From 3706d4c4562c284ed070286b9fd516151167a40c Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Thu, 19 Jan 2017 14:57:19 -0800
Subject: [PATCH] Allow arbitrary --user values (mostly)
One special case is that `initdb` _requires_ the current user to exist in `/etc/passwd`, but running PostgreSQL itself does not require that.
---
 9.2/Dockerfile | 2 +-
 9.2/alpine/Dockerfile | 2 +-
 9.2/alpine/docker-entrypoint.sh | 22 +++++++++++++++-------
 9.2/docker-entrypoint.sh | 22 +++++++++++++++-------
 9.3/Dockerfile | 2 +-
 9.3/alpine/Dockerfile | 2 +-
 9.3/alpine/docker-entrypoint.sh | 22 +++++++++++++++-------
 9.3/docker-entrypoint.sh | 22 +++++++++++++++-------
 9.4/Dockerfile | 2 +-
 9.4/alpine/Dockerfile | 2 +-
 9.4/alpine/docker-entrypoint.sh | 22 +++++++++++++++-------
 9.4/docker-entrypoint.sh | 22 +++++++++++++++-------
 9.5/Dockerfile | 2 +-
 9.5/alpine/Dockerfile | 2 +-
 9.5/alpine/docker-entrypoint.sh | 22 +++++++++++++++-------
 9.5/docker-entrypoint.sh | 22 +++++++++++++++-------
 9.6/Dockerfile | 2 +-
 9.6/alpine/Dockerfile | 2 +-
 9.6/alpine/docker-entrypoint.sh | 22 +++++++++++++++-------
 9.6/docker-entrypoint.sh | 22 +++++++++++++++-------
 Dockerfile-alpine.template | 2 +-
 Dockerfile-debian.template | 2 +-
 docker-entrypoint.sh | 22 +++++++++++++++-------
 23 files changed, 177 insertions(+), 89 deletions(-)
diff --git a/9.2/Dockerfile b/9.2/Dockerfile
index 3ebbd28c30..1083962d9f 100644
--- a/9.2/Dockerfile
+++ b/9.2/Dockerfile
@@ -58,7 +58,7 @@ RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgres
 ENV PATH /usr/lib/postgresql/$PG_MAJOR/bin:$PATH
 ENV PGDATA /var/lib/postgresql/data
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 700 "$PGDATA"
+RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
 VOLUME /var/lib/postgresql/data
 COPY docker-entrypoint.sh /
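Review bot: The trailing comment on the new `RUN` line promises the 777 mode is replaced by 700 at runtime, but the entrypoint only runs `chmod 700 "$PGDATA"` on its root path; when the container is started with `--user` nothing in the entrypoint tightens the mode, so the image ships a world-writable data directory (and an anonymous volume inherits that mode from the layer) until `initdb` fixes permissions on first initialization. The comment should state that dependency rather than an unconditional promise, e.g. `# 777 is tightened to 700 by the entrypoint (as root) or by initdb on first init (non-root); allows semi-arbitrary "--user" values`. The same line is changed identically in 9.2/alpine/Dockerfile, the 9.3–9.6 Dockerfiles (debian and alpine) and both Dockerfile-*.template files.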
diff --git a/9.2/alpine/Dockerfile b/9.2/alpine/Dockerfile
index 2c215321e6..93a71d8043 100644
--- a/9.2/alpine/Dockerfile
+++ b/9.2/alpine/Dockerfile
@@ -122,7 +122,7 @@ RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgres
 ENV PATH /usr/lib/postgresql/$PG_MAJOR/bin:$PATH
 ENV PGDATA /var/lib/postgresql/data
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 700 "$PGDATA"
+RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
 VOLUME /var/lib/postgresql/data
 COPY docker-entrypoint.sh /
diff --git a/9.2/alpine/docker-entrypoint.sh b/9.2/alpine/docker-entrypoint.sh
index fb0a284618..3ef8a645e1 100755
--- a/9.2/alpine/docker-entrypoint.sh
+++ b/9.2/alpine/docker-entrypoint.sh
@@ -27,7 +27,8 @@ if [ "${1:0:1}" = '-' ]; then
 set -- postgres "$@"
 fi
-if [ "$1" = 'postgres' ]; then
+# allow the container to be started with `--user`
+if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
 mkdir -p "$PGDATA"
 chown -R postgres "$PGDATA"
 chmod 700 "$PGDATA"
@@ -36,11 +37,18 @@ if [ "$1" = 'postgres' ]; then
 chown -R postgres /var/run/postgresql
 chmod g+s /var/run/postgresql
+ exec su-exec postgres "$BASH_SOURCE" "$@"
+fi
+
+if [ "$1" = 'postgres' ]; then
+ mkdir -p "$PGDATA"
 # look specifically for PG_VERSION, as it is expected in the DB dir
 if [ ! -s "$PGDATA/PG_VERSION" ]; then
+ chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :
+
 file_env 'POSTGRES_INITDB_ARGS'
- eval "su-exec postgres initdb $POSTGRES_INITDB_ARGS"
+ eval "initdb --username=postgres $POSTGRES_INITDB_ARGS"
 # check password first so we can output the warning before postgres
 # messes it up
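Review bot: The new non-root branch runs `initdb` without checking the precondition the commit message itself states, that the current uid must exist in `/etc/passwd`; when it does not, the only feedback is initdb's own error after `mkdir -p` and the silenced `chown`. A guard before `file_env 'POSTGRES_INITDB_ARGS'` with an explicit message would make the `--user` caveat visible at the point of failure, e.g. `id -un >/dev/null 2>&1 || { echo >&2 "error: initdb needs the current uid ($(id -u)) to have an /etc/passwd entry"; exit 1; }` (confirm `id -un` fails the same way under busybox in the alpine variant). The `chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :` line also deserves a one-line comment saying it is deliberately best-effort, presumably because a volume owned by another uid cannot be chowned by an unprivileged user and that is not fatal. The same hunk appears in 9.2/docker-entrypoint.sh, all 9.3–9.6 entrypoints (debian and alpine) and the top-level docker-entrypoint.sh.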
@@ -68,11 +76,12 @@ if [ "$1" = 'postgres' ]; then
 authMethod=trust
 fi
- { echo; echo "host all all all $authMethod"; } | su-exec postgres tee -a "$PGDATA/pg_hba.conf" > /dev/null
+ { echo; echo "host all all all $authMethod"; } | tee -a "$PGDATA/pg_hba.conf" > /dev/null
 # internal start of server in order to allow set-up using psql-client
 # does not listen on external TCP/IP and waits until start finishes
- su-exec postgres pg_ctl -D "$PGDATA" \
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" \
 -o "-c listen_addresses='localhost'" \
 -w start
@@ -111,14 +120,13 @@ if [ "$1" = 'postgres' ]; then
 echo
 done
- su-exec postgres pg_ctl -D "$PGDATA" -m fast -w stop
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
 echo
 echo 'PostgreSQL init process complete; ready for start up.'
 echo
 fi
-
- exec su-exec postgres "$@"
 fi
 exec "$@"
diff --git a/9.2/docker-entrypoint.sh b/9.2/docker-entrypoint.sh
index 2402797939..d74eb4e66c 100755
--- a/9.2/docker-entrypoint.sh
+++ b/9.2/docker-entrypoint.sh
@@ -27,7 +27,8 @@ if [ "${1:0:1}" = '-' ]; then
 set -- postgres "$@"
 fi
-if [ "$1" = 'postgres' ]; then
+# allow the container to be started with `--user`
+if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
 mkdir -p "$PGDATA"
 chown -R postgres "$PGDATA"
 chmod 700 "$PGDATA"
@@ -36,11 +37,18 @@ if [ "$1" = 'postgres' ]; then
 chown -R postgres /var/run/postgresql
 chmod g+s /var/run/postgresql
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+if [ "$1" = 'postgres' ]; then
+ mkdir -p "$PGDATA"
 # look specifically for PG_VERSION, as it is expected in the DB dir
 if [ ! -s "$PGDATA/PG_VERSION" ]; then
+ chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :
+
 file_env 'POSTGRES_INITDB_ARGS'
- eval "gosu postgres initdb $POSTGRES_INITDB_ARGS"
+ eval "initdb --username=postgres $POSTGRES_INITDB_ARGS"
 # check password first so we can output the warning before postgres
 # messes it up
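Review bot: `PGUSER="${PGUSER:-postgres}"` is set inline for the `pg_ctl ... -w start` call in the @@ -68 hunk and repeated verbatim for the `pg_ctl ... stop` call in the @@ -111 hunk, with no comment on why a client username is now needed (presumably because libpq would otherwise default to the OS user name, which is no longer `postgres` under `--user`). Setting it once just before the internal start, e.g. `export PGUSER="${PGUSER:-postgres}"`, keeps both call sites in sync and is the natural place for a comment noting that the role must match the `--username=postgres` passed to initdb in the previous hunk. If exporting into the later `exec "$@"` is unwanted, a plain shell variable with `PGUSER="$pguser" pg_ctl ...` at both sites works too. The enclosing `if [ "$1" = 'postgres' ]` block starts and ends outside these hunks, and the same duplication is in every other docker-entrypoint.sh copy in the patch.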
@@ -68,11 +76,12 @@ if [ "$1" = 'postgres' ]; then
 authMethod=trust
 fi
- { echo; echo "host all all all $authMethod"; } | gosu postgres tee -a "$PGDATA/pg_hba.conf" > /dev/null
+ { echo; echo "host all all all $authMethod"; } | tee -a "$PGDATA/pg_hba.conf" > /dev/null
 # internal start of server in order to allow set-up using psql-client
 # does not listen on external TCP/IP and waits until start finishes
- gosu postgres pg_ctl -D "$PGDATA" \
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" \
 -o "-c listen_addresses='localhost'" \
 -w start
@@ -111,14 +120,13 @@ if [ "$1" = 'postgres' ]; then
 echo
 done
- gosu postgres pg_ctl -D "$PGDATA" -m fast -w stop
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
 echo
 echo 'PostgreSQL init process complete; ready for start up.'
 echo
 fi
-
- exec gosu postgres "$@"
 fi
 exec "$@"
diff --git a/9.3/Dockerfile b/9.3/Dockerfile
index eb72171ee4..3e03a4bafc 100644
--- a/9.3/Dockerfile
+++ b/9.3/Dockerfile
@@ -58,7 +58,7 @@ RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgres
 ENV PATH /usr/lib/postgresql/$PG_MAJOR/bin:$PATH
 ENV PGDATA /var/lib/postgresql/data
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 700 "$PGDATA"
+RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
 VOLUME /var/lib/postgresql/data
 COPY docker-entrypoint.sh /
diff --git a/9.3/alpine/Dockerfile b/9.3/alpine/Dockerfile
index 26b90e078d..2bb81faa7b 100644
--- a/9.3/alpine/Dockerfile
+++ b/9.3/alpine/Dockerfile
@@ -122,7 +122,7 @@ RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgres
 ENV PATH /usr/lib/postgresql/$PG_MAJOR/bin:$PATH
 ENV PGDATA /var/lib/postgresql/data
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 700 "$PGDATA"
+RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
 VOLUME /var/lib/postgresql/data
 COPY docker-entrypoint.sh /
diff --git a/9.3/alpine/docker-entrypoint.sh b/9.3/alpine/docker-entrypoint.sh
index fb0a284618..3ef8a645e1 100755
--- a/9.3/alpine/docker-entrypoint.sh
+++ b/9.3/alpine/docker-entrypoint.sh
@@ -27,7 +27,8 @@ if [ "${1:0:1}" = '-' ]; then
 set -- postgres "$@"
 fi
-if [ "$1" = 'postgres' ]; then
+# allow the container to be started with `--user`
+if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
 mkdir -p "$PGDATA"
 chown -R postgres "$PGDATA"
 chmod 700 "$PGDATA"
@@ -36,11 +37,18 @@ if [ "$1" = 'postgres' ]; then
 chown -R postgres /var/run/postgresql
 chmod g+s /var/run/postgresql
+ exec su-exec postgres "$BASH_SOURCE" "$@"
+fi
+
+if [ "$1" = 'postgres' ]; then
+ mkdir -p "$PGDATA"
 # look specifically for PG_VERSION, as it is expected in the DB dir
 if [ ! -s "$PGDATA/PG_VERSION" ]; then
+ chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :
+
 file_env 'POSTGRES_INITDB_ARGS'
- eval "su-exec postgres initdb $POSTGRES_INITDB_ARGS"
+ eval "initdb --username=postgres $POSTGRES_INITDB_ARGS"
 # check password first so we can output the warning before postgres
 # messes it up
@@ -68,11 +76,12 @@ if [ "$1" = 'postgres' ]; then
 authMethod=trust
 fi
- { echo; echo "host all all all $authMethod"; } | su-exec postgres tee -a "$PGDATA/pg_hba.conf" > /dev/null
+ { echo; echo "host all all all $authMethod"; } | tee -a "$PGDATA/pg_hba.conf" > /dev/null
 # internal start of server in order to allow set-up using psql-client
 # does not listen on external TCP/IP and waits until start finishes
- su-exec postgres pg_ctl -D "$PGDATA" \
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" \
 -o "-c listen_addresses='localhost'" \
 -w start
@@ -111,14 +120,13 @@ if [ "$1" = 'postgres' ]; then
 echo
 done
- su-exec postgres pg_ctl -D "$PGDATA" -m fast -w stop
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
 echo
 echo 'PostgreSQL init process complete; ready for start up.'
 echo
 fi
-
- exec su-exec postgres "$@"
 fi
 exec "$@"
diff --git a/9.3/docker-entrypoint.sh b/9.3/docker-entrypoint.sh
index 2402797939..d74eb4e66c 100755
--- a/9.3/docker-entrypoint.sh
+++ b/9.3/docker-entrypoint.sh
@@ -27,7 +27,8 @@ if [ "${1:0:1}" = '-' ]; then
 set -- postgres "$@"
 fi
-if [ "$1" = 'postgres' ]; then
+# allow the container to be started with `--user`
+if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
 mkdir -p "$PGDATA"
 chown -R postgres "$PGDATA"
 chmod 700 "$PGDATA"
@@ -36,11 +37,18 @@ if [ "$1" = 'postgres' ]; then
 chown -R postgres /var/run/postgresql
 chmod g+s /var/run/postgresql
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+if [ "$1" = 'postgres' ]; then
+ mkdir -p "$PGDATA"
 # look specifically for PG_VERSION, as it is expected in the DB dir
 if [ ! -s "$PGDATA/PG_VERSION" ]; then
+ chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :
+
 file_env 'POSTGRES_INITDB_ARGS'
- eval "gosu postgres initdb $POSTGRES_INITDB_ARGS"
+ eval "initdb --username=postgres $POSTGRES_INITDB_ARGS"
 # check password first so we can output the warning before postgres
 # messes it up
@@ -68,11 +76,12 @@ if [ "$1" = 'postgres' ]; then
 authMethod=trust
 fi
- { echo; echo "host all all all $authMethod"; } | gosu postgres tee -a "$PGDATA/pg_hba.conf" > /dev/null
+ { echo; echo "host all all all $authMethod"; } | tee -a "$PGDATA/pg_hba.conf" > /dev/null
 # internal start of server in order to allow set-up using psql-client
 # does not listen on external TCP/IP and waits until start finishes
- gosu postgres pg_ctl -D "$PGDATA" \
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" \
 -o "-c listen_addresses='localhost'" \
 -w start
@@ -111,14 +120,13 @@ if [ "$1" = 'postgres' ]; then
 echo
 done
- gosu postgres pg_ctl -D "$PGDATA" -m fast -w stop
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
 echo
 echo 'PostgreSQL init process complete; ready for start up.'
 echo
 fi
-
- exec gosu postgres "$@"
 fi
 exec "$@"
diff --git a/9.4/Dockerfile b/9.4/Dockerfile
index 384e4f5781..fa82c6820c 100644
--- a/9.4/Dockerfile
+++ b/9.4/Dockerfile
@@ -58,7 +58,7 @@ RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgres
 ENV PATH /usr/lib/postgresql/$PG_MAJOR/bin:$PATH
 ENV PGDATA /var/lib/postgresql/data
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 700 "$PGDATA"
+RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
 VOLUME /var/lib/postgresql/data
 COPY docker-entrypoint.sh /
diff --git a/9.4/alpine/Dockerfile b/9.4/alpine/Dockerfile
index 993c0b41ce..3ee227fd9f 100644
--- a/9.4/alpine/Dockerfile
+++ b/9.4/alpine/Dockerfile
@@ -122,7 +122,7 @@ RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgres
 ENV PATH /usr/lib/postgresql/$PG_MAJOR/bin:$PATH
 ENV PGDATA /var/lib/postgresql/data
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 700 "$PGDATA"
+RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
 VOLUME /var/lib/postgresql/data
 COPY docker-entrypoint.sh /
diff --git a/9.4/alpine/docker-entrypoint.sh b/9.4/alpine/docker-entrypoint.sh
index fb0a284618..3ef8a645e1 100755
--- a/9.4/alpine/docker-entrypoint.sh
+++ b/9.4/alpine/docker-entrypoint.sh
@@ -27,7 +27,8 @@ if [ "${1:0:1}" = '-' ]; then
 set -- postgres "$@"
 fi
-if [ "$1" = 'postgres' ]; then
+# allow the container to be started with `--user`
+if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
 mkdir -p "$PGDATA"
 chown -R postgres "$PGDATA"
 chmod 700 "$PGDATA"
@@ -36,11 +37,18 @@ if [ "$1" = 'postgres' ]; then
 chown -R postgres /var/run/postgresql
 chmod g+s /var/run/postgresql
+ exec su-exec postgres "$BASH_SOURCE" "$@"
+fi
+
+if [ "$1" = 'postgres' ]; then
+ mkdir -p "$PGDATA"
 # look specifically for PG_VERSION, as it is expected in the DB dir
 if [ ! -s "$PGDATA/PG_VERSION" ]; then
+ chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :
+
 file_env 'POSTGRES_INITDB_ARGS'
- eval "su-exec postgres initdb $POSTGRES_INITDB_ARGS"
+ eval "initdb --username=postgres $POSTGRES_INITDB_ARGS"
 # check password first so we can output the warning before postgres
 # messes it up
@@ -68,11 +76,12 @@ if [ "$1" = 'postgres' ]; then
 authMethod=trust
 fi
- { echo; echo "host all all all $authMethod"; } | su-exec postgres tee -a "$PGDATA/pg_hba.conf" > /dev/null
+ { echo; echo "host all all all $authMethod"; } | tee -a "$PGDATA/pg_hba.conf" > /dev/null
 # internal start of server in order to allow set-up using psql-client
 # does not listen on external TCP/IP and waits until start finishes
- su-exec postgres pg_ctl -D "$PGDATA" \
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" \
 -o "-c listen_addresses='localhost'" \
 -w start
@@ -111,14 +120,13 @@ if [ "$1" = 'postgres' ]; then
 echo
 done
- su-exec postgres pg_ctl -D "$PGDATA" -m fast -w stop
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
 echo
 echo 'PostgreSQL init process complete; ready for start up.'
 echo
 fi
-
- exec su-exec postgres "$@"
 fi
 exec "$@"
diff --git a/9.4/docker-entrypoint.sh b/9.4/docker-entrypoint.sh
index 2402797939..d74eb4e66c 100755
--- a/9.4/docker-entrypoint.sh
+++ b/9.4/docker-entrypoint.sh
@@ -27,7 +27,8 @@ if [ "${1:0:1}" = '-' ]; then
 set -- postgres "$@"
 fi
-if [ "$1" = 'postgres' ]; then
+# allow the container to be started with `--user`
+if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
 mkdir -p "$PGDATA"
 chown -R postgres "$PGDATA"
 chmod 700 "$PGDATA"
@@ -36,11 +37,18 @@ if [ "$1" = 'postgres' ]; then
 chown -R postgres /var/run/postgresql
 chmod g+s /var/run/postgresql
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+if [ "$1" = 'postgres' ]; then
+ mkdir -p "$PGDATA"
 # look specifically for PG_VERSION, as it is expected in the DB dir
 if [ ! -s "$PGDATA/PG_VERSION" ]; then
+ chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :
+
 file_env 'POSTGRES_INITDB_ARGS'
- eval "gosu postgres initdb $POSTGRES_INITDB_ARGS"
+ eval "initdb --username=postgres $POSTGRES_INITDB_ARGS"
 # check password first so we can output the warning before postgres
 # messes it up
@@ -68,11 +76,12 @@ if [ "$1" = 'postgres' ]; then
 authMethod=trust
 fi
- { echo; echo "host all all all $authMethod"; } | gosu postgres tee -a "$PGDATA/pg_hba.conf" > /dev/null
+ { echo; echo "host all all all $authMethod"; } | tee -a "$PGDATA/pg_hba.conf" > /dev/null
 # internal start of server in order to allow set-up using psql-client
 # does not listen on external TCP/IP and waits until start finishes
- gosu postgres pg_ctl -D "$PGDATA" \
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" \
 -o "-c listen_addresses='localhost'" \
 -w start
@@ -111,14 +120,13 @@ if [ "$1" = 'postgres' ]; then
 echo
 done
- gosu postgres pg_ctl -D "$PGDATA" -m fast -w stop
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
 echo
 echo 'PostgreSQL init process complete; ready for start up.'
 echo
 fi
-
- exec gosu postgres "$@"
 fi
 exec "$@"
diff --git a/9.5/Dockerfile b/9.5/Dockerfile
index bce896a72f..d58d18dd8a 100644
--- a/9.5/Dockerfile
+++ b/9.5/Dockerfile
@@ -58,7 +58,7 @@ RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgres
 ENV PATH /usr/lib/postgresql/$PG_MAJOR/bin:$PATH
 ENV PGDATA /var/lib/postgresql/data
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 700 "$PGDATA"
+RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
 VOLUME /var/lib/postgresql/data
 COPY docker-entrypoint.sh /
diff --git a/9.5/alpine/Dockerfile b/9.5/alpine/Dockerfile
index 0f33b19c7a..6572a6d298 100644
--- a/9.5/alpine/Dockerfile
+++ b/9.5/alpine/Dockerfile
@@ -122,7 +122,7 @@ RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgres
 ENV PATH /usr/lib/postgresql/$PG_MAJOR/bin:$PATH
 ENV PGDATA /var/lib/postgresql/data
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 700 "$PGDATA"
+RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
 VOLUME /var/lib/postgresql/data
 COPY docker-entrypoint.sh /
diff --git a/9.5/alpine/docker-entrypoint.sh b/9.5/alpine/docker-entrypoint.sh
index fb0a284618..3ef8a645e1 100755
--- a/9.5/alpine/docker-entrypoint.sh
+++ b/9.5/alpine/docker-entrypoint.sh
@@ -27,7 +27,8 @@ if [ "${1:0:1}" = '-' ]; then
 set -- postgres "$@"
 fi
-if [ "$1" = 'postgres' ]; then
+# allow the container to be started with `--user`
+if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
 mkdir -p "$PGDATA"
 chown -R postgres "$PGDATA"
 chmod 700 "$PGDATA"
@@ -36,11 +37,18 @@ if [ "$1" = 'postgres' ]; then
 chown -R postgres /var/run/postgresql
 chmod g+s /var/run/postgresql
+ exec su-exec postgres "$BASH_SOURCE" "$@"
+fi
+
+if [ "$1" = 'postgres' ]; then
+ mkdir -p "$PGDATA"
 # look specifically for PG_VERSION, as it is expected in the DB dir
 if [ ! -s "$PGDATA/PG_VERSION" ]; then
+ chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :
+
 file_env 'POSTGRES_INITDB_ARGS'
- eval "su-exec postgres initdb $POSTGRES_INITDB_ARGS"
+ eval "initdb --username=postgres $POSTGRES_INITDB_ARGS"
 # check password first so we can output the warning before postgres
 # messes it up
@@ -68,11 +76,12 @@ if [ "$1" = 'postgres' ]; then
 authMethod=trust
 fi
- { echo; echo "host all all all $authMethod"; } | su-exec postgres tee -a "$PGDATA/pg_hba.conf" > /dev/null
+ { echo; echo "host all all all $authMethod"; } | tee -a "$PGDATA/pg_hba.conf" > /dev/null
 # internal start of server in order to allow set-up using psql-client
 # does not listen on external TCP/IP and waits until start finishes
- su-exec postgres pg_ctl -D "$PGDATA" \
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" \
 -o "-c listen_addresses='localhost'" \
 -w start
@@ -111,14 +120,13 @@ if [ "$1" = 'postgres' ]; then
 echo
 done
- su-exec postgres pg_ctl -D "$PGDATA" -m fast -w stop
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
 echo
 echo 'PostgreSQL init process complete; ready for start up.'
 echo
 fi
-
- exec su-exec postgres "$@"
 fi
 exec "$@"
diff --git a/9.5/docker-entrypoint.sh b/9.5/docker-entrypoint.sh
index 2402797939..d74eb4e66c 100755
--- a/9.5/docker-entrypoint.sh
+++ b/9.5/docker-entrypoint.sh
@@ -27,7 +27,8 @@ if [ "${1:0:1}" = '-' ]; then
 set -- postgres "$@"
 fi
-if [ "$1" = 'postgres' ]; then
+# allow the container to be started with `--user`
+if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
 mkdir -p "$PGDATA"
 chown -R postgres "$PGDATA"
 chmod 700 "$PGDATA"
@@ -36,11 +37,18 @@ if [ "$1" = 'postgres' ]; then
 chown -R postgres /var/run/postgresql
 chmod g+s /var/run/postgresql
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+if [ "$1" = 'postgres' ]; then
+ mkdir -p "$PGDATA"
 # look specifically for PG_VERSION, as it is expected in the DB dir
 if [ ! -s "$PGDATA/PG_VERSION" ]; then
+ chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :
+
 file_env 'POSTGRES_INITDB_ARGS'
- eval "gosu postgres initdb $POSTGRES_INITDB_ARGS"
+ eval "initdb --username=postgres $POSTGRES_INITDB_ARGS"
 # check password first so we can output the warning before postgres
 # messes it up
@@ -68,11 +76,12 @@ if [ "$1" = 'postgres' ]; then
 authMethod=trust
 fi
- { echo; echo "host all all all $authMethod"; } | gosu postgres tee -a "$PGDATA/pg_hba.conf" > /dev/null
+ { echo; echo "host all all all $authMethod"; } | tee -a "$PGDATA/pg_hba.conf" > /dev/null
 # internal start of server in order to allow set-up using psql-client
 # does not listen on external TCP/IP and waits until start finishes
- gosu postgres pg_ctl -D "$PGDATA" \
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" \
 -o "-c listen_addresses='localhost'" \
 -w start
@@ -111,14 +120,13 @@ if [ "$1" = 'postgres' ]; then
 echo
 done
- gosu postgres pg_ctl -D "$PGDATA" -m fast -w stop
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
 echo
 echo 'PostgreSQL init process complete; ready for start up.'
 echo
 fi
-
- exec gosu postgres "$@"
 fi
 exec "$@"
diff --git a/9.6/Dockerfile b/9.6/Dockerfile
index e939475dfd..4116d3b0d3 100644
--- a/9.6/Dockerfile
+++ b/9.6/Dockerfile
@@ -58,7 +58,7 @@ RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgres
 ENV PATH /usr/lib/postgresql/$PG_MAJOR/bin:$PATH
 ENV PGDATA /var/lib/postgresql/data
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 700 "$PGDATA"
+RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
 VOLUME /var/lib/postgresql/data
 COPY docker-entrypoint.sh /
diff --git a/9.6/alpine/Dockerfile b/9.6/alpine/Dockerfile
index 0217c65da9..a5095f1698 100644
--- a/9.6/alpine/Dockerfile
+++ b/9.6/alpine/Dockerfile
@@ -122,7 +122,7 @@ RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgres
 ENV PATH /usr/lib/postgresql/$PG_MAJOR/bin:$PATH
 ENV PGDATA /var/lib/postgresql/data
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 700 "$PGDATA"
+RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
 VOLUME /var/lib/postgresql/data
 COPY docker-entrypoint.sh /
diff --git a/9.6/alpine/docker-entrypoint.sh b/9.6/alpine/docker-entrypoint.sh
index fb0a284618..3ef8a645e1 100755
--- a/9.6/alpine/docker-entrypoint.sh
+++ b/9.6/alpine/docker-entrypoint.sh
@@ -27,7 +27,8 @@ if [ "${1:0:1}" = '-' ]; then
 set -- postgres "$@"
 fi
-if [ "$1" = 'postgres' ]; then
+# allow the container to be started with `--user`
+if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
 mkdir -p "$PGDATA"
 chown -R postgres "$PGDATA"
 chmod 700 "$PGDATA"
@@ -36,11 +37,18 @@ if [ "$1" = 'postgres' ]; then
 chown -R postgres /var/run/postgresql
 chmod g+s /var/run/postgresql
+ exec su-exec postgres "$BASH_SOURCE" "$@"
+fi
+
+if [ "$1" = 'postgres' ]; then
+ mkdir -p "$PGDATA"
 # look specifically for PG_VERSION, as it is expected in the DB dir
 if [ ! -s "$PGDATA/PG_VERSION" ]; then
+ chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :
+
 file_env 'POSTGRES_INITDB_ARGS'
- eval "su-exec postgres initdb $POSTGRES_INITDB_ARGS"
+ eval "initdb --username=postgres $POSTGRES_INITDB_ARGS"
 # check password first so we can output the warning before postgres
 # messes it up
@@ -68,11 +76,12 @@ if [ "$1" = 'postgres' ]; then
 authMethod=trust
 fi
- { echo; echo "host all all all $authMethod"; } | su-exec postgres tee -a "$PGDATA/pg_hba.conf" > /dev/null
+ { echo; echo "host all all all $authMethod"; } | tee -a "$PGDATA/pg_hba.conf" > /dev/null
 # internal start of server in order to allow set-up using psql-client
 # does not listen on external TCP/IP and waits until start finishes
- su-exec postgres pg_ctl -D "$PGDATA" \
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" \
 -o "-c listen_addresses='localhost'" \
 -w start
@@ -111,14 +120,13 @@ if [ "$1" = 'postgres' ]; then
 echo
 done
- su-exec postgres pg_ctl -D "$PGDATA" -m fast -w stop
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
 echo
 echo 'PostgreSQL init process complete; ready for start up.'
 echo
 fi
-
- exec su-exec postgres "$@"
 fi
 exec "$@"
diff --git a/9.6/docker-entrypoint.sh b/9.6/docker-entrypoint.sh
index 2402797939..d74eb4e66c 100755
--- a/9.6/docker-entrypoint.sh
+++ b/9.6/docker-entrypoint.sh
@@ -27,7 +27,8 @@ if [ "${1:0:1}" = '-' ]; then
 set -- postgres "$@"
 fi
-if [ "$1" = 'postgres' ]; then
+# allow the container to be started with `--user`
+if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
 mkdir -p "$PGDATA"
 chown -R postgres "$PGDATA"
 chmod 700 "$PGDATA"
@@ -36,11 +37,18 @@ if [ "$1" = 'postgres' ]; then
 chown -R postgres /var/run/postgresql
 chmod g+s /var/run/postgresql
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+if [ "$1" = 'postgres' ]; then
+ mkdir -p "$PGDATA"
 # look specifically for PG_VERSION, as it is expected in the DB dir
 if [ ! -s "$PGDATA/PG_VERSION" ]; then
+ chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :
+
 file_env 'POSTGRES_INITDB_ARGS'
- eval "gosu postgres initdb $POSTGRES_INITDB_ARGS"
+ eval "initdb --username=postgres $POSTGRES_INITDB_ARGS"
 # check password first so we can output the warning before postgres
 # messes it up
@@ -68,11 +76,12 @@ if [ "$1" = 'postgres' ]; then
 authMethod=trust
 fi
- { echo; echo "host all all all $authMethod"; } | gosu postgres tee -a "$PGDATA/pg_hba.conf" > /dev/null
+ { echo; echo "host all all all $authMethod"; } | tee -a "$PGDATA/pg_hba.conf" > /dev/null
 # internal start of server in order to allow set-up using psql-client
 # does not listen on external TCP/IP and waits until start finishes
- gosu postgres pg_ctl -D "$PGDATA" \
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" \
 -o "-c listen_addresses='localhost'" \
 -w start
@@ -111,14 +120,13 @@ if [ "$1" = 'postgres' ]; then
 echo
 done
- gosu postgres pg_ctl -D "$PGDATA" -m fast -w stop
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
 echo
 echo 'PostgreSQL init process complete; ready for start up.'
 echo
 fi
-
- exec gosu postgres "$@"
 fi
 exec "$@"
diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template
index 45f01bd529..ec82346d8e 100644
--- a/Dockerfile-alpine.template
+++ b/Dockerfile-alpine.template
@@ -122,7 +122,7 @@ RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgres
 ENV PATH /usr/lib/postgresql/$PG_MAJOR/bin:$PATH
 ENV PGDATA /var/lib/postgresql/data
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 700 "$PGDATA"
+RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
 VOLUME /var/lib/postgresql/data
 COPY docker-entrypoint.sh /
diff --git a/Dockerfile-debian.template b/Dockerfile-debian.template
index d9dd6cd309..e07588a01b 100644
--- a/Dockerfile-debian.template
+++ b/Dockerfile-debian.template
@@ -58,7 +58,7 @@ RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgres
 ENV PATH /usr/lib/postgresql/$PG_MAJOR/bin:$PATH
 ENV PGDATA /var/lib/postgresql/data
-RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 700 "$PGDATA"
+RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA" # this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
 VOLUME /var/lib/postgresql/data
 COPY docker-entrypoint.sh /
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 2402797939..d74eb4e66c 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -27,7 +27,8 @@ if [ "${1:0:1}" = '-' ]; then
 set -- postgres "$@"
 fi
-if [ "$1" = 'postgres' ]; then
+# allow the container to be started with `--user`
+if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then
 mkdir -p "$PGDATA"
 chown -R postgres "$PGDATA"
 chmod 700 "$PGDATA"
@@ -36,11 +37,18 @@ if [ "$1" = 'postgres' ]; then
 chown -R postgres /var/run/postgresql
 chmod g+s /var/run/postgresql
+ exec gosu postgres "$BASH_SOURCE" "$@"
+fi
+
+if [ "$1" = 'postgres' ]; then
+ mkdir -p "$PGDATA"
 # look specifically for PG_VERSION, as it is expected in the DB dir
 if [ ! -s "$PGDATA/PG_VERSION" ]; then
+ chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :
+
 file_env 'POSTGRES_INITDB_ARGS'
- eval "gosu postgres initdb $POSTGRES_INITDB_ARGS"
+ eval "initdb --username=postgres $POSTGRES_INITDB_ARGS"
 # check password first so we can output the warning before postgres
 # messes it up
@@ -68,11 +76,12 @@ if [ "$1" = 'postgres' ]; then
 authMethod=trust
 fi
- { echo; echo "host all all all $authMethod"; } | gosu postgres tee -a "$PGDATA/pg_hba.conf" > /dev/null
+ { echo; echo "host all all all $authMethod"; } | tee -a "$PGDATA/pg_hba.conf" > /dev/null
 # internal start of server in order to allow set-up using psql-client
 # does not listen on external TCP/IP and waits until start finishes
- gosu postgres pg_ctl -D "$PGDATA" \
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" \
 -o "-c listen_addresses='localhost'" \
 -w start
@@ -111,14 +120,13 @@ if [ "$1" = 'postgres' ]; then
 echo
 done
- gosu postgres pg_ctl -D "$PGDATA" -m fast -w stop
+ PGUSER="${PGUSER:-postgres}" \
+ pg_ctl -D "$PGDATA" -m fast -w stop
 echo
 echo 'PostgreSQL init process complete; ready for start up.'
 echo
 fi
-
- exec gosu postgres "$@"
 fi
 exec "$@"