sources.list.d/pgdg.list; \
- ;; \
- esac; \
+ savedAptMark="$(apt-mark showmanual)"; \
\
tempDir="$(mktemp -d)"; \
cd "$tempDir"; \
\
- savedAptMark="$(apt-mark showmanual)"; \
+# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
+ apt-get update; \
+ apt-get install -y --no-install-recommends dpkg-dev; \
+ echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
+ _update_repo() { \
+ dpkg-scanpackages . > Packages; \
+# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
+# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+# ...
+# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
+ apt-get -o Acquire::GzipIndexes=false update; \
+ }; \
+ _update_repo; \
\
# build .deb files from upstream's source packages (which are verified by apt-get)
- apt-get update; \
- apt-get build-dep -y \
- postgresql-common pgdg-keyring \
- "postgresql-$PG_MAJOR=$PG_VERSION" \
- ; \
- DEB_BUILD_OPTIONS="nocheck parallel=$(nproc)" \
- apt-get source --compile \
- postgresql-common pgdg-keyring \
- "postgresql-$PG_MAJOR=$PG_VERSION" \
- ; \
+ nproc="$(nproc)"; \
+ export DEB_BUILD_OPTIONS="nocheck parallel=$nproc"; \
+# we have to build postgresql-common first because postgresql-$PG_MAJOR shares "debian/rules" logic with it: https://salsa.debian.org/postgresql/postgresql/-/commit/99f44476e258cae6bf9e919219fa2c5414fa2876
+# (and it "Depends: pgdg-keyring")
+ apt-get build-dep -y postgresql-common pgdg-keyring; \
+ apt-get source --compile postgresql-common pgdg-keyring; \
+ _update_repo; \
+{{ if .major == 13 then ( -}}
+# we need DEBIAN_FRONTEND on postgresql-13 for slapd ("Please enter the password for the admin entry in your LDAP directory."); see https://bugs.debian.org/929417
+ DEBIAN_FRONTEND=noninteractive \
+{{ ) else "" end -}}
+ apt-get build-dep -y "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ apt-get source --compile "postgresql-$PG_MAJOR=$PG_VERSION"; \
+ \
# we don't remove APT lists here because they get re-downloaded and removed later
\
# reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
@@ -122,24 +144,17 @@ RUN set -ex; \
apt-mark showmanual | xargs apt-mark auto > /dev/null; \
apt-mark manual $savedAptMark; \
\
-# create a temporary local APT repo to install from (so that dependency resolution can be handled by APT, as it should be)
ls -lAFh; \
- dpkg-scanpackages . > Packages; \
+ _update_repo; \
grep '^Package: ' Packages; \
- echo "deb [ trusted=yes ] file://$tempDir ./" > /etc/apt/sources.list.d/temp.list; \
-# work around the following APT issue by using "Acquire::GzipIndexes=false" (overriding "/etc/apt/apt.conf.d/docker-gzip-indexes")
-# Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
-# ...
-# E: Failed to fetch store:/var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages Could not open file /var/lib/apt/lists/partial/_tmp_tmp.ODWljpQfkE_._Packages - open (13: Permission denied)
- apt-get -o Acquire::GzipIndexes=false update; \
+ cd /; \
;; \
esac; \
\
- apt-get install -y postgresql-common; \
+ apt-get install -y --no-install-recommends postgresql-common; \
sed -ri 's/#(create_main_cluster) .*$/\1 = false/' /etc/postgresql-common/createcluster.conf; \
- apt-get install -y \
+ apt-get install -y --no-install-recommends \
"postgresql-$PG_MAJOR=$PG_VERSION" \
- "postgresql-contrib-$PG_MAJOR=$PG_VERSION" \
; \
\
rm -rf /var/lib/apt/lists/*; \
@@ -151,7 +166,9 @@ RUN set -ex; \
fi; \
\
# some of the steps above generate a lot of "*.pyc" files (and setting "PYTHONDONTWRITEBYTECODE" beforehand doesn't propagate properly for some reason), so we clean them up manually (as long as they aren't owned by a package)
- find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +
+ find /usr -name '*.pyc' -type f -exec bash -c 'for pyc; do dpkg -S "$pyc" &> /dev/null || rm -vf "$pyc"; done' -- '{}' +; \
+ \
+ postgres --version
# make the sample config easier to munge (and "correct by default")
RUN set -eux; \
@@ -161,16 +178,40 @@ RUN set -eux; \
sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
-RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql
+RUN install --verbose --directory --owner postgres --group postgres --mode 3777 /var/run/postgresql
-ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
ENV PGDATA /var/lib/postgresql/data
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
+# this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
+RUN install --verbose --directory --owner postgres --group postgres --mode 1777 "$PGDATA"
VOLUME /var/lib/postgresql/data
-COPY docker-entrypoint.sh /usr/local/bin/
-RUN ln -s usr/local/bin/docker-entrypoint.sh / # backwards compat
+COPY docker-entrypoint.sh docker-ensure-initdb.sh /usr/local/bin/
+RUN ln -sT docker-ensure-initdb.sh /usr/local/bin/docker-enforce-initdb.sh
ENTRYPOINT ["docker-entrypoint.sh"]
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk.
+#
+# See https://www.postgresql.org/docs/current/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/current/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL.
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/current/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
EXPOSE 5432
CMD ["postgres"]
diff --git a/README.md b/README.md
index 99f531d5bc..883f0701e9 100644
--- a/README.md
+++ b/README.md
@@ -2,26 +2,14 @@
## Maintained by: [the PostgreSQL Docker Community](https://github.com/docker-library/postgres)
-This is the Git repo of the [Docker "Official Image"](https://docs.docker.com/docker-hub/official_repos/) for [postgres](https://hub.docker.com/_/postgres/) (not to be confused with any official postgres image provided by postgres upstream). See [the Docker Hub page](https://hub.docker.com/_/postgres/) for the full readme on how to use this Docker image and for information regarding contributing and issues.
+This is the Git repo of the [Docker "Official Image"](https://github.com/docker-library/official-images#what-are-official-images) for [`postgres`](https://hub.docker.com/_/postgres/) (not to be confused with any official `postgres` image provided by `postgres` upstream). See [the Docker Hub page](https://hub.docker.com/_/postgres/) for the full readme on how to use this Docker image and for information regarding contributing and issues.
-The [full description from Docker Hub](https://hub.docker.com/_/postgres/) is generated over in [docker-library/docs](https://github.com/docker-library/docs), specifically in [docker-library/docs/postgres](https://github.com/docker-library/docs/tree/master/postgres).
