Skip to content

Commit fe89a60

Browse files
tianontianon
committed
Implement "nss_wrapper" for Debian variants
1 parent 46bc23c commit fe89a60

17 files changed

+246
-11
lines changed

10/Dockerfile

+8
Original file line numberDiff line numberDiff line change
@@ -40,6 +40,14 @@ RUN set -eux; \
4040
localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
4141
ENV LANG en_US.utf8
4242

43+
# install "nss_wrapper" in case we need to fake "/etc/passwd" and "/etc/group" (especially for OpenShift)
44+
# https://github.com/docker-library/postgres/issues/359
45+
# https://cwrap.org/nss_wrapper.html
46+
RUN set -eux; \
47+
apt-get update; \
48+
apt-get install -y --no-install-recommends libnss-wrapper; \
49+
rm -rf /var/lib/apt/lists/*
50+
4351
RUN mkdir /docker-entrypoint-initdb.d
4452

4553
RUN set -ex; \

10/alpine/docker-entrypoint.sh

+18-1
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
11
#!/usr/bin/env bash
2-
set -e
2+
set -Eeo pipefail
3+
# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
34

45
# usage: file_env VAR [DEFAULT]
56
# ie: file_env 'XYZ_DB_PASSWORD' 'example'
@@ -54,12 +55,28 @@ if [ "$1" = 'postgres' ]; then
5455

5556
# look specifically for PG_VERSION, as it is expected in the DB dir
5657
if [ ! -s "$PGDATA/PG_VERSION" ]; then
58+
# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
59+
# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
60+
if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then
61+
export LD_PRELOAD='/usr/lib/libnss_wrapper.so'
62+
export NSS_WRAPPER_PASSWD="$(mktemp)"
63+
export NSS_WRAPPER_GROUP="$(mktemp)"
64+
echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"
65+
echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
66+
fi
67+
5768
file_env 'POSTGRES_INITDB_ARGS'
5869
if [ "$POSTGRES_INITDB_WALDIR" ]; then
5970
export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR"
6071
fi
6172
eval "initdb --username=postgres $POSTGRES_INITDB_ARGS"
6273

74+
# unset/cleanup "nss_wrapper" bits
75+
if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then
76+
rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
77+
unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
78+
fi
79+
6380
# check password first so we can output the warning before postgres
6481
# messes it up
6582
file_env 'POSTGRES_PASSWORD'

10/docker-entrypoint.sh

+18-1
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
11
#!/usr/bin/env bash
2-
set -e
2+
set -Eeo pipefail
3+
# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
34

45
# usage: file_env VAR [DEFAULT]
56
# ie: file_env 'XYZ_DB_PASSWORD' 'example'
@@ -54,12 +55,28 @@ if [ "$1" = 'postgres' ]; then
5455

5556
# look specifically for PG_VERSION, as it is expected in the DB dir
5657
if [ ! -s "$PGDATA/PG_VERSION" ]; then
58+
# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
59+
# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
60+
if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then
61+
export LD_PRELOAD='/usr/lib/libnss_wrapper.so'
62+
export NSS_WRAPPER_PASSWD="$(mktemp)"
63+
export NSS_WRAPPER_GROUP="$(mktemp)"
64+
echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"
65+
echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
66+
fi
67+
5768
file_env 'POSTGRES_INITDB_ARGS'
5869
if [ "$POSTGRES_INITDB_WALDIR" ]; then
5970
export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR"
6071
fi
6172
eval "initdb --username=postgres $POSTGRES_INITDB_ARGS"
6273

74+
# unset/cleanup "nss_wrapper" bits
75+
if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then
76+
rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
77+
unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
78+
fi
79+
6380
# check password first so we can output the warning before postgres
6481
# messes it up
6582
file_env 'POSTGRES_PASSWORD'

9.3/Dockerfile

+8
Original file line numberDiff line numberDiff line change
@@ -40,6 +40,14 @@ RUN set -eux; \
4040
localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
4141
ENV LANG en_US.utf8
4242

43+
# install "nss_wrapper" in case we need to fake "/etc/passwd" and "/etc/group" (especially for OpenShift)
44+
# https://github.com/docker-library/postgres/issues/359
45+
# https://cwrap.org/nss_wrapper.html
46+
RUN set -eux; \
47+
apt-get update; \
48+
apt-get install -y --no-install-recommends libnss-wrapper; \
49+
rm -rf /var/lib/apt/lists/*
50+
4351
RUN mkdir /docker-entrypoint-initdb.d
4452

4553
RUN set -ex; \

9.3/alpine/docker-entrypoint.sh

+18-1
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
11
#!/usr/bin/env bash
2-
set -e
2+
set -Eeo pipefail
3+
# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
34

45
# usage: file_env VAR [DEFAULT]
56
# ie: file_env 'XYZ_DB_PASSWORD' 'example'
@@ -54,12 +55,28 @@ if [ "$1" = 'postgres' ]; then
5455

