diff --git a/Dockerfile b/Dockerfile index d9c8572..eda5b95 100644 --- a/Dockerfile +++ b/Dockerfile @@ -74,6 +74,7 @@ RUN ARCH=$(uname -m) && \ yum -y reinstall tzdata && \ yum -y clean all --enablerepo='*' && \ localedef -f UTF-8 -i en_US en_US.UTF-8 && \ + chmod -R g+w /etc/pki/tls && \ test "$(id postgres)" = "uid=26(postgres) gid=26(postgres) groups=26(postgres)" && \ mkdir -p /var/lib/pgsql/data && \ /usr/libexec/fix-permissions /var/lib/pgsql /var/run/postgresql diff --git a/container-assets/miq-run-postgresql b/container-assets/miq-run-postgresql index 97df057..d1b11fc 100755 --- a/container-assets/miq-run-postgresql +++ b/container-assets/miq-run-postgresql @@ -6,4 +6,74 @@ do export "$(basename $file)=$(cat $file)" done -exec "/usr/bin/run-postgresql" + +# Original run-postgresql +export ENABLE_REPLICATION=${ENABLE_REPLICATION:-false} + +set -eu +export_vars=$(cgroup-limits) ; export $export_vars + +source "${CONTAINER_SCRIPTS_PATH}/common.sh" + +set_pgdata + +process_extending_files \ + "${APP_DATA}/src/postgresql-pre-start" \ + "${CONTAINER_SCRIPTS_PATH}/pre-start" + +check_env_vars +generate_passwd_file +generate_postgresql_config + +# MIQ conditionally inject SSL config +if [ -f /etc/pki/tls/private/server.key ]; then + echo "ssl = on" >> $POSTGRESQL_CONFIG_FILE + echo "ssl_cert_file = '/etc/pki/tls/certs/server.crt'" >> $POSTGRESQL_CONFIG_FILE + echo "ssl_key_file = '/etc/pki/tls/private/server.key'" >> $POSTGRESQL_CONFIG_FILE +fi + +# Is this brand new data volume? +PG_INITIALIZED=false + +if [ ! -f "$PGDATA/postgresql.conf" ]; then + initialize_database + PG_INITIALIZED=: +else + try_pgupgrade +fi + +# MIQ conditionally configure SSL listener +if [ -f /etc/pki/tls/private/server.key ]; then + # Can't do this before initialize_database + sed -i 's/host\(\b.*\)/hostssl\1/g' /var/lib/pgsql/data/userdata/pg_hba.conf +fi + +# Use insanely large timeout (24h) to ensure that the potential recovery has +# enough time here to happen (unless liveness probe kills us). Note that in +# case of server failure this command still exists immediately. +pg_ctl start -w --timeout 86400 -o "-h ''" + +# This is just a pedantic safety measure (the timeout above is unlikely to +# happen), but `pt_ctl -w` is not reliable prior to PostgreSQL v10 where it +# returns exit_status=0 even if the server is still starting. For more info +# see the issue#297 and +# https://www.postgresql.org/message-id/CAB7nPqSJs85wK9aknm%3D_jmS6GnH3SQBhpzKcqs8Qo2LhEg2etw%40mail.gmail.com +pg_isready + +if $PG_INITIALIZED ; then + process_extending_files \ + "${APP_DATA}/src/postgresql-init" \ + "${CONTAINER_SCRIPTS_PATH}/init" + migrate_db + create_users +fi + +process_extending_files \ + "${APP_DATA}/src/postgresql-start" \ + "${CONTAINER_SCRIPTS_PATH}/start" + +pg_ctl stop + +unset_env_vars +echo "Starting server..." +exec postgres "$@" diff --git a/container-assets/on-start.sh b/container-assets/on-start.sh index 03df013..5830c44 100755 --- a/container-assets/on-start.sh +++ b/container-assets/on-start.sh @@ -1,7 +1,3 @@ #!/bin/bash psql --command "ALTER ROLE \"${POSTGRESQL_USER}\" SUPERUSER;" - -if [ -f /opt/app-root/src/certificates/server.key ]; then - sed -i 's/host\(\b.*\)/hostssl\1/g' /var/lib/pgsql/data/userdata/pg_hba.conf -fi diff --git a/container-assets/pre-start.sh b/container-assets/pre-start.sh index 4e79905..6f155a8 100755 --- a/container-assets/pre-start.sh +++ b/container-assets/pre-start.sh @@ -3,9 +3,10 @@ if [ ! -f /opt/app-root/src/certificates/server.key ]; then echo "Skipping SSL setup, key not found." else - cp /opt/app-root/src/certificates/server.crt /var/lib/pgsql/data/userdata/server.crt - cp /opt/app-root/src/certificates/server.key /var/lib/pgsql/data/userdata/server.key + echo "Copying SSL certificates to /etc/pki/ and fixing permissions" + cp /opt/app-root/src/certificates/server.crt /etc/pki/tls/certs/server.crt + cp /opt/app-root/src/certificates/server.key /etc/pki/tls/private/server.key # Postgresql server will reject key files with liberal permissions - chmod og-rwx /var/lib/pgsql/data/userdata/server.key + chmod og-rwx /etc/pki/tls/private/server.key fi