diff --git a/UBI/12/.versions.json b/UBI/12/.versions.json index 10bfe0ac..292a366d 100644 --- a/UBI/12/.versions.json +++ b/UBI/12/.versions.json @@ -2,5 +2,7 @@ "BARMAN_VERSION": "3.9.0", "IMAGE_RELEASE_VERSION": "4", "POSTGRES_VERSION": "12.17", - "UBI_VERSION": "8.9-1107.1705420509" + "UBI8_VERSION": "8.9-1107.1705420509", + "UBI9_VERSION": "9.3-1476", + "UBI_VERSION": "8.9-1107" } diff --git a/UBI/12/Dockerfile.multiarch b/UBI/12/Dockerfile.multiarch.ubi8 similarity index 100% rename from UBI/12/Dockerfile.multiarch rename to UBI/12/Dockerfile.multiarch.ubi8 diff --git a/UBI/12/Dockerfile.multiarch.ubi9 b/UBI/12/Dockerfile.multiarch.ubi9 new file mode 100644 index 00000000..1c6a8774 --- /dev/null +++ b/UBI/12/Dockerfile.multiarch.ubi9 @@ -0,0 +1,137 @@ +# vim:set ft=dockerfile: +FROM quay.io/enterprisedb/edb-ubi:9.3-1476 + +# Do not split the description, otherwise we will see a blank space in the labels +LABEL name="PostgreSQL Container Images" \ + vendor="EnterpriseDB" \ + url="https://www.enterprisedb.com/" \ + version="12.17" \ + release="4" \ + summary="PostgreSQL Container images." \ + description="This Docker image contains PostgreSQL and Barman Cloud based on RedHat Universal Base Images (UBI) 9." + +COPY root/ / + +ARG TARGETARCH +RUN --mount=type=secret,id=cs_token \ + set -xe ; \ + ARCH="${TARGETARCH}" ; \ + base_url="https://download.postgresql.org/pub/repos/yum/reporpms" ; \ + pg_failover_slots_pkg="pg_failover_slots_12" ; \ + case $ARCH in \ + amd64) \ + yum -y install "${base_url}/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + arm64) \ + yum -y install "${base_url}/EL-9-aarch64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + ppc64le) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg12-pg-failover-slots1" ;; \ + s390x) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/edb/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg12-pg-failover-slots1" ;; \ + *) \ + exit 1 ;; \ + esac ; \ + yum -y upgrade glibc-common ; \ + yum -y reinstall glibc-common ; \ + rm -fr /etc/rpm/macros.image-language-conf ; \ + yum -y install hostname rsync tar gettext bind-utils nss_wrapper glibc-locale-source glibc-langpack-en glibc-all-langpacks ; \ + case 12 in \ + 11|12|13|14) \ + yum -y --setopt=tsflags=nodocs install \ + postgresql12-12.17 \ + postgresql12-contrib-12.17 \ + postgresql12-server-12.17 \ + postgresql12-libs-12.17 \ + pgaudit14_12 \ + "$pg_failover_slots_pkg" \ + ;; \ + 15|16) \ + yum -y --setopt=tsflags=nodocs install \ + postgresql12-12.17 \ + postgresql12-contrib-12.17 \ + postgresql12-server-12.17 \ + postgresql12-libs-12.17 \ + ;; \ + *) \ + exit 1 ;; \ + esac ; \ + rm -fr /etc/yum.repos.d/enterprisedb-*.repo ; \ + rm -fr /tmp/* ; \ + yum -y clean all --enablerepo='*' + +# Install barman-cloud +RUN set -xe ; \ + yum -y install python3.11-pip python3.11-psycopg2 ; \ + pip3.11 install --upgrade pip ; \ + pip3.11 install -r requirements.txt ; \ + yum -y clean all --enablerepo='*' + +# make the sample config easier to munge (and "correct by default") +RUN set -eux; \ + sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/pgsql-12/share/postgresql.conf.sample; \ + grep -F "listen_addresses = '*'" /usr/pgsql-12/share/postgresql.conf.sample + +# prepare the environment and make sure postgres user has the correct UID +RUN set -xeu ; \ + localedef -f UTF-8 -i en_US en_US.UTF-8 ; \ + test "$(id postgres)" = "uid=26(postgres) gid=26(postgres) groups=26(postgres)" ; \ + mkdir -p /var/run/postgresql ; \ + chown postgres:postgres /var/run/postgresql ; \ + chmod 0755 /var/run/postgresql + +ENV PATH $PATH:/usr/pgsql-12/bin + +RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql + +ENV PGDATA /var/lib/postgresql/data/pgdata +# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values) +RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" +VOLUME /var/lib/postgresql/data + +RUN mkdir /docker-entrypoint-initdb.d + +# Remove example certificates in pem and enc format from /usr/share/doc folder +RUN find /usr/share/doc -type f '(' -iname "*.pem" -o -iname "*.enc" ')' -exec rm -rf {} \; || true + +# DoD 2.3 - remove setuid/setgid from any binary that not strictly requires it, and before doing that list them on the stdout +RUN find / -not -path "/proc/*" -perm /6000 -type f -exec ls -ld {} \; -exec chmod a-s {} \; || true + +USER 26 + +ENTRYPOINT ["docker-entrypoint.sh"] + +# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL +# calls "Fast Shutdown mode" wherein new connections are disallowed and any +# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and +# flush tables to disk, which is the best compromise available to avoid data +# corruption. +# +# Users who know their applications do not keep open long-lived idle connections +# may way to use a value of SIGTERM instead, which corresponds to "Smart +# Shutdown mode" in which any existing sessions are allowed to finish and the +# server stops when all sessions are terminated. +# +# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# about available PostgreSQL server shutdown signals. +# +# See also https://www.postgresql.org/docs/12/server-start.html for further +# justification of this as the default value, namely that the example (and +# shipped) systemd service files use the "Fast Shutdown mode" for service +# termination. +# +STOPSIGNAL SIGINT +# +# An additional setting that is recommended for all users regardless of this +# value is the runtime "--stop-timeout" (or your orchestrator/runtime's +# equivalent) for controlling how long to wait between sending the defined +# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# +# The default in most runtimes (such as Docker) is 10 seconds, and the +# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# that even 90 seconds may not be long enough in many instances. + +EXPOSE 5432 +CMD ["postgres"] diff --git a/UBI/12/Dockerfile.multilang b/UBI/12/Dockerfile.multilang.ubi8 similarity index 100% rename from UBI/12/Dockerfile.multilang rename to UBI/12/Dockerfile.multilang.ubi8 diff --git a/UBI/12/Dockerfile.multilang.ubi9 b/UBI/12/Dockerfile.multilang.ubi9 new file mode 100644 index 00000000..b3de9c3c --- /dev/null +++ b/UBI/12/Dockerfile.multilang.ubi9 @@ -0,0 +1,129 @@ +# vim:set ft=dockerfile: +FROM quay.io/enterprisedb/edb-ubi:9.3-1476 + +# Do not split the description, otherwise we will see a blank space in the labels +LABEL name="PostgreSQL Container Images" \ + vendor="EnterpriseDB" \ + url="https://www.enterprisedb.com/" \ + version="12.17" \ + release="4" \ + summary="PostgreSQL Container images." \ + description="This Docker image contains PostgreSQL and Barman Cloud based on RedHat Universal Base Images (UBI) 9." + +COPY root/ / + +ARG TARGETARCH +RUN --mount=type=secret,id=cs_token \ + set -xe ; \ + ARCH="${TARGETARCH}" ; \ + base_url="https://download.postgresql.org/pub/repos/yum/reporpms" ; \ + pg_failover_slots_pkg="pg_failover_slots_12" ; \ + case $ARCH in \ + amd64) \ + yum -y install "${base_url}/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + arm64) \ + yum -y install "${base_url}/EL-9-aarch64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + ppc64le) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg12-pg-failover-slots1" ;; \ + s390x) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/edb/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg12-pg-failover-slots1" ;; \ + *) \ + exit 1 ;; \ + esac ; \ + yum -y upgrade glibc-common ; \ + yum -y reinstall glibc-common ; \ + rm -fr /etc/rpm/macros.image-language-conf ; \ + yum -y install hostname rsync tar gettext bind-utils nss_wrapper glibc-locale-source glibc-langpack-en glibc-all-langpacks ; \ + yum -y --setopt=tsflags=nodocs install \ + postgresql12-12.17 \ + postgresql12-contrib-12.17 \ + postgresql12-server-12.17 \ + postgresql12-libs-12.17 \ + "$pg_failover_slots_pkg" \ + ; \ + if [ "$PG_MAJOR" -lt "16" ]; then \ + yum -y --setopt=tsflags=nodocs install \ + pgaudit14_12 \ + ; \ + fi; \ + rm -fr /etc/yum.repos.d/enterprisedb-*.repo ; \ + rm -fr /tmp/* ; \ + yum -y clean all --enablerepo='*' + +# Install barman-cloud +RUN set -xe ; \ + yum -y install python3.11-pip python3.11-psycopg2 ; \ + pip3.11 install --upgrade pip ; \ + pip3.11 install -r requirements.txt ; \ + yum -y clean all --enablerepo='*' + +# make the sample config easier to munge (and "correct by default") +RUN set -eux; \ + sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/pgsql-12/share/postgresql.conf.sample; \ + grep -F "listen_addresses = '*'" /usr/pgsql-12/share/postgresql.conf.sample + +# prepare the environment and make sure postgres user has the correct UID +RUN set -xeu ; \ + localedef -f UTF-8 -i en_US en_US.UTF-8 ; \ + test "$(id postgres)" = "uid=26(postgres) gid=26(postgres) groups=26(postgres)" ; \ + mkdir -p /var/run/postgresql ; \ + chown postgres:postgres /var/run/postgresql ; \ + chmod 0755 /var/run/postgresql + +ENV PATH $PATH:/usr/pgsql-12/bin + +RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql + +ENV PGDATA /var/lib/postgresql/data/pgdata +# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values) +RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" +VOLUME /var/lib/postgresql/data + +RUN mkdir /docker-entrypoint-initdb.d + +# Remove example certificates in pem and enc format from /usr/share/doc folder +RUN find /usr/share/doc -type f '(' -iname "*.pem" -o -iname "*.enc" ')' -exec rm -rf {} \; || true + +# DoD 2.3 - remove setuid/setgid from any binary that not strictly requires it, and before doing that list them on the stdout +RUN find / -not -path "/proc/*" -perm /6000 -type f -exec ls -ld {} \; -exec chmod a-s {} \; || true + +USER 26 + +ENTRYPOINT ["docker-entrypoint.sh"] + +# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL +# calls "Fast Shutdown mode" wherein new connections are disallowed and any +# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and +# flush tables to disk, which is the best compromise available to avoid data +# corruption. +# +# Users who know their applications do not keep open long-lived idle connections +# may way to use a value of SIGTERM instead, which corresponds to "Smart +# Shutdown mode" in which any existing sessions are allowed to finish and the +# server stops when all sessions are terminated. +# +# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# about available PostgreSQL server shutdown signals. +# +# See also https://www.postgresql.org/docs/12/server-start.html for further +# justification of this as the default