+The [full image description on Docker Hub](https://hub.docker.com/_/postgres/) is generated/maintained over in [the docker-library/docs repository](https://github.com/docker-library/docs), specifically in [the `postgres` directory](https://github.com/docker-library/docs/tree/master/postgres).
## See a change merged here that doesn't show up on Docker Hub yet?
-Check [the "library/postgres" manifest file in the docker-library/official-images repo](https://github.com/docker-library/official-images/blob/master/library/postgres), especially [PRs with the "library/postgres" label on that repo](https://github.com/docker-library/official-images/labels/library%2Fpostgres).
+For more information about the full official images change lifecycle, see [the "An image's source changed in Git, now what?" FAQ entry](https://github.com/docker-library/faq#an-images-source-changed-in-git-now-what).
-For more information about the official images process, see the [docker-library/official-images readme](https://github.com/docker-library/official-images/blob/master/README.md).
-
----
-
-- [Travis CI:
- ](https://travis-ci.org/docker-library/postgres/branches)
-- [Automated `update.sh`:
- ](https://doi-janky.infosiftr.net/job/update.sh/job/postgres)
-
-| Build | Status | Badges | (per-arch) |
-|:-:|:-:|:-:|:-:|
-| [`amd64`<br />](https://doi-janky.infosiftr.net/job/multiarch/job/amd64/job/postgres) | [`arm32v5`<br />](https://doi-janky.infosiftr.net/job/multiarch/job/arm32v5/job/postgres) | [`arm32v6`<br />](https://doi-janky.infosiftr.net/job/multiarch/job/arm32v6/job/postgres) | [`arm32v7`<br />](https://doi-janky.infosiftr.net/job/multiarch/job/arm32v7/job/postgres) |
-| [`arm64v8`<br />](https://doi-janky.infosiftr.net/job/multiarch/job/arm64v8/job/postgres) | [`i386`<br />](https://doi-janky.infosiftr.net/job/multiarch/job/i386/job/postgres) | [`ppc64le`<br />](https://doi-janky.infosiftr.net/job/multiarch/job/ppc64le/job/postgres) | [`s390x`<br />](https://doi-janky.infosiftr.net/job/multiarch/job/s390x/job/postgres) |
+For outstanding `postgres` image PRs, check [PRs with the "library/postgres" label on the official-images repository](https://github.com/docker-library/official-images/labels/library%2Fpostgres). For the current "source of truth" for [`postgres`](https://hub.docker.com/_/postgres/), see [the `library/postgres` file in the official-images repository](https://github.com/docker-library/official-images/blob/master/library/postgres).
<!-- THIS FILE IS GENERATED BY https://github.com/docker-library/docs/blob/master/generate-repo-stub-readme.sh -->
diff --git a/apply-templates.sh b/apply-templates.sh
new file mode 100755
index 0000000000..aa2d65c6b0
--- /dev/null
+++ b/apply-templates.sh
@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+[ -f versions.json ] # run "versions.sh" first
+
+cd "$(dirname "$(readlink -f "$BASH_SOURCE")")"
+
+jqt='.jq-template.awk'
+if [ -n "${BASHBREW_SCRIPTS:-}" ]; then
+ jqt="$BASHBREW_SCRIPTS/jq-template.awk"
+elif [ "$BASH_SOURCE" -nt "$jqt" ]; then
+ # https://github.com/docker-library/bashbrew/blob/master/scripts/jq-template.awk
+ wget -qO "$jqt" 'https://github.com/docker-library/bashbrew/raw/9f6a35772ac863a0241f147c820354e4008edf38/scripts/jq-template.awk'
+fi
+
+if [ "$#" -eq 0 ]; then
+ versions="$(jq -r 'keys | map(@sh) | join(" ")' versions.json)"
+ eval "set -- $versions"
+fi
+
+generated_warning() {
+ cat <<-EOH
+ #
+ # NOTE: THIS DOCKERFILE IS GENERATED VIA "apply-templates.sh"
+ #
+ # PLEASE DO NOT EDIT IT DIRECTLY.
+ #
+
+ EOH
+}
+
+for version; do
+ export version
+
+ major="$(jq -r '.[env.version].major' versions.json)"
+
+ variants="$(jq -r '.[env.version].variants | map(@sh) | join(" ")' versions.json)"
+ eval "variants=( $variants )"
+
+ rm -rf "$version"
+
+ for variant in "${variants[@]}"; do
+ export variant
+
+ dir="$version/$variant"
+ mkdir -p "$dir"
+
+ echo "processing $dir ..."
+
+ case "$variant" in
+ alpine*)
+ template='Dockerfile-alpine.template'
+ ;;
+ *)
+ template='Dockerfile-debian.template'
+ ;;
+ esac
+
+ {
+ generated_warning
+ gawk -f "$jqt" "$template"
+ } > "$dir/Dockerfile"
+
+ cp -a docker-entrypoint.sh docker-ensure-initdb.sh "$dir/"
+ done
+done
diff --git a/docker-ensure-initdb.sh b/docker-ensure-initdb.sh
new file mode 100755
index 0000000000..ae1f6b6b90
--- /dev/null
+++ b/docker-ensure-initdb.sh
@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+#
+# This script is intended for three main use cases:
+#
+# 1. (most importantly) as an example of how to use "docker-entrypoint.sh" to extend/reuse the initialization behavior
+#
+# 2. ("docker-ensure-initdb.sh") as a Kubernetes "init container" to ensure the provided database directory is initialized; see also "startup probes" for an alternative solution
+# (no-op if database is already initialized)
+#
+# 3. ("docker-enforce-initdb.sh") as part of CI to ensure the database is fully initialized before use
+# (error if database is already initialized)
+#
+
+source /usr/local/bin/docker-entrypoint.sh
+
+# arguments to this script are assumed to be arguments to the "postgres" server (same as "docker-entrypoint.sh"), and most "docker-entrypoint.sh" functions assume "postgres" is the first argument (see "_main" over there)
+if [ "$#" -eq 0 ] || [ "$1" != 'postgres' ]; then
+ set -- postgres "$@"
+fi
+
+# see also "_main" in "docker-entrypoint.sh"
+
+docker_setup_env
+# setup data directories and permissions (when run as root)
+docker_create_db_directories
+if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+# only run initialization on an empty data directory
+if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+else
+ self="$(basename "$0")"
+ case "$self" in
+ docker-ensure-initdb.sh)
+ echo >&2 "$self: note: database already initialized in '$PGDATA'!"
+ exit 0
+ ;;
+
+ docker-enforce-initdb.sh)
+ echo >&2 "$self: error: (unexpected) database found in '$PGDATA'!"
