From fe89a60c9bda1f1e1627f6732fdfd90f4d410bd6 Mon Sep 17 00:00:00 2001 From: Tianon Gravi Date: Thu, 24 May 2018 11:39:50 -0700 Subject: [PATCH] Implement "nss_wrapper" for Debian variants --- 10/Dockerfile | 8 ++++++++ 10/alpine/docker-entrypoint.sh | 19 ++++++++++++++++++- 10/docker-entrypoint.sh | 19 ++++++++++++++++++- 9.3/Dockerfile | 8 ++++++++ 9.3/alpine/docker-entrypoint.sh | 19 ++++++++++++++++++- 9.3/docker-entrypoint.sh | 19 ++++++++++++++++++- 9.4/Dockerfile | 8 ++++++++ 9.4/alpine/docker-entrypoint.sh | 19 ++++++++++++++++++- 9.4/docker-entrypoint.sh | 19 ++++++++++++++++++- 9.5/Dockerfile | 8 ++++++++ 9.5/alpine/docker-entrypoint.sh | 19 ++++++++++++++++++- 9.5/docker-entrypoint.sh | 19 ++++++++++++++++++- 9.6/Dockerfile | 8 ++++++++ 9.6/alpine/docker-entrypoint.sh | 19 ++++++++++++++++++- 9.6/docker-entrypoint.sh | 19 ++++++++++++++++++- Dockerfile-debian.template | 8 ++++++++ docker-entrypoint.sh | 19 ++++++++++++++++++- 17 files changed, 246 insertions(+), 11 deletions(-) diff --git a/10/Dockerfile b/10/Dockerfile index 247e73c4ef..a7624394d2 100644 --- a/10/Dockerfile +++ b/10/Dockerfile @@ -40,6 +40,14 @@ RUN set -eux; \ localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8 ENV LANG en_US.utf8 +# install "nss_wrapper" in case we need to fake "/etc/passwd" and "/etc/group" (especially for OpenShift) +# https://github.com/docker-library/postgres/issues/359 +# https://cwrap.org/nss_wrapper.html +RUN set -eux; \ + apt-get update; \ + apt-get install -y --no-install-recommends libnss-wrapper; \ + rm -rf /var/lib/apt/lists/* + RUN mkdir /docker-entrypoint-initdb.d RUN set -ex; \ diff --git a/10/alpine/docker-entrypoint.sh b/10/alpine/docker-entrypoint.sh index 5d66ba8dd8..0b0daf8604 100755 --- a/10/alpine/docker-entrypoint.sh +++ b/10/alpine/docker-entrypoint.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash -set -e +set -Eeo pipefail +# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) # usage: file_env VAR [DEFAULT] # ie: file_env 'XYZ_DB_PASSWORD' 'example' @@ -54,12 +55,28 @@ if [ "$1" = 'postgres' ]; then # look specifically for PG_VERSION, as it is expected in the DB dir if [ ! -s "$PGDATA/PG_VERSION" ]; then + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi + file_env 'POSTGRES_INITDB_ARGS' if [ "$POSTGRES_INITDB_WALDIR" ]; then export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR" fi eval "initdb --username=postgres $POSTGRES_INITDB_ARGS" + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi + # check password first so we can output the warning before postgres # messes it up file_env 'POSTGRES_PASSWORD' diff --git a/10/docker-entrypoint.sh b/10/docker-entrypoint.sh index 000967a40c..ecd7458d58 100755 --- a/10/docker-entrypoint.sh +++ b/10/docker-entrypoint.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash -set -e +set -Eeo pipefail +# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) # usage: file_env VAR [DEFAULT] # ie: file_env 'XYZ_DB_PASSWORD' 'example' @@ -54,12 +55,28 @@ if [ "$1" = 'postgres' ]; then # look specifically for PG_VERSION, as it is expected in the DB dir if [ ! -s "$PGDATA/PG_VERSION" ]; then + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi + file_env 'POSTGRES_INITDB_ARGS' if [ "$POSTGRES_INITDB_WALDIR" ]; then export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR" fi eval "initdb --username=postgres $POSTGRES_INITDB_ARGS" + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi + # check password first so we can output the warning before postgres # messes it up file_env 'POSTGRES_PASSWORD' diff --git a/9.3/Dockerfile b/9.3/Dockerfile index dd586c4f16..b716d3cfa4 100644 --- a/9.3/Dockerfile +++ b/9.3/Dockerfile @@ -40,6 +40,14 @@ RUN set -eux; \ localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8 ENV LANG en_US.utf8 +# install "nss_wrapper" in case we need to fake "/etc/passwd" and "/etc/group" (especially for OpenShift) +# https://github.com/docker-library/postgres/issues/359 +# https://cwrap.org/nss_wrapper.html +RUN set -eux; \ + apt-get update; \ + apt-get install -y --no-install-recommends libnss-wrapper; \ + rm -rf /var/lib/apt/lists/* + RUN mkdir /docker-entrypoint-initdb.d RUN set -ex; \ diff --git a/9.3/alpine/docker-entrypoint.sh b/9.3/alpine/docker-entrypoint.sh index f217bf44d5..547adfbd87 100755 --- a/9.3/alpine/docker-entrypoint.sh +++ b/9.3/alpine/docker-entrypoint.