value, namely that the example (and +# shipped) systemd service files use the "Fast Shutdown mode" for service +# termination. +# +STOPSIGNAL SIGINT +# +# An additional setting that is recommended for all users regardless of this +# value is the runtime "--stop-timeout" (or your orchestrator/runtime's +# equivalent) for controlling how long to wait between sending the defined +# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# +# The default in most runtimes (such as Docker) is 10 seconds, and the +# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# that even 90 seconds may not be long enough in many instances. + +EXPOSE 5432 +CMD ["postgres"] diff --git a/UBI/12/Dockerfile b/UBI/12/Dockerfile.ubi8 similarity index 100% rename from UBI/12/Dockerfile rename to UBI/12/Dockerfile.ubi8 diff --git a/UBI/12/Dockerfile.ubi9 b/UBI/12/Dockerfile.ubi9 new file mode 100644 index 00000000..1e93f010 --- /dev/null +++ b/UBI/12/Dockerfile.ubi9 @@ -0,0 +1,128 @@ +# vim:set ft=dockerfile: +FROM quay.io/enterprisedb/edb-ubi:9.3-1476 + +# Do not split the description, otherwise we will see a blank space in the labels +LABEL name="PostgreSQL Container Images" \ + vendor="EnterpriseDB" \ + url="https://www.enterprisedb.com/" \ + version="12.17" \ + release="4" \ + summary="PostgreSQL Container images." \ + description="This Docker image contains PostgreSQL and Barman Cloud based on RedHat Universal Base Images (UBI) 9." + +COPY root/ / + +ARG TARGETARCH +RUN --mount=type=secret,id=cs_token \ + set -xe ; \ + ARCH="${TARGETARCH}" ; \ + base_url="https://download.postgresql.org/pub/repos/yum/reporpms" ; \ + pg_failover_slots_pkg="pg_failover_slots_12" ; \ + case $ARCH in \ + amd64) \ + yum -y install "${base_url}/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + arm64) \ + yum -y install "${base_url}/EL-9-aarch64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + ppc64le) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg12-pg-failover-slots1" ;; \ + s390x) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/edb/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg12-pg-failover-slots1" ;; \ + *) \ + exit 1 ;; \ + esac ; \ + yum -y upgrade glibc-common ; \ + yum -y reinstall glibc-common ; \ + yum -y install hostname rsync tar gettext bind-utils nss_wrapper glibc-locale-source glibc-langpack-en ; \ + yum -y --setopt=tsflags=nodocs install \ + postgresql12-12.17 \ + postgresql12-contrib-12.17 \ + postgresql12-server-12.17 \ + postgresql12-libs-12.17 \ + "$pg_failover_slots_pkg" \ + ; \ + if [ "$PG_MAJOR" -lt "16" ]; then \ + yum -y --setopt=tsflags=nodocs install \ + pgaudit14_12 \ + ; \ + fi; \ + rm -fr /etc/yum.repos.d/enterprisedb-*.repo ; \ + rm -fr /tmp/* ; \ + yum -y clean all --enablerepo='*' + +# Install barman-cloud +RUN set -xe ; \ + yum -y install python3.11-pip python3.11-psycopg2 ; \ + pip3.11 install --upgrade pip ; \ + pip3.11 install -r requirements.txt ; \ + yum -y clean all --enablerepo='*' + +# make the sample config easier to munge (and "correct by default") +RUN set -eux; \ + sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/pgsql-12/share/postgresql.conf.sample; \ + grep -F "listen_addresses = '*'" /usr/pgsql-12/share/postgresql.conf.sample + +# prepare the environment and make sure postgres user has the correct UID +RUN set -xeu ; \ + localedef -f UTF-8 -i en_US en_US.UTF-8 ; \ + test "$(id postgres)" = "uid=26(postgres) gid=26(postgres) groups=26(postgres)" ; \ + mkdir -p /var/run/postgresql ; \ + chown postgres:postgres /var/run/postgresql ; \ + chmod 0755 /var/run/postgresql + +ENV PATH $PATH:/usr/pgsql-12/bin + +RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql + +ENV PGDATA /var/lib/postgresql/data/pgdata +# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values) +RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" +VOLUME /var/lib/postgresql/data + +RUN mkdir /docker-entrypoint-initdb.d + +# Remove example certificates in pem and enc format from /usr/share/doc folder +RUN find /usr/share/doc -type f '(' -iname "*.pem" -o -iname "*.enc" ')' -exec rm -rf {} \; || true + +# DoD 2.3 - remove setuid/setgid from any binary that not strictly requires it, and before doing that list them on the stdout +RUN find / -not -path "/proc/*" -perm /6000 -type f -exec ls -ld {} \; -exec chmod a-s {} \; || true + +USER 26 + +ENTRYPOINT ["docker-entrypoint.sh"] + +# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL +# calls "Fast Shutdown mode" wherein new connections are disallowed and any +# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and +# flush tables to disk, which is the best compromise available to avoid data +# corruption. +# +# Users who know their applications do not keep open long-lived idle connections +# may way to use a value of SIGTERM instead, which corresponds to "Smart +# Shutdown mode" in which any existing sessions are allowed to finish and the +# server stops when all sessions are terminated. +# +# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# about available PostgreSQL server shutdown signals. +# +# See also https://www.postgresql.org/docs/12/server-start.html for further +# justification of this as the default value, namely that the example (and +# shipped) systemd service files use the "Fast Shutdown mode" for service +# termination. +# +STOPSIGNAL SIGINT +# +# An additional setting that is recommended for all users regardless of this +# value is the runtime "--stop-timeout" (or your orchestrator/runtime's +# equivalent) for controlling how long to wait between sending the defined +# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# +# The default in most runtimes (such as Docker) is 10 seconds, and the +# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# that even 90 seconds may not be long enough in many instances. + +EXPOSE 5432 +CMD ["postgres"] diff --git a/UBI/12/root/requirements.txt b/UBI/12/root/requirements.txt index b52f5663..2fd22517 100644 --- a/UBI/12/root/requirements.txt +++ b/UBI/12/root/requirements.txt @@ -1,5 +1,5 @@ # -# This file is autogenerated by pip-compile with Python 3.11 +# This file is autogenerated by pip-compile with Python 3.10 # by the following command: # # pip-compile --generate-hashes diff --git a/UBI/13/.versions.json b/UBI/13/.versions.json index d4d562c1..28bcb52d 100644 --- a/UBI/13/.versions.json +++ b/UBI/13/.versions.json @@ -2,5 +2,7 @@ "BARMAN_VERSION": "3.9.0", "IMAGE_RELEASE_VERSION": "4", "POSTGRES_VERSION": "13.13", - "UBI_VERSION": "8.9-1107.1705420509" + "UBI8_VERSION": "8.9-1107.1705420509", + "UBI9_VERSION": "9.3-1476", + "UBI_VERSION": "8.9-1107" } diff --git a/UBI/13/Dockerfile.multiarch b/UBI/13/Dockerfile.multiarch.ubi8 similarity index 100% rename from UBI/13/Dockerfile.multiarch rename to UBI/13/Dockerfile.multiarch.ubi8 diff --git a/UBI/13/Dockerfile.multiarch.ubi9 b/UBI/13/Dockerfile.multiarch.ubi9 new file mode 100644 index 00000000..5c62940a --- /dev/null +++ b/UBI/13/Dockerfile.multiarch.ubi9 @@ -0,0 +1,137 @@ +# vim:set ft=dockerfile: +FROM quay.io/enterprisedb/edb-ubi:9.3-1476 + +# Do not split the description, otherwise we will see a blank space in the labels +LABEL name="PostgreSQL Container Images" \ + vendor="EnterpriseDB" \ + url="https://www.enterprisedb.com/" \ + version="13.13" \ + release="4" \ + summary="PostgreSQL Container images." \ + description="This Docker image contains PostgreSQL and Barman Cloud based on RedHat Universal Base Images (UBI) 9." + +COPY root/ / + +ARG TARGETARCH +RUN --mount=type=secret,id=cs_token \ + set -xe ; \ + ARCH="${TARGETARCH}" ; \ + base_url="https://download.postgresql.org/pub/repos/yum/reporpms" ; \ + pg_failover_slots_pkg="pg_failover_slots_13" ; \ + case $ARCH in \ + amd64) \ + yum -y install "${base_url}/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + arm64) \ + yum -y install "${base_url}/EL-9-aarch64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + ppc64le) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg13-pg-failover-slots1" ;; \ + s390x) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/edb/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg13-pg-failover-slots1" ;; \ + *) \ + exit 1 ;; \ + esac ; \ + yum -y upgrade glibc-common ; \ + yum -y reinstall glibc-common ; \ + rm -fr /etc/rpm/macros.image-language-conf ; \ + yum -y install hostname rsync tar gettext bind-utils nss_wrapper glibc-locale-source glibc-langpack-en glibc-all-langpacks ; \ + case 13 in \ + 11|12|13|14) \ + yum -y --setopt=tsflags=nodocs install \ + postgresql13-13.13 \ + postgresql13-contrib-13.13 \ + postgresql13-server-13.13 \ + postgresql13-libs-13.13 \ + pgaudit15_13 \ + "$pg_failover_slots_pkg" \ + ;; \ + 15|16) \ + yum -y --setopt=tsflags=nodocs install \ + postgresql13-13.13 \ + postgresql13-contrib-13.13 \ + postgresql13-server-13.13 \ + postgresql13-libs-13.13 \ + ;; \ + *) \ + exit 1 ;; \ + esac ; \ + rm -fr /etc/yum.repos.d/enterprisedb-*.repo ; \ + rm -fr /tmp/* ; \ + yum -y clean all --enablerepo='*' + +# Install barman-cloud +RUN set -xe ; \ + yum -y install python3.11-pip python3.11-psycopg2 ; \ + pip3.11 install --upgrade pip ; \ + pip3.11 install -r requirements.txt ; \ + yum -y clean all --enablerepo='*' + +# make the sample config easier to munge (and "correct by default") +RUN set -eux; \ + sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/pgsql-13/share/postgresql.conf.sample; \ + grep -F "listen_addresses = '*'" /usr/pgsql-13/share/postgresql.conf.sample + +# prepare the environment and make sure postgres user has the correct UID +RUN set -xeu ; \ + localedef -f UTF-8 -i en_US en_US.UTF-8 ; \ + test "$(id postgres)" = "uid=26(postgres) gid=26(postgres) groups=26(postgres)" ; \ + mkdir -p /var/run/postgresql ; \ + chown postgres:postgres /var/run/postgresql ; \ + chmod 0755 /var/run/postgresql + +ENV PATH $PATH:/usr/pgsql-13/bin + +RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql + +ENV PGDATA /var/lib/postgresql/data/pgdata +# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values) +RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" +VOLUME /var/lib/postgresql/data + +RUN mkdir /docker-entrypoint-initdb.d + +# Remove example certificates in pem and enc format from /usr/share/doc folder +RUN find /usr/share/doc -type f '(' -iname "*.pem" -o -iname "*.enc" ')' -exec rm -rf {} \; || true + +# DoD 2.3 - remove setuid/setgid from any binary that not strictly requires it, and before doing that list them on the stdout +RUN find / -not -path "/proc/*" -perm /6000 -type f -exec ls -ld {} \; -exec chmod a-s {} \; || true + +USER 26 + +ENTRYPOINT ["docker-entrypoint.sh"] + +# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL +# calls "Fast Shutdown mode" wherein new connections are disallowed and any +# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and +# flush tables to disk, which is the best compromise available to avoid data +# corruption. +# +# Users who know their applications do not keep open long-lived idle connections +# may way to use a value of SIGTERM instead, which corresponds to "Smart +# Shutdown mode" in which any existing sessions are allowed to finish and the +# server stops when all sessions are terminated. +# +# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# about available PostgreSQL server shutdown signals. +# +# See also https://www.postgresql.org/docs/12/server-start.html for further +# justification of this as the default value, namely that the example (and +# shipped) systemd service files use the "Fast Shutdown mode" for service +# termination. +# +STOPSIGNAL SIGINT +# +# An additional setting that is recommended for all users regardless of this +# value is the runtime "--stop-timeout" (or your orchestrator/runtime's +# equivalent) for controlling how long to wait between sending the defined +# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# +# The default in most runtimes (such as Docker) is 10 seconds, and the +# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# that even 90 seconds may not be long enough in many instances. + +EXPOSE 5432 +CMD ["postgres"] diff --git a/UBI/13/Dockerfile.multilang b/UBI/13/Dockerfile.multilang.ubi8 similarity index 100% rename from UBI/13/Dockerfile.multilang rename to UBI/13/Dockerfile.multilang.ubi8 diff --git a/UBI/13/Dockerfile.multilang.ubi9 b/UBI/13/Dockerfile.multilang.ubi9 new file mode 100644 index 00000000..dd2df62a --- /dev/null +++ b/UBI/13/Dockerfile.multilang.ubi9 @@ -0,0 +1,129 @@ +# vim:set ft=dockerfile: +FROM quay.io/enterprisedb/edb-ubi:9.3-1476 + +# Do not split the description, otherwise we will see a blank space in the labels +LABEL name="PostgreSQL Container Images" \ + vendor="EnterpriseDB" \ + url="https://www.enterprisedb.com/" \ + version="13.13" \ + release="4" \ + summary="PostgreSQL Container images." \ + description="This Docker image contains PostgreSQL and Barman Cloud based on RedHat Universal Base Images (UBI) 9." + +COPY root/ / + +ARG TARGETARCH +RUN --mount=type=secret,id=cs_token \ + set -xe ; \ + ARCH="${TARGETARCH}" ; \ + base_url="https://download.postgresql.org/pub/repos/yum/reporpms" ; \ + pg_failover_slots_pkg="pg_failover_slots_13" ; \ + case $ARCH in \ + amd64) \ + yum -y install "${base_url}/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + arm64) \ + yum -y install "${base_url}/EL-9-aarch64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + ppc64le) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg13-pg-failover-slots1" ;; \ + s390x) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/edb/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg13-pg-failover-slots1" ;; \ + *) \ + exit 1 ;; \ + esac ; \ + yum -y upgrade glibc-common ; \ + yum -y reinstall glibc-common ; \ + rm -fr /etc/rpm/macros.image-language-conf ; \ + yum -y install hostname rsync tar gettext bind-utils nss_wrapper glibc-locale-source glibc-langpack-en glibc-all-langpacks ; \ + yum -y --setopt=tsflags=nodocs install \ + postgresql13-13.13 \ + postgresql13-contrib-13.13 \ + postgresql13-server-13.13 \ + postgresql13-libs-13.13 \ + "$pg_failover_slots_pkg" \ + ; \ + if [ "$PG_MAJOR" -lt "16" ]; then \ + yum -y --setopt=tsflags=nodocs install \ + pgaudit15_13 \ + ; \ + fi; \ + rm -fr /etc/yum.repos.d/enterprisedb-*.repo ; \ + rm -fr /tmp/* ; \ + yum -y clean all --enablerepo='*' + +# Install barman-cloud +RUN set -xe ; \ + yum -y install python3.11-pip python3.11-psycopg2 ; \ + pip3.11 install --upgrade pip ; \ + pip3.11 install -r requirements.txt ; \ + yum -y clean all --enablerepo='*' + +# make the sample config easier to munge (and "correct by default") +RUN set -eux; \ + sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/pgsql-13/share/postgresql.conf.sample; \ + grep -F "listen_addresses = '*'" /usr/pgsql-13/share/postgresql.conf.sample + +# prepare the environment and make sure postgres user has the correct UID +RUN set -xeu ; \ + localedef -f UTF-8 -i en_US en_US.UTF-8 ; \ + test "$(id postgres)" = "uid=26(postgres) gid=26(postgres) groups=26(postgres)" ; \ + mkdir -p /var/run/postgresql ; \ + chown postgres:postgres /var/run/postgresql ; \ + chmod 0755 /var/run/postgresql + +ENV PATH $PATH:/usr/pgsql-13/bin + +RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql + +ENV PGDATA /var/lib/postgresql/data/pgdata +# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values) +RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" +VOLUME /var/lib/postgresql/data + +RUN mkdir /docker-entrypoint-initdb.d + +# Remove example certificates in pem and enc format from /usr/share/doc folder +RUN find /usr/share/doc -type f '(' -iname "*.pem" -o -iname "*.enc" ')' -exec rm -rf {} \; || true + +# DoD 2.3 - remove setuid/setgid from any binary that not strictly requires it, and before doing that list them on the stdout +RUN find / -not -path "/proc/*" -perm /6000 -type f -exec ls -ld {} \; -exec chmod a-s {} \; || true + +USER 26 + +ENTRYPOINT ["docker-entrypoint.sh"] + +# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL +# calls "Fast Shutdown mode" wherein new connections are disallowed and any +# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and +# flush tables to disk, which is the best compromise available to avoid data +# corruption. +# +# Users who know their applications do not keep open long-lived idle connections +# may way to use a value of SIGTERM instead, which corresponds to "Smart +# Shutdown mode" in which any existing sessions are allowed to finish and the +# server stops when all sessions are terminated. +# +# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# about available PostgreSQL server shutdown signals. +# +# See also https://www.postgresql.org/docs/12/server-start.html for further +# justification of this as the default value, namely that the example (and +# shipped) systemd service files use the "Fast Shutdown mode" for service +# termination. +# +STOPSIGNAL SIGINT +# +# An additional setting that is recommended for all users regardless of this +# value is the runtime "--stop-timeout" (or your orchestrator/runtime's +# equivalent) for controlling how long to wait between sending the defined +# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# +# The default in most runtimes (such as Docker) is 10 seconds, and the +# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# that even 90 seconds may not be long enough in many instances. + +EXPOSE 5432 +CMD ["postgres"] diff --git a/UBI/13/Dockerfile b/UBI/13/Dockerfile.ubi8 similarity index 100% rename from UBI/13/Dockerfile rename to UBI/13/Dockerfile.ubi8 diff --git a/UBI/13/Dockerfile.ubi9 b/UBI/13/Dockerfile.ubi9 new file mode 100644 index 00000000..5418805d --- /dev/null +++ b/UBI/13/Dockerfile.ubi9 @@ -0,0 +1,128 @@ +# vim:set ft=dockerfile: +FROM quay.io/enterprisedb/edb-ubi:9.3-1476 + +# Do not split the description, otherwise we will see a blank space in the labels +LABEL name="PostgreSQL Container Images" \ + vendor="EnterpriseDB" \ + url="https://www.enterprisedb.com/" \ + version="13.13" \ + release="4" \ + summary="PostgreSQL Container images." \ + description="This Docker image contains PostgreSQL and Barman Cloud based on RedHat Universal Base Images (UBI) 9." + +COPY root/ / + +ARG TARGETARCH +RUN --mount=type=secret,id=cs_token \ + set -xe ; \ + ARCH="${TARGETARCH}" ; \ + base_url="https://download.postgresql.org/pub/repos/yum/reporpms" ; \ + pg_failover_slots_pkg="pg_failover_slots_13" ; \ + case $ARCH in \ + amd64) \ + yum -y install "${base_url}/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + arm64) \ + yum -y install "${base_url}/EL-9-aarch64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + ppc64le) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg13-pg-failover-slots1" ;; \ + s390x) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/edb/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg13-pg-failover-slots1" ;; \ + *) \ + exit 1 ;; \ + esac ; \ + yum -y upgrade glibc-common ; \ + yum -y reinstall glibc-common ; \ + yum -y install hostname rsync tar gettext bind-utils nss_wrapper glibc-locale-source glibc-langpack-en ; \ + yum -y --setopt=tsflags=nodocs install \ + postgresql13-13.13 \ + postgresql13-contrib-13.13 \ + postgresql13-server-13.13 \ + postgresql13-libs-13.13 \ + "$pg_failover_slots_pkg" \ + ; \ + if [ "$PG_MAJOR" -lt "16" ]; then \ + yum -y --setopt=tsflags=nodocs install \ + pgaudit15_13 \ + ; \ + fi; \ + rm -fr /etc/yum.repos.d/enterprisedb-*.repo ; \ + rm -fr /tmp/* ; \ + yum -y clean all --enablerepo='*' + +# Install barman-cloud +RUN set -xe ; \ + yum -y install python3.11-pip python3.11-psycopg2 ; \ + pip3.11 install --upgrade pip ; \ + pip3.11 install -r requirements.txt ; \ + yum -y clean all --enablerepo='*' + +# make the sample config easier to munge (and "correct by default") +RUN set -eux; \ + sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/pgsql-13/share/postgresql.conf.sample; \ + grep -F "listen_addresses = '*'" /usr/pgsql-13/share/postgresql.conf.sample + +# prepare the environment and make sure postgres user has the correct UID +RUN set -xeu ; \ + localedef -f UTF-8 -i en_US en_US.UTF-8 ; \ + test "$(id postgres)" = "uid=26(postgres) gid=26(postgres) groups=26(postgres)" ; \ + mkdir -p /var/run/postgresql ; \ + chown postgres:postgres /var/run/postgresql ; \ + chmod 0755 /var/run/postgresql + +ENV PATH $PATH:/usr/pgsql-13/bin + +RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql + +ENV PGDATA /var/lib/postgresql/data/pgdata +# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values) +RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" +VOLUME /var/lib/postgresql/data + +RUN mkdir /docker-entrypoint-initdb.d + +# Remove example certificates in pem and enc format from /usr/share/doc folder +RUN find /usr/share/doc -type f '(' -iname "*.pem" -o -iname "*.enc" ')' -exec rm -rf {} \; || true + +# DoD 2.3 - remove setuid/setgid from any binary that not strictly requires it, and before doing that list them on the stdout +RUN find / -not -path "/proc/*" -perm /6000 -type f -exec ls -ld {} \; -exec chmod