@@ -48,41 +48,15 @@ RUN set -ex; \
4848
4949# explicitly set user/group IDs
5050RUN set -eux; \
51- groupadd -r postgres --gid=999; \
52- # https://salsa.debian.org/postgresql/postgresql-common/blob/997d842ee744687d99a2b2d95c1083a2615c79e8/debian/postgresql-common.postinst#L32-35
51+ groupadd -r postgres --gid=26; \
5352 useradd -r -g postgres --uid=26 --home-dir=/var/lib/postgresql --shell=/bin/bash postgres; \
54- # also create the postgres user's home directory with appropriate permissions
55- # see https://github.com/docker-library/postgres/issues/274
5653 mkdir -p /var/lib/postgresql; \
5754 chown -R postgres:postgres /var/lib/postgresql
5855
59- # grab gosu for easy step-down from root
60- # https://github.com/tianon/gosu/releases
61- ENV GOSU_VERSION 1.17
62- RUN set -eux; \
63- savedAptMark="$(apt-mark showmanual)" ; \
64- apt-get update; \
65- apt-get install -y --no-install-recommends ca-certificates wget; \
66- rm -rf /var/lib/apt/lists/*; \
67- dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" ; \
68- wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" ; \
69- wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc" ; \
70- export GNUPGHOME="$(mktemp -d)" ; \
71- gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
72- gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
73- gpgconf --kill all; \
74- rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
75- apt-mark auto '.*' > /dev/null; \
76- [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
77- apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
78- chmod +x /usr/local/bin/gosu; \
79- gosu --version; \
80- gosu nobody true
81-
8256# make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
8357RUN set -eux; \
58+ # if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
8459 if [ -f /etc/dpkg/dpkg.cfg.d/docker ]; then \
85- # if this file exists, we're likely in "debian:xxx-slim", and locales are thus being excluded so we need to remove that exclusion (since we need locales)
8660 grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
8761 sed -ri '/\/ usr\/ share\/ locale/d' /etc/dpkg/dpkg.cfg.d/docker; \
8862 ! grep -q '/usr/share/locale' /etc/dpkg/dpkg.cfg.d/docker; \
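Review bot: `groupadd -r postgres --gid=26` (new line 51) is likely to fail on the Debian-family base this file otherwise assumes (apt-get, dpkg-divert, /etc/dpkg/dpkg.cfg.d/docker): Debian's base-passwd already allocates GID 26 to the `tape` group, so under `set -eux` the RUN aborts with a duplicate-GID error unless that group is absent from the base or `-o` is passed; please confirm the build on the actual base image. 26 looks like the uid/gid convention of Red Hat-family PostgreSQL packages, and with the link to the postgresql-common postinst gone the id is now an unexplained magic number — add something like `# uid/gid 26 matches the PostgreSQL convention on RHEL-family systems and the USER 26 at the end of this file` above the groupadd line. Note that the gosu removal in this hunk is only consistent because the entrypoint that invoked it is dropped further down (hunk 4); a derived image that re-adds an entrypoint will need its own privilege step-down.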
@@ -91,15 +65,13 @@ RUN set -eux; \
9165 echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen; \
9266 locale-gen; \
9367 locale -a | grep 'en_US.utf8'
94- ENV LANG en_US.utf8
9568
96- RUN mkdir /docker-entrypoint-initdb.d
97-
98- ENV PG_MAJOR $PG_MAJOR
99- ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
69+ ENV LANG=en_US.utf8
70+ ENV PG_MAJOR=$PG_MAJOR
71+ ENV PATH=/usr/lib/postgresql/$PG_MAJOR/bin:$PATH
10072
10173# Build PostgreSQL
102- # Partially refer to https://github.com/docker-library/postgres/blob/master/16/alpine3.19 /Dockerfile#L33-L160
74+ # Partially refer to https://github.com/docker-library/postgres/blob/master/16/alpine3.21 /Dockerfile#L119-L159
10375RUN set -eux ; \
10476 mkdir -p /usr/src/postgresql ; \
10577 git clone -b "$PG_BRANCH" --single-branch "$PG_REPO" /usr/src/postgresql ; \
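Review bot: `ENV PATH=/usr/lib/postgresql/$PG_MAJOR/bin:$PATH` (new line 71) reverses the old search order — the source-built tree now takes precedence over /usr/bin rather than falling behind it, so any same-named tool installed later from the PGDG repository (the apt source added in a following RUN) is silently shadowed. If that is intended, say so where it happens, e.g. `# prepend so the binaries built below win over any distro-packaged postgres tools`; if not, the old order `$PATH:/usr/lib/postgresql/$PG_MAJOR/bin` preserves existing behaviour. `ENV PG_MAJOR=$PG_MAJOR` only works if a matching `ARG PG_MAJOR` is declared earlier in this build stage, which is outside the hunk; presumably it is, but the ENV evaluates to empty (and PATH becomes `/usr/lib/postgresql//bin:...`) if the ARG is missing or scoped to a previous stage.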
@@ -175,9 +147,6 @@ RUN set -xe ; \
175147
176148# Even though we compile from source, we still need PGDG to gather an updated version of psycopg2
177149RUN set -ex; \
178- # pub 4096R/ACCC4CF8 2011-10-13 [expires: 2019-07-02]
179- # Key fingerprint = B97B 0AFC AA1A 47F0 44F2 44A0 7FCC 7D46 ACCC 4CF8
180- # uid PostgreSQL Debian Repository
181150 key='B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8' ; \
182151 export GNUPGHOME="$(mktemp -d)" ; \
183152 mkdir -p /usr/local/share/keyrings/; \
@@ -200,58 +169,7 @@ RUN set -xe; \
200169 pip3 install --break-system-packages barman[cloud,azure,snappy,google] boto3==1.35.99; \
201170 rm -rf /var/lib/apt/lists/*;
202171
203- # make the sample config easier to munge (and "correct by default")
204- RUN set -eux; \
205- dpkg-divert --add --rename --divert "/usr/share/postgresql/postgresql.conf.sample.dpkg" "/usr/share/postgresql/$PG_MAJOR/postgresql.conf.sample" ; \
206- cp -v /usr/share/postgresql/postgresql.conf.sample.dpkg /usr/share/postgresql/postgresql.conf.sample; \
207- ln -sv ../postgresql.conf.sample "/usr/share/postgresql/$PG_MAJOR/" ; \
208- sed -ri "s!^#?(listen_addresses)\s *=\s *\S +.*!\1 = '*'!" /usr/share/postgresql/postgresql.conf.sample; \
209- grep -F "listen_addresses = '*'" /usr/share/postgresql/postgresql.conf.sample
210-
211- RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 3777 /var/run/postgresql
212-
213- ENV PGDATA /var/lib/postgresql/data
214- # this 1777 will be replaced by 0700 at runtime (allows semi-arbitrary "--user" values)
215- RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 1777 "$PGDATA"
216- VOLUME /var/lib/postgresql/data
217-
218172# DoD 2.3 - remove setuid/setgid from any binary that not strictly requires it, and before doing that list them on the stdout
219173RUN find / -not -path "/proc/*" -perm /6000 -type f -exec ls -ld {} \; -exec chmod a-s {} \; || true
220174
221175USER 26
222-
223- COPY docker-entrypoint.sh /usr/local/bin/
224- ENTRYPOINT ["docker-entrypoint.sh" ]
225-
226- # We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
227- # calls "Fast Shutdown mode" wherein new connections are disallowed and any
228- # in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
229- # flush tables to disk, which is the best compromise available to avoid data
230- # corruption.
231- #
232- # Users who know their applications do not keep open long-lived idle connections
233- # may way to use a value of SIGTERM instead, which corresponds to "Smart
234- # Shutdown mode" in which any existing sessions are allowed to finish and the
235- # server stops when all sessions are terminated.
236- #
237- # See https://www.postgresql.org/docs/12/server-shutdown.html for more details
238- # about available PostgreSQL server shutdown signals.
239- #
240- # See also https://www.postgresql.org/docs/12/server-start.html for further
241- # justification of this as the default value, namely that the example (and
242- # shipped) systemd service files use the "Fast Shutdown mode" for service
243- # termination.
244- #
245- STOPSIGNAL SIGINT
246- #
247- # An additional setting that is recommended for all users regardless of this
248- # value is the runtime "--stop-timeout" (or your orchestrator/runtime's
249- # equivalent) for controlling how long to wait between sending the defined
250- # STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption).
251- #
252- # The default in most runtimes (such as Docker) is 10 seconds, and the
253- # documentation at https://www.postgresql.org/docs/12/server-start.html notes
254- # that even 90 seconds may not be long enough in many instances.
255-
256- EXPOSE 5432
257- CMD ["postgres" ]