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash -set -e +set -Eeo pipefail +# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) # usage: file_env VAR [DEFAULT] # ie: file_env 'XYZ_DB_PASSWORD' 'example' @@ -54,12 +55,28 @@ if [ "$1" = 'postgres' ]; then # look specifically for PG_VERSION, as it is expected in the DB dir if [ ! -s "$PGDATA/PG_VERSION" ]; then + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi + file_env 'POSTGRES_INITDB_ARGS' if [ "$POSTGRES_INITDB_XLOGDIR" ]; then export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR" fi eval "initdb --username=postgres $POSTGRES_INITDB_ARGS" + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi + # check password first so we can output the warning before postgres # messes it up file_env 'POSTGRES_PASSWORD' diff --git a/9.3/docker-entrypoint.sh b/9.3/docker-entrypoint.sh index bc132894f5..fbac223fc0 100755 --- a/9.3/docker-entrypoint.sh +++ b/9.3/docker-entrypoint.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash -set -e +set -Eeo pipefail +# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) # usage: file_env VAR [DEFAULT] # ie: file_env 'XYZ_DB_PASSWORD' 'example' @@ -54,12 +55,28 @@ if [ "$1" = 'postgres' ]; then # look specifically for PG_VERSION, as it is expected in the DB dir if [ ! -s "$PGDATA/PG_VERSION" ]; then + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi + file_env 'POSTGRES_INITDB_ARGS' if [ "$POSTGRES_INITDB_XLOGDIR" ]; then export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR" fi eval "initdb --username=postgres $POSTGRES_INITDB_ARGS" + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi + # check password first so we can output the warning before postgres # messes it up file_env 'POSTGRES_PASSWORD' diff --git a/9.4/Dockerfile b/9.4/Dockerfile index d8991a5a58..d4056fec8c 100644 --- a/9.4/Dockerfile +++ b/9.4/Dockerfile @@ -40,6 +40,14 @@ RUN set -eux; \ localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8 ENV LANG en_US.utf8 +# install "nss_wrapper" in case we need to fake "/etc/passwd" and "/etc/group" (especially for OpenShift) +# https://github.com/docker-library/postgres/issues/359 +# https://cwrap.org/nss_wrapper.html +RUN set -eux; \ + apt-get update; \ + apt-get install -y --no-install-recommends libnss-wrapper; \ + rm -rf /var/lib/apt/lists/* + RUN mkdir /docker-entrypoint-initdb.d RUN set -ex; \ diff --git a/9.4/alpine/docker-entrypoint.sh b/9.4/alpine/docker-entrypoint.sh index f217bf44d5..547adfbd87 100755 --- a/9.4/alpine/docker-entrypoint.sh +++ b/9.4/alpine/docker-entrypoint.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash -set -e +set -Eeo pipefail +# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) # usage: file_env VAR [DEFAULT] # ie: file_env 'XYZ_DB_PASSWORD' 'example' @@ -54,12 +55,28 @@ if [ "$1" = 'postgres' ]; then # look specifically for PG_VERSION, as it is expected in the DB dir if [ ! -s "$PGDATA/PG_VERSION" ]; then + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi + file_env 'POSTGRES_INITDB_ARGS' if [ "$POSTGRES_INITDB_XLOGDIR" ]; then export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR" fi eval "initdb --username=postgres $POSTGRES_INITDB_ARGS" + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi + # check password first so we can output the warning before postgres # messes it up file_env 'POSTGRES_PASSWORD' diff --git a/9.4/docker-entrypoint.sh b/9.4/docker-entrypoint.sh index bc132894f5..fbac223fc0 100755 --- a/9.4/docker-entrypoint.sh +++ b/9.4/docker-entrypoint.