a-s {} \; || true + +USER 26 + +ENTRYPOINT ["docker-entrypoint.sh"] + +# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL +# calls "Fast Shutdown mode" wherein new connections are disallowed and any +# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and +# flush tables to disk, which is the best compromise available to avoid data +# corruption. +# +# Users who know their applications do not keep open long-lived idle connections +# may way to use a value of SIGTERM instead, which corresponds to "Smart +# Shutdown mode" in which any existing sessions are allowed to finish and the +# server stops when all sessions are terminated. +# +# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# about available PostgreSQL server shutdown signals. +# +# See also https://www.postgresql.org/docs/12/server-start.html for further +# justification of this as the default value, namely that the example (and +# shipped) systemd service files use the "Fast Shutdown mode" for service +# termination. +# +STOPSIGNAL SIGINT +# +# An additional setting that is recommended for all users regardless of this +# value is the runtime "--stop-timeout" (or your orchestrator/runtime's +# equivalent) for controlling how long to wait between sending the defined +# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# +# The default in most runtimes (such as Docker) is 10 seconds, and the +# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# that even 90 seconds may not be long enough in many instances. + +EXPOSE 5432 +CMD ["postgres"] diff --git a/UBI/13/root/requirements.txt b/UBI/13/root/requirements.txt index b52f5663..2fd22517 100644 --- a/UBI/13/root/requirements.txt +++ b/UBI/13/root/requirements.txt @@ -1,5 +1,5 @@ # -# This file is autogenerated by pip-compile with Python 3.11 +# This file is autogenerated by pip-compile with Python 3.10 # by the following command: # # pip-compile --generate-hashes diff --git a/UBI/14/.versions.json b/UBI/14/.versions.json index 6f714a37..b7e64b4d 100644 --- a/UBI/14/.versions.json +++ b/UBI/14/.versions.json @@ -2,5 +2,7 @@ "BARMAN_VERSION": "3.9.0", "IMAGE_RELEASE_VERSION": "4", "POSTGRES_VERSION": "14.10", - "UBI_VERSION": "8.9-1107.1705420509" + "UBI8_VERSION": "8.9-1107.1705420509", + "UBI9_VERSION": "9.3-1476", + "UBI_VERSION": "8.9-1107" } diff --git a/UBI/14/Dockerfile.multiarch b/UBI/14/Dockerfile.multiarch.ubi8 similarity index 100% rename from UBI/14/Dockerfile.multiarch rename to UBI/14/Dockerfile.multiarch.ubi8 diff --git a/UBI/14/Dockerfile.multiarch.ubi9 b/UBI/14/Dockerfile.multiarch.ubi9 new file mode 100644 index 00000000..10134613 --- /dev/null +++ b/UBI/14/Dockerfile.multiarch.ubi9 @@ -0,0 +1,137 @@ +# vim:set ft=dockerfile: +FROM quay.io/enterprisedb/edb-ubi:9.3-1476 + +# Do not split the description, otherwise we will see a blank space in the labels +LABEL name="PostgreSQL Container Images" \ + vendor="EnterpriseDB" \ + url="https://www.enterprisedb.com/" \ + version="14.10" \ + release="4" \ + summary="PostgreSQL Container images." \ + description="This Docker image contains PostgreSQL and Barman Cloud based on RedHat Universal Base Images (UBI) 9." + +COPY root/ / + +ARG TARGETARCH +RUN --mount=type=secret,id=cs_token \ + set -xe ; \ + ARCH="${TARGETARCH}" ; \ + base_url="https://download.postgresql.org/pub/repos/yum/reporpms" ; \ + pg_failover_slots_pkg="pg_failover_slots_14" ; \ + case $ARCH in \ + amd64) \ + yum -y install "${base_url}/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + arm64) \ + yum -y install "${base_url}/EL-9-aarch64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + ppc64le) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg14-pg-failover-slots1" ;; \ + s390x) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/edb/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg14-pg-failover-slots1" ;; \ + *) \ + exit 1 ;; \ + esac ; \ + yum -y upgrade glibc-common ; \ + yum -y reinstall glibc-common ; \ + rm -fr /etc/rpm/macros.image-language-conf ; \ + yum -y install hostname rsync tar gettext bind-utils nss_wrapper glibc-locale-source glibc-langpack-en glibc-all-langpacks ; \ + case 14 in \ + 11|12|13|14) \ + yum -y --setopt=tsflags=nodocs install \ + postgresql14-14.10 \ + postgresql14-contrib-14.10 \ + postgresql14-server-14.10 \ + postgresql14-libs-14.10 \ + pgaudit16_14 \ + "$pg_failover_slots_pkg" \ + ;; \ + 15|16) \ + yum -y --setopt=tsflags=nodocs install \ + postgresql14-14.10 \ + postgresql14-contrib-14.10 \ + postgresql14-server-14.10 \ + postgresql14-libs-14.10 \ + ;; \ + *) \ + exit 1 ;; \ + esac ; \ + rm -fr /etc/yum.repos.d/enterprisedb-*.repo ; \ + rm -fr /tmp/* ; \ + yum -y clean all --enablerepo='*' + +# Install barman-cloud +RUN set -xe ; \ + yum -y install python3.11-pip python3.11-psycopg2 ; \ + pip3.11 install --upgrade pip ; \ + pip3.11 install -r requirements.txt ; \ + yum -y clean all --enablerepo='*' + +# make the sample config easier to munge (and "correct by default") +RUN set -eux; \ + sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/pgsql-14/share/postgresql.conf.sample; \ + grep -F "listen_addresses = '*'" /usr/pgsql-14/share/postgresql.conf.sample + +# prepare the environment and make sure postgres user has the correct UID +RUN set -xeu ; \ + localedef -f UTF-8 -i en_US en_US.UTF-8 ; \ + test "$(id postgres)" = "uid=26(postgres) gid=26(postgres) groups=26(postgres)" ; \ + mkdir -p /var/run/postgresql ; \ + chown postgres:postgres /var/run/postgresql ; \ + chmod 0755 /var/run/postgresql + +ENV PATH $PATH:/usr/pgsql-14/bin + +RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql + +ENV PGDATA /var/lib/postgresql/data/pgdata +# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values) +RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" +VOLUME /var/lib/postgresql/data + +RUN mkdir /docker-entrypoint-initdb.d + +# Remove example certificates in pem and enc format from /usr/share/doc folder +RUN find /usr/share/doc -type f '(' -iname "*.pem" -o -iname "*.enc" ')' -exec rm -rf {} \; || true + +# DoD 2.3 - remove setuid/setgid from any binary that not strictly requires it, and before doing that list them on the stdout +RUN find / -not -path "/proc/*" -perm /6000 -type f -exec ls -ld {} \; -exec chmod a-s {} \; || true + +USER 26 + +ENTRYPOINT ["docker-entrypoint.sh"] + +# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL +# calls "Fast Shutdown mode" wherein new connections are disallowed and any +# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and +# flush tables to disk, which is the best compromise available to avoid data +# corruption. +# +# Users who know their applications do not keep open long-lived idle connections +# may way to use a value of SIGTERM instead, which corresponds to "Smart +# Shutdown mode" in which any existing sessions are allowed to finish and the +# server stops when all sessions are terminated. +# +# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# about available PostgreSQL server shutdown signals. +# +# See also https://www.postgresql.org/docs/12/server-start.html for further +# justification of this as the default value, namely that the example (and +# shipped) systemd service files use the "Fast Shutdown mode" for service +# termination. +# +STOPSIGNAL SIGINT +# +# An additional setting that is recommended for all users regardless of this +# value is the runtime "--stop-timeout" (or your orchestrator/runtime's +# equivalent) for controlling how long to wait between sending the defined +# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# +# The default in most runtimes (such as Docker) is 10 seconds, and the +# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# that even 90 seconds may not be long enough in many instances. + +EXPOSE 5432 +CMD ["postgres"] diff --git a/UBI/14/Dockerfile.multilang b/UBI/14/Dockerfile.multilang.ubi8 similarity index 100% rename from UBI/14/Dockerfile.multilang rename to UBI/14/Dockerfile.multilang.ubi8 diff --git a/UBI/14/Dockerfile.multilang.ubi9 b/UBI/14/Dockerfile.multilang.ubi9 new file mode 100644 index 00000000..baab594a --- /dev/null +++ b/UBI/14/Dockerfile.multilang.ubi9 @@ -0,0 +1,129 @@ +# vim:set ft=dockerfile: +FROM quay.io/enterprisedb/edb-ubi:9.3-1476 + +# Do not split the description, otherwise we will see a blank space in the labels +LABEL name="PostgreSQL Container Images" \ + vendor="EnterpriseDB" \ + url="https://www.enterprisedb.com/" \ + version="14.10" \ + release="4" \ + summary="PostgreSQL Container images." \ + description="This Docker image contains PostgreSQL and Barman Cloud based on RedHat Universal Base Images (UBI) 9." + +COPY root/ / + +ARG TARGETARCH +RUN --mount=type=secret,id=cs_token \ + set -xe ; \ + ARCH="${TARGETARCH}" ; \ + base_url="https://download.postgresql.org/pub/repos/yum/reporpms" ; \ + pg_failover_slots_pkg="pg_failover_slots_14" ; \ + case $ARCH in \ + amd64) \ + yum -y install "${base_url}/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + arm64) \ + yum -y install "${base_url}/EL-9-aarch64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + ppc64le) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg14-pg-failover-slots1" ;; \ + s390x) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/edb/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg14-pg-failover-slots1" ;; \ + *) \ + exit 1 ;; \ + esac ; \ + yum -y upgrade glibc-common ; \ + yum -y reinstall glibc-common ; \ + rm -fr /etc/rpm/macros.image-language-conf ; \ + yum -y install hostname rsync tar gettext bind-utils nss_wrapper glibc-locale-source glibc-langpack-en glibc-all-langpacks ; \ + yum -y --setopt=tsflags=nodocs install \ + postgresql14-14.10 \ + postgresql14-contrib-14.10 \ + postgresql14-server-14.10 \ + postgresql14-libs-14.10 \ + "$pg_failover_slots_pkg" \ + ; \ + if [ "$PG_MAJOR" -lt "16" ]; then \ + yum -y --setopt=tsflags=nodocs install \ + pgaudit16_14 \ + ; \ + fi; \ + rm -fr /etc/yum.repos.d/enterprisedb-*.repo ; \ + rm -fr /tmp/* ; \ + yum -y clean all --enablerepo='*' + +# Install barman-cloud +RUN set -xe ; \ + yum -y install python3.11-pip python3.11-psycopg2 ; \ + pip3.11 install --upgrade pip ; \ + pip3.11 install -r requirements.txt ; \ + yum -y clean all --enablerepo='*' + +# make the sample config easier to munge (and "correct by default") +RUN set -eux; \ + sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/pgsql-14/share/postgresql.conf.sample; \ + grep -F "listen_addresses = '*'" /usr/pgsql-14/share/postgresql.conf.sample + +# prepare the environment and make