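# syntax=docker/dockerfile:1.3
#
# Builds PostgreSQL from the source tree in the build context (./postgres —
# a tree with NSS TLS support: --with-ssl=nss and the ssl_database GUC) and
# packages it into a systemd-managed Fedora image. Non-loopback clients must
# present a TLS client certificate issued by the throwaway CA created below.
#
# Both stages must start from the *same* Fedora image: the binaries built in
# `builder` are dynamically linked against its libicu/nss/perl and a newer
# base in `final` may not be compatible. A bare `fedora` means `fedora:latest`,
# which can change between pulls; pass --build-arg FEDORA_TAG=<release> (and
# ideally a digest) for reproducible builds. The default keeps the previous
# behaviour.
ARG FEDORA_TAG=latest

FROM fedora:${FEDORA_TAG} AS builder
ARG PGVERSION=15

# Build-time dependencies for the configure options below.
#  - diffutils is used by the regression suite (`make check-world`), not the build.
#  - redhat-rpm-config / annobin-plugin-gcc own the -specs= files named in CFLAGS.
#  - systemtap-sdt-devel provides the `dtrace` script that --enable-dtrace requires.
# LLVM is not installed because JIT is not configured (no --with-llvm); the
# LLVM_CONFIG/CLANG variables passed to configure are inert until it is
# (then add: llvm llvm-devel llvm-libs clang-devel).
RUN dnf install -y \
        annobin-plugin-gcc \
        bison \
        diffutils \
        flex \
        gcc \
        gcc-c++ \
        gettext-devel \
        git \
        groff-base \
        krb5-devel \
        libicu \
        libicu-devel \
        libuuid-devel \
        libxml2-devel \
        libxslt-devel \
        make \
        nspr-devel \
        nss-devel \
        openldap-devel \
        pam-devel \
        perl \
        perl-libs \
        python3-devel \
        readline-devel \
        redhat-rpm-config \
        systemd-devel \
        systemtap-sdt-devel \
        tcl-devel \
        zlib-devel \
    && dnf clean all

WORKDIR /src

# The source tree comes from the build context; nothing is fetched over the
# network. Keep .git and stale build output out of it via .dockerignore.
COPY postgres /src/postgres
WORKDIR /src/postgres

# Docker does not substitute ARG/ENV inside RUN — the shell does, and the
# shell does not expand ${PGVERSION} inside single quotes. The original
# '--prefix=/usr/pgsql-${PGVERSION}' therefore reached configure as literal
# text (make presumably expanded it from the environment later, which would
# explain why `make install` still landed in /usr/pgsql-15, but anything
# configure records itself — config.log, `pg_config --configure` — carried the
# unexpanded string). Double quotes expand at the shell, as intended.
# CFLAGS mirror Fedora's hardened build flags (stack protector, FORTIFY_SOURCE,
# CET, stack-clash protection); the rpath points at the install prefix so the
# final image needs no ld.so.conf entry.
RUN ./configure --enable-rpath \
        "--prefix=/usr/pgsql-${PGVERSION}" \
        "--includedir=/usr/pgsql-${PGVERSION}/include" \
        "--libdir=/usr/pgsql-${PGVERSION}/lib" \
        "--mandir=/usr/pgsql-${PGVERSION}/share/man" \
        "--datadir=/usr/pgsql-${PGVERSION}/share" \
        "--docdir=/usr/pgsql-${PGVERSION}/doc" \
        "--htmldir=/usr/pgsql-${PGVERSION}/doc/html" \
        --sysconfdir=/etc/sysconfig/pgsql \
        --with-system-tzdata=/usr/share/zoneinfo \
        --with-includes=/usr/include \
        --with-libraries=/usr/lib64 \
        --with-icu --with-perl --with-python --with-tcl --with-tclconfig=/usr/lib64 \
        --with-ssl=nss --with-pam --with-gssapi --with-ldap \
        --with-uuid=e2fs --with-libxml --with-libxslt --with-systemd \
        --enable-nls --enable-dtrace \
        "CFLAGS=-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection" \
        "LDFLAGS=-Wl,--as-needed -L/usr/lib64 -Wl,-rpath,/usr/pgsql-${PGVERSION}/lib,--enable-new-dtags" \
        LLVM_CONFIG=/usr/bin/llvm-config-64 \
        CLANG=/usr/bin/clang \
        PKG_CONFIG_PATH=:/usr/lib64/pkgconfig:/usr/share/pkgconfig

RUN make -j"$(nproc)" && make install

# PostgreSQL refuses to start a (test) cluster as root, so the regression
# suite runs as an unprivileged user that owns the source tree.
RUN chown -R nobody .
USER nobody
RUN make check-world -j"$(nproc)"
USER root

RUN useradd -ms /bin/bash postgres

ENV PATH="/usr/pgsql-${PGVERSION}/bin:$PATH"

# Final stage: the running container.
FROM fedora:${FEDORA_TAG} AS final
ARG PGVERSION=15

# Runtime packages: libicu and nss for the core server, nss-tools for the
# certutil calls below, perl for plperl, systemd as the init. The build also
# enabled libxslt, tcl, python, ldap, gssapi, pam and uuid; those libraries
# are only needed when the matching extension/PL is actually loaded — TODO
# confirm the ones absent from the base image (libxslt, tcl at least) are
# not wanted here.
RUN dnf install -y libicu nss nss-tools perl systemd && dnf clean all

RUN useradd -ms /bin/bash postgres

COPY --from=builder /usr/pgsql-${PGVERSION} /usr/pgsql-${PGVERSION}
ENV PATH="/usr/pgsql-${PGVERSION}/bin:$PATH"

# The unit file comes from the build context; it is what starts the server
# under systemd (and is expected to run it as the postgres user — verify).
COPY postgresql-${PGVERSION}.service /usr/lib/systemd/system/
RUN systemctl enable postgresql-${PGVERSION}

RUN mkdir -p /var/lib/pgsql/${PGVERSION}/data \
    && chown -R postgres:postgres /var/lib/pgsql

USER postgres
WORKDIR /var/lib/pgsql/${PGVERSION}

# Initialise the cluster.
# NOTE(security): the superuser password is the fixed, well-known string
# "postgres". The pwfile is removed in the same layer, so it is not in the
# image filesystem, but the value is visible in `docker history` and is the
# real password of every container started from this image. It is usable
# only where pg_hba.conf allows password auth: local sockets use peer
# (--auth-local) and the loopback `host` lines initdb writes use
# scram-sha-256 (--auth-host). The line appended here sends every other
# IPv4 client to TLS client-certificate auth with the certificate CN as the
# role name; non-loopback IPv6 matches no line and is rejected. Test-harness
# setup only — do not reuse with this password.
RUN echo postgres > /tmp/pwfile \
    && /usr/pgsql-${PGVERSION}/bin/initdb -D data -A scram-sha-256 \
        --auth-local=peer --auth-host=scram-sha-256 --pwfile=/tmp/pwfile \
    && rm /tmp/pwfile \
    && echo "hostssl all  all    0.0.0.0/0  cert clientcert=verify-full" \
        >> /var/lib/pgsql/${PGVERSION}/data/pg_hba.conf

WORKDIR /var/lib/pgsql/${PGVERSION}/data

# Server settings plus a throwaway PKI. ssl_database / ssl_cert_file are the
# NSS-backend GUCs of this source tree (the server cert and the CA live in
# server.db, so no ssl_ca_file is needed).
# certutil needs a noise file (-z) to generate keys non-interactively; it is
# created from /dev/random and deleted in the same layer so no RNG input is
# left behind in an image layer (previously /tmp/seed persisted in the image
# and was reused for every key).
# The `-2` prompts (CA? / path length / critical?) are answered one per line
# so each reaches its prompt; the CA gets "CT,C,C" (trusted to issue server
# and client certs) while leaf certificates get plain "u,u,u" — a leaf must
# not carry CA trust flags in the database the server verifies clients against.
# NOTE(security): root_ca.db holds the CA private key with no password, inside
# PGDATA — i.e. inside the /var/lib/pgsql volume and any copy of the data
# directory. Acceptable for a disposable test image, nothing else.
RUN { echo "logging_collector = on"; \
      echo "ssl = on"; \
      echo "ssl_database = 'server.db'"; \
      echo "ssl_cert_file = 'server'"; \
      echo "listen_addresses = '*'"; } >> postgresql.conf \
    && dd if=/dev/random of=/tmp/seed bs=512 count=1 \
    && mkdir root_ca.db \
    && certutil -N -d "sql:root_ca.db/" --empty-password \
    && printf 'y\n10\ny\n' | certutil -S -d "sql:root_ca.db/" -n root_ca -s "CN=ca.pgtest" \
           -x -k rsa -g 2048 -m 5432 -t "CT,C,C" -z /tmp/seed \
           --keyUsage certSigning -2 --nsCertType sslCA,objectSigningCA -Z SHA256 \
    && certutil -L -d "sql:root_ca.db/" -n root_ca -a > root_ca.pem \
    && mkdir server.db \
    && certutil -N -d "sql:server.db/" --empty-password \
    && certutil -A -d "sql:server.db" -n root_ca -t "CT,C,C" -a -i root_ca.pem \
    && certutil -R -d "sql:server.db" -z /tmp/seed -k rsa -n server -s "CN=pgserver" -o server.csr \
    && certutil -C -d "sql:root_ca.db/" -c root_ca -i server.csr -o server_cert.der \
           --keyUsage keyEncipherment,dataEncipherment,digitalSignature --nsCertType sslServer -Z SHA256 \
    && certutil -A -d "sql:server.db" -n server -t "u,u,u" -i server_cert.der \
    && rm -f /tmp/seed

WORKDIR /home/postgres

# Client NSS database for the postgres role: a certificate with CN=postgres
# issued by the same CA, which is what the `cert ... clientcert=verify-full`
# pg_hba line maps to the role name. Same noise-file handling as above.
RUN dd if=/dev/random of=/tmp/seed bs=512 count=1 \
    && mkdir client.db \
    && certutil -d "sql:client.db" -N --empty-password \
    && certutil -d "sql:client.db" -R -s "CN=postgres" -o client.csr -g 2048 -Z SHA256 -z /tmp/seed \
    && certutil -C -d "sql:/var/lib/pgsql/${PGVERSION}/data/root_ca.db" -c root_ca -i client.csr -o client_cert.der \
           --keyUsage keyEncipherment,dataEncipherment,digitalSignature --nsCertType sslClient -Z SHA256 \
    && certutil -A -d "sql:client.db" -n root_ca -t "CT,C,C" -a -i /var/lib/pgsql/${PGVERSION}/data/root_ca.pem \
    && certutil -A -d "sql:client.db" -n client_cert -t "u,u,u" -i client_cert.der \
    && rm -f /tmp/seed

EXPOSE 5432

# Declared after the data directory is populated (anything written to the
# path after VOLUME would be discarded). The volume therefore carries the
# cluster, root_ca.db and server.db.
VOLUME ["/var/lib/pgsql"]

# Readiness probe via the unix socket (assumes libpq's default socket
# directory matches the server's unix_socket_directories, which holds for an
# unmodified build unless the unit or postgresql.conf overrides it).
HEALTHCHECK --interval=30s --timeout=5s --start-period=30s --retries=3 \
    CMD pg_isready || exit 1

# systemd must be PID 1 and run as root; the postgres process itself is
# started by the unit file (expected to drop to the postgres user — verify).
# Running systemd inside a container needs a cgroup hierarchy from the host
# (typically --privileged or a cgroup v2 host); a plain `docker run` may not
# be enough.
USER 0

ENTRYPOINT ["/usr/sbin/init"]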