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash -set -e +set -Eeo pipefail +# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) # usage: file_env VAR [DEFAULT] # ie: file_env 'XYZ_DB_PASSWORD' 'example' @@ -54,12 +55,28 @@ if [ "$1" = 'postgres' ]; then # look specifically for PG_VERSION, as it is expected in the DB dir if [ ! -s "$PGDATA/PG_VERSION" ]; then + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi + file_env 'POSTGRES_INITDB_ARGS' if [ "$POSTGRES_INITDB_XLOGDIR" ]; then export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR" fi eval "initdb --username=postgres $POSTGRES_INITDB_ARGS" + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi + # check password first so we can output the warning before postgres # messes it up file_env 'POSTGRES_PASSWORD' diff --git a/9.5/Dockerfile b/9.5/Dockerfile index 47c0004f71..451d014578 100644 --- a/9.5/Dockerfile +++ b/9.5/Dockerfile @@ -40,6 +40,14 @@ RUN set -eux; \ localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8 ENV LANG en_US.utf8 +# install "nss_wrapper" in case we need to fake "/etc/passwd" and "/etc/group" (especially for OpenShift) +# https://github.com/docker-library/postgres/issues/359 +# https://cwrap.org/nss_wrapper.html +RUN set -eux; \ + apt-get update; \ + apt-get install -y --no-install-recommends libnss-wrapper; \ + rm -rf /var/lib/apt/lists/* + RUN mkdir /docker-entrypoint-initdb.d RUN set -ex; \ diff --git a/9.5/alpine/docker-entrypoint.sh b/9.5/alpine/docker-entrypoint.sh index f217bf44d5..547adfbd87 100755 --- a/9.5/alpine/docker-entrypoint.sh +++ b/9.5/alpine/docker-entrypoint.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash -set -e +set -Eeo pipefail +# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) # usage: file_env VAR [DEFAULT] # ie: file_env 'XYZ_DB_PASSWORD' 'example' @@ -54,12 +55,28 @@ if [ "$1" = 'postgres' ]; then # look specifically for PG_VERSION, as it is expected in the DB dir if [ ! -s "$PGDATA/PG_VERSION" ]; then + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi + file_env 'POSTGRES_INITDB_ARGS' if [ "$POSTGRES_INITDB_XLOGDIR" ]; then export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR" fi eval "initdb --username=postgres $POSTGRES_INITDB_ARGS" + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi + # check password first so we can output the warning before postgres # messes it up file_env 'POSTGRES_PASSWORD' diff --git a/9.5/docker-entrypoint.sh b/9.5/docker-entrypoint.sh index bc132894f5..fbac223fc0 100755 --- a/9.5/docker-entrypoint.sh +++ b/9.5/docker-entrypoint.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash -set -e +set -Eeo pipefail +# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) # usage: file_env VAR [DEFAULT] # ie: file_env 'XYZ_DB_PASSWORD' 'example' @@ -54,12 +55,28 @@ if [ "$1" = 'postgres' ]; then # look specifically for PG_VERSION, as it is expected in the DB dir if [ ! -s "$PGDATA/PG_VERSION" ]; then + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi + file_env 'POSTGRES_INITDB_ARGS' if [ "$POSTGRES_INITDB_XLOGDIR" ]; then export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR" fi eval "initdb --username=postgres $POSTGRES_INITDB_ARGS" + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi + # check password first so we can output the warning before postgres # messes it up file_env 'POSTGRES_PASSWORD' diff --git a/9.6/Dockerfile b/9.6/Dockerfile index a7efa980ed..77907dbe45 100644 --- a/9.6/Dockerfile +++ b/9.6/Dockerfile @@ -40,6 +40,14 @@ RUN set -eux; \ localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8 ENV LANG en_US.utf8 +# install "nss_wrapper" in case we need to fake "/etc/passwd" and "/etc/group" (especially for OpenShift) +# https://github.com/docker-library/postgres/issues/359 +# https://cwrap.org/nss_wrapper.html +RUN set -eux; \ + apt-get update; \ + apt-get install -y --no-install-recommends libnss-wrapper; \ + rm -rf /var/lib/apt/lists/* + RUN mkdir /docker-entrypoint-initdb.d RUN set -ex; \ diff --git a/9.6/alpine/docker-entrypoint.sh b/9.6/alpine/docker-entrypoint.sh index f217bf44d5..547adfbd87 100755 --- a/9.6/alpine/docker-entrypoint.sh +++ b/9.6/alpine/docker-entrypoint.