sure postgres user has the correct UID +RUN set -xeu ; \ + localedef -f UTF-8 -i en_US en_US.UTF-8 ; \ + test "$(id postgres)" = "uid=26(postgres) gid=26(postgres) groups=26(postgres)" ; \ + mkdir -p /var/run/postgresql ; \ + chown postgres:postgres /var/run/postgresql ; \ + chmod 0755 /var/run/postgresql + +ENV PATH $PATH:/usr/pgsql-14/bin + +RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql + +ENV PGDATA /var/lib/postgresql/data/pgdata +# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values) +RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" +VOLUME /var/lib/postgresql/data + +RUN mkdir /docker-entrypoint-initdb.d + +# Remove example certificates in pem and enc format from /usr/share/doc folder +RUN find /usr/share/doc -type f '(' -iname "*.pem" -o -iname "*.enc" ')' -exec rm -rf {} \; || true + +# DoD 2.3 - remove setuid/setgid from any binary that not strictly requires it, and before doing that list them on the stdout +RUN find / -not -path "/proc/*" -perm /6000 -type f -exec ls -ld {} \; -exec chmod a-s {} \; || true + +USER 26 + +ENTRYPOINT ["docker-entrypoint.sh"] + +# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL +# calls "Fast Shutdown mode" wherein new connections are disallowed and any +# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and +# flush tables to disk, which is the best compromise available to avoid data +# corruption. +# +# Users who know their applications do not keep open long-lived idle connections +# may way to use a value of SIGTERM instead, which corresponds to "Smart +# Shutdown mode" in which any existing sessions are allowed to finish and the +# server stops when all sessions are terminated. +# +# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# about available PostgreSQL server shutdown signals. +# +# See also https://www.postgresql.org/docs/12/server-start.html for further +# justification of this as the default value, namely that the example (and +# shipped) systemd service files use the "Fast Shutdown mode" for service +# termination. +# +STOPSIGNAL SIGINT +# +# An additional setting that is recommended for all users regardless of this +# value is the runtime "--stop-timeout" (or your orchestrator/runtime's +# equivalent) for controlling how long to wait between sending the defined +# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# +# The default in most runtimes (such as Docker) is 10 seconds, and the +# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# that even 90 seconds may not be long enough in many instances. + +EXPOSE 5432 +CMD ["postgres"] diff --git a/UBI/14/Dockerfile b/UBI/14/Dockerfile.ubi8 similarity index 100% rename from UBI/14/Dockerfile rename to UBI/14/Dockerfile.ubi8 diff --git a/UBI/14/Dockerfile.ubi9 b/UBI/14/Dockerfile.ubi9 new file mode 100644 index 00000000..08753426 --- /dev/null +++ b/UBI/14/Dockerfile.ubi9 @@ -0,0 +1,128 @@ +# vim:set ft=dockerfile: +FROM quay.io/enterprisedb/edb-ubi:9.3-1476 + +# Do not split the description, otherwise we will see a blank space in the labels +LABEL name="PostgreSQL Container Images" \ + vendor="EnterpriseDB" \ + url="https://www.enterprisedb.com/" \ + version="14.10" \ + release="4" \ + summary="PostgreSQL Container images." \ + description="This Docker image contains PostgreSQL and Barman Cloud based on RedHat Universal Base Images (UBI) 9." + +COPY root/ / + +ARG TARGETARCH +RUN --mount=type=secret,id=cs_token \ + set -xe ; \ + ARCH="${TARGETARCH}" ; \ + base_url="https://download.postgresql.org/pub/repos/yum/reporpms" ; \ + pg_failover_slots_pkg="pg_failover_slots_14" ; \ + case $ARCH in \ + amd64) \ + yum -y install "${base_url}/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + arm64) \ + yum -y install "${base_url}/EL-9-aarch64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + ppc64le) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg14-pg-failover-slots1" ;; \ + s390x) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/edb/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg14-pg-failover-slots1" ;; \ + *) \ + exit 1 ;; \ + esac ; \ + yum -y upgrade glibc-common ; \ + yum -y reinstall glibc-common ; \ + yum -y install hostname rsync tar gettext bind-utils nss_wrapper glibc-locale-source glibc-langpack-en ; \ + yum -y --setopt=tsflags=nodocs install \ + postgresql14-14.10 \ + postgresql14-contrib-14.10 \ + postgresql14-server-14.10 \ + postgresql14-libs-14.10 \ + "$pg_failover_slots_pkg" \ + ; \ + if [ "$PG_MAJOR" -lt "16" ]; then \ + yum -y --setopt=tsflags=nodocs install \ + pgaudit16_14 \ + ; \ + fi; \ + rm -fr /etc/yum.repos.d/enterprisedb-*.repo ; \ + rm -fr /tmp/* ; \ + yum -y clean all --enablerepo='*' + +# Install barman-cloud +RUN set -xe ; \ + yum -y install python3.11-pip python3.11-psycopg2 ; \ + pip3.11 install --upgrade pip ; \ + pip3.11 install -r requirements.txt ; \ + yum -y clean all --enablerepo='*' + +# make the sample config easier to munge (and "correct by default") +RUN set -eux; \ + sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/pgsql-14/share/postgresql.conf.sample; \ + grep -F "listen_addresses = '*'" /usr/pgsql-14/share/postgresql.conf.sample + +# prepare the environment and make sure postgres user has the correct UID +RUN set -xeu ; \ + localedef -f UTF-8 -i en_US en_US.UTF-8 ; \ + test "$(id postgres)" = "uid=26(postgres) gid=26(postgres) groups=26(postgres)" ; \ + mkdir -p /var/run/postgresql ; \ + chown postgres:postgres /var/run/postgresql ; \ + chmod 0755 /var/run/postgresql + +ENV PATH $PATH:/usr/pgsql-14/bin + +RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql + +ENV PGDATA /var/lib/postgresql/data/pgdata +# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values) +RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" +VOLUME /var/lib/postgresql/data + +RUN mkdir /docker-entrypoint-initdb.d + +# Remove example certificates in pem and enc format from /usr/share/doc folder +RUN find /usr/share/doc -type f '(' -iname "*.pem" -o -iname "*.enc" ')' -exec rm -rf {} \; || true + +# DoD 2.3 - remove setuid/setgid from any binary that not strictly requires it, and before doing that list them on the stdout +RUN find / -not -path "/proc/*" -perm /6000 -type f -exec ls -ld {} \; -exec chmod a-s {} \; || true + +USER 26 + +ENTRYPOINT ["docker-entrypoint.sh"] + +# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL +# calls "Fast Shutdown mode" wherein new connections are disallowed and any +# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and +# flush tables to disk, which is the best compromise available to avoid data +# corruption. +# +# Users who know their applications do not keep open long-lived idle connections +# may way to use a value of SIGTERM instead, which corresponds to "Smart +# Shutdown mode" in which any existing sessions are allowed to finish and the +# server stops when all sessions are terminated. +# +# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# about available PostgreSQL server shutdown signals. +# +# See also https://www.postgresql.org/docs/12/server-start.html for further +# justification of this as the default value, namely that the example (and +# shipped) systemd service files use the "Fast Shutdown mode" for service +# termination. +# +STOPSIGNAL SIGINT +# +# An additional setting that is recommended for all users regardless of this +# value is the runtime "--stop-timeout" (or your orchestrator/runtime's +# equivalent) for controlling how long to wait between sending the defined +# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# +# The default in most runtimes (such as Docker) is 10 seconds, and the +# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# that even 90 seconds may not be long enough in many instances. + +EXPOSE 5432 +CMD ["postgres"] diff --git a/UBI/14/root/requirements.txt b/UBI/14/root/requirements.txt index b52f5663..2fd22517 100644 --- a/UBI/14/root/requirements.txt +++ b/UBI/14/root/requirements.txt @@ -1,5 +1,5 @@ # -# This file is autogenerated by pip-compile with Python 3.11 +# This file is autogenerated by pip-compile with Python 3.10 # by the following command: # # pip-compile --generate-hashes diff --git a/UBI/15/.versions.json b/UBI/15/.versions.json index 50b3371b..b2fe6d6a 100644 --- a/UBI/15/.versions.json +++ b/UBI/15/.versions.json @@ -2,5 +2,7 @@ "BARMAN_VERSION": "3.9.0", "IMAGE_RELEASE_VERSION": "4", "POSTGRES_VERSION": "15.5", - "UBI_VERSION": "8.9-1107.1705420509" + "UBI8_VERSION": "8.9-1107.1705420509", + "UBI9_VERSION": "9.3-1476", + "UBI_VERSION": "8.9-1107" } diff --git a/UBI/15/Dockerfile.multiarch b/UBI/15/Dockerfile.multiarch.ubi8 similarity index 100% rename from UBI/15/Dockerfile.multiarch rename to UBI/15/Dockerfile.multiarch.ubi8 diff --git a/UBI/15/Dockerfile.multiarch.ubi9 b/UBI/15/Dockerfile.multiarch.ubi9 new file mode 100644 index 00000000..b764dc8f --- /dev/null +++ b/UBI/15/Dockerfile.multiarch.ubi9 @@ -0,0 +1,137 @@ +# vim:set ft=dockerfile: +FROM quay.io/enterprisedb/edb-ubi:9.3-1476 + +# Do not split the description, otherwise we will see a blank space in the labels +LABEL name="PostgreSQL Container Images" \ + vendor="EnterpriseDB" \ + url="https://www.enterprisedb.com/" \ + version="15.5" \ + release="4" \ + summary="PostgreSQL Container images." \ + description="This Docker image contains PostgreSQL and Barman Cloud based on RedHat Universal Base Images (UBI) 9." + +COPY root/ / + +ARG TARGETARCH +RUN --mount=type=secret,id=cs_token \ + set -xe ; \ + ARCH="${TARGETARCH}" ; \ + base_url="https://download.postgresql.org/pub/repos/yum/reporpms" ; \ + pg_failover_slots_pkg="pg_failover_slots_15" ; \ + case $ARCH in \ + amd64) \ + yum -y install "${base_url}/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + arm64) \ + yum -y install "${base_url}/EL-9-aarch64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + ppc64le) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg15-pg-failover-slots1" ;; \ + s390x) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/edb/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg15-pg-failover-slots1" ;; \ + *) \ + exit 1 ;; \ + esac ; \ + yum -y upgrade glibc-common ; \ + yum -y reinstall glibc-common ; \ + rm -fr /etc/rpm/macros.image-language-conf ; \ + yum -y install hostname rsync tar gettext bind-utils nss_wrapper glibc-locale-source glibc-langpack-en glibc-all-langpacks ; \ + case 15 in \ + 11|12|13|14) \ + yum -y --setopt=tsflags=nodocs install \ + postgresql15-15.5 \ + postgresql15-contrib-15.5 \ + postgresql15-server-15.5 \ + postgresql15-libs-15.5 \ + pgaudit17_15 \ + "$pg_failover_slots_pkg" \ + ;; \ + 15|16) \ + yum -y --setopt=tsflags=nodocs install \ + postgresql15-15.5 \ + postgresql15-contrib-15.5 \ + postgresql15-server-15.5 \ + postgresql15-libs-15.5 \ + ;; \ + *) \ + exit 1 ;; \ + esac ; \ + rm -fr /etc/yum.repos.d/enterprisedb-*.repo ; \ + rm -fr /tmp/* ; \ + yum -y clean all --enablerepo='*' + +# Install barman-cloud +RUN set -xe ; \ + yum -y install python3.11-pip python3.11-psycopg2 ; \ + pip3.11 install --upgrade pip ; \ + pip3.11 install -r requirements.txt ; \ + yum -y clean all --enablerepo='*' + +# make the sample config easier to munge (and "correct by default") +RUN set -eux; \ + sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/pgsql-15/share/postgresql.conf.sample; \ + grep -F "listen_addresses = '*'" /usr/pgsql-15/share/postgresql.conf.sample + +# prepare the environment and make sure postgres user has the correct UID +RUN set -xeu ; \ + localedef -f UTF-8 -i en_US en_US.UTF-8 ; \ + test "$(id postgres)" = "uid=26(postgres) gid=26(postgres) groups=26(postgres)" ; \ + mkdir -p /var/run/postgresql ; \ + chown postgres:postgres /var/run/postgresql ; \ + chmod 0755 /var/run/postgresql + +ENV PATH $PATH:/usr/pgsql-15/bin + +RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql + +ENV PGDATA /var/lib/postgresql/data/pgdata +# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values) +RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" +VOLUME /var/lib/postgresql/data + +RUN mkdir /docker-entrypoint-initdb.d + +# Remove example certificates in pem and enc format from /usr/share/doc folder +RUN find /usr/share/doc -type f '(' -iname "*.pem" -o -iname "*.enc" ')' -exec rm -rf {} \; || true + +# DoD 2.3 - remove setuid/setgid from any binary that not strictly requires it, and before doing that list them on the stdout +RUN find / -not -path "/proc/*" -perm /6000 -type f -exec ls -ld {} \; -exec chmod a-s {} \; || true + +USER 26 + +ENTRYPOINT ["docker-entrypoint.sh"] + +# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL +# calls "Fast Shutdown mode" wherein new connections are disallowed and any +# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and +# flush tables to disk, which is the best compromise available to avoid data +# corruption. +# +# Users who know their applications do not keep open long-lived idle connections +# may way to use a value of SIGTERM instead, which corresponds to "Smart +# Shutdown mode" in which any existing sessions are allowed to finish and the +# server stops when all sessions are terminated. +# +# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# about available PostgreSQL server shutdown signals. +# +# See also https://www.postgresql.org/docs/12/server-start.html for further +# justification of this as the default value, namely that the example (and +# shipped) systemd service files use the "Fast Shutdown mode" for service +# termination. +# +STOPSIGNAL SIGINT +# +# An additional setting that is recommended for all users regardless of this +# value is the runtime "--stop-timeout" (or your orchestrator/runtime's +# equivalent) for controlling how long to wait between sending the defined +# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# +# The default in most runtimes (such as Docker) is 10 seconds, and the +# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# that even 90 seconds may not be long enough in many instances. + +EXPOSE 5432 +CMD ["postgres"] diff --git a/UBI/15/Dockerfile.multilang b/UBI/15/Dockerfile.multilang.ubi8 similarity index 100% rename from UBI/15/Dockerfile.multilang rename to UBI/15/Dockerfile.multilang.ubi8 diff --git a/UBI/15/Dockerfile.multilang.ubi9 b/UBI/15/Dockerfile.multilang.ubi9 new file mode 100644 index 00000000..8827970f --- /dev/null +++ b/UBI/15/Dockerfile.multilang.ubi9 @@ -0,0 +1,129 @@ +# vim:set ft=dockerfile: +FROM quay.io/enterprisedb/edb-ubi:9.3-1476 + +# Do not split the description, otherwise we will see a blank space in the labels +LABEL name="PostgreSQL Container Images" \ + vendor="EnterpriseDB" \ + url="https://www.enterprisedb.com/" \ + version="15.5" \ + release="4" \ + summary="PostgreSQL Container images." \ + description="This Docker image contains PostgreSQL and Barman Cloud based on RedHat Universal Base Images (UBI) 9." + +COPY root/ / + +ARG TARGETARCH +RUN --mount=type=secret,id=cs_token \ + set -xe ; \ + ARCH="${TARGETARCH}" ; \ + base_url="https://download.postgresql.org/pub/repos/yum/reporpms" ; \ + pg_failover_slots_pkg="pg_failover_slots_15" ; \ + case $ARCH in \ + amd64) \ + yum -y install "${base_url}/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + arm64) \ + yum -y install "${base_url}/EL-9-aarch64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + ppc64le) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg15-pg-failover-slots1" ;; \ + s390x) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/edb/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg15-pg-failover-slots1" ;; \ + *) \ + exit 1 ;; \ + esac ; \ + yum -y upgrade glibc-common ; \ + yum -y reinstall glibc-common ; \ + rm -fr /etc/rpm/macros.image-language-conf ; \ + yum -y install hostname rsync tar gettext bind-utils nss_wrapper glibc-locale-source glibc-langpack-en glibc-all-langpacks ; \ + yum -y --setopt=tsflags=nodocs install \ + postgresql15-15.5 \ + postgresql15-contrib-15.5 \ + postgresql15-server-15.5 \ + postgresql15-libs-15.5 \ + "$pg_failover_slots_pkg" \ + ; \ + if [ "$PG_MAJOR" -lt "16" ]; then \ + yum -y --setopt=tsflags=nodocs install \ + pgaudit17_15 \ + ; \ + fi; \ + rm -fr /etc/yum.repos.d/enterprisedb-*.repo ; \ + rm -fr /tmp/* ; \ + yum -y clean all --enablerepo='*' + +# Install barman-cloud +RUN set -xe ; \ + yum -y install python3.11-pip python3.11-psycopg2 ; \ + pip3.11 install --upgrade pip ; \ + pip3.11 install -r requirements.txt ; \ + yum -y clean all --enablerepo='*' + +# make the sample config easier to munge (and "correct by default") +RUN set -eux; \ + sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/pgsql-15/share/postgresql.conf.sample; \ + grep -F "listen_addresses = '*'" /usr/pgsql-15/share/postgresql.conf.sample + +# prepare the environment and make sure postgres user has the correct UID +RUN set -xeu ; \ + localedef -f UTF-8 -i en_US en_US.UTF-8 ; \ + test "$(id postgres)" = "uid=26(postgres) gid=26(postgres) groups=26(postgres)" ; \ + mkdir -p /var/run/postgresql ; \ + chown postgres:postgres /var/run/postgresql ; \ + chmod 0755 /var/run/postgresql + +ENV PATH $PATH:/usr/pgsql-15/bin + +RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql + +ENV PGDATA /var/lib/postgresql/data/pgdata +# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values) +RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" +VOLUME /var/lib/postgresql/data + +RUN mkdir /docker-entrypoint-initdb.d + +# Remove example certificates in pem and enc format from /usr/share/doc folder +RUN find /usr/share/doc -type f '(' -iname "*.pem" -o -iname "*.enc" ')' -exec rm -rf {} \; || true + +# DoD 2.3 - remove setuid/setgid from any binary that not strictly requires it, and before doing that list them on the stdout +RUN find / -not -path "/proc/*" -perm /6000 -type f -exec ls -ld {} \; -exec chmod a-s {} \; || true + +USER 26 + +ENTRYPOINT ["docker-entrypoint.sh"] + +# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL +# calls "Fast Shutdown mode" wherein new connections are disallowed and any +# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and +# flush tables to disk, which is the best compromise available to avoid data +# corruption. +# +# Users who know their applications do not keep open long-lived idle connections +# may way to use a value of SIGTERM instead, which corresponds to "Smart +# Shutdown mode" in which any existing sessions are allowed to finish and the +# server stops when all sessions are terminated. +# +# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# about available PostgreSQL server shutdown signals. +# +# See also https://www.postgresql.org/docs/12/server-start.html for further +# justification of this as the default value, namely that the example (and +# shipped) systemd service files use the "Fast Shutdown mode" for service +# termination. +# +STOPSIGNAL SIGINT +# +# An additional setting that is recommended for all users regardless of this +# value is the runtime "--stop-timeout" (or your orchestrator/runtime's +# equivalent) for controlling how long to wait between sending the defined +# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# +# The default in most runtimes (such as Docker) is 10 seconds, and the +# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# that even 90 seconds may not be long enough in many instances. + +EXPOSE 5432 +CMD ["postgres"] diff --git a/UBI/15/Dockerfile b/UBI/15/Dockerfile.ubi8 similarity index 100% rename from UBI/15/Dockerfile rename to UBI/15/Dockerfile.ubi8 diff --git a/UBI/15/Dockerfile.ubi9 b/UBI/15/Dockerfile.ubi9 new file mode 100644 index 00000000..02f3f30b --- /dev/null +++ b/UBI/15/Dockerfile.ubi9 @@ -0,0 +1,128 @@ +# vim:set ft=dockerfile: +FROM quay.io/enterprisedb/edb-ubi:9.3-1476 + +# Do not split the description, otherwise we will see a blank space in the labels +LABEL name="PostgreSQL Container Images" \ + vendor="EnterpriseDB" \ + url="https://www.enterprisedb.com/" \ + version="15.5" \ + release="4" \ + summary="PostgreSQL Container images." \ + description="This Docker image contains PostgreSQL and Barman Cloud based on RedHat Universal Base Images (UBI) 9." + +COPY root/ / + +ARG TARGETARCH +RUN --mount=type=secret,id=cs_token \ + set -xe ; \ + ARCH="${TARGETARCH}" ; \ + base_url="https://download.postgresql.org/pub/repos/yum/reporpms" ; \ + pg_failover_slots_pkg="pg_failover_slots_15" ; \ + case $ARCH in \ + amd64) \ + yum -y install "${base_url}/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + arm64) \ + yum -y install "${base_url}/EL-9-aarch64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + ppc64le) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg15-pg-failover-slots1" ;; \ + s390x) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/edb/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg15-pg-failover-slots1" ;; \ + *) \ + exit 1 ;; \ + esac ; \ + yum -y upgrade glibc-common ; \ + yum -y reinstall glibc-common ; \ + yum -y install hostname rsync tar gettext bind-utils nss_wrapper glibc-locale-source glibc-langpack-en ; \ + yum -y --setopt=tsflags=nodocs install \ + postgresql15-15.5 \ + postgresql15-contrib-15.5 \ + postgresql15-server-15.5 \ + postgresql15-libs-15.5 \ + "$pg_failover_slots_pkg" \ + ; \ + if [ "$PG_MAJOR" -lt "16" ]; then \ + yum -y --setopt=tsflags=nodocs install \ + pgaudit17_15 \ + ; \ + fi; \ + rm -fr /etc/yum.repos.d/enterprisedb-*.repo ; \ + rm -fr /tmp/* ; \ + yum -y clean all --enablerepo='*' + +# Install barman-cloud +RUN set -xe ; \ + yum -y install python3.11-pip python3.11-psycopg2 ; \ + pip3.11 install --upgrade pip ; \ + pip3.11 install -r requirements.txt ; \ + yum -y clean all --enablerepo='*' + +# make the sample config easier to munge (and "correct by default") +RUN set -eux; \ + sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/pgsql-15/share/postgresql.conf.sample; \ + grep -F "listen_addresses = '*'" /usr/pgsql-15/share/postgresql.conf.sample + +# prepare the environment and make sure postgres user has the correct UID +RUN set -xeu ; \ + localedef -f UTF-8 -i en_US en_US.UTF-8 ; \ + test "$(id postgres)" = "uid=26(postgres) gid=26(postgres) groups=26(postgres)" ; \ + mkdir -p /var/run/postgresql ; \ + chown postgres:postgres /var/run/postgresql ; \ + chmod 0755 /var/run/postgresql + +ENV PATH $PATH:/usr/pgsql-15/bin + +RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql + +ENV PGDATA /var/lib/postgresql/data/pgdata +# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values) +RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" +VOLUME /var/lib/postgresql/data + +RUN mkdir /docker-entrypoint-initdb.d + +# Remove example certificates in pem and enc format from /usr/share/doc folder +RUN find /usr/share/doc -type f '(' -iname "*.pem" -o -iname "*.enc" ')' -exec rm -rf {} \; || true + +# DoD 2.3 - remove setuid/setgid from any binary that not strictly requires it, and before doing that list them on the stdout +RUN find / -not -path "/proc/*" -perm /6000 -type f -exec ls -ld {} \; -exec chmod a-s {} \; || true + +USER 26 + +ENTRYPOINT ["docker-entrypoint.sh"] + +# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL +# calls "Fast Shutdown mode" wherein new connections are disallowed and any +# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and +# flush tables to disk, which is the best compromise available to avoid data +# corruption. +# +# Users who know their applications do not keep open long-lived idle connections +# may way to use a value of SIGTERM instead, which corresponds to "Smart +# Shutdown mode" in which any existing sessions are allowed to finish and the +# server stops when all sessions are terminated. +# +# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# about available PostgreSQL server shutdown signals. +# +# See also https://www.postgresql.org/docs/12/server-start.html for further +# justification of this as the default value, namely that the example (and +# shipped) systemd service files use the "Fast Shutdown mode" for service +# termination. +# +STOPSIGNAL SIGINT +# +# An additional setting that is recommended for all users regardless of this +# value is the runtime "--stop-timeout" (or your orchestrator/runtime's +# equivalent) for controlling how long to wait between sending the defined +# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# +# The default in most runtimes (such as Docker) is 10 seconds, and the +# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# that even 90 seconds may not be long enough in many instances. + +EXPOSE 5432 +CMD ["postgres"] diff --git a/UBI/15/root/requirements.txt b/UBI/15/root/requirements.txt index b52f5663..2fd22517 100644 --- a/UBI/15/root/requirements.txt +++ b/UBI/15/root/requirements.txt @@ -1,5 +1,5 @@ # -# This file is autogenerated by pip-compile with Python 3.11 +# This file is autogenerated by pip-compile with Python 3.10 # by the following command: # # pip-compile --generate-hashes diff --git a/UBI/16/.versions.json b/UBI/16/.versions.json index a87bbd40..b7c7e7a1 100644 --- a/UBI/16/.versions.json +++ b/UBI/16/.versions.json @@ -2,5 +2,7 @@ "BARMAN_VERSION": "3.9.0", "IMAGE_RELEASE_VERSION": "4", "POSTGRES_VERSION": "16.1", - "UBI_VERSION": "8.9-1107.1705420509" + "UBI8_VERSION": "8.9-1107.1705420509", + "UBI9_VERSION": "9.3-1476", + "UBI_VERSION": "8.9-1107" } diff --git a/UBI/16/Dockerfile.multiarch b/UBI/16/Dockerfile.multiarch.ubi8 similarity index 100% rename from UBI/16/Dockerfile.multiarch rename to UBI/16/Dockerfile.multiarch.ubi8 diff --git a/UBI/16/Dockerfile.multiarch.ubi9 b/UBI/16/Dockerfile.multiarch.ubi9 new file mode 100644 index 00000000..b771396e --- /dev/null +++ b/UBI/16/Dockerfile.multiarch.ubi9 @@ -0,0 +1,137 @@ +# vim:set ft=dockerfile: +FROM quay.io/enterprisedb/edb-ubi:9.3-1476 + +# Do not split the description, otherwise we will see a blank space in the labels +LABEL name="PostgreSQL Container Images" \ + vendor="EnterpriseDB" \ + url="https://www.enterprisedb.com/" \ + version="16.1" \ + release="4" \ + summary="PostgreSQL Container images." \ + description="This Docker image contains PostgreSQL and Barman Cloud based on RedHat Universal Base Images (UBI) 9." + +COPY root/ / + +ARG TARGETARCH +RUN --mount=type=secret,id=cs_token \ + set -xe ; \ + ARCH="${TARGETARCH}" ; \ + base_url="https://download.postgresql.org/pub/repos/yum/reporpms" ; \ + pg_failover_slots_pkg="pg_failover_slots_16" ; \ + case $ARCH in \ + amd64) \ + yum -y install "${base_url}/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + arm64) \ + yum -y install "${base_url}/EL-9-aarch64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + ppc64le) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg16-pg-failover-slots1" ;; \ + s390x) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/edb/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg16-pg-failover-slots1" ;; \ + *) \ + exit 1 ;; \ + esac ; \ + yum -y upgrade glibc-common ; \ + yum -y reinstall glibc-common ; \ + rm -fr /etc/rpm/macros.image-language-conf ; \ + yum -y install hostname rsync tar gettext bind-utils nss_wrapper glibc-locale-source glibc-langpack-en glibc-all-langpacks ; \ + case 16 in \ + 11|12|13|14) \ + yum -y --setopt=tsflags=nodocs install \ + postgresql16-16.1 \ + postgresql16-contrib-16.1 \ + postgresql16-server-16.1 \ + postgresql16-libs-16.1 \ + pgaudit18_16 \ + "$pg_failover_slots_pkg" \ + ;; \ + 15|16) \ + yum -y --setopt=tsflags=nodocs install \ + postgresql16-16.1 \ + postgresql16-contrib-16.1 \ + postgresql16-server-16.1 \ + postgresql16-libs-16.1 \ + ;; \ + *) \ + exit 1 ;; \ + esac ; \ + rm -fr /etc/yum.repos.d/enterprisedb-*.repo ; \ + rm -fr /tmp/* ; \ + yum -y clean all --enablerepo='*' + +# Install barman-cloud +RUN set -xe ; \ + yum -y install python3.11-pip python3.11-psycopg2 ; \ + pip3.11 install --upgrade pip ; \ + pip3.11 install -r requirements.txt ; \ + yum -y clean all --enablerepo='*' + +# make the sample config easier to munge (and "correct by default") +RUN set -eux; \ + sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/pgsql-16/share/postgresql.conf.sample; \ + grep -F "listen_addresses = '*'" /usr/pgsql-16/share/postgresql.conf.sample + +# prepare the environment and make sure postgres user has the correct UID +RUN set -xeu ; \ + localedef -f UTF-8 -i en_US en_US.UTF-8 ; \ + test "$(id postgres)" = "uid=26(postgres) gid=26(postgres) groups=26(postgres)" ; \ + mkdir -p /var/run/postgresql ; \ + chown postgres:postgres /var/run/postgresql ; \ + chmod 0755 /var/run/postgresql + +ENV PATH $PATH:/usr/pgsql-16/bin + +RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql + +ENV PGDATA /var/lib/postgresql/data/pgdata +# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values) +RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" +VOLUME /var/lib/postgresql/data + +RUN mkdir /docker-entrypoint-initdb.d + +# Remove example certificates in pem and enc format from /usr/share/doc folder +RUN find /usr/share/doc -type f '(' -iname "*.pem" -o -iname "*.enc" ')' -exec rm -rf {} \; || true + +# DoD 2.3 - remove setuid/setgid from any binary that not strictly requires it, and before doing that list them on the stdout +RUN find / -not -path "/proc/*" -perm /6000 -type f -exec ls -ld {} \; -exec chmod a-s {} \; || true + +USER 26 + +ENTRYPOINT ["docker-entrypoint.sh"] + +# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL +# calls "Fast Shutdown mode" wherein new connections are disallowed and any +# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and +# flush tables to disk, which is the best compromise available to avoid data +# corruption. +# +# Users who know their applications do not keep open long-lived idle connections +# may way to use a value of SIGTERM instead, which corresponds to "Smart +# Shutdown mode" in which any existing sessions are allowed to finish and the +# server stops when all sessions are terminated. +# +# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# about available PostgreSQL server shutdown signals. +# +# See also https://www.postgresql.org/docs/12/server-start.html for further +# justification of this as the default value, namely that the example (and +# shipped) systemd service files use the "Fast Shutdown mode" for service +# termination. +# +STOPSIGNAL SIGINT +# +# An additional setting that is recommended for all users regardless of this +# value is the runtime "--stop-timeout" (or your orchestrator/runtime's +# equivalent) for controlling how long to wait between sending the defined +# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# +# The default in most runtimes (such as Docker) is 10 seconds, and the +# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# that even 90 seconds may not be long enough in many instances. + +EXPOSE 5432 +CMD ["postgres"] diff --git a/UBI/16/Dockerfile.multilang b/UBI/16/Dockerfile.multilang.ubi8 similarity index 100% rename from UBI/16/Dockerfile.multilang rename to UBI/16/Dockerfile.multilang.ubi8 diff --git a/UBI/16/Dockerfile.multilang.ubi9 b/UBI/16/Dockerfile.multilang.ubi9 new file mode 100644 index 00000000..e4daf16b --- /dev/null +++ b/UBI/16/Dockerfile.multilang.ubi9 @@ -0,0 +1,129 @@ +# vim:set ft=dockerfile: +FROM quay.io/enterprisedb/edb-ubi:9.3-1476 + +# Do not split the description, otherwise we will see a blank space in the labels +LABEL name="PostgreSQL Container Images" \ + vendor="EnterpriseDB" \ + url="https://www.enterprisedb.com/" \ + version="16.1" \ + release="4" \ + summary="PostgreSQL Container images." \ + description="This Docker image contains PostgreSQL and Barman Cloud based on RedHat Universal Base Images (UBI) 9." + +COPY