diff --git a/Dockerfile.alpine b/Dockerfile.alpine index dd9321c..58f4866 100644 --- a/Dockerfile.alpine +++ b/Dockerfile.alpine @@ -147,6 +147,12 @@ RUN cd postgresql-16.* && \ # Use the PostgreSQL Alpine image as our output image base FROM postgres:${PGTARGET}-alpine3.20 +# Copy default configuration in case the original container does not provide it (Bitnami ...) +RUN mkdir -p /opt/pgautoupgrade && \ + chmod 660 /opt/pgautoupgrade && \ + chown 999:999 /opt/pgautoupgrade +COPY --chown=999 postgresql.conf pg_hba.conf /opt/pgautoupgrade/ + # We need to define this here, to make the above PGTARGET available after the FROM ARG PGTARGET @@ -179,12 +185,11 @@ RUN apk update && \ # Pass the PG build target through to the running image ENV PGTARGET=${PGTARGET} -# Copy across the post-upgrade shell script -COPY pgautoupgrade-postupgrade.sh pgautoupgrade-healthcheck.sh /usr/local/bin/ +# Copy across all our shell scripts +COPY pgautoupgrade-postupgrade.sh pgautoupgrade-healthcheck.sh postgres-docker-entrypoint.sh docker-entrypoint.sh /usr/local/bin/ # Set up the script run by the container when it starts WORKDIR /var/lib/postgresql -COPY docker-entrypoint.sh /usr/local/bin/ ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"] HEALTHCHECK CMD /usr/local/bin/pgautoupgrade-healthcheck.sh diff --git a/Dockerfile.bookworm b/Dockerfile.bookworm index 842f9cd..fa0398a 100644 --- a/Dockerfile.bookworm +++ b/Dockerfile.bookworm @@ -145,6 +145,12 @@ RUN cd postgresql-16.* && \ # Use the PostgreSQL Bookworm image as our output image base FROM postgres:${PGTARGET}-bookworm +# Copy default configuration in case the original container does not provide it (Bitnami ...) +RUN mkdir -p /opt/pgautoupgrade && \ + chmod 660 /opt/pgautoupgrade && \ + chown 999:999 /opt/pgautoupgrade +COPY --chown=999 postgresql.conf pg_hba.conf /opt/pgautoupgrade/ + # We need to define this here, to make the above PGTARGET available after the FROM ARG PGTARGET @@ -174,12 +180,11 @@ RUN apt update && \ # Pass the PG build target through to the running image ENV PGTARGET=${PGTARGET} -# Copy across the post-upgrade shell script -COPY pgautoupgrade-postupgrade.sh pgautoupgrade-healthcheck.sh /usr/local/bin/ +# Copy across all our shell scripts +COPY pgautoupgrade-postupgrade.sh pgautoupgrade-healthcheck.sh postgres-docker-entrypoint.sh docker-entrypoint.sh /usr/local/bin/ # Set up the script run by the container when it starts WORKDIR /var/lib/postgresql -COPY docker-entrypoint.sh /usr/local/bin/ ENTRYPOINT ["/usr/local/bin/docker-entrypoint.sh"] HEALTHCHECK CMD /usr/local/bin/pgautoupgrade-healthcheck.sh diff --git a/README.md b/README.md index 4a693c9..7f42127 100644 --- a/README.md +++ b/README.md @@ -84,6 +84,21 @@ $ docker run --name pgauto -it \ ``` +### Upgrading from a Bitnami container + +If you used the Postgres image by Bitnami, we have made a couple of adjustments to make this upgrade work as well. + +The Bitnami containers do not persist the `postgresql.conf` and `pg_hba.conf` file in the Postgres data directory. If we detect that these files are missing, we will copy a default version of these files into the data directory. If you request the "one shot" mode, these files will be removed again at the end of the upgrade process. + +The official Postgres image, and therefore ours as well, use `999` as ID for the postgres user inside the container. Bitnami uses 1001. During the upgrade process, we make a copy of the data, which will be assigned to ID `999`. If you request the "one shot" mode, the original file permissions will be restored once the upgrade is completed. + +Be aware that we use the environment variables from the official Postgres image. Ensure you set `PGDATA` to the Bitnami folder (by default `/bitnami/postgresql`) and `POSTGRES_PASSWORD` to the password of your Postgres user. + +The container has to run as `root` if using `one shot` mode, otherwise we are unable to restore the existing file permissions of your Postgres data directory. You can run the container as user `999`, but then you will have to manually apply the file permissions to your Postgres data directory. + +> [!WARNING] +> As of writing this paragraph (14th of November, 2024), we only tested upgrading from Bitnami Postgres v13, v14, v15, v16 to v17. For these versions, we used the latest available container version. Bitnami's script and directory structure could change over time. If you note any issues upgrading from other versions, please provide the exact SHA of the image so we can try to replicate the issue. + # For Developers ## Building the image diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index f35936c..10f5f52 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -2,652 +2,57 @@ set -Eeo pipefail # TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) -# Define the path to the upgrade lock file using PGDATA if set, otherwise default -UPGRADE_LOCK_FILE="${PGDATA:-/var/lib/postgresql/data}/upgrade_in_progress.lock" - -# usage: file_env VAR [DEFAULT] -# ie: file_env 'XYZ_DB_PASSWORD' 'example' -# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of -# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) -file_env() { - local var="$1" - local fileVar="${var}_FILE" - local def="${2:-}" - if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then - printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" - exit 1 - fi - local val="$def" - if [ "${!var:-}" ]; then - val="${!var}" - elif [ "${!fileVar:-}" ]; then - val="$(< "${!fileVar}")" - fi - export "$var"="$val" - unset "$fileVar" -} - -# check to see if this file is being run or sourced from another script -_is_sourced() { - # https://unix.stackexchange.com/a/215279 - [ "${#FUNCNAME[@]}" -ge 2 ] \ - && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ - && [ "${FUNCNAME[1]}" = 'source' ] -} - -# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user -docker_create_db_directories() { - local user; user="$(id -u)" - - mkdir -p "$PGDATA" - # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) - chmod 00700 "$PGDATA" || : - - # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 - mkdir -p /var/run/postgresql || : - chmod 03775 /var/run/postgresql || : - - # Create the transaction log directory before initdb is run so the directory is owned by the correct user - if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then - mkdir -p "$POSTGRES_INITDB_WALDIR" - if [ "$user" = '0' ]; then - find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + - fi - chmod 700 "$POSTGRES_INITDB_WALDIR" - fi - - # allow the container to be started with `--user` - if [ "$user" = '0' ]; then - find "$PGDATA" \! -user postgres -exec chown postgres '{}' + - find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + - fi -} - -# initialize empty PGDATA directory with new database via 'initdb' -# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function -# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames -# this is also where the database user is created, specified by `POSTGRES_USER` env -docker_init_database_dir() { - # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary - # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html - local uid; uid="$(id -u)" - if ! getent passwd "$uid" &> /dev/null; then - # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15) - local wrapper - for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do - if [ -s "$wrapper" ]; then - NSS_WRAPPER_PASSWD="$(mktemp)" - NSS_WRAPPER_GROUP="$(mktemp)" - export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - local gid; gid="$(id -g)" - printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD" - printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP" - break - fi - done - fi - - if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then - set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" - fi - - # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025 - eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' - - # unset/cleanup "nss_wrapper" bits - if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi -} - -# print large warning if POSTGRES_PASSWORD is long -# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust' -# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' -# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] -docker_verify_minimum_env() { - # check password first so we can output the warning before postgres - # messes it up - if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then - cat >&2 <<-'EOWARN' - - WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. - - This will not work if used via PGPASSWORD with "psql". - - https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) - https://github.com/docker-library/postgres/issues/507 - - EOWARN - fi - if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then - # The - option suppresses leading tabs but *not* spaces. :) - cat >&2 <<-'EOE' - Error: Database is uninitialized and superuser password is not specified. - You must specify POSTGRES_PASSWORD to a non-empty value for the - superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run". - - You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all - connections without a password. This is *not* recommended. - - See PostgreSQL documentation about "trust": - https://www.postgresql.org/docs/current/auth-trust.html - EOE - exit 1 - fi - if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then - cat >&2 <<-'EOWARN' - ******************************************************************************** - WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow - anyone with access to the Postgres port to access your database without - a password, even if POSTGRES_PASSWORD is set. See PostgreSQL - documentation about "trust": - https://www.postgresql.org/docs/current/auth-trust.html - In Docker's default configuration, this is effectively any other - container on the same system. - - It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace - it with "-e POSTGRES_PASSWORD=password" instead to set a password in - "docker run". - ******************************************************************************** - EOWARN - fi -} - -# usage: docker_process_init_files [file [file [...]]] -# ie: docker_process_init_files /always-initdb.d/* -# process initializer files, based on file extensions and permissions -docker_process_init_files() { - # psql here for backwards compatibility "${psql[@]}" - psql=( docker_process_sql ) - - printf '\n' - local f - for f; do - case "$f" in - *.sh) - # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 - # https://github.com/docker-library/postgres/pull/452 - if [ -x "$f" ]; then - printf '%s: running %s\n' "$0" "$f" - "$f" - else - printf '%s: sourcing %s\n' "$0" "$f" - . "$f" - fi - ;; - *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;; - *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;; - *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;; - *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;; - *) printf '%s: ignoring %s\n' "$0" "$f" ;; - esac - printf '\n' - done -} - -# Execute sql script, passed via stdin (or -f flag of pqsl) -# usage: docker_process_sql [psql-cli-args] -# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' -# ie: docker_process_sql -f my-file.sql -# ie: docker_process_sql > "$PGDATA/pg_hba.conf" -} - -# start socket-only postgresql server for setting up or running scripts -# all arguments will be passed along as arguments to `postgres` (via pg_ctl) -docker_temp_server_start() { - if [ "$1" = 'postgres' ]; then - shift - fi - - # internal start of server in order to allow setup using psql client - # does not listen on external TCP/IP and waits until start finishes - set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" - - PGUSER="${PGUSER:-$POSTGRES_USER}" \ - pg_ctl -D "$PGDATA" \ - -o "$(printf '%q ' "$@")" \ - -w start -} - -# stop postgresql server after done setting up user and running scripts -docker_temp_server_stop() { - PGUSER="${PGUSER:-postgres}" \ - pg_ctl -D "$PGDATA" -m fast -w stop -} - -# Initialise PG data directory in a temp location with a specific locale -initdb_locale() { - echo "Initialising PostgreSQL ${PGTARGET} data directory" - bin_path=$(get_bin_path) - ${bin_path}/initdb --username="${POSTGRES_USER}" ${POSTGRES_INITDB_ARGS} ${PGDATA}/new/ -} - -# check arguments for an option that would cause postgres to stop -# return true if there is one -_pg_want_help() { - local arg - for arg; do - case "$arg" in - # postgres --help | grep 'then exit' - # leaving out -C on purpose since it always fails and is unhelpful: - # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory - -'?'