+ exit 1
+ ;;
+
+ *)
+ echo >&2 "$self: error: unknown file name: $self"
+ exit 99
+ ;;
+ esac
+fi
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 93ee4fba4d..ae40666ca1 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -11,7 +11,7 @@ file_env() {
local fileVar="${var}_FILE"
local def="${2:-}"
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
- echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+ printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar"
exit 1
fi
local val="$def"
@@ -24,67 +24,89 @@ file_env() {
unset "$fileVar"
}
-if [ "${1:0:1}" = '-' ]; then
- set -- postgres "$@"
-fi
+# check to see if this file is being run or sourced from another script
+_is_sourced() {
+ # https://unix.stackexchange.com/a/215279
+ [ "${#FUNCNAME[@]}" -ge 2 ] \
+ && [ "${FUNCNAME[0]}" = '_is_sourced' ] \
+ && [ "${FUNCNAME[1]}" = 'source' ]
+}
+
+# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user
+docker_create_db_directories() {
+ local user; user="$(id -u)"
-# allow the container to be started with `--user`
-if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
mkdir -p "$PGDATA"
- chown -R postgres "$PGDATA"
- chmod 700 "$PGDATA"
+ # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory)
+ chmod 00700 "$PGDATA" || :
- mkdir -p /var/run/postgresql
- chown -R postgres /var/run/postgresql
- chmod 775 /var/run/postgresql
+ # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289
+ mkdir -p /var/run/postgresql || :
+ chmod 03775 /var/run/postgresql || :
- # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user
- if [ "$POSTGRES_INITDB_WALDIR" ]; then
+ # Create the transaction log directory before initdb is run so the directory is owned by the correct user
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
mkdir -p "$POSTGRES_INITDB_WALDIR"
- chown -R postgres "$POSTGRES_INITDB_WALDIR"
+ if [ "$user" = '0' ]; then
+ find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
+ fi
chmod 700 "$POSTGRES_INITDB_WALDIR"
fi
- exec gosu postgres "$BASH_SOURCE" "$@"
-fi
-
-if [ "$1" = 'postgres' ]; then
- mkdir -p "$PGDATA"
- chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :
- chmod 700 "$PGDATA" 2>/dev/null || :
-
- # look specifically for PG_VERSION, as it is expected in the DB dir
- if [ ! -s "$PGDATA/PG_VERSION" ]; then
- # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
- # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
- if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then
- export LD_PRELOAD='/usr/lib/libnss_wrapper.so'
- export NSS_WRAPPER_PASSWD="$(mktemp)"
- export NSS_WRAPPER_GROUP="$(mktemp)"
- echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"
- echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
- fi
+ # allow the container to be started with `--user`
+ if [ "$user" = '0' ]; then
+ find "$PGDATA" \! -user postgres -exec chown postgres '{}' +
+ find /var/run/postgresql \! -user postgres -exec chown postgres '{}' +
+ fi
+}
- file_env 'POSTGRES_USER' 'postgres'
- file_env 'POSTGRES_PASSWORD'
+# initialize empty PGDATA directory with new database via 'initdb'
+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function
+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames
+# this is also where the database user is created, specified by `POSTGRES_USER` env
+docker_init_database_dir() {
+ # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
+ # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
+ local uid; uid="$(id -u)"
+ if ! getent passwd "$uid" &> /dev/null; then
+ # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15)
+ local wrapper
+ for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do
+ if [ -s "$wrapper" ]; then
+ NSS_WRAPPER_PASSWD="$(mktemp)"
+ NSS_WRAPPER_GROUP="$(mktemp)"
+ export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ local gid; gid="$(id -g)"
+ printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD"
+ printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP"
+ break
+ fi
+ done
+ fi
- file_env 'POSTGRES_INITDB_ARGS'
- if [ "$POSTGRES_INITDB_WALDIR" ]; then
- export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR"
- fi
- eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"
+ if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then
+ set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
+ fi
- # unset/cleanup "nss_wrapper" bits
- if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then
- rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
- unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
- fi
+ # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025
+ eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"'
- # check password first so we can output the warning before postgres
- # messes it up
- if [ -n "$POSTGRES_PASSWORD" ]; then
- authMethod=md5
+ # unset/cleanup "nss_wrapper" bits
+ if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then
+ rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
+ unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
+ fi
+}
+# print large warning if POSTGRES_PASSWORD is long
+# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust'
+# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
+# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
+docker_verify_minimum_env() {
+ case "${PG_MAJOR:-}" in
+ 13) # https://github.com/postgres/postgres/commit/67a472d71c98c3d2fa322a1b4013080b20720b98
+ # check password first so we can output the warning before postgres
+ # messes it up
if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then
cat >&2 <<-'EOWARN'
@@ -97,80 +119,241 @@ if [ "$1" = 'postgres' ]; then
EOWARN
fi
- else
- # The - option suppresses leading tabs but *not* spaces. :)
- cat >&2 <<-'EOWARN'
- ****************************************************
- WARNING: No password has been set for the database.
- This will allow anyone with access to the
- Postgres port to access your database. In
- Docker's default configuration, this is
- effectively any other container on the same
- system.
-
- Use "-e POSTGRES_PASSWORD=password" to set
- it in "docker run".
- ****************************************************
- EOWARN
-
- authMethod=trust
+ ;;
+ esac
+ if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ # The - option suppresses leading tabs but *not* spaces. :)
+ cat >&2 <<-'EOE'
+ Error: Database is uninitialized and superuser password is not specified.
+ You must specify POSTGRES_PASSWORD to a non-empty value for the
+ superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run".
+
+ You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all
+ connections without a password. This is *not* recommended.
+
+ See PostgreSQL documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ EOE
+ exit 1
+ fi
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ cat >&2 <<-'EOWARN'
+ ********************************************************************************
+ WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
+ anyone with access to the Postgres port to access your database without
+ a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
+ documentation about "trust":
+ https://www.postgresql.org/docs/current/auth-trust.html
+ In Docker's default configuration, this is effectively any other
+ container on the same system.
+
+ It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
+ it with "-e POSTGRES_PASSWORD=password" instead to set a password in
+ "docker run".
+ ********************************************************************************
+ EOWARN
+ fi
+}
+
+# usage: docker_process_init_files [file [file [...]]]