5556
# look specifically for PG_VERSION, as it is expected in the DB dir
5657
if [ ! -s "$PGDATA/PG_VERSION" ]; then
58+
# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
59+
# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
60+
if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then
61+
export LD_PRELOAD='/usr/lib/libnss_wrapper.so'
62+
export NSS_WRAPPER_PASSWD="$(mktemp)"
63+
export NSS_WRAPPER_GROUP="$(mktemp)"
64+
echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"
65+
echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
66+
fi
67+
5768
file_env 'POSTGRES_INITDB_ARGS'
5869
if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
5970
export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR"
6071
fi
6172
eval "initdb --username=postgres $POSTGRES_INITDB_ARGS"
6273

74+
# unset/cleanup "nss_wrapper" bits
75+
if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then
76+
rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
77+
unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
78+
fi
79+
6380
# check password first so we can output the warning before postgres
6481
# messes it up
6582
file_env 'POSTGRES_PASSWORD'

9.3/docker-entrypoint.sh

+18-1
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
11
#!/usr/bin/env bash
2-
set -e
2+
set -Eeo pipefail
3+
# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
34

45
# usage: file_env VAR [DEFAULT]
56
# ie: file_env 'XYZ_DB_PASSWORD' 'example'
@@ -54,12 +55,28 @@ if [ "$1" = 'postgres' ]; then
5455

5556
# look specifically for PG_VERSION, as it is expected in the DB dir
5657
if [ ! -s "$PGDATA/PG_VERSION" ]; then
58+
# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
59+
# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
60+
if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then
61+
export LD_PRELOAD='/usr/lib/libnss_wrapper.so'
62+
export NSS_WRAPPER_PASSWD="$(mktemp)"
63+
export NSS_WRAPPER_GROUP="$(mktemp)"
64+
echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"
65+
echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
66+
fi
67+
5768
file_env 'POSTGRES_INITDB_ARGS'
5869
if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
5970
export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR"
6071
fi
6172
eval "initdb --username=postgres $POSTGRES_INITDB_ARGS"
6273

74+
# unset/cleanup "nss_wrapper" bits
75+
if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then
76+
rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
77+
unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
78+
fi
79+
6380
# check password first so we can output the warning before postgres
6481
# messes it up
6582
file_env 'POSTGRES_PASSWORD'

9.4/Dockerfile

+8
Original file line numberDiff line numberDiff line change
@@ -40,6 +40,14 @@ RUN set -eux; \
4040
localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
4141
ENV LANG en_US.utf8
4242

43+
# install "nss_wrapper" in case we need to fake "/etc/passwd" and "/etc/group" (especially for OpenShift)
44+
# https://github.com/docker-library/postgres/issues/359
45+
# https://cwrap.org/nss_wrapper.html
46+
RUN set -eux; \
47+
apt-get update; \
48+
apt-get install -y --no-install-recommends libnss-wrapper; \
49+
rm -rf /var/lib/apt/lists/*
50+
4351
RUN mkdir /docker-entrypoint-initdb.d
4452

4553
RUN set -ex; \

9.4/alpine/docker-entrypoint.sh

+18-1
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
11
#!/usr/bin/env bash
2-
set -e
2+
set -Eeo pipefail
3+
# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
34

45
# usage: file_env VAR [DEFAULT]
56
# ie: file_env 'XYZ_DB_PASSWORD' 'example'
@@ -54,12 +55,28 @@ if [ "$1" = 'postgres' ]; then
5455

5556
# look specifically for PG_VERSION, as it is expected in the DB dir
5657
if [ ! -s "$PGDATA/PG_VERSION" ]; then
58+
# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
59+
# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
60+
if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then
61+
export LD_PRELOAD='/usr/lib/libnss_wrapper.so'
62+
export NSS_WRAPPER_PASSWD="$(mktemp)"
63+
export NSS_WRAPPER_GROUP="$(mktemp)"
64+
echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"
65+
echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
66+
fi
67+
5768
file_env 'POSTGRES_INITDB_ARGS'
5869
if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
5970
export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR"
6071
fi
6172
eval "initdb --username=postgres $POSTGRES_INITDB_ARGS"
6273

74+
# unset/cleanup "nss_wrapper" bits
75+
if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then
76+
rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
77+
unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
78+
fi
79+
6380
# check password first so we can output the warning before postgres
6481
# messes it up
6582
file_env 'POSTGRES_PASSWORD'

9.4/docker-entrypoint.sh

+18-1
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
11
#!/usr/bin/env bash
2-
set -e
2+
set -Eeo pipefail
3+
# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
34

45
# usage: file_env VAR [DEFAULT]
56
# ie: file_env 'XYZ_DB_PASSWORD' 'example'
@@ -54,12 +55,28 @@ if [ "$1" = 'postgres' ]; then
5455