|--help|--describe-config|-V|--version) - return 0 - ;; - esac - done - return 1 -} - -get_bin_path() { - if [ -f /etc/alpine-release ]; then - echo "/usr/local/bin" - else - echo "/usr/lib/postgresql/${PGTARGET}/bin" - fi -} - -# Function to create the upgrade lock file -create_upgrade_lock_file() { - echo "Creating upgrade lock file at $UPGRADE_LOCK_FILE" - touch "$UPGRADE_LOCK_FILE" -} - -# Function to remove the upgrade lock file -remove_upgrade_lock_file() { - echo "Removing upgrade lock file at $UPGRADE_LOCK_FILE" - rm -f "$UPGRADE_LOCK_FILE" -} - -_main() { - # if first arg looks like a flag, assume we want to run postgres server - if [ "${1:0:1}" = '-' ]; then - set -- postgres "$@" - fi - - if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then - docker_setup_env - # setup data directories and permissions (when run as root) - docker_create_db_directories - if [ "$(id -u)" = '0' ]; then - exec gosu postgres "$BASH_SOURCE" "$@" - fi - - # only run initialization on an empty data directory - if [ -z "$DATABASE_ALREADY_EXISTS" ]; then - docker_verify_minimum_env - - # check dir permissions to reduce likelihood of half-initialized database - ls /docker-entrypoint-initdb.d/ > /dev/null - - docker_init_database_dir - pg_setup_hba_conf "$@" - - # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless - # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS - export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" - docker_temp_server_start "$@" - - docker_setup_db - docker_process_init_files /docker-entrypoint-initdb.d/* - - docker_temp_server_stop - unset PGPASSWORD - - cat <<-'EOM' - - PostgreSQL init process complete; ready for start up. - - EOM - else - cat <<-'EOM' - - PostgreSQL Database directory appears to contain a database; Skipping initialization - - EOM - fi - fi - - # For development of pgautoupgrade. This spot leaves the container running, prior to the pgautoupgrade scripting - # executing - local UPGRADE_PERFORMED=0 - if [ "x${PGAUTO_DEVEL}" = "xbefore" ]; then - echo "--------------------------------------------------------------------------" - echo "In pgautoupgrade development mode, paused prior to pgautoupgrade scripting" - echo "--------------------------------------------------------------------------" - while :; do - sleep 5 - done - else - ### The main pgautoupgrade scripting starts here ### - - echo "************************************" - echo "PostgreSQL data directory: ${PGDATA}" - echo "************************************" - - # Get the version of the PostgreSQL data files - local PGVER=${PGTARGET} - if [ -s "${PGDATA}/PG_VERSION" ]; then - PGVER=$(cat "${PGDATA}/PG_VERSION") - fi - - # If the version of PostgreSQL data files doesn't match our desired version, then upgrade them - if [ "${PGVER}" != "${PGTARGET}" ]; then - create_upgrade_lock_file - # Ensure the database files are a version we can upgrade - local RECOGNISED=0 - local OLDPATH=unset - if [ "${PGVER}" = "9.5" ] || [ "${PGVER}" = "9.6" ] || [ "${PGVER}" = "10" ] || [ "${PGVER}" = "11" ] || [ "${PGVER}" = "12" ]; then - RECOGNISED=1 - fi - if [ "${PGTARGET}" -gt 13 ] && [ "${PGVER}" = "13" ]; then - RECOGNISED=1 - fi - if [ "${PGTARGET}" -gt 14 ] && [ "${PGVER}" = "14" ]; then - RECOGNISED=1 - fi - if [ "${PGTARGET}" -gt 15 ] && [ "${PGVER}" = "15" ]; then - RECOGNISED=1 - fi - if [ "${PGTARGET}" -gt 16 ] && [ "${PGVER}" = "16" ]; then - RECOGNISED=1 - fi - if [ "${RECOGNISED}" -eq 1 ]; then - OLDPATH="/usr/local-pg${PGVER}" - echo "*******************************************************************************************" - echo "Performing PG upgrade on version ${PGVER} database files. Upgrading to version ${PGTARGET}" - echo "*******************************************************************************************" - else - echo "****************************************************************************" - echo "Unrecognised version of PostgreSQL database files found, aborting completely" - echo "****************************************************************************" - exit 9 - fi - - # Check for presence of old/new directories, indicating a failed previous autoupgrade - echo "----------------------------------------------------------------------" - echo "Checking for left over artifacts from a failed previous autoupgrade..." - echo "----------------------------------------------------------------------" - local OLD="${PGDATA}/old" - local NEW="${PGDATA}/new" - if [ -d "${OLD}" ]; then - echo "*****************************************" - echo "Left over OLD directory found. Aborting." - echo "*****************************************" - exit 10 - fi - if [ -d "${NEW}" ]; then - echo "*****************************************" - echo "Left over NEW directory found. Aborting." - echo "*****************************************" - exit 11 - fi - echo "-------------------------------------------------------------------------------" - echo "No artifacts found from a failed previous autoupgrade. Continuing the process." - echo "-------------------------------------------------------------------------------" - - # Don't automatically abort on non-0 exit status, as that messes with these upcoming mv commands - set +e - - # Move the PostgreSQL data files into a subdirectory of the mount point - echo "---------------------------------------" - echo "Creating OLD temporary directory ${OLD}" - echo "---------------------------------------" - mkdir "${OLD}" - if [ ! -d "${OLD}" ]; then - echo "*********************************************************************" - echo "Creation of temporary directory '${OLD}' failed. Aborting completely" - echo "*********************************************************************" - exit 7 - fi - echo "--------------------------------------------" - echo "Creating OLD temporary directory is complete" - echo "--------------------------------------------" - - echo "-------------------------------------------------------" - echo "Moving existing data files into OLD temporary directory" - echo "-------------------------------------------------------" - mv -v "${PGDATA}"/* "${OLD}" - echo "-------------------------------------------------------------------" - echo "Moving existing data files into OLD temporary directory is complete" - echo "-------------------------------------------------------------------" - - echo "---------------------------------------" - echo "Creating NEW temporary directory ${NEW}" - echo "---------------------------------------" - mkdir "${NEW}" - if [ ! -d "${NEW}" ]; then - echo "********************************************************************" - echo "Creation of temporary directory '${NEW}' failed. Aborting completely" - echo "********************************************************************" - # With a failure at this point we should be able to move the old data back - # to its original location - mv -v "${OLD}"/* "${PGDATA}" - rmdir old - exit 8 - fi - echo "--------------------------------------------" - echo "Creating NEW temporary directory is complete" - echo "--------------------------------------------" - - echo "-----------------------------------------------------" - echo "Changing permissions of temporary directories to 0700" - echo "-----------------------------------------------------" - chmod 0700 "${OLD}" "${NEW}" - echo "---------------------------------------------------------" - echo "Changing permissions of temporary directories is complete" - echo "---------------------------------------------------------" - - # Return the error handling back to automatically aborting on non-0 exit status - set -e - - # If no initdb arguments were passed to us from the environment, then work out something valid ourselves - if [ "x${POSTGRES_INITDB_ARGS}" != "x" ]; then - echo "------------------------------------------------------------------------------" - echo "Using initdb arguments passed in from the environment: ${POSTGRES_INITDB_ARGS}" - echo "------------------------------------------------------------------------------" - else - echo "-------------------------------------------------" - echo "Remove postmaster.pid file from PG data directory" - echo "-------------------------------------------------" - rm -f "${OLD}"/postmaster.pid - - echo "------------------------------------" - echo "Determining our own initdb arguments" - echo "------------------------------------" - local COLLATE=unset - local CTYPE=unset - local ENCODING=unset - - ENCODING=$(echo 'SHOW SERVER_ENCODING' | "${OLDPATH}/bin/postgres" --single -D "${OLD}" "${POSTGRES_DB}" | grep 'server_encoding = "' | cut -d '"' -f 2) - - # LC_COLLATE and LC_TYPE have been removed with PG v16 - # https://www.postgresql.org/docs/release/16.0/ - if [ "${PGVER}" -lt 16 ]; then - COLLATE=$(echo 'SHOW LC_COLLATE' | "${OLDPATH}/bin/postgres" --single -D "${OLD}" "${POSTGRES_DB}" | grep 'lc_collate = "' | cut -d '"' -f 2) - CTYPE=$(echo 'SHOW LC_CTYPE' | "${OLDPATH}/bin/postgres" --single -D "${OLD}" "${POSTGRES_DB}" | grep 'lc_ctype = "' | cut -d '"' -f 2) - - POSTGRES_INITDB_ARGS="--locale=${COLLATE} --lc-collate=${COLLATE} --lc-ctype=${CTYPE} --encoding=${ENCODING}" - else - POSTGRES_INITDB_ARGS="--encoding=${ENCODING}" - fi - - echo "---------------------------------------------------------------" - echo "The initdb arguments we determined are: ${POSTGRES_INITDB_ARGS}" - echo "---------------------------------------------------------------" - fi - - # Initialise the new PostgreSQL database directory - echo "--------------------------------------------------------------------------------------------------------------------" - echo "Old database using collation settings: '${POSTGRES_INITDB_ARGS}'. Initialising new database with those settings too" - echo "--------------------------------------------------------------------------------------------------------------------" - initdb_locale "${POSTGRES_INITDB_ARGS}" - echo "------------------------------------" - echo "New database initialisation complete" - echo "------------------------------------" - - # Change into the PostgreSQL database directory, to avoid a pg_upgrade error about write permissions - cd "${PGDATA}" - - # Run the pg_upgrade command itself - echo "---------------------------------------" - echo "Running pg_upgrade command, from $(pwd)" - echo "---------------------------------------" - bin_path=$(get_bin_path) - "${bin_path}/pg_upgrade" --username="${POSTGRES_USER}" --link -d "${OLD}" -D "${NEW}" -b "${OLDPATH}/bin" -B "${bin_path}" --socketdir="/var/run/postgresql" - echo "--------------------------------------" - echo "Running pg_upgrade command is complete" - echo "--------------------------------------" - - # Move the new database files into place - echo "-----------------------------------------------------" - echo "Moving the new database files to the active directory" - echo "-----------------------------------------------------" - mv -v "${NEW}"/* "${PGDATA}" - echo "-----------------------------------------" - echo "Moving the new database files is complete" - echo "-----------------------------------------" - - # Re-use the pg_hba.conf and pg_ident.conf from the old data directory - echo "--------------------------------------------------------------" - echo "Copying the old pg_hba and pg_ident configuration files across" - echo "--------------------------------------------------------------" - cp -f "${OLD}/pg_hba.conf" "${OLD}/pg_ident.conf" "${PGDATA}" - echo "-------------------------------------------------------------------" - echo "Copying the old pg_hba and pg_ident configuration files is complete" - echo "-------------------------------------------------------------------" - - # Remove the left over database files - echo "---------------------------------" - echo "Removing left over database files" - echo "---------------------------------" - rm -rf "${OLD}" "${NEW}" ~/delete_old_cluster.sh - echo "---------------------------------------------" - echo "Removing left over database files is complete" - echo "---------------------------------------------" - - UPGRADE_PERFORMED=1 - - echo "***************************************************************************************" - echo "Automatic upgrade process finished upgrading the data format to PostgreSQL ${PGTARGET}." - echo "The database has not yet been reindexed nor updated the query planner stats. Those " - echo "will be done by a background task shortly. " - echo "***************************************************************************************" - remove_upgrade_lock_file - fi - - ### The main pgautoupgrade scripting ends here ### - fi - - # For development of pgautoupgrade. This spot leaves the container running, after the pgautoupgrade scripting has - # executed, but without subsequently running the PostgreSQL server - if [ "x${PGAUTO_DEVEL}" = "xserver" ]; then - echo "-------------------------------------------------------------------" - echo "In pgautoupgrade development mode, paused after main pg_upgrade has" - echo "run, but before database server and post-upgrade tasks have started" - echo "-------------------------------------------------------------------" - while :; do - sleep 5 - done - else - # If the upgrade process ran, then we need to launch the post-upgrade script in the background while PG runs - if [ "${UPGRADE_PERFORMED}" -eq 1 ]; then - /usr/local/bin/pgautoupgrade-postupgrade.sh "${PGDATA}" "${POSTGRES_DB}" "${PGAUTO_ONESHOT}" 2>&1 & - echo "****************************" - echo "Post upgrade script launched" - echo "****************************" - - # Start PostgreSQL - exec "$@" - else - # If no upgrade was performed, then we start PostgreSQL as per normal as long as "one shot" mode wasn't requested - if [ "x${PGAUTO_ONESHOT}" = "xyes" ]; then - echo "***********************************************************************************" - echo "'One shot' automatic upgrade was requested, so exiting as there is no upgrade to do" - echo "If you're seeing this message and expecting an upgrade to be happening, it probably" - echo "means the container is being started in a loop and a previous run already did it :)" - echo "***********************************************************************************" - else - # Start PostgreSQL - exec "$@" - fi - fi - fi - - # Run a sync before exiting, just to ensure everything is flushed to disk before docker terminates the process - sync -} - -# Check if an upgrade lock file exists at script start and exit if it does -if [ -f "$UPGRADE_LOCK_FILE" ]; then - echo "Upgrade lock file already exists, indicating an incomplete previous upgrade. Exiting." - exit 1 +EXISTING_PG_HBA_CONF=0 +EXISTING_PGDATA_PERMISSIONS=$(stat -c %a "$PGDATA") +EXISTING_PGDATA_OWNER_GROUP=$(stat -c "%u:%g" "$PGDATA") +EXISTING_POSTGRESQL_CONF=0 + +# if a valid PGDATA exists, the database directory is likely already initialized +# if coming from a Bitnami image, we need to inject a postgresql.conf and pg_hba.conf file +# and if they requested "one shot" mode, we will remove it again so they can continue to use the Bitnami image +if [ -f "$PGDATA/PG_VERSION" ]; then + if [ -f "${PGDATA}/postgresql.conf" ]; then + EXISTING_POSTGRESQL_CONF=1 + else + echo "-------------------------------------------------------------------------------" + echo "The Postgres data directory at ${PGDATA} is missing a postgresql.conf file. Copying a standard version of ours." + echo "-------------------------------------------------------------------------------" + cp -f /opt/pgautoupgrade/postgresql.conf "${PGDATA}/postgresql.conf" + fi + + if [ -f "${PGDATA}/pg_hba.conf" ]; then + EXISTING_PG_HBA_CONF=1 + else + echo "-------------------------------------------------------------------------------" + echo "The Postgres data directory at ${PGDATA} is missing a pg_hba.conf file. Copying a standard version of ours." + echo "-------------------------------------------------------------------------------" + cp -f "/opt/pgautoupgrade/pg_hba.conf" "${PGDATA}/pg_hba.conf" + fi fi -if ! _is_sourced; then - _main "$@" +/usr/local/bin/postgres-docker-entrypoint.sh "$@" + +if [ "x${PGAUTO_ONESHOT}" = "xyes" ]; then + if [ "$EXISTING_POSTGRESQL_CONF" = "0" ]; then + echo "-------------------------------------------------------------------------------" + echo "Removing postgresql.conf from ${PGDATA}, as it was not provided by the data directory before the upgrade." + echo "-------------------------------------------------------------------------------" + rm -rf "${PGDATA}/postgresql.conf" + fi + + if [ "$EXISTING_PG_HBA_CONF" = "0" ]; then + echo "-------------------------------------------------------------------------------" + echo "Removing pg_hba.conf from ${PGDATA}, as it was not provided by the data directory before the upgrade." + echo "-------------------------------------------------------------------------------" + rm -rf "${PGDATA}/pg_hba.conf" + fi + + echo "-------------------------------------------------------------------------------" + echo "Restoring original data permissions to ${PGDATA}" + echo "-------------------------------------------------------------------------------" + chmod -R $EXISTING_PGDATA_PERMISSIONS "$PGDATA" + chown -R $EXISTING_PGDATA_OWNER_GROUP "$PGDATA" fi + +# Run a sync before exiting, just to ensure everything is flushed to disk before docker terminates the process +sync diff --git a/pg_hba.conf b/pg_hba.conf new file mode 100644 index 0000000..4e202d3 --- /dev/null +++ b/pg_hba.conf @@ -0,0 +1,100 @@ +# PostgreSQL Client Authentication Configuration File +# =================================================== +# +# Refer to the "Client Authentication" section in the PostgreSQL +# documentation for a complete description of this file. A short +# synopsis follows. +# +# This file controls: which hosts are allowed to connect, how clients +# are authenticated, which PostgreSQL user names they can use, which +# databases they can access. Records take one of these forms: +# +# local DATABASE USER METHOD [OPTIONS] +# host DATABASE USER ADDRESS METHOD [OPTIONS] +# hostssl DATABASE USER ADDRESS METHOD [OPTIONS] +# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS] +# hostgssenc DATABASE USER ADDRESS METHOD [OPTIONS] +# hostnogssenc DATABASE USER ADDRESS METHOD [OPTIONS] +# +# (The uppercase items must be replaced by actual values.) +# +# The first field is the connection type: +# - "local" is a Unix-domain socket +# - "host" is a TCP/IP socket (encrypted or not) +# - "hostssl" is a TCP/IP socket that is SSL-encrypted +# - "hostnossl" is a TCP/IP socket that is not SSL-encrypted +# - "hostgssenc" is a TCP/IP socket that is GSSAPI-encrypted +# - "hostnogssenc" is a TCP/IP socket that is not GSSAPI-encrypted +# +# DATABASE can be "all", "sameuser", "samerole", "replication", a +# database name, or a comma-separated list thereof. The "all" +# keyword does not match "replication". Access to replication +# must be enabled in a separate record (see example below). +# +# USER can be "all", a user name, a group name prefixed with "+", or a +# comma-separated list thereof. In both the DATABASE and USER fields +# you can also write a file name prefixed with "@" to include names +# from a separate file. +# +# ADDRESS specifies the set of hosts the record matches. It can be a +# host name, or it is made up of an IP address and a CIDR mask that is +# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that +# specifies the number of significant bits in the mask. A host name +# that starts with a dot (.) matches a suffix of the actual host name. +# Alternatively, you can write an IP address and netmask in separate +# columns to specify the set of hosts. Instead of a CIDR-address, you +# can write "samehost" to match any of the server's own IP addresses, +# or "samenet" to match any address in any subnet that the server is +# directly connected to. +# +# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256", +# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert". +# Note that "password" sends passwords in clear text; "md5" or +# "scram-sha-256" are preferred since they send encrypted passwords. +# +# OPTIONS are a set of options for the authentication in the format +# NAME=VALUE. The available options depend on the different +# authentication methods -- refer to the "Client Authentication" +# section in the documentation for a