+# ie: docker_process_init_files /always-initdb.d/*
+# process initializer files, based on file extensions and permissions
+docker_process_init_files() {
+ # psql here for backwards compatibility "${psql[@]}"
+ psql=( docker_process_sql )
+
+ printf '\n'
+ local f
+ for f; do
+ case "$f" in
+ *.sh)
+ # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
+ # https://github.com/docker-library/postgres/pull/452
+ if [ -x "$f" ]; then
+ printf '%s: running %s\n' "$0" "$f"
+ "$f"
+ else
+ printf '%s: sourcing %s\n' "$0" "$f"
+ . "$f"
+ fi
+ ;;
+ *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;;
+ *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;;
+ *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;;
+ *) printf '%s: ignoring %s\n' "$0" "$f" ;;
+ esac
+ printf '\n'
+ done
+}
+
+# Execute sql script, passed via stdin (or -f flag of pqsl)
+# usage: docker_process_sql [psql-cli-args]
+# ie: docker_process_sql --dbname=mydb <<<'INSERT ...'
+# ie: docker_process_sql -f my-file.sql
+# ie: docker_process_sql <my-file.sql
+docker_process_sql() {
+ local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password --no-psqlrc )
+ if [ -n "$POSTGRES_DB" ]; then
+ query_runner+=( --dbname "$POSTGRES_DB" )
+ fi
+
+ PGHOST= PGHOSTADDR= "${query_runner[@]}" "$@"
+}
+
+# create initial database
+# uses environment variables for input: POSTGRES_DB
+docker_setup_db() {
+ local dbAlreadyExists
+ dbAlreadyExists="$(
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" --tuples-only <<-'EOSQL'
+ SELECT 1 FROM pg_database WHERE datname = :'db' ;
+ EOSQL
+ )"
+ if [ -z "$dbAlreadyExists" ]; then
+ POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
+ CREATE DATABASE :"db" ;
+ EOSQL
+ printf '\n'
+ fi
+}
+
+# Loads various settings that are used elsewhere in the script
+# This should be called before any other functions
+docker_setup_env() {
+ file_env 'POSTGRES_PASSWORD'
+
+ file_env 'POSTGRES_USER' 'postgres'
+ file_env 'POSTGRES_DB' "$POSTGRES_USER"
+ file_env 'POSTGRES_INITDB_ARGS'
+ : "${POSTGRES_HOST_AUTH_METHOD:=}"
+
+ declare -g DATABASE_ALREADY_EXISTS
+ : "${DATABASE_ALREADY_EXISTS:=}"
+ # look specifically for PG_VERSION, as it is expected in the DB dir
+ if [ -s "$PGDATA/PG_VERSION" ]; then
+ DATABASE_ALREADY_EXISTS='true'
+ fi
+}
+
+# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
+# all arguments will be passed along as arguments to `postgres` for getting the value of 'password_encryption'
+pg_setup_hba_conf() {
+ # default authentication method is md5 on versions before 14
+ # https://www.postgresql.org/about/news/postgresql-14-released-2318/
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+ local auth
+ # check the default/configured encryption and use that as the auth method
+ auth="$(postgres -C password_encryption "$@")"
+ : "${POSTGRES_HOST_AUTH_METHOD:=$auth}"
+ {
+ printf '\n'
+ if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
+ printf '# warning trust is enabled for all connections\n'
+ printf '# see https://www.postgresql.org/docs/17/auth-trust.html\n'
fi
+ printf 'host all all all %s\n' "$POSTGRES_HOST_AUTH_METHOD"
+ } >> "$PGDATA/pg_hba.conf"
+}
+
+# start socket-only postgresql server for setting up or running scripts
+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)
+docker_temp_server_start() {
+ if [ "$1" = 'postgres' ]; then
+ shift
+ fi
+
+ # internal start of server in order to allow setup using psql client
+ # does not listen on external TCP/IP and waits until start finishes
+ set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}"
- {
- echo
- echo "host all all all $authMethod"
- } >> "$PGDATA/pg_hba.conf"
+ # unset NOTIFY_SOCKET so the temporary server doesn't prematurely notify
+ # any process supervisor.
+ NOTIFY_SOCKET= \
+ PGUSER="${PGUSER:-$POSTGRES_USER}" \
+ pg_ctl -D "$PGDATA" \
+ -o "$(printf '%q ' "$@")" \
+ -w start
+}
- # internal start of server in order to allow set-up using psql-client
- # does not listen on external TCP/IP and waits until start finishes
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" \
- -o "-c listen_addresses=''" \
- -w start
+# stop postgresql server after done setting up user and running scripts
+docker_temp_server_stop() {
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
+}
- file_env 'POSTGRES_DB' "$POSTGRES_USER"
+# check arguments for an option that would cause postgres to stop
+# return true if there is one
+_pg_want_help() {
+ local arg
+ for arg; do
+ case "$arg" in
+ # postgres --help | grep 'then exit'
+ # leaving out -C on purpose since it always fails and is unhelpful:
+ # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory
+ -'?'|--help|--describe-config|-V|--version)
+ return 0
+ ;;
+ esac
+ done
+ return 1
+}
- export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
- psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password )
+_main() {
+ # if first arg looks like a flag, assume we want to run postgres server
+ if [ "${1:0:1}" = '-' ]; then
+ set -- postgres "$@"
+ fi
- if [ "$POSTGRES_DB" != 'postgres' ]; then
- "${psql[@]}" --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'
- CREATE DATABASE :"db" ;
- EOSQL
- echo
+ if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then
+ docker_setup_env
+ # setup data directories and permissions (when run as root)
+ docker_create_db_directories
+ if [ "$(id -u)" = '0' ]; then
+ # then restart script as postgres user
+ exec gosu postgres "$BASH_SOURCE" "$@"
fi
- psql+=( --dbname "$POSTGRES_DB" )
-
- echo
- for f in /docker-entrypoint-initdb.d/*; do
- case "$f" in
- *.sh)
- # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
- # https://github.com/docker-library/postgres/pull/452
- if [ -x "$f" ]; then
- echo "$0: running $f"
- "$f"
- else
- echo "$0: sourcing $f"
- . "$f"
- fi
- ;;
- *.sql) echo "$0: running $f"; "${psql[@]}" -f "$f"; echo ;;
- *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${psql[@]}"; echo ;;
- *) echo "$0: ignoring $f" ;;
- esac
- echo
- done
- PGUSER="${PGUSER:-$POSTGRES_USER}" \
- pg_ctl -D "$PGDATA" -m fast -w stop
+ # only run initialization on an empty data directory
+ if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+ docker_verify_minimum_env
+
+ # check dir permissions to reduce likelihood of half-initialized database
+ ls /docker-entrypoint-initdb.d/ > /dev/null
+
+ docker_init_database_dir
+ pg_setup_hba_conf "$@"
+
+ # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless
+ # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS
+ export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"
+ docker_temp_server_start "$@"
+
+ docker_setup_db
+ docker_process_init_files /docker-entrypoint-initdb.d/*
+
+ docker_temp_server_stop
+ unset PGPASSWORD
+
+ cat <<-'EOM'
- unset PGPASSWORD
+ PostgreSQL init process complete; ready for start up.