5556
# look specifically for PG_VERSION, as it is expected in the DB dir
5657
if [ ! -s "$PGDATA/PG_VERSION" ]; then
58+
# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
59+
# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
60+
if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then
61+
export LD_PRELOAD='/usr/lib/libnss_wrapper.so'
62+
export NSS_WRAPPER_PASSWD="$(mktemp)"
63+
export NSS_WRAPPER_GROUP="$(mktemp)"
64+
echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"
65+
echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
66+
fi
67+
5768
file_env 'POSTGRES_INITDB_ARGS'
5869
if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
5970
export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR"
6071
fi
6172
eval "initdb --username=postgres $POSTGRES_INITDB_ARGS"
6273

74+
# unset/cleanup "nss_wrapper" bits
75+
if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then
76+
rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
77+
unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
78+
fi
79+
6380
# check password first so we can output the warning before postgres
6481
# messes it up
6582
file_env 'POSTGRES_PASSWORD'

9.5/Dockerfile

+8
Original file line numberDiff line numberDiff line change
@@ -40,6 +40,14 @@ RUN set -eux; \
4040
localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
4141
ENV LANG en_US.utf8
4242

43+
# install "nss_wrapper" in case we need to fake "/etc/passwd" and "/etc/group" (especially for OpenShift)
44+
# https://github.com/docker-library/postgres/issues/359
45+
# https://cwrap.org/nss_wrapper.html
46+
RUN set -eux; \
47+
apt-get update; \
48+
apt-get install -y --no-install-recommends libnss-wrapper; \
49+
rm -rf /var/lib/apt/lists/*
50+
4351
RUN mkdir /docker-entrypoint-initdb.d
4452

4553
RUN set -ex; \

9.5/alpine/docker-entrypoint.sh

+18-1
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
11
#!/usr/bin/env bash
2-
set -e
2+
set -Eeo pipefail
3+
# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
34

45
# usage: file_env VAR [DEFAULT]
56
# ie: file_env 'XYZ_DB_PASSWORD' 'example'
@@ -54,12 +55,28 @@ if [ "$1" = 'postgres' ]; then
5455

5556
# look specifically for PG_VERSION, as it is expected in the DB dir
5657
if [ ! -s "$PGDATA/PG_VERSION" ]; then
58+
# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
59+
# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
60+
if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then
61+
export LD_PRELOAD='/usr/lib/libnss_wrapper.so'
62+
export NSS_WRAPPER_PASSWD="$(mktemp)"
63+
export NSS_WRAPPER_GROUP="$(mktemp)"
64+
echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"
65+
echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
66+
fi
67+
5768
file_env 'POSTGRES_INITDB_ARGS'
5869
if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
5970
export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR"
6071
fi
6172
eval "initdb --username=postgres $POSTGRES_INITDB_ARGS"
6273

74+
# unset/cleanup "nss_wrapper" bits
75+
if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then
76+
rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
77+
unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
78+
fi
79+
6380
# check password first so we can output the warning before postgres
6481
# messes it up
6582
file_env 'POSTGRES_PASSWORD'

9.5/docker-entrypoint.sh

+18-1
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,6 @@
11
#!/usr/bin/env bash
2-
set -e
2+
set -Eeo pipefail
3+
# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables)
34

45
# usage: file_env VAR [DEFAULT]
56
# ie: file_env 'XYZ_DB_PASSWORD' 'example'
@@ -54,12 +55,28 @@ if [ "$1" = 'postgres' ]; then
5455

5556
# look specifically for PG_VERSION, as it is expected in the DB dir
5657
if [ ! -s "$PGDATA/PG_VERSION" ]; then
58+
# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary
59+
# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html
60+
if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then
61+
export LD_PRELOAD='/usr/lib/libnss_wrapper.so'
62+
export NSS_WRAPPER_PASSWD="$(mktemp)"
63+
export NSS_WRAPPER_GROUP="$(mktemp)"
64+
echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"
65+
echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
66+
fi
67+
5768
file_env 'POSTGRES_INITDB_ARGS'
5869
if [ "$POSTGRES_INITDB_XLOGDIR" ]; then
5970
export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR"
6071
fi
6172
eval "initdb --username=postgres $POSTGRES_INITDB_ARGS"
6273

74+
# unset/cleanup "nss_wrapper" bits
75+
if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then
76+
rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"
77+
unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP
78+
fi
79+
6380
# check password first so we can output the warning before postgres
6481
# messes it up
6582
file_env 'POSTGRES_PASSWORD'

9.6/Dockerfile

+8
Original file line numberDiff line numberDiff line change
@@ -40,6 +40,14 @@ RUN set -eux; \
4040
localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
4141
ENV LANG en_US.utf8
4242

43+
# install "nss_wrapper" in case we need to fake "/etc/passwd" and "/etc/group" (especially for OpenShift)
44+
# https://github.com/docker-library/postgres/issues/359
45+
# https://cwrap.org/nss_wrapper.html
46+
RUN set -eux; \
47+
apt-get update; \
48+
apt-get install -y --no-install-recommends libnss-wrapper; \
49+
rm -rf /var/lib/apt/lists/*
50+
4351
RUN mkdir /docker-entrypoint-initdb.d
4452

4553
RUN set -ex; \

0 commit comments

Comments
 (0)