From 48f2ad1b73abdfe08d0e4e3feb4934177929d9b5 Mon Sep 17 00:00:00 2001 From: Joe Ferguson Date: Mon, 10 Sep 2018 16:46:22 -0700 Subject: [PATCH] Functionalize the entrypoint to allow outside sourcing for extreme customizing of startup --- docker-entrypoint.sh | 318 +++++++++++++++++++++++++++---------------- 1 file changed, 201 insertions(+), 117 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 93ee4fba4d..2f9a92ffcb 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -24,153 +24,237 @@ file_env() { unset "$fileVar" } -if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" -fi +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${FUNCNAME[${#FUNCNAME[@]} - 1]}" == 'source' ] +} + +# used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user +create_postgres_dirs() { + local user="$(id -u)" -# allow the container to be started with `--user` -if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then mkdir -p "$PGDATA" - chown -R postgres "$PGDATA" chmod 700 "$PGDATA" - mkdir -p /var/run/postgresql - chown -R postgres /var/run/postgresql - chmod 775 /var/run/postgresql + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 775 /var/run/postgresql || : - # Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user + # Create the transaction log directory before initdb is run so the directory is owned by the correct user if [ "$POSTGRES_INITDB_WALDIR" ]; then mkdir -p "$POSTGRES_INITDB_WALDIR" - chown -R postgres "$POSTGRES_INITDB_WALDIR" + [ "$user" = '0' ] && find "$POSTGRES_INITDB_WALDIR" \! -user postgres - exec chown postgres '{}' + chmod 700 "$POSTGRES_INITDB_WALDIR" fi - exec gosu postgres "$BASH_SOURCE" "$@" -fi + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} -if [ "$1" = 'postgres' ]; then - mkdir -p "$PGDATA" - chown -R "$(id -u)" "$PGDATA" 2>/dev/null || : - chmod 700 "$PGDATA" 2>/dev/null || : - - # look specifically for PG_VERSION, as it is expected in the DB dir - if [ ! -s "$PGDATA/PG_VERSION" ]; then - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then - export LD_PRELOAD='/usr/lib/libnss_wrapper.so' - export NSS_WRAPPER_PASSWD="$(mktemp)" - export NSS_WRAPPER_GROUP="$(mktemp)" - echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" - echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" - fi +# initialize empty PGDATA directory with new database via 'initdb' +init_pgdata() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi - file_env 'POSTGRES_USER' 'postgres' - file_env 'POSTGRES_PASSWORD' + file_env 'POSTGRES_INITDB_ARGS' + if [ "$POSTGRES_INITDB_WALDIR" ]; then + export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR" + fi - file_env 'POSTGRES_INITDB_ARGS' - if [ "$POSTGRES_INITDB_WALDIR" ]; then - export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR" - fi - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS" + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS" - # unset/cleanup "nss_wrapper" bits - if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} - # check password first so we can output the warning before postgres - # messes it up - if [ -n "$POSTGRES_PASSWORD" ]; then - authMethod=md5 +# print large warning if POSTGRES_PASSWORD is empty +print_password_warning() { + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + This will not work if used via PGPASSWORD with "psql". - This will not work if used via PGPASSWORD with "psql". + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 + EOWARN + fi + if [ -z "$POSTGRES_PASSWORD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOWARN' + **************************************************** + WARNING: No password has been set for the database. + This will allow anyone with access to the + Postgres port to access your database. In + Docker's default configuration, this is + effectively any other container on the same + system. - EOWARN - fi - else - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOWARN' - **************************************************** - WARNING: No password has been set for the database. - This will allow anyone with access to the - Postgres port to access your database. In - Docker's default configuration, this is - effectively any other container on the same - system. - - Use "-e POSTGRES_PASSWORD=password" to set - it in "docker run". - **************************************************** - EOWARN - - authMethod=trust - fi + Use "-e POSTGRES_PASSWORD=password" to set + it in "docker