- echo
- echo 'PostgreSQL init process complete; ready for start up.'
- echo
+ EOM
+ else
+ cat <<-'EOM'
+
+ PostgreSQL Database directory appears to contain a database; Skipping initialization
+
+ EOM
+ fi
fi
-fi
-exec "$@"
+ exec "$@"
+}
+
+if ! _is_sourced; then
+ _main "$@"
+fi
diff --git a/generate-stackbrew-library.sh b/generate-stackbrew-library.sh
index d7e68619da..234a5266a1 100755
--- a/generate-stackbrew-library.sh
+++ b/generate-stackbrew-library.sh
@@ -1,19 +1,20 @@
-#!/bin/bash
-set -eu
+#!/usr/bin/env bash
+set -Eeuo pipefail
declare -A aliases=(
- [11]='latest'
- [9.6]='9'
+ [17]='latest'
)
self="$(basename "$BASH_SOURCE")"
cd "$(dirname "$(readlink -f "$BASH_SOURCE")")"
-versions=( */ )
-versions=( "${versions[@]%/}" )
+if [ "$#" -eq 0 ]; then
+ versions="$(jq -r 'keys | map(@sh) | join(" ")' versions.json)"
+ eval "set -- $versions"
+fi
# sort version numbers with highest first
-IFS=$'\n'; versions=( $(echo "${versions[*]}" | sort -rV) ); unset IFS
+IFS=$'\n'; set -- $(sort -rV <<<"$*"); unset IFS
# get the most recent commit which modified any of "$@"
fileCommit() {
@@ -25,31 +26,37 @@ dirCommit() {
local dir="$1"; shift
(
cd "$dir"
- fileCommit \
- Dockerfile \
- $(git show HEAD:./Dockerfile | awk '
+ files="$(
+ git show HEAD:./Dockerfile | awk '
toupper($1) == "COPY" {
for (i = 2; i < NF; i++) {
+ if ($i ~ /^--from=/) {
+ next
+ }
print $i
}
}
- ')
+ '
+ )"
+ fileCommit Dockerfile $files
)
}
getArches() {
local repo="$1"; shift
- local officialImagesUrl='https://github.com/docker-library/official-images/raw/master/library/'
+ local officialImagesBase="${BASHBREW_LIBRARY:-https://github.com/docker-library/official-images/raw/HEAD/library}/"
- eval "declare -g -A parentRepoToArches=( $(
- find -name 'Dockerfile' -exec awk '
+ local parentRepoToArchesStr
+ parentRepoToArchesStr="$(
+ find -name 'Dockerfile' -exec awk -v officialImagesBase="$officialImagesBase" '
toupper($1) == "FROM" && $2 !~ /^('"$repo"'|scratch|.*\/.*)(:|$)/ {
- print "'"$officialImagesUrl"'" $2
+ printf "%s%s\n", officialImagesBase, $2
}
' '{}' + \
| sort -u \
- | xargs bashbrew cat --format '[{{ .RepoName }}:{{ .TagName }}]="{{ join " " .TagEntry.Architectures }}"'
- ) )"
+ | xargs -r bashbrew cat --format '["{{ .RepoName }}:{{ .TagName }}"]="{{ join " " .TagEntry.Architectures }}"'
+ )"
+ eval "declare -g -A parentRepoToArches=( $parentRepoToArchesStr )"
}
getArches 'postgres'
@@ -68,51 +75,61 @@ join() {
echo "${out#$sep}"
}
-for version in "${versions[@]}"; do
- commit="$(dirCommit "$version")"
+for version; do
+ export version
- pgdgVersion="$(git show "$commit":"$version/Dockerfile" | awk '$1 == "ENV" && $2 == "PG_VERSION" { print $3; exit }')"
- fullVersion="${pgdgVersion%%-*}"
- fullVersion="${fullVersion//'~'/-}"
+ variants="$(jq -r '.[env.version].variants | map(@sh) | join(" ")' versions.json)"
+ eval "variants=( $variants )"
- versionAliases=()
- while [ "$fullVersion" != "$version" -a "${fullVersion%[.-]*}" != "$fullVersion" ]; do
- versionAliases+=( $fullVersion )
- fullVersion="${fullVersion%[.-]*}"
- done
+ alpine="$(jq -r '.[env.version].alpine' versions.json)"
+ debian="$(jq -r '.[env.version].debian' versions.json)"
+
+ fullVersion="$(jq -r '.[env.version].version' versions.json)"
+
+ # ex: 9.6.22, 13.3, or 14beta2
+ versionAliases=(
+ $fullVersion
+ )
+ # skip unadorned "version" on prereleases: https://www.postgresql.org/developer/beta/
+ # ex: 9.6, 13, or 14
+ case "$fullVersion" in
+ *alpha* | *beta* | *rc*) ;;
+ *) versionAliases+=( $version ) ;;
+ esac
+ # ex: 9 or latest
versionAliases+=(
- $version
${aliases[$version]:-}
)
- versionParent="$(awk 'toupper($1) == "FROM" { print $2 }' "$version/Dockerfile")"
- versionArches="${parentRepoToArches[$versionParent]}"
-
- echo
- cat <<-EOE
- Tags: $(join ', ' "${versionAliases[@]}")
- Architectures: $(join ', ' $versionArches)
- GitCommit: $commit
- Directory: $version
- EOE
-
- for variant in alpine; do
- [ -f "$version/$variant/Dockerfile" ] || continue
+ for variant in "${variants[@]}"; do
+ dir="$version/$variant"
+ commit="$(dirCommit "$dir")"
- commit="$(dirCommit "$version/$variant")"
+ parent="$(awk 'toupper($1) == "FROM" { print $2 }' "$dir/Dockerfile")"
+ arches="${parentRepoToArches[$parent]}"
variantAliases=( "${versionAliases[@]/%/-$variant}" )
variantAliases=( "${variantAliases[@]//latest-/}" )
- variantParent="$(awk 'toupper($1) == "FROM" { print $2 }' "$version/$variant/Dockerfile")"
- variantArches="${parentRepoToArches[$variantParent]}"
+ case "$variant" in
+ "$debian")
+ variantAliases=(
+ "${versionAliases[@]}"
+ "${variantAliases[@]}"
+ )
+ ;;
+ alpine"$alpine")