list of which options are +# available for which authentication methods. +# +# Database and user names containing spaces, commas, quotes and other +# special characters must be quoted. Quoting one of the keywords +# "all", "sameuser", "samerole" or "replication" makes the name lose +# its special character, and just match a database or username with +# that name. +# +# This file is read on server startup and when the server receives a +# SIGHUP signal. If you edit the file on a running system, you have to +# SIGHUP the server for the changes to take effect, run "pg_ctl reload", +# or execute "SELECT pg_reload_conf()". +# +# Put your actual configuration here +# ---------------------------------- +# +# If you want to allow non-local connections, you need to add more +# "host" records. In that case you will also need to make PostgreSQL +# listen on a non-local interface via the listen_addresses +# configuration parameter, or via the -i or -h command line switches. + +# CAUTION: Configuring the system for local "trust" authentication +# allows any local user to connect as any PostgreSQL user, including +# the database superuser. If you do not trust all your local users, +# use another authentication method. + + +# TYPE DATABASE USER ADDRESS METHOD + +# "local" is for Unix domain socket connections only +local all all trust +# IPv4 local connections: +host all all 127.0.0.1/32 trust +# IPv6 local connections: +host all all ::1/128 trust +# Allow replication connections from localhost, by a user with the +# replication privilege. +local replication all trust +host replication all 127.0.0.1/32 trust +host replication all ::1/128 trust + +host all all all scram-sha-256 diff --git a/pgautoupgrade-postupgrade.sh b/pgautoupgrade-postupgrade.sh index 3315dfa..92e5d24 100755 --- a/pgautoupgrade-postupgrade.sh +++ b/pgautoupgrade-postupgrade.sh @@ -3,7 +3,7 @@ set -e if [ $# -ne 3 ]; then - echo "Required number of arguments not passed to post upgrade script. 3 expected, $# received" + echo "Required number of arguments not passed to post upgrade script. 3 expected, $# received" exit 1 fi @@ -82,6 +82,7 @@ if [ "x${PGAUTO_ONESHOT}" = "xyes" ]; then echo "****************************************************************************************************" echo "'One shot' automatic upgrade was requested, so exiting now that the post upgrade tasks have finished" echo "****************************************************************************************************" + pg_ctl stop -D "${PGDATA}" else echo "*************************************************************************************************" diff --git a/postgres-docker-entrypoint.sh b/postgres-docker-entrypoint.sh new file mode 100755 index 0000000..bb9d593 --- /dev/null +++ b/postgres-docker-entrypoint.sh @@ -0,0 +1,650 @@ +#!/usr/bin/env bash +set -Eeo pipefail +# TODO swap to -Eeuo pipefail above (after handling all potentially-unset variables) + +# Define the path to the upgrade lock file using PGDATA if set, otherwise default +UPGRADE_LOCK_FILE="${PGDATA:-/var/lib/postgresql/data}/upgrade_in_progress.lock" + +# usage: file_env VAR [DEFAULT] +# ie: file_env 'XYZ_DB_PASSWORD' 'example' +# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of +# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature) +file_env() { + local var="$1" + local fileVar="${var}_FILE" + local def="${2:-}" + if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then + printf >&2 'error: both %s and %s are set (but are exclusive)\n' "$var" "$fileVar" + exit 1 + fi + local val="$def" + if [ "${!var:-}" ]; then + val="${!var}" + elif [ "${!fileVar:-}" ]; then + val="$(< "${!fileVar}")" + fi + export "$var"="$val" + unset "$fileVar" +} + +# check to see if this file is being run or sourced from another script +_is_sourced() { + # https://unix.stackexchange.com/a/215279 + [ "${#FUNCNAME[@]}" -ge 2 ] \ + && [ "${FUNCNAME[0]}" = '_is_sourced' ] \ + && [ "${FUNCNAME[1]}" = 'source' ] +} + +# used to create initial postgres directories and if run as root, ensure ownership to the "postgres" user +docker_create_db_directories() { + local user; user="$(id -u)" + + mkdir -p "$PGDATA" + # ignore failure since there are cases where we can't chmod (and PostgreSQL might fail later anyhow - it's picky about permissions of this directory) + chmod 00700 "$PGDATA" || : + + # ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289 + mkdir -p /var/run/postgresql || : + chmod 03775 /var/run/postgresql || : + + # Create the transaction log directory before initdb is run so the directory is owned by the correct user + if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then + mkdir -p "$POSTGRES_INITDB_WALDIR" + if [ "$user" = '0' ]; then + find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' + + fi + chmod 700 "$POSTGRES_INITDB_WALDIR" + fi + + # allow the container to be started with `--user` + if [ "$user" = '0' ]; then + find "$PGDATA" \! -user postgres -exec chown postgres '{}' + + find /var/run/postgresql \! -user postgres -exec chown postgres '{}' + + fi +} + +# initialize empty PGDATA directory with new database via 'initdb' +# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function +# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames +# this is also where the database user is created, specified by `POSTGRES_USER` env +docker_init_database_dir() { + # "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary + # see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html + local uid; uid="$(id -u)" + if ! getent passwd "$uid" &> /dev/null; then + # see if we can find a suitable "libnss_wrapper.so" (https://salsa.debian.org/sssd-team/nss-wrapper/-/commit/b9925a653a54e24d09d9b498a2d913729f7abb15) + local wrapper + for wrapper in {/usr,}/lib{/*,}/libnss_wrapper.so; do + if [ -s "$wrapper" ]; then + NSS_WRAPPER_PASSWD="$(mktemp)" + NSS_WRAPPER_GROUP="$(mktemp)" + export LD_PRELOAD="$wrapper" NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + local gid; gid="$(id -g)" + printf 'postgres:x:%s:%s:PostgreSQL:%s:/bin/false\n' "$uid" "$gid" "$PGDATA" > "$NSS_WRAPPER_PASSWD" + printf 'postgres:x:%s:\n' "$gid" > "$NSS_WRAPPER_GROUP" + break + fi + done + fi + + if [ -n "${POSTGRES_INITDB_WALDIR:-}" ]; then + set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@" + fi + + # --pwfile refuses to handle a properly-empty file (hence the "\n"): https://github.com/docker-library/postgres/issues/1025 + eval 'initdb --username="$POSTGRES_USER" --pwfile=<(printf "%s\n" "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' + + # unset/cleanup "nss_wrapper" bits + if [[ "${LD_PRELOAD:-}" == */libnss_wrapper.so ]]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} + +# print large warning if POSTGRES_PASSWORD is long +# error if both POSTGRES_PASSWORD is empty and POSTGRES_HOST_AUTH_METHOD is not 'trust' +# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust' +# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ] +docker_verify_minimum_env() { + # check password first so we can output the warning before postgres + # messes it up + if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then + cat >&2 <<-'EOWARN' + + WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. + + This will not work if used via PGPASSWORD with "psql". + + https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412) + https://github.com/docker-library/postgres/issues/507 + + EOWARN + fi + if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then + # The - option suppresses leading tabs but *not* spaces. :) + cat >&2 <<-'EOE' + Error: Database is uninitialized and superuser password is not specified. + You must specify POSTGRES_PASSWORD to a non-empty value for the + superuser. For example, "-e POSTGRES_PASSWORD=password" on "docker run". + + You may also use "POSTGRES_HOST_AUTH_METHOD=trust" to allow all + connections without a password. This is *not* recommended. + + See PostgreSQL documentation about "trust": + https://www.postgresql.org/docs/current/auth-trust.html + EOE + exit 1 + fi + if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then + cat >&2 <<-'EOWARN' + ******************************************************************************** + WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow + anyone with access to the Postgres port to access your database without + a password, even if POSTGRES_PASSWORD is set. See PostgreSQL + documentation about "trust": + https://www.postgresql.org/docs/current/auth-trust.html + In Docker's default configuration, this is effectively any other + container on the same system. + + It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace + it with "-e POSTGRES_PASSWORD=password" instead to set a password in + "docker run". + ******************************************************************************** + EOWARN + fi +} + +# usage: docker_process_init_files [file [file [...]]] +# ie: docker_process_init_files /always-initdb.d/* +# process initializer files, based on file extensions and permissions +docker_process_init_files() { + # psql here for backwards compatibility "${psql[@]}" + psql=( docker_process_sql ) + + printf '\n' + local f + for f; do + case "$f" in + *.sh) + # https://github.com/docker-library/postgres/issues/450#issuecomment-393167936 + # https://github.com/docker-library/postgres/pull/452 + if [ -x "$f" ]; then + printf '%s: running %s\n' "$0" "$f" + "$f" + else + printf '%s: sourcing %s\n' "$0" "$f" + . "$f" + fi + ;; + *.sql) printf '%s: running %s\n' "$0" "$f"; docker_process_sql -f "$f"; printf '\n' ;; + *.sql.gz) printf '%s: running %s\n' "$0" "$f"; gunzip -c "$f" | docker_process_sql; printf '\n' ;; + *.sql.xz) printf '%s: running %s\n' "$0" "$f"; xzcat "$f" | docker_process_sql; printf '\n' ;; + *.sql.zst) printf '%s: running %s\n' "$0" "$f"; zstd -dc "$f" | docker_process_sql; printf '\n' ;; + *) printf '%s: ignoring %s\n' "$0" "$f" ;; + esac + printf '\n' + done +} + +# Execute sql script, passed via stdin (or -f flag of pqsl) +# usage: docker_process_sql [psql-cli-args] +# ie: docker_process_sql --dbname=mydb <<<'INSERT ...' +# ie: docker_process_sql -f my-file.sql +# ie: docker_process_sql > "$PGDATA/pg_hba.conf" +} + +# start socket-only postgresql server for setting up or running scripts +# all arguments will be passed along as arguments to `postgres` (via pg_ctl) +docker_temp_server_start() { + if [ "$1" = 'postgres' ]; then + shift + fi + + # internal start of server in order to allow setup using psql client + # does not listen on external TCP/IP and waits until start finishes + set -- "$@" -c listen_addresses='' -p "${PGPORT:-5432}" + + PGUSER="${PGUSER:-$POSTGRES_USER}" \ + pg_ctl -D "$PGDATA" \ + -o "$(printf '%q ' "$@")" \ + -w start +} + +# stop postgresql server after done setting up user and running scripts +docker_temp_server_stop() { + PGUSER="${PGUSER:-postgres}" \ + pg_ctl -D "$PGDATA" -m fast -w stop +} + +# Initialise PG data directory in a temp location with a specific locale +initdb_locale() { + echo "Initialising PostgreSQL ${PGTARGET} data directory" + bin_path=$(get_bin_path) + ${bin_path}/initdb --username="${POSTGRES_USER}" ${POSTGRES_INITDB_ARGS} ${PGDATA}/new/ +} + +# check arguments for an option that would cause postgres to stop +# return true if there is one +_pg_want_help() { + local arg + for arg; do + case "$arg" in + # postgres --help | grep 'then exit' + # leaving out -C on purpose since it always fails and is unhelpful: + # postgres: could not access the server configuration file "/var/lib/postgresql/data/postgresql.conf": No such file or directory + -'?'