run". + **************************************************** + EOWARN - { - echo - echo "host all all all $authMethod" - } >> "$PGDATA/pg_hba.conf" + fi +} - # internal start of server in order to allow set-up using psql-client - # does not listen on external TCP/IP and waits until start finishes - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "-c listen_addresses=''" \ - -w start +# run, source, or read files from /docker-entrypoint-initdb.d (or specified directory) +process_init_files() { + # psql here for backwards compatiblilty "${psql[@]}" + psql=( psql_run ) - file_env 'POSTGRES_DB' "$POSTGRES_USER" + local initDir="${1:-/docker-entrypoint-initdb.d}" - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password ) + echo + for f in "${initDir%/}"/*; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + echo "$0: running $f" + "$f" + else + echo "$0: sourcing $f" + . "$f" + fi + ;; + *.sql) echo "$0: running $f"; psql_run -f "$f"; echo ;; + *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | psql_run; echo ;; + *) echo "$0: ignoring $f" ;; + esac + echo + done +} - if [ "$POSTGRES_DB" != 'postgres' ]; then - "${psql[@]}" --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL' - CREATE DATABASE :"db" ; - EOSQL - echo - fi - psql+=( --dbname "$POSTGRES_DB" ) +# run `psql` with proper arguments for user and db +psql_run() { + local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password ) + if [ -n "$POSTGRES_DB" ]; then + query_runner+=( --dbname "$POSTGRES_DB" ) + fi + + "${query_runner[@]}" "$@" +} +# create initial postgresql superuser with password and database +# uses environment variables for input: POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_DB +setup_database() { + if [ "$POSTGRES_DB" != 'postgres' ]; then + POSTGRES_DB= psql_run --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL' + CREATE DATABASE :"db" ; + EOSQL echo - for f in /docker-entrypoint-initdb.d/*; do - case "$f" in - *.sh) - # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 - # https://github.com/docker-library/postgres/pull/452 - if [ -x "$f" ]; then - echo "$0: running $f" - "$f" - else - echo "$0: sourcing $f" - . "$f" - fi - ;; - *.sql) echo "$0: running $f"; "${psql[@]}" -f "$f"; echo ;; - *.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${psql[@]}"; echo ;; - *) echo "$0: ignoring $f" ;; - esac - echo - done + fi +} - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" -m fast -w stop +# get user/pass and db from env vars or via file +setup_env_vars() { + file_env 'POSTGRES_PASSWORD' - unset PGPASSWORD + file_env 'POSTGRES_USER' 'postgres' + file_env 'POSTGRES_DB' "$POSTGRES_USER" +} +# append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD +setup_pg_hba() { + local authMethod + if [ "$POSTGRES_PASSWORD" ]; then + authMethod='md5' + else + authMethod='trust' + fi + + { echo - echo 'PostgreSQL init process complete; ready for start up.' - echo + echo "host all all all $authMethod" + } >> "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up user or running scripts +temporary_pgserver_start() { + # internal start of server in order to allow set-up using psql-client + # does not listen on external TCP/IP and waits until start finishes + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "-c listen_addresses=''" \ + -w start + #??? "$@" +} + +# stop postgresql server after done setting up user and running scripts +temporary_pgserver_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" fi -fi -exec "$@" + # setup data directories and permissions, then restart script as postgres user + if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then + create_postgres_dirs + exec gosu postgres "$BASH_SOURCE" "$@" + fi + + if [ "$1" = 'postgres' ]; then + create_postgres_dirs + + # only run initialization on an empty data directory + # look specifically for PG_VERSION, as it is expected in the DB dir + if [ ! -s "$PGDATA/PG_VERSION" ]; then + init_pgdata + + setup_env_vars + print_password_warning + setup_pg_hba + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + temporary_pgserver_start + + setup_database + + process_init_files + + temporary_pgserver_stop + unset PGPASSWORD + + echo + echo 'PostgreSQL init process complete; ready for start up.' + echo + else + echo + echo 'PostgreSQL Database directory appears to contain a database; Skipping initialization' + echo + fi + fi + + exec "$@" +} + +if ! _is_sourced; then + main "$@" +fi