+ variantAliases+=( "${versionAliases[@]/%/-alpine}" )
+ variantAliases=( "${variantAliases[@]//latest-/}" )
+ ;;
+ esac
echo
cat <<-EOE
Tags: $(join ', ' "${variantAliases[@]}")
- Architectures: $(join ', ' $variantArches)
+ Architectures: $(join ', ' $arches)
GitCommit: $commit
- Directory: $version/$variant
+ Directory: $dir
EOE
done
done
diff --git a/ossp-uuid.template b/ossp-uuid.template
deleted file mode 100644
index e52617d00c..0000000000
--- a/ossp-uuid.template
+++ /dev/null
@@ -1,25 +0,0 @@
-# install OSSP uuid (http://www.ossp.org/pkg/lib/uuid/)
-# see https://github.com/docker-library/postgres/pull/255 for more details
- && wget -O uuid.tar.gz "https://www.mirrorservice.org/sites/ftp.ossp.org/pkg/lib/uuid/uuid-$OSSP_UUID_VERSION.tar.gz" \
- && echo "$OSSP_UUID_SHA256 *uuid.tar.gz" | sha256sum -c - \
- && mkdir -p /usr/src/ossp-uuid \
- && tar \
- --extract \
- --file uuid.tar.gz \
- --directory /usr/src/ossp-uuid \
- --strip-components 1 \
- && rm uuid.tar.gz \
- && ( \
- cd /usr/src/ossp-uuid \
- && gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)" \
-# explicitly update autoconf config.guess and config.sub so they support more arches/libcs
- && wget -O config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb' \
- && wget -O config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb' \
- && ./configure \
- --build="$gnuArch" \
- --prefix=/usr/local \
- && make -j "$(nproc)" \
- && make install \
- ) \
- && rm -rf /usr/src/ossp-uuid \
- \
diff --git a/update.sh b/update.sh
index a4b92b1ed6..bac2d7581c 100755
--- a/update.sh
+++ b/update.sh
@@ -1,126 +1,7 @@
-#!/bin/bash
+#!/usr/bin/env bash
set -Eeuo pipefail
cd "$(dirname "$(readlink -f "$BASH_SOURCE")")"
-versions=( "$@" )
-if [ ${#versions[@]} -eq 0 ]; then
- versions=( */ )
-fi
-versions=( "${versions[@]%/}" )
-
-# sort version numbers with highest last (so it goes first in .travis.yml)
-IFS=$'\n'; versions=( $(echo "${versions[*]}" | sort -V) ); unset IFS
-
-defaultDebianSuite='stretch-slim'
-declare -A debianSuite=(
- #[9.6]='jessie'
-)
-defaultAlpineVersion='3.9'
-declare -A alpineVersion=(
- #[9.6]='3.5'
-)
-
-packagesBase='http://apt.postgresql.org/pub/repos/apt/dists/'
-
-# https://www.mirrorservice.org/sites/ftp.ossp.org/pkg/lib/uuid/?C=M;O=D
-osspUuidVersion='1.6.2'
-osspUuidHash='11a615225baa5f8bb686824423f50e4427acd3f70d394765bdff32801f0fd5b0'
-
-declare -A suitePackageList=() suiteArches=()
-travisEnv=
-for version in "${versions[@]}"; do
- tag="${debianSuite[$version]:-$defaultDebianSuite}"
- suite="${tag%%-slim}"
- if [ -z "${suitePackageList["$suite"]:+isset}" ]; then
- suitePackageList["$suite"]="$(curl -fsSL "${packagesBase}/${suite}-pgdg/main/binary-amd64/Packages.bz2" | bunzip2)"
- fi
- if [ -z "${suiteArches["$suite"]:+isset}" ]; then
- suiteArches["$suite"]="$(curl -fsSL "${packagesBase}/${suite}-pgdg/Release" | gawk -F ':[[:space:]]+' '$1 == "Architectures" { gsub(/[[:space:]]+/, "|", $2); print $2 }')"
- fi
-
- versionList="$(echo "${suitePackageList["$suite"]}"; curl -fsSL "${packagesBase}/${suite}-pgdg/${version}/binary-amd64/Packages.bz2" | bunzip2)"
- fullVersion="$(echo "$versionList" | awk -F ': ' '$1 == "Package" { pkg = $2 } $1 == "Version" && pkg == "postgresql-'"$version"'" { print $2; exit }' || true)"
- majorVersion="${version%%.*}"
-
- echo "$version: $fullVersion"
-
- cp docker-entrypoint.sh "$version/"
- sed -e 's/%%PG_MAJOR%%/'"$version"'/g;' \
- -e 's/%%PG_VERSION%%/'"$fullVersion"'/g' \
- -e 's/%%DEBIAN_TAG%%/'"$tag"'/g' \
- -e 's/%%DEBIAN_SUITE%%/'"$suite"'/g' \
- -e 's/%%ARCH_LIST%%/'"${suiteArches["$suite"]}"'/g' \
- Dockerfile-debian.template > "$version/Dockerfile"
- if [ "$majorVersion" = '9' ]; then
- sed -i -e 's/WALDIR/XLOGDIR/g' \
- -e 's/waldir/xlogdir/g' \
- "$version/docker-entrypoint.sh"
- # ICU support was introduced in PostgreSQL 10 (https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13)
- sed -i -e '/icu/d' "$version/Dockerfile"
- else
- # postgresql-contrib-10 package does not exist, but is provided by postgresql-10
- # Packages.gz:
- # Package: postgresql-10
- # Provides: postgresql-contrib-10
- sed -i -e '/postgresql-contrib-/d' "$version/Dockerfile"
- fi
-
- # TODO figure out what to do with odd version numbers here, like release candidates
- srcVersion="${fullVersion%%-*}"
- # change "10~beta1" to "10beta1" for ftp urls
- tilde='~'
- srcVersion="${srcVersion//$tilde/}"
- srcSha256="$(curl -fsSL "https://ftp.postgresql.org/pub/source/v${srcVersion}/postgresql-${srcVersion}.tar.bz2.sha256" | cut -d' ' -f1)"
- for variant in alpine; do
- if [ ! -d "$version/$variant" ]; then
- continue
- fi
-