root/ / + +ARG TARGETARCH +RUN --mount=type=secret,id=cs_token \ + set -xe ; \ + ARCH="${TARGETARCH}" ; \ + base_url="https://download.postgresql.org/pub/repos/yum/reporpms" ; \ + pg_failover_slots_pkg="pg_failover_slots_16" ; \ + case $ARCH in \ + amd64) \ + yum -y install "${base_url}/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + arm64) \ + yum -y install "${base_url}/EL-9-aarch64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + ppc64le) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg16-pg-failover-slots1" ;; \ + s390x) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/edb/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg16-pg-failover-slots1" ;; \ + *) \ + exit 1 ;; \ + esac ; \ + yum -y upgrade glibc-common ; \ + yum -y reinstall glibc-common ; \ + rm -fr /etc/rpm/macros.image-language-conf ; \ + yum -y install hostname rsync tar gettext bind-utils nss_wrapper glibc-locale-source glibc-langpack-en glibc-all-langpacks ; \ + yum -y --setopt=tsflags=nodocs install \ + postgresql16-16.1 \ + postgresql16-contrib-16.1 \ + postgresql16-server-16.1 \ + postgresql16-libs-16.1 \ + "$pg_failover_slots_pkg" \ + ; \ + if [ "$PG_MAJOR" -lt "16" ]; then \ + yum -y --setopt=tsflags=nodocs install \ + pgaudit18_16 \ + ; \ + fi; \ + rm -fr /etc/yum.repos.d/enterprisedb-*.repo ; \ + rm -fr /tmp/* ; \ + yum -y clean all --enablerepo='*' + +# Install barman-cloud +RUN set -xe ; \ + yum -y install python3.11-pip python3.11-psycopg2 ; \ + pip3.11 install --upgrade pip ; \ + pip3.11 install -r requirements.txt ; \ + yum -y clean all --enablerepo='*' + +# make the sample config easier to munge (and "correct by default") +RUN set -eux; \ + sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/pgsql-16/share/postgresql.conf.sample; \ + grep -F "listen_addresses = '*'" /usr/pgsql-16/share/postgresql.conf.sample + +# prepare the environment and make sure postgres user has the correct UID +RUN set -xeu ; \ + localedef -f UTF-8 -i en_US en_US.UTF-8 ; \ + test "$(id postgres)" = "uid=26(postgres) gid=26(postgres) groups=26(postgres)" ; \ + mkdir -p /var/run/postgresql ; \ + chown postgres:postgres /var/run/postgresql ; \ + chmod 0755 /var/run/postgresql + +ENV PATH $PATH:/usr/pgsql-16/bin + +RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql + +ENV PGDATA /var/lib/postgresql/data/pgdata +# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values) +RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" +VOLUME /var/lib/postgresql/data + +RUN mkdir /docker-entrypoint-initdb.d + +# Remove example certificates in pem and enc format from /usr/share/doc folder +RUN find /usr/share/doc -type f '(' -iname "*.pem" -o -iname "*.enc" ')' -exec rm -rf {} \; || true + +# DoD 2.3 - remove setuid/setgid from any binary that not strictly requires it, and before doing that list them on the stdout +RUN find / -not -path "/proc/*" -perm /6000 -type f -exec ls -ld {} \; -exec chmod a-s {} \; || true + +USER 26 + +ENTRYPOINT ["docker-entrypoint.sh"] + +# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL +# calls "Fast Shutdown mode" wherein new connections are disallowed and any +# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and +# flush tables to disk, which is the best compromise available to avoid data +# corruption. +# +# Users who know their applications do not keep open long-lived idle connections +# may way to use a value of SIGTERM instead, which corresponds to "Smart +# Shutdown mode" in which any existing sessions are allowed to finish and the +# server stops when all sessions are terminated. +# +# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# about available PostgreSQL server shutdown signals. +# +# See also https://www.postgresql.org/docs/12/server-start.html for further +# justification of this as the default value, namely that the example (and +# shipped) systemd service files use the "Fast Shutdown mode" for service +# termination. +# +STOPSIGNAL SIGINT +# +# An additional setting that is recommended for all users regardless of this +# value is the runtime "--stop-timeout" (or your orchestrator/runtime's +# equivalent) for controlling how long to wait between sending the defined +# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# +# The default in most runtimes (such as Docker) is 10 seconds, and the +# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# that even 90 seconds may not be long enough in many instances. + +EXPOSE 5432 +CMD ["postgres"] diff --git a/UBI/16/Dockerfile b/UBI/16/Dockerfile.ubi8 similarity index 100% rename from UBI/16/Dockerfile rename to UBI/16/Dockerfile.ubi8 diff --git a/UBI/16/Dockerfile.ubi9 b/UBI/16/Dockerfile.ubi9 new file mode 100644 index 00000000..d0a92bd4 --- /dev/null +++ b/UBI/16/Dockerfile.ubi9 @@ -0,0 +1,128 @@ +# vim:set ft=dockerfile: +FROM quay.io/enterprisedb/edb-ubi:9.3-1476 + +# Do not split the description, otherwise we will see a blank space in the labels +LABEL name="PostgreSQL Container Images" \ + vendor="EnterpriseDB" \ + url="https://www.enterprisedb.com/" \ + version="16.1" \ + release="4" \ + summary="PostgreSQL Container images." \ + description="This Docker image contains PostgreSQL and Barman Cloud based on RedHat Universal Base Images (UBI) 9." + +COPY root/ / + +ARG TARGETARCH +RUN --mount=type=secret,id=cs_token \ + set -xe ; \ + ARCH="${TARGETARCH}" ; \ + base_url="https://download.postgresql.org/pub/repos/yum/reporpms" ; \ + pg_failover_slots_pkg="pg_failover_slots_16" ; \ + case $ARCH in \ + amd64) \ + yum -y install "${base_url}/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + arm64) \ + yum -y install "${base_url}/EL-9-aarch64/pgdg-redhat-repo-latest.noarch.rpm" ; \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ;; \ + ppc64le) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg16-pg-failover-slots1" ;; \ + s390x) \ + curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/edb/setup.rpm.sh | bash ; \ + pg_failover_slots_pkg="edb-pg16-pg-failover-slots1" ;; \ + *) \ + exit 1 ;; \ + esac ; \ + yum -y upgrade glibc-common ; \ + yum -y reinstall glibc-common ; \ + yum -y install hostname rsync tar gettext bind-utils nss_wrapper glibc-locale-source glibc-langpack-en ; \ + yum -y --setopt=tsflags=nodocs install \ + postgresql16-16.1 \ + postgresql16-contrib-16.1 \ + postgresql16-server-16.1 \ + postgresql16-libs-16.1 \ + "$pg_failover_slots_pkg" \ + ; \ + if [ "$PG_MAJOR" -lt "16" ]; then \ + yum -y --setopt=tsflags=nodocs install \ + pgaudit18_16 \ + ; \ + fi; \ + rm -fr /etc/yum.repos.d/enterprisedb-*.repo ; \ + rm -fr /tmp/* ; \ + yum -y clean all --enablerepo='*' + +# Install barman-cloud +RUN set -xe ; \ + yum -y install python3.11-pip python3.11-psycopg2 ; \ + pip3.11 install --upgrade pip ; \ + pip3.11 install -r requirements.txt ; \ + yum -y clean all --enablerepo='*' + +# make the sample config easier to munge (and "correct by default") +RUN set -eux; \ + sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/pgsql-16/share/postgresql.conf.sample; \ + grep -F "listen_addresses = '*'" /usr/pgsql-16/share/postgresql.conf.sample + +# prepare the environment and make sure postgres user has the correct UID +RUN set -xeu ; \ + localedef -f UTF-8 -i en_US en_US.UTF-8 ; \ + test "$(id postgres)" = "uid=26(postgres) gid=26(postgres) groups=26(postgres)" ; \ + mkdir -p /var/run/postgresql ; \ + chown postgres:postgres /var/run/postgresql ; \ + chmod 0755 /var/run/postgresql + +ENV PATH $PATH:/usr/pgsql-16/bin + +RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql + +ENV PGDATA /var/lib/postgresql/data/pgdata +# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values) +RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" +VOLUME /var/lib/postgresql/data + +RUN mkdir /docker-entrypoint-initdb.d + +# Remove example certificates in pem and enc format from /usr/share/doc folder +RUN find /usr/share/doc -type f '(' -iname "*.pem" -o -iname "*.enc" ')' -exec rm -rf {} \; || true + +# DoD 2.3 - remove setuid/setgid from any binary that not strictly requires it, and before doing that list them on the stdout +RUN find / -not -path "/proc/*" -perm /6000 -type f -exec ls -ld {} \; -exec chmod a-s {} \; || true + +USER 26 + +ENTRYPOINT ["docker-entrypoint.sh"] + +# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL +# calls "Fast Shutdown mode" wherein new connections are disallowed and any +# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and +# flush tables to disk, which is the best compromise available to avoid data +# corruption. +# +# Users who know their applications do not keep open long-lived idle connections +# may way to use a value of SIGTERM instead, which corresponds to "Smart +# Shutdown mode" in which any existing sessions are allowed to finish and the +# server stops when all sessions are terminated. +# +# See https://www.postgresql.org/docs/12/server-shutdown.html for more details +# about available PostgreSQL server shutdown signals. +# +# See also https://www.postgresql.org/docs/12/server-start.html for further +# justification of this as the default value, namely that the example (and +# shipped) systemd service files use the "Fast Shutdown mode" for service +# termination. +# +STOPSIGNAL SIGINT +# +# An additional setting that is recommended for all users regardless of this +# value is the runtime "--stop-timeout" (or your orchestrator/runtime's +# equivalent) for controlling how long to wait between sending the defined +# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption). +# +# The default in most runtimes (such as Docker) is 10 seconds, and the +# documentation at https://www.postgresql.org/docs/12/server-start.html notes +# that even 90 seconds may not be long enough in many instances. + +EXPOSE 5432 +CMD ["postgres"] diff --git a/UBI/16/root/requirements.txt b/UBI/16/root/requirements.txt index b52f5663..2fd22517 100644 --- a/UBI/16/root/requirements.txt +++ b/UBI/16/root/requirements.txt @@ -1,5 +1,5 @@ # -# This file is autogenerated by pip-compile with Python 3.11 +# This file is autogenerated by pip-compile with Python 3.10 # by the following command: # # pip-compile --generate-hashes diff --git a/UBI/src/root/requirements.txt b/UBI/src/root/requirements.txt index b52f5663..2fd22517 100644 --- a/UBI/src/root/requirements.txt +++ b/UBI/src/root/requirements.txt @@ -1,5 +1,5 @@ # -# This file is autogenerated by pip-compile with Python 3.11 +# This file is autogenerated by pip-compile with Python 3.10 # by the following command: # # pip-compile --generate-hashes