|--help|--describe-config|-V|--version) + return 0 + ;; + esac + done + return 1 +} + +get_bin_path() { + if [ -f /etc/alpine-release ]; then + echo "/usr/local/bin" + else + echo "/usr/lib/postgresql/${PGTARGET}/bin" + fi +} + +# Function to create the upgrade lock file +create_upgrade_lock_file() { + echo "Creating upgrade lock file at $UPGRADE_LOCK_FILE" + touch "$UPGRADE_LOCK_FILE" +} + +# Function to remove the upgrade lock file +remove_upgrade_lock_file() { + echo "Removing upgrade lock file at $UPGRADE_LOCK_FILE" + rm -f "$UPGRADE_LOCK_FILE" +} + +_main() { + # if first arg looks like a flag, assume we want to run postgres server + if [ "${1:0:1}" = '-' ]; then + set -- postgres "$@" + fi + + if [ "$1" = 'postgres' ] && ! _pg_want_help "$@"; then + docker_setup_env + # setup data directories and permissions (when run as root) + docker_create_db_directories + if [ "$(id -u)" = '0' ]; then + exec gosu postgres "$BASH_SOURCE" "$@" + fi + + # only run initialization on an empty data directory + if [ -z "$DATABASE_ALREADY_EXISTS" ]; then + docker_verify_minimum_env + + # check dir permissions to reduce likelihood of half-initialized database + ls /docker-entrypoint-initdb.d/ > /dev/null + + docker_init_database_dir + pg_setup_hba_conf "$@" + + # PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless + # e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS + export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}" + docker_temp_server_start "$@" + + docker_setup_db + docker_process_init_files /docker-entrypoint-initdb.d/* + + docker_temp_server_stop + unset PGPASSWORD + + cat <<-'EOM' + + PostgreSQL init process complete; ready for start up. + + EOM + else + cat <<-'EOM' + + PostgreSQL Database directory appears to contain a database; Skipping initialization + + EOM + fi + fi + + # For development of pgautoupgrade. This spot leaves the container running, prior to the pgautoupgrade scripting + # executing + local UPGRADE_PERFORMED=0 + if [ "x${PGAUTO_DEVEL}" = "xbefore" ]; then + echo "--------------------------------------------------------------------------" + echo "In pgautoupgrade development mode, paused prior to pgautoupgrade scripting" + echo "--------------------------------------------------------------------------" + while :; do + sleep 5 + done + else + ### The main pgautoupgrade scripting starts here ### + + echo "************************************" + echo "PostgreSQL data directory: ${PGDATA}" + echo "************************************" + + # Get the version of the PostgreSQL data files + local PGVER=${PGTARGET} + if [ -s "${PGDATA}/PG_VERSION" ]; then + PGVER=$(cat "${PGDATA}/PG_VERSION") + fi + + # If the version of PostgreSQL data files doesn't match our desired version, then upgrade them + if [ "${PGVER}" != "${PGTARGET}" ]; then + create_upgrade_lock_file + # Ensure the database files are a version we can upgrade + local RECOGNISED=0 + local OLDPATH=unset + if [ "${PGVER}" = "9.5" ] || [ "${PGVER}" = "9.6" ] || [ "${PGVER}" = "10" ] || [ "${PGVER}" = "11" ] || [ "${PGVER}" = "12" ]; then + RECOGNISED=1 + fi + if [ "${PGTARGET}" -gt 13 ] && [ "${PGVER}" = "13" ]; then + RECOGNISED=1 + fi + if [ "${PGTARGET}" -gt 14 ] && [ "${PGVER}" = "14" ]; then + RECOGNISED=1 + fi + if [ "${PGTARGET}" -gt 15 ] && [ "${PGVER}" = "15" ]; then + RECOGNISED=1 + fi + if [ "${PGTARGET}" -gt 16 ] && [ "${PGVER}" = "16" ]; then + RECOGNISED=1 + fi + if [ "${RECOGNISED}" -eq 1 ]; then + OLDPATH="/usr/local-pg${PGVER}" + echo "*******************************************************************************************" + echo "Performing PG upgrade on version ${PGVER} database files. Upgrading to version ${PGTARGET}" + echo "*******************************************************************************************" + else + echo "****************************************************************************" + echo "Unrecognised version of PostgreSQL database files found, aborting completely" + echo "****************************************************************************" + exit 9 + fi + + # Check for presence of old/new directories, indicating a failed previous autoupgrade + echo "----------------------------------------------------------------------" + echo "Checking for left over artifacts from a failed previous autoupgrade..." + echo "----------------------------------------------------------------------" + local OLD="${PGDATA}/old" + local NEW="${PGDATA}/new" + if [ -d "${OLD}" ]; then + echo "*****************************************" + echo "Left over OLD directory found. Aborting." + echo "*****************************************" + exit 10 + fi + if [ -d "${NEW}" ]; then + echo "*****************************************" + echo "Left over NEW directory found. Aborting." + echo "*****************************************" + exit 11 + fi + echo "-------------------------------------------------------------------------------" + echo "No artifacts found from a failed previous autoupgrade. Continuing the process." + echo "-------------------------------------------------------------------------------" + + # Don't automatically abort on non-0 exit status, as that messes with these upcoming mv commands + set +e + + # Move the PostgreSQL data files into a subdirectory of the mount point + echo "---------------------------------------" + echo "Creating OLD temporary directory ${OLD}" + echo "---------------------------------------" + mkdir "${OLD}" + if [ ! -d "${OLD}" ]; then + echo "*********************************************************************" + echo "Creation of temporary directory '${OLD}' failed. Aborting completely" + echo "*********************************************************************" + exit 7 + fi + echo "--------------------------------------------" + echo "Creating OLD temporary directory is complete" + echo "--------------------------------------------" + + echo "-------------------------------------------------------" + echo "Moving existing data files into OLD temporary directory" + echo "-------------------------------------------------------" + mv -v "${PGDATA}"/* "${OLD}" + echo "-------------------------------------------------------------------" + echo "Moving existing data files into OLD temporary directory is complete" + echo "-------------------------------------------------------------------" + + echo "---------------------------------------" + echo "Creating NEW temporary directory ${NEW}" + echo "---------------------------------------" + mkdir "${NEW}" + if [ ! -d "${NEW}" ]; then + echo "********************************************************************" + echo "Creation of temporary directory '${NEW}' failed. Aborting completely" + echo "********************************************************************" + # With a failure at this point we should be able to move the old data back + # to its original location + mv -v "${OLD}"/* "${PGDATA}" + rmdir old + exit 8 + fi + echo "--------------------------------------------" + echo "Creating NEW temporary directory is complete" + echo "--------------------------------------------" + + echo "-----------------------------------------------------" + echo "Changing permissions of temporary directories to 0700" + echo "-----------------------------------------------------" + chmod 0700 "${OLD}" "${NEW}" + echo "---------------------------------------------------------" + echo "Changing permissions of temporary directories is complete" + echo "---------------------------------------------------------" + + # Return the error handling back to automatically aborting on non-0 exit status + set -e + + # If no initdb arguments were passed to us from the environment, then work out something valid ourselves + if [ "x${POSTGRES_INITDB_ARGS}" != "x" ]; then + echo "------------------------------------------------------------------------------" + echo "Using initdb arguments passed in from the environment: ${POSTGRES_INITDB_ARGS}" + echo "------------------------------------------------------------------------------" + else + echo "-------------------------------------------------" + echo "Remove postmaster.pid file from PG data directory" + echo "-------------------------------------------------" + rm -f "${OLD}"/postmaster.pid + + echo "------------------------------------" + echo "Determining our own initdb arguments" + echo "------------------------------------" + local COLLATE=unset + local CTYPE=unset + local ENCODING=unset + + ENCODING=$(echo 'SHOW SERVER_ENCODING' | "${OLDPATH}/bin/postgres" --single -D "${OLD}" "${POSTGRES_DB}" | grep 'server_encoding = "' | cut -d '"' -f 2) + + # LC_COLLATE and LC_TYPE have been removed with PG v16 + # https://www.postgresql.org/docs/release/16.0/ + if [ "${PGVER}" -lt 16 ]; then + COLLATE=$(echo 'SHOW LC_COLLATE' | "${OLDPATH}/bin/postgres" --single -D "${OLD}" "${POSTGRES_DB}" | grep 'lc_collate = "' | cut -d '"' -f 2) + CTYPE=$(echo 'SHOW LC_CTYPE' | "${OLDPATH}/bin/postgres" --single -D "${OLD}" "${POSTGRES_DB}" | grep 'lc_ctype = "' | cut -d '"' -f 2) + + POSTGRES_INITDB_ARGS="--locale=${COLLATE} --lc-collate=${COLLATE} --lc-ctype=${CTYPE} --encoding=${ENCODING}" + else + POSTGRES_INITDB_ARGS="--encoding=${ENCODING}" + fi + + echo "---------------------------------------------------------------" + echo "The initdb arguments we determined are: ${POSTGRES_INITDB_ARGS}" + echo "---------------------------------------------------------------" + fi + + # Initialise the new PostgreSQL database directory + echo "--------------------------------------------------------------------------------------------------------------------" + echo "Old database using collation settings: '${POSTGRES_INITDB_ARGS}'. Initialising new database with those settings too" + echo "--------------------------------------------------------------------------------------------------------------------" + initdb_locale "${POSTGRES_INITDB_ARGS}" + echo "------------------------------------" + echo "New database initialisation complete" + echo "------------------------------------" + + # Change into the PostgreSQL database directory, to avoid a pg_upgrade error about write permissions + cd "${PGDATA}" + + # Run the pg_upgrade command itself + echo "---------------------------------------" + echo "Running pg_upgrade command, from $(pwd)" + echo "---------------------------------------" + bin_path=$(get_bin_path) + "${bin_path}/pg_upgrade" --username="${POSTGRES_USER}" --link -d "${OLD}" -D "${NEW}" -b "${OLDPATH}/bin" -B "${bin_path}" --socketdir="/var/run/postgresql" + echo "--------------------------------------" + echo "Running pg_upgrade command is complete" + echo "--------------------------------------" + + # Move the new database files into place + echo "-----------------------------------------------------" + echo "Moving the new database files to the active directory" + echo "-----------------------------------------------------" + mv -v "${NEW}"/* "${PGDATA}" + echo "-----------------------------------------" + echo "Moving the new database files is complete" + echo "-----------------------------------------" + + # Re-use the pg_hba.conf and pg_ident.conf from the old data directory + echo "--------------------------------------------------------------" + echo "Copying the old pg_hba and pg_ident configuration files across" + echo "--------------------------------------------------------------" + cp -f "${OLD}/pg_hba.conf" "${OLD}/pg_ident.conf" "${PGDATA}" + echo "-------------------------------------------------------------------" + echo "Copying the old pg_hba and pg_ident configuration files is complete" + echo "-------------------------------------------------------------------" + + # Remove the left over database files + echo "---------------------------------" + echo "Removing left over database files" + echo "---------------------------------" + rm -rf "${OLD}" "${NEW}" ~/delete_old_cluster.sh + echo "---------------------------------------------" + echo "Removing left over database files is complete" + echo "---------------------------------------------" + + UPGRADE_PERFORMED=1 + + echo "***************************************************************************************" + echo "Automatic upgrade process finished upgrading the data format to PostgreSQL ${PGTARGET}." + echo "The database has not yet been reindexed nor updated the query planner stats. Those " + echo "will be done by a background task shortly. " + echo "***************************************************************************************" + remove_upgrade_lock_file + fi + + ### The main pgautoupgrade scripting ends here ### + fi + + # For development of pgautoupgrade. This spot leaves the container running, after the pgautoupgrade scripting has + # executed, but without subsequently running the PostgreSQL server + if [ "x${PGAUTO_DEVEL}" = "xserver" ]; then + echo "-------------------------------------------------------------------" + echo "In pgautoupgrade development mode, paused after main pg_upgrade has" + echo "run, but before database server and post-upgrade tasks have started" + echo "-------------------------------------------------------------------" + while :; do + sleep 5 + done + else + # If the upgrade process ran, then we need to launch the post-upgrade script in the background while PG runs + if [ "${UPGRADE_PERFORMED}" -eq 1 ]; then + /usr/local/bin/pgautoupgrade-postupgrade.sh "${PGDATA}" "${POSTGRES_DB}" "${PGAUTO_ONESHOT}" 2>&1 & + echo "****************************" + echo "Post upgrade script launched" + echo "****************************" + + # Start PostgreSQL + exec "$@" + else + # If no upgrade was performed, then we start PostgreSQL as per normal as long as "one shot" mode wasn't requested + if [ "x${PGAUTO_ONESHOT}" = "xyes" ]; then + echo "***********************************************************************************" + echo "'One shot' automatic upgrade was requested, so exiting as there is no upgrade to do" + echo "If you're seeing this message and expecting an upgrade to be happening, it probably" + echo "means the container is being started in a loop and a previous run already did it :)" + echo "***********************************************************************************" + else + # Start PostgreSQL + exec "$@" + fi + fi + fi +} + +# Check if an upgrade lock file exists at script start and exit if it does +if [ -f "$UPGRADE_LOCK_FILE" ]; then + echo "Upgrade lock file already exists, indicating an incomplete previous upgrade. Exiting." + exit 1 +fi + +if ! _is_sourced; then + _main "$@" +fi diff --git a/postgresql.conf b/postgresql.conf new file mode 100644 index 0000000..19a847a --- /dev/null +++ b/postgresql.conf @@ -0,0 +1,815 @@ +# ----------------------------- +# PostgreSQL configuration file +# ----------------------------- +# +# This file consists of lines of the form: +# +# name = value +# +# (The "=" is optional.) Whitespace may be used. Comments are introduced with +# "#" anywhere on a line. The complete list of parameter names and allowed +# values can be found in the PostgreSQL documentation. +# +# The commented-out settings shown in this file represent the default values. +# Re-commenting a setting is NOT sufficient to revert it to the default value; +# you need to reload the server. +# +# This file is read on server startup and when the server receives a SIGHUP +# signal. If you edit the file on a running system, you have to SIGHUP the +# server for the changes to take effect, run "pg_ctl reload", or execute +# "SELECT pg_reload_conf()". Some parameters, which are marked below, +# require a server shutdown and restart to take effect. +# +# Any parameter can also be given as a command-line option to the server, e.g., +# "postgres -c log_connections=on". Some parameters can be changed at run time +# with the "SET" SQL command. +# +# Memory units: B = bytes Time units: us = microseconds +# kB = kilobytes ms = milliseconds +# MB = megabytes s = seconds +# GB = gigabytes min = minutes +# TB = terabytes h = hours +# d = days + + +#------------------------------------------------------------------------------ +# FILE LOCATIONS +#------------------------------------------------------------------------------ + +# The default values of these variables are driven from the -D command-line +# option or PGDATA environment variable, represented here as ConfigDir. + +#data_directory = 'ConfigDir' # use data in another directory + # (change requires restart) +#hba_file = 'ConfigDir/pg_hba.conf' # host-based authentication file + # (change requires restart) +#ident_file = 'ConfigDir/pg_ident.conf' # ident configuration file + # (change requires restart) + +# If external_pid_file is not explicitly set, no extra PID file is written. +#external_pid_file = '' # write an extra PID file + # (change requires restart) + + +#------------------------------------------------------------------------------ +# CONNECTIONS AND AUTHENTICATION +#------------------------------------------------------------------------------ + +# - Connection Settings - + +listen_addresses = '*' + # comma-separated list of addresses; + # defaults to 'localhost'; use '*' for all + # (change requires restart) +#port = 5432 # (change requires restart) +max_connections = 100 # (change requires restart) +#superuser_reserved_connections = 3 # (change requires restart) +#unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories + # (change requires restart) +#unix_socket_group = '' # (change requires restart) +#unix_socket_permissions = 0777 # begin with 0 to use octal notation + # (change requires restart) +#bonjour = off # advertise server via Bonjour + # (change requires restart) +#bonjour_name = '' # defaults to the computer name + # (change requires restart) + +# - TCP settings - +# see "man tcp" for details + +#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds; + # 0 selects the system default +#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds; + # 0 selects the system default +#tcp_keepalives_count = 0 # TCP_KEEPCNT; + # 0 selects the system default +#tcp_user_timeout = 0 # TCP_USER_TIMEOUT, in milliseconds; + # 0 selects the system default + +#client_connection_check_interval = 0 # time between checks for client + # disconnection while running queries; + # 0 for never + +# - Authentication - + +#authentication_timeout = 1min # 1s-600s +#password_encryption = scram-sha-256 # scram-sha-256 or md5 +#db_user_namespace = off + +# GSSAPI using Kerberos +#krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab' +#krb_caseins_users = off + +# - SSL - + +#ssl = off +#ssl_ca_file = '' +#ssl_cert_file = 'server.crt' +#ssl_crl_file = '' +#ssl_crl_dir = '' +#ssl_key_file = 'server.key' +#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers +#ssl_prefer_server_ciphers = on +#ssl_ecdh_curve = 'prime256v1' +#ssl_min_protocol_version = 'TLSv1.2' +#ssl_max_protocol_version = '' +#ssl_dh_params_file = '' +#ssl_passphrase_command = '' +#ssl_passphrase_command_supports_reload = off + + +#------------------------------------------------------------------------------ +# RESOURCE USAGE (except WAL) +#------------------------------------------------------------------------------ + +# - Memory - + +shared_buffers = 128MB # min 128kB + # (change requires restart) +#huge_pages = try # on, off, or try + # (change requires restart) +#huge_page_size = 0 # zero for system default + # (change requires restart) +#temp_buffers = 8MB # min 800kB +#max_prepared_transactions = 0 # zero disables the feature + # (change requires restart) +# Caution: it is not advisable to set max_prepared_transactions nonzero unless +# you actively intend to use prepared transactions. +#work_mem = 4MB # min 64kB +#hash_mem_multiplier = 2.0 # 1-1000.0 multiplier on hash table work_mem +#maintenance_work_mem = 64MB # min 1MB +#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem +#logical_decoding_work_mem = 64MB # min 64kB +#max_stack_depth = 2MB # min 100kB +#shared_memory_type = mmap # the default is the first option + # supported by the operating system: + # mmap + # sysv + # windows + # (change requires restart) +dynamic_shared_memory_type = posix # the default is usually the first option + # supported by the operating system: + # posix + # sysv + # windows + # mmap + # (change requires restart) +#min_dynamic_shared_memory = 0MB # (change requires restart) + +# - Disk - + +#temp_file_limit = -1 # limits per-process temp file space + # in kilobytes, or -1 for no limit + +# - Kernel Resources - + +#max_files_per_process = 1000 # min 64 + # (change requires restart) + +# - Cost-Based Vacuum Delay - + +#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables) +#vacuum_cost_page_hit = 1 # 0-10000 credits +#vacuum_cost_page_miss = 2 # 0-10000 credits +#vacuum_cost_page_dirty = 20 # 0-10000 credits +#vacuum_cost_limit = 200 # 1-10000 credits + +# - Background Writer - + +#bgwriter_delay = 200ms # 10-10000ms between rounds +#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables +#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round +#bgwriter_flush_after = 512kB # measured in pages, 0 disables + +# - Asynchronous Behavior - + +#backend_flush_after = 0 # measured in pages, 0 disables +#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching +#maintenance_io_concurrency = 10 # 1-1000; 0 disables prefetching +#max_worker_processes = 8 # (change requires restart) +#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers +#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers +#max_parallel_workers = 8 # maximum number of max_worker_processes that + # can be used in parallel operations +#parallel_leader_participation = on +#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate + # (change requires restart) + + +#------------------------------------------------------------------------------ +# WRITE-AHEAD LOG +#------------------------------------------------------------------------------ + +# - Settings - + +#wal_level = replica # minimal, replica, or logical + # (change requires restart) +#fsync = on # flush data to disk for crash safety + # (turning this off can cause + # unrecoverable data corruption) +#synchronous_commit = on # synchronization level; + # off, local, remote_write, remote_apply, or on +#wal_sync_method = fsync # the default is the first option + # supported by the operating system: + # open_datasync + # fdatasync (default on Linux and FreeBSD) + # fsync + # fsync_writethrough + # open_sync +#full_page_writes = on # recover from partial page writes +#wal_log_hints = off # also do full page writes of non-critical updates + # (change requires restart) +#wal_compression = off # enables compression of full-page writes; + # off, pglz, lz4, zstd, or on +#wal_init_zero = on # zero-fill new WAL files +#wal_recycle = on # recycle WAL files +#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers + # (change requires restart) +#wal_writer_delay = 200ms # 1-10000 milliseconds +#wal_writer_flush_after = 1MB # measured in pages, 0 disables +#wal_skip_threshold = 2MB + +#commit_delay = 0 # range 0-100000, in microseconds +#commit_siblings = 5 # range 1-1000 + +# - Checkpoints - + +#checkpoint_timeout = 5min # range 30s-1d +#checkpoint_completion_target = 0.9 # checkpoint target duration, 0.0 - 1.0 +#checkpoint_flush_after = 256kB # measured in pages, 0 disables +#checkpoint_warning = 30s # 0 disables +max_wal_size = 1GB +min_wal_size = 80MB + +# - Prefetching during recovery - + +#recovery_prefetch = try # prefetch pages referenced in the WAL? +#wal_decode_buffer_size = 512kB # lookahead window used for prefetching + # (change requires restart) + +# - Archiving - + +#archive_mode = off # enables archiving; off, on, or always + # (change requires restart) +#archive_library = '' # library to use to archive a logfile segment + # (empty string indicates archive_command should + # be used) +#archive_command = '' # command to use to archive a logfile segment + # placeholders: %p = path of file to archive + # %f = file name only + # e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f' +#archive_timeout = 0 # force a logfile segment switch after this + # number of seconds; 0 disables + +# - Archive Recovery - + +# These are only used in recovery mode. + +#restore_command = '' # command to use to restore an archived logfile segment + # placeholders: %p = path of file to restore + # %f = file name only + # e.g. 'cp /mnt/server/archivedir/%f %p' +#archive_cleanup_command = '' # command to execute at every restartpoint +#recovery_end_command = '' # command to execute at completion of recovery + +# - Recovery Target - + +# Set these only when performing a targeted recovery. + +#recovery_target = '' # 'immediate' to end recovery as soon as a + # consistent state is reached + # (change requires restart) +#recovery_target_name = '' # the named restore point to which recovery will proceed + # (change requires restart) +#recovery_target_time = '' # the time stamp up to which recovery will proceed + # (change requires restart) +#recovery_target_xid = '' # the transaction ID up to which recovery will proceed + # (change requires restart) +#recovery_target_lsn = '' # the WAL LSN up to which recovery will proceed + # (change requires restart) +#recovery_target_inclusive = on # Specifies whether to stop: + # just after the specified recovery target (on) + # just before the recovery target (off) + # (change requires restart) +#recovery_target_timeline = 'latest' # 'current', 'latest', or timeline ID + # (change requires restart) +#recovery_target_action = 'pause' # 'pause', 'promote', 'shutdown' + # (change requires restart) + + +#------------------------------------------------------------------------------ +# REPLICATION +#------------------------------------------------------------------------------ + +# - Sending Servers - + +# Set these on the primary and on any standby that will send replication data. + +#max_wal_senders = 10 # max number of walsender processes + # (change requires restart) +#max_replication_slots = 10 # max number of replication slots + # (change requires restart) +#wal_keep_size = 0 # in megabytes; 0 disables +#max_slot_wal_keep_size = -1 # in megabytes; -1 disables +#wal_sender_timeout = 60s # in milliseconds; 0 disables +#track_commit_timestamp = off # collect timestamp of transaction commit + # (change requires restart) + +# - Primary Server - + +# These settings are ignored on a standby server. + +#synchronous_standby_names = '' # standby servers that provide sync rep + # method to choose sync standbys, number of sync standbys, + # and comma-separated list of application_name + # from standby(s); '*' = all +#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed + +# - Standby Servers - + +# These settings are ignored on a primary server. + +#primary_conninfo = '' # connection string to sending server +#primary_slot_name = '' # replication slot on sending server +#promote_trigger_file = '' # file name whose presence ends recovery +#hot_standby = on # "off" disallows queries during recovery + # (change requires restart) +#max_standby_archive_delay = 30s # max delay before canceling queries + # when reading WAL from archive; + # -1 allows indefinite delay +#max_standby_streaming_delay = 30s # max delay before canceling queries + # when reading streaming WAL; + # -1 allows indefinite delay +#wal_receiver_create_temp_slot = off # create temp slot if primary_slot_name + # is not set +#wal_receiver_status_interval = 10s # send replies at least this often + # 0 disables +#hot_standby_feedback = off # send info from standby to prevent + # query conflicts +#wal_receiver_timeout = 60s # time that receiver waits for + # communication from primary + # in milliseconds; 0 disables +#wal_retrieve_retry_interval = 5s # time to wait before retrying to + # retrieve WAL after a failed attempt +#recovery_min_apply_delay = 0 # minimum delay for applying changes during recovery + +# - Subscribers - + +# These settings are ignored on a publisher. + +#max_logical_replication_workers = 4 # taken from max_worker_processes + # (change requires restart) +#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers + + +#------------------------------------------------------------------------------ +# QUERY TUNING +#------------------------------------------------------------------------------ + +# - Planner Method Configuration - + +#enable_async_append = on +#enable_bitmapscan = on +#enable_gathermerge = on +#enable_hashagg = on +#enable_hashjoin = on +#enable_incremental_sort = on +#enable_indexscan = on +#enable_indexonlyscan = on +#enable_material = on +#enable_memoize = on +#enable_mergejoin = on +#enable_nestloop = on +#enable_parallel_append = on +#enable_parallel_hash = on +#enable_partition_pruning = on +#enable_partitionwise_join = off +#enable_partitionwise_aggregate = off +#enable_seqscan = on +#enable_sort = on +#enable_tidscan = on + +# - Planner Cost Constants - + +#seq_page_cost = 1.0 # measured on an arbitrary scale +#random_page_cost = 4.0 # same scale as above +#cpu_tuple_cost = 0.01 # same scale as above +#cpu_index_tuple_cost = 0.005 # same scale as above +#cpu_operator_cost = 0.0025 # same scale as above +#parallel_setup_cost = 1000.0 # same scale as above +#parallel_tuple_cost = 0.1 # same scale as above +#min_parallel_table_scan_size = 8MB +#min_parallel_index_scan_size = 512kB +#effective_cache_size = 4GB + +#jit_above_cost = 100000 # perform JIT compilation if available + # and query more expensive than this; + # -1 disables +#jit_inline_above_cost = 500000 # inline small functions if query is + # more expensive than this; -1 disables +#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if + # query is more expensive than this; + # -1 disables + +# - Genetic Query Optimizer - + +#geqo = on +#geqo_threshold = 12 +#geqo_effort = 5 # range 1-10 +#geqo_pool_size = 0 # selects default based on effort +#geqo_generations = 0 # selects default based on effort +#geqo_selection_bias = 2.0 # range 1.5-2.0 +#geqo_seed = 0.0 # range 0.0-1.0 + +# - Other Planner Options - + +#default_statistics_target = 100 # range 1-10000 +#constraint_exclusion = partition # on, off, or partition +#cursor_tuple_fraction = 0.1 # range 0.0-1.0 +#from_collapse_limit = 8 +#jit = on # allow JIT compilation +#join_collapse_limit = 8 # 1 disables collapsing of explicit + # JOIN clauses +#plan_cache_mode = auto # auto, force_generic_plan or + # force_custom_plan +#recursive_worktable_factor = 10.0 # range 0.001-1000000 + + +#------------------------------------------------------------------------------ +# REPORTING AND LOGGING +#------------------------------------------------------------------------------ + +# - Where to Log - + +#log_destination = 'stderr' # Valid values are combinations of + # stderr, csvlog, jsonlog, syslog, and + # eventlog, depending on platform. + # csvlog and jsonlog require + # logging_collector to be on. + +# This is used when logging to stderr: +#logging_collector = off # Enable capturing of stderr, jsonlog, + # and csvlog into log files. Required + # to be on for csvlogs and jsonlogs. + # (change requires restart) + +# These are only used if logging_collector is on: +#log_directory = 'log' # directory where log files are written, + # can be absolute or relative to PGDATA +#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern, + # can include strftime() escapes +#log_file_mode = 0600 # creation mode for log files, + # begin with 0 to use octal notation +#log_rotation_age = 1d # Automatic rotation of logfiles will + # happen after that time. 0 disables. +#log_rotation_size = 10MB # Automatic rotation of logfiles will + # happen after that much log output. + # 0 disables. +#log_truncate_on_rotation = off # If on, an existing log file with the + # same name as the new log file will be + # truncated rather than appended to. + # But such truncation only occurs on + # time-driven rotation, not on restarts + # or size-driven rotation. Default is + # off, meaning append to existing files + # in all cases. + +# These are relevant when logging to syslog: +#syslog_facility = 'LOCAL0' +#syslog_ident = 'postgres' +#syslog_sequence_numbers = on +#syslog_split_messages = on + +# This is only relevant when logging to eventlog (Windows): +# (change requires restart) +#event_source = 'PostgreSQL' + +# - When to Log - + +#log_min_messages = warning # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic + +#log_min_error_statement = error # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic (effectively off) + +#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements + # and their durations, > 0 logs only + # statements running at least this number + # of milliseconds + +#log_min_duration_sample = -1 # -1 is disabled, 0 logs a sample of statements + # and their durations, > 0 logs only a sample of + # statements running at least this number + # of milliseconds; + # sample fraction is determined by log_statement_sample_rate + +#log_statement_sample_rate = 1.0 # fraction of logged statements exceeding + # log_min_duration_sample to be logged; + # 1.0 logs all such statements, 0.0 never logs + + +#log_transaction_sample_rate = 0.0 # fraction of transactions whose statements + # are logged regardless of their duration; 1.0 logs all + # statements from all transactions, 0.0 never logs + +#log_startup_progress_interval = 10s # Time between progress updates for + # long-running startup operations. + # 0 disables the feature, > 0 indicates + # the interval in milliseconds. + +# - What to Log - + +#debug_print_parse = off +#debug_print_rewritten = off +#debug_print_plan = off +#debug_pretty_print = on +#log_autovacuum_min_duration = 10min # log autovacuum activity; + # -1 disables, 0 logs all actions and + # their durations, > 0 logs only + # actions running at least this number + # of milliseconds. +#log_checkpoints = on +#log_connections = off +#log_disconnections = off +#log_duration = off +#log_error_verbosity = default # terse, default, or verbose messages +#log_hostname = off +#log_line_prefix = '%m [%p] ' # special values: + # %a = application name + # %u = user name + # %d = database name + # %r = remote host and port + # %h = remote host + # %b = backend type + # %p = process ID + # %P = process ID of parallel group leader + # %t = timestamp without milliseconds + # %m = timestamp with milliseconds + # %n = timestamp with milliseconds (as a Unix epoch) + # %Q = query ID (0 if none or not computed) + # %i = command tag + # %e = SQL state + # %c = session ID + # %l = session line number + # %s = session start timestamp + # %v = virtual transaction ID + # %x = transaction ID (0 if none) + # %q = stop here in non-session + # processes + # %% = '%' + # e.g. '<%u%%%d> ' +#log_lock_waits = off # log lock waits >= deadlock_timeout +#log_recovery_conflict_waits = off # log standby recovery conflict waits + # >= deadlock_timeout +#log_parameter_max_length = -1 # when logging statements, limit logged + # bind-parameter values to N bytes; + # -1 means print in full, 0 disables +#log_parameter_max_length_on_error = 0 # when logging an error, limit logged + # bind-parameter values to N bytes; + # -1 means print in full, 0 disables +#log_statement = 'none' # none, ddl, mod, all +#log_replication_commands = off +#log_temp_files = -1 # log temporary files equal or larger + # than the specified size in kilobytes; + # -1 disables, 0 logs all temp files +log_timezone = 'Etc/UTC' + + +#------------------------------------------------------------------------------ +# PROCESS TITLE +#------------------------------------------------------------------------------ + +#cluster_name = '' # added to process titles if nonempty + # (change requires restart) +#update_process_title = on + + +#------------------------------------------------------------------------------ +# STATISTICS +#------------------------------------------------------------------------------ + +# - Cumulative Query and Index Statistics - + +#track_activities = on +#track_activity_query_size = 1024 # (change requires restart) +#track_counts = on +#track_io_timing = off +#track_wal_io_timing = off +#track_functions = none # none, pl, all +#stats_fetch_consistency = cache + + +# - Monitoring - + +#compute_query_id = auto +#log_statement_stats = off +#log_parser_stats = off +#log_planner_stats = off +#log_executor_stats = off + + +#------------------------------------------------------------------------------ +# AUTOVACUUM +#------------------------------------------------------------------------------ + +#autovacuum = on # Enable autovacuum subprocess? 'on' + # requires track_counts to also be on. +#autovacuum_max_workers = 3 # max number of autovacuum subprocesses + # (change requires restart) +#autovacuum_naptime = 1min # time between autovacuum runs +#autovacuum_vacuum_threshold = 50 # min number of row updates before + # vacuum +#autovacuum_vacuum_insert_threshold = 1000 # min number of row inserts + # before vacuum; -1 disables insert + # vacuums +#autovacuum_analyze_threshold = 50 # min number of row updates before + # analyze +#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum +#autovacuum_vacuum_insert_scale_factor = 0.2 # fraction of inserts over table + # size before insert vacuum +#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze +#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum + # (change requires restart) +#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age + # before forced vacuum + # (change requires restart) +#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for + # autovacuum, in milliseconds; + # -1 means use vacuum_cost_delay +#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for + # autovacuum, -1 means use + # vacuum_cost_limit + + +#------------------------------------------------------------------------------ +# CLIENT CONNECTION DEFAULTS +#------------------------------------------------------------------------------ + +# - Statement Behavior - + +#client_min_messages = notice # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # log + # notice + # warning + # error +#search_path = '"$user", public' # schema names +#row_security = on +#default_table_access_method = 'heap' +#default_tablespace = '' # a tablespace name, '' uses the default +#default_toast_compression = 'pglz' # 'pglz' or 'lz4' +#temp_tablespaces = '' # a list of tablespace names, '' uses + # only default tablespace +#check_function_bodies = on +#default_transaction_isolation = 'read committed' +#default_transaction_read_only = off +#default_transaction_deferrable = off +#session_replication_role = 'origin' +#statement_timeout = 0 # in milliseconds, 0 is disabled +#lock_timeout = 0 # in milliseconds, 0 is disabled +#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled +#idle_session_timeout = 0 # in milliseconds, 0 is disabled +#vacuum_freeze_table_age = 150000000 +#vacuum_freeze_min_age = 50000000 +#vacuum_failsafe_age = 1600000000 +#vacuum_multixact_freeze_table_age = 150000000 +#vacuum_multixact_freeze_min_age = 5000000 +#vacuum_multixact_failsafe_age = 1600000000 +#bytea_output = 'hex' # hex, escape +#xmlbinary = 'base64' +#xmloption = 'content' +#gin_pending_list_limit = 4MB + +# - Locale and Formatting - + +datestyle = 'iso, mdy' +#intervalstyle = 'postgres' +timezone = 'Etc/UTC' +#timezone_abbreviations = 'Default' # Select the set of available time zone + # abbreviations. Currently, there are + # Default + # Australia (historical usage) + # India + # You can create your own file in + # share/timezonesets/. +#extra_float_digits = 1 # min -15, max 3; any value >0 actually + # selects precise output mode +#client_encoding = sql_ascii # actually, defaults to database + # encoding + +# These settings are initialized by initdb, but they can be changed. +lc_messages = 'en_US.utf8' # locale for system error message + # strings +lc_monetary = 'en_US.utf8' # locale for monetary formatting +lc_numeric = 'en_US.utf8' # locale for number formatting +lc_time = 'en_US.utf8' # locale for time formatting + +# default configuration for text search +default_text_search_config = 'pg_catalog.english' + +# - Shared Library Preloading - + +#local_preload_libraries = '' +#session_preload_libraries = '' +#shared_preload_libraries = '' # (change requires restart) +#jit_provider = 'llvmjit' # JIT library to use + +# - Other Defaults - + +#dynamic_library_path = '$libdir' +#extension_destdir = '' # prepend path when loading extensions + # and shared objects (added by Debian) +#gin_fuzzy_search_limit = 0 + + +#------------------------------------------------------------------------------ +# LOCK MANAGEMENT +#------------------------------------------------------------------------------ + +#deadlock_timeout = 1s +#max_locks_per_transaction = 64 # min 10 + # (change requires restart) +#max_pred_locks_per_transaction = 64 # min 10 + # (change requires restart) +#max_pred_locks_per_relation = -2 # negative values mean + # (max_pred_locks_per_transaction + # / -max_pred_locks_per_relation) - 1 +#max_pred_locks_per_page = 2 # min 0 + + +#------------------------------------------------------------------------------ +# VERSION AND PLATFORM COMPATIBILITY +#------------------------------------------------------------------------------ + +# - Previous PostgreSQL Versions - + +#array_nulls = on +#backslash_quote = safe_encoding # on, off, or safe_encoding +#escape_string_warning = on +#lo_compat_privileges = off +#quote_all_identifiers = off +#standard_conforming_strings = on +#synchronize_seqscans = on + +# - Other Platforms and Clients - + +#transform_null_equals = off + + +#------------------------------------------------------------------------------ +# ERROR HANDLING +#------------------------------------------------------------------------------ + +#exit_on_error = off # terminate session on any error? +#restart_after_crash = on # reinitialize after backend crash? +#data_sync_retry = off # retry or panic on failure to fsync + # data? + # (change requires restart) +#recovery_init_sync_method = fsync # fsync, syncfs (Linux 5.8+) + + +#------------------------------------------------------------------------------ +# CONFIG FILE INCLUDES +#------------------------------------------------------------------------------ + +# These options allow settings to be loaded from files other than the +# default postgresql.conf. Note that these are directives, not variable +# assignments, so they can usefully be given more than once. + +#include_dir = '...' # include files ending in '.conf' from + # a directory, e.g., 'conf.d' +#include_if_exists = '...' # include file only if it exists +#include = '...' # include file + + +#------------------------------------------------------------------------------ +# CUSTOMIZED OPTIONS +#------------------------------------------------------------------------------ + +# Add settings for extensions here diff --git a/test.sh b/test.sh index ae2a875..16b14c6 100755 --- a/test.sh +++ b/test.sh @@ -48,6 +48,15 @@ test_run() { sudo rm -rf postgres-data fi + # Start an empty pgautoupgrade container to make sure this is possible as well + TARGET_TAG="${TARGET}-${FLAVOR}" docker compose -f docker-compose-pgauto.yml up --wait -d + + # Shut down any containers that are still running + docker compose -f docker-compose-pgauto.yml down --remove-orphans + + # Delete the upgraded PostgreSQL data directory + sudo rm -rf postgres-data + import_adventure_works # Start pgautoupgrade container