- cp docker-entrypoint.sh "$version/$variant/"
- sed -i 's/gosu/su-exec/g' "$version/$variant/docker-entrypoint.sh"
- sed -e 's/%%PG_MAJOR%%/'"$version"'/g' \
- -e 's/%%PG_VERSION%%/'"$srcVersion"'/g' \
- -e 's/%%PG_SHA256%%/'"$srcSha256"'/g' \
- -e 's/%%ALPINE-VERSION%%/'"${alpineVersion[$version]:-$defaultAlpineVersion}"'/g' \
- "Dockerfile-$variant.template" > "$version/$variant/Dockerfile"
- if [ "$majorVersion" = '9' ]; then
- sed -i -e 's/WALDIR/XLOGDIR/g' \
- -e 's/waldir/xlogdir/g' \
- "$version/$variant/docker-entrypoint.sh"
- # ICU support was introduced in PostgreSQL 10 (https://www.postgresql.org/docs/10/static/release-10.html#id-1.11.6.9.5.13)
- sed -i -e '/icu/d' "$version/$variant/Dockerfile"
- fi
-
- # TODO remove all this when 9.3 is EOL (2018-10-01 -- from http://www.postgresql.org/support/versioning/)
- case "$version" in
- 9.3)
- uuidConfigFlag='--with-ossp-uuid'
- sed -i \
- -e 's/%%OSSP_UUID_ENV_VARS%%/ENV OSSP_UUID_VERSION '"$osspUuidVersion"'\nENV OSSP_UUID_SHA256 '"$osspUuidHash"'\n/' \
- -e $'/%%INSTALL_OSSP_UUID%%/ {r ossp-uuid.template\n d}' \
- "$version/$variant/Dockerfile"
-
- # configure: WARNING: unrecognized options: --enable-tap-tests
- sed -i '/--enable-tap-tests/d' "$version/$variant/Dockerfile"
- ;;
-
- *)
- uuidConfigFlag='--with-uuid=e2fs'
- sed -i \
- -e '/%%OSSP_UUID_ENV_VARS%%/d' \
- -e '/%%INSTALL_OSSP_UUID%%/d' \
- "$version/$variant/Dockerfile"
- ;;
- esac
- sed -i 's/%%UUID_CONFIG_FLAG%%/'"$uuidConfigFlag"'/' "$version/$variant/Dockerfile"
-
- travisEnv="\n - VERSION=$version VARIANT=$variant$travisEnv"
- done
-
- travisEnv="\n - VERSION=$version FORCE_DEB_BUILD=1$travisEnv"
- travisEnv="\n - VERSION=$version$travisEnv"
-done
-
-travis="$(awk -v 'RS=\n\n' '$1 == "env:" { $0 = "env:'"$travisEnv"'" } { printf "%s%s", $0, RS }' .travis.yml)"
-echo "$travis" > .travis.yml
+./versions.sh "$@"
+./apply-templates.sh "$@"
diff --git a/versions.json b/versions.json
new file mode 100644
index 0000000000..0c4bfb0d20
--- /dev/null
+++ b/versions.json
@@ -0,0 +1,147 @@
+{
+ "13": {
+ "alpine": "3.21",
+ "bookworm": {
+ "arches": [
+ "amd64",
+ "arm64",
+ "ppc64el"
+ ],
+ "version": "13.21-1.pgdg120+1"
+ },
+ "bullseye": {
+ "arches": [
+ "amd64",
+ "arm64",
+ "ppc64el"
+ ],
+ "version": "13.21-1.pgdg110+1"
+ },
+ "debian": "bookworm",
+ "major": 13,
+ "sha256": "dcda1294df45f033b0656cf7a8e4afbbc624c25e1b144aec79530f74d7ef4ab4",
+ "variants": [
+ "bookworm",
+ "bullseye",
+ "alpine3.21",
+ "alpine3.20"
+ ],
+ "version": "13.21"
+ },
+ "14": {
+ "alpine": "3.21",
+ "bookworm": {
+ "arches": [
+ "amd64",
+ "arm64",
+ "ppc64el"
+ ],
+ "version": "14.18-1.pgdg120+1"
+ },
+ "bullseye": {
+ "arches": [
+ "amd64",
+ "arm64",
+ "ppc64el"
+ ],
+ "version": "14.18-1.pgdg110+1"
+ },
+ "debian": "bookworm",
+ "major": 14,
+ "sha256": "83ab29d6bfc3dc58b2ed3c664114fdfbeb6a0450c4b8d7fa69aee91e3ca14f8e",
+ "variants": [
+ "bookworm",
+ "bullseye",
+ "alpine3.21",
+ "alpine3.20"
+ ],
+ "version": "14.18"
+ },
+ "15": {
+ "alpine": "3.21",
+ "bookworm": {
+ "arches": [
+ "amd64",
+ "arm64",
+ "ppc64el"
+ ],
+ "version": "15.13-1.pgdg120+1"
+ },
+ "bullseye": {
+ "arches": [
+ "amd64",
+ "arm64",
+ "ppc64el"
+ ],
+ "version": "15.13-1.pgdg110+1"
+ },
+ "debian": "bookworm",
+ "major": 15,
+ "sha256": "4f62e133d22ea08a0401b0840920e26698644d01a80c34341fb732dd0a90ca5d",
+ "variants": [
+ "bookworm",
+ "bullseye",
+ "alpine3.21",
+ "alpine3.20"
+ ],
+ "version": "15.13"
+ },
+ "16": {
+ "alpine": "3.21",
+ "bookworm": {
+ "arches": [
+ "amd64",
+ "arm64",
+ "ppc64el"
+ ],
+ "version": "16.9-1.pgdg120+1"
+ },
+ "bullseye": {
+ "arches": [
+ "amd64",
+ "arm64",
+ "ppc64el"
+ ],
+ "version": "16.9-1.pgdg110+1"
+ },
+ "debian": "bookworm",
+ "major": 16,
+ "sha256": "07c00fb824df0a0c295f249f44691b86e3266753b380c96f633c3311e10bd005",
+ "variants": [
+ "bookworm",
+ "bullseye",
+ "alpine3.21",
+ "alpine3.20"
+ ],
+ "version": "16.9"
+ },
+ "17": {
+ "alpine": "3.21",
+ "bookworm": {
+ "arches": [
+ "amd64",
+ "arm64",
+ "ppc64el"
+ ],
+ "version": "17.5-1.pgdg120+1"
+ },
+ "bullseye": {
+ "arches": [
+ "amd64",
+ "arm64",
+ "ppc64el"
+ ],
+ "version": "17.5-1.pgdg110+1"
+ },
+ "debian": "bookworm",
+ "major": 17,
+ "sha256": "fcb7ab38e23b264d1902cb25e6adafb4525a6ebcbd015434aeef9eda80f528d8",
+ "variants": [
+ "bookworm",
+ "bullseye",
+ "alpine3.21",
+ "alpine3.20"
+ ],
+ "version": "17.5"
+ }
+}
diff --git a/versions.sh b/versions.sh
new file mode 100755
index 0000000000..ad83e2b000
--- /dev/null
+++ b/versions.sh
@@ -0,0 +1,154 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+# we will support at most two entries in each of these lists, and both should be in descending order