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash -set -e +set -Eeo pipefail +# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) # usage: file_env VAR [DEFAULT] # ie: file_env 'XYZ_DB_PASSWORD' 'example' @@ -54,12 +55,28 @@ if [ "$1" = 'postgres' ]; then # look specifically for PG_VERSION, as it is expected in the DB dir if [ ! -s "$PGDATA/PG_VERSION" ]; then + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi + file_env 'POSTGRES_INITDB_ARGS' if [ "$POSTGRES_INITDB_XLOGDIR" ]; then export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR" fi eval "initdb --username=postgres $POSTGRES_INITDB_ARGS" + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi + # check password first so we can output the warning before postgres # messes it up file_env 'POSTGRES_PASSWORD' diff --git a/9.6/docker-entrypoint.sh b/9.6/docker-entrypoint.sh index bc132894f5..fbac223fc0 100755 --- a/9.6/docker-entrypoint.sh +++ b/9.6/docker-entrypoint.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash -set -e +set -Eeo pipefail +# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) # usage: file_env VAR [DEFAULT] # ie: file_env 'XYZ_DB_PASSWORD' 'example' @@ -54,12 +55,28 @@ if [ "$1" = 'postgres' ]; then # look specifically for PG_VERSION, as it is expected in the DB dir if [ ! -s "$PGDATA/PG_VERSION" ]; then + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi + file_env 'POSTGRES_INITDB_ARGS' if [ "$POSTGRES_INITDB_XLOGDIR" ]; then export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --xlogdir $POSTGRES_INITDB_XLOGDIR" fi eval "initdb --username=postgres $POSTGRES_INITDB_ARGS" + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi + # check password first so we can output the warning before postgres # messes it up file_env 'POSTGRES_PASSWORD' diff --git a/Dockerfile-debian.template b/Dockerfile-debian.template index d0f3ed1540..715d968bf3 100644 --- a/Dockerfile-debian.template +++ b/Dockerfile-debian.template @@ -40,6 +40,14 @@ RUN set -eux; \ localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8 ENV LANG en_US.utf8 +# install "nss_wrapper" in case we need to fake "/etc/passwd" and "/etc/group" (especially for OpenShift) +# https://github.com/docker-library/postgres/issues/359 +# https://cwrap.org/nss_wrapper.html +RUN set -eux; \ + apt-get update; \ + apt-get install -y --no-install-recommends libnss-wrapper; \ + rm -rf /var/lib/apt/lists/* + RUN mkdir /docker-entrypoint-initdb.d RUN set -ex; \ diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 000967a40c..ecd7458d58 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash -set -e +set -Eeo pipefail +# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) # usage: file_env VAR [DEFAULT] # ie: file_env 'XYZ_DB_PASSWORD' 'example' @@ -54,12 +55,28 @@ if [ "$1" = 'postgres' ]; then # look specifically for PG_VERSION, as it is expected in the DB dir if [ ! -s "$PGDATA/PG_VERSION" ]; then + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi + file_env 'POSTGRES_INITDB_ARGS' if [ "$POSTGRES_INITDB_WALDIR" ]; then export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR" fi eval "initdb --username=postgres $POSTGRES_INITDB_ARGS" + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi + # check password first so we can output the warning before postgres # messes it up file_env 'POSTGRES_PASSWORD'