+supportedDebianSuites=(
+ bookworm
+ bullseye
+)
+supportedAlpineVersions=(
+ 3.21
+ 3.20
+)
+defaultDebianSuite="${supportedDebianSuites[0]}"
+declare -A debianSuites=(
+)
+defaultAlpineVersion="${supportedAlpineVersions[0]}"
+declare -A alpineVersions=(
+ #[14]='3.16'
+)
+
+cd "$(dirname "$(readlink -f "$BASH_SOURCE")")"
+
+versions=( "$@" )
+if [ ${#versions[@]} -eq 0 ]; then
+ versions=( */ )
+ json='{}'
+else
+ json="$(< versions.json)"
+fi
+versions=( "${versions[@]%/}" )
+
+packagesBase='http://apt.postgresql.org/pub/repos/apt/dists/'
+declare -A suitePackageList=() suiteVersionPackageList=() suiteArches=()
+_raw_package_list() {
+ local suite="$1"; shift
+ local component="$1"; shift
+ local arch="$1"; shift
+
+ curl -fsSL "$packagesBase/$suite-pgdg/$component/binary-$arch/Packages.bz2" | bunzip2
+}
+fetch_suite_package_list() {
+ local -; set +x # make sure running with "set -x" doesn't spam the terminal with the raw package lists
+
+ local suite="$1"; shift
+ local version="$1"; shift
+ local arch="$1"; shift
+
+ # normal (GA) releases end up in the "main" component of upstream's repository
+ if [ -z "${suitePackageList["$suite-$arch"]:+isset}" ]; then
+ local suiteArchPackageList
+ suiteArchPackageList="$(_raw_package_list "$suite" 'main' "$arch")"
+ suitePackageList["$suite-$arch"]="$suiteArchPackageList"
+ fi
+
+ # ... but pre-release versions (betas, etc) end up in the "PG_MAJOR" component (so we need to check both)
+ if [ -z "${suiteVersionPackageList["$suite-$version-$arch"]:+isset}" ]; then
+ local versionPackageList
+ versionPackageList="$(_raw_package_list "$suite" "$version" "$arch")"
+ suiteVersionPackageList["$suite-$version-$arch"]="$versionPackageList"
+ fi
+}
+awk_package_list() {
+ local suite="$1"; shift
+ local version="$1"; shift
+ local arch="$1"; shift
+
+ awk -F ': ' -v version="$version" "$@" <<<"${suitePackageList["$suite-$arch"]}"$'\n'"${suiteVersionPackageList["$suite-$version-$arch"]}"
+}
+fetch_suite_arches() {
+ local suite="$1"; shift
+
+ if [ -z "${suiteArches["$suite"]:+isset}" ]; then
+ local suiteRelease
+ suiteRelease="$(curl -fsSL "$packagesBase/$suite-pgdg/Release")"
+ suiteArches["$suite"]="$(gawk <<<"$suiteRelease" -F ':[[:space:]]+' '$1 == "Architectures" { print $2; exit }')"
+ fi
+}
+
+for version in "${versions[@]}"; do
+ export version
+
+ versionAlpineVersion="${alpineVersions[$version]:-$defaultAlpineVersion}"
+ versionDebianSuite="${debianSuites[$version]:-$defaultDebianSuite}"
+ export versionAlpineVersion versionDebianSuite
+
+ doc="$(jq -nc '{
+ alpine: env.versionAlpineVersion,
+ debian: env.versionDebianSuite,
+ }')"
+
+ fullVersion=
+ for suite in "${supportedDebianSuites[@]}"; do
+ fetch_suite_package_list "$suite" "$version" 'amd64'
+ suiteVersions="$(awk_package_list "$suite" "$version" 'amd64' '
+ $1 == "Package" { pkg = $2 }
+ $1 == "Version" && pkg == "postgresql-" version { print $2 }
+ ' | sort -V)"
+ suiteVersion="$(tail -1 <<<"$suiteVersions")" # "15~beta4-1.pgdg110+1"
+ srcVersion="${suiteVersion%%-*}" # "15~beta4"
+ tilde='~'
+ srcVersion="${srcVersion//$tilde/}" # "15beta4"
+ [ -n "$fullVersion" ] || fullVersion="$srcVersion"
+ if [ "$fullVersion" != "$srcVersion" ]; then
+ echo >&2 "warning: $version should be '$fullVersion' but $suite has '$srcVersion' ($suiteVersion)"
+ continue
+ fi
+
+ versionArches='[]'
+ fetch_suite_arches "$suite"
+ for arch in ${suiteArches["$suite"]}; do
+ fetch_suite_package_list "$suite" "$version" "$arch"
+ archVersion="$(awk_package_list "$suite" "$version" "$arch" '
+ $1 == "Package" { pkg = $2 }
+ $1 == "Version" && pkg == "postgresql-" version { print $2; exit }
+ ')"
+ if [ "$archVersion" = "$suiteVersion" ]; then
+ versionArches="$(jq <<<"$versionArches" -c --arg arch "$arch" '. += [$arch]')"
+ fi
+ done
+
+ export suite suiteVersion
+ doc="$(jq <<<"$doc" -c --argjson arches "$versionArches" '
+ .[env.suite] = {
+ version: env.suiteVersion,
+ arches: $arches,
+ }
+ | .variants += [ env.suite ]
+ ')"
+ done
+
+ for alpineVersion in "${supportedAlpineVersions[@]}"; do
+ doc="$(jq <<<"$doc" -c --arg v "$alpineVersion" '
+ .variants += [ "alpine" + $v ]
+ ')"
+ done
+
+ sha256="$(
+ curl -fsSL "https://ftp.postgresql.org/pub/source/v${fullVersion}/postgresql-${fullVersion}.tar.bz2.sha256" \
+ | cut -d' ' -f1
+ )"
+
+ echo "$version: $fullVersion"
+
+ export fullVersion sha256 major="${version%%.*}"
+ json="$(jq <<<"$json" -c --argjson doc "$doc" '
+ .[env.version] = ($doc + {
+ version: env.fullVersion,
+ sha256: env.sha256,
+ major: (env.major | tonumber),
+ })
+ ')"
+done
+
+jq <<<"$json" -S . > versions.json