diff --git a/.dockerignore b/.dockerignore index c0b11c0..4df4001 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,7 +1,6 @@ .git .gitignore -./alpine ./Makefile *.yml diff --git a/Makefile b/Makefile index 05ef327..03fbcf6 100644 --- a/Makefile +++ b/Makefile @@ -1,41 +1,42 @@ -# Ver: 1.7 by Endial Fang (endial@126.com) +# Ver: 1.11 by Endial Fang (endial@126.com) # # 当前 Docker 镜像的编译脚本 -registry_url :=registry.cn-shenzhen.aliyuncs.com -app_name :=colovu/postgres +# 定义镜像名称 +image_name :=colovu/postgres -# 生成镜像TAG,类似: -# <镜像名>:<分支名>- # Git 仓库且无文件修改直接编译 +# 定义默认镜像仓库地址 +registry_url :=docker.io + +# 定义系统默认使用的源服务器,包含:default / tencent / ustc / aliyun / huawei +apt_source :=tencent + +# 定义镜像TAG,类似: +# <镜像名>:<分支名>-<7位Git ID> # Git 仓库且无文件修改直接编译 # <镜像名>:<分支名>-<年月日>-<时分秒> # Git 仓库有文件修改后的编译 # <镜像名>:latest-<年月日>-<时分秒> # 非 Git 仓库编译 current_subversion:=$(shell if [ ! `git status >/dev/null 2>&1` ]; then git rev-parse --short HEAD; else date +%y%m%d-%H%M%S; fi) -current_tag:=local-$(shell if [ ! `git status >/dev/null 2>&1` ]; then git rev-parse --abbrev-ref HEAD | sed -e 's/master/latest/'; else echo "latest"; fi)-$(current_subversion) +image_tag:=$(shell if [ ! `git status >/dev/null 2>&1` ]; then git rev-parse --abbrev-ref HEAD | sed -e 's/master/latest/'; else echo "latest"; fi)-$(current_subversion) -# Sources List: default / tencent / ustc / aliyun / huawei -build-arg:=--build-arg apt_source=tencent +build-arg:=--build-arg registry_url=$(registry_url) +build-arg+=--build-arg apt_source=$(apt_source) # 设置本地下载服务器路径,加速调试时的本地编译速度 -local_ip:=`echo "en0 eth0" |xargs -n1 ip addr show 2>/dev/null|grep inet|grep -v 127.0.0.1|grep -v inet6|tr "/" " "|awk '{print $$2}'` +local_ip:=`echo "en0 eth0" | xargs -n1 ip addr show 2>/dev/null | grep inet | grep -v 127.0.0.1 | grep -v inet6 | tr "/" " " | awk '{print $$2}'` build-arg+=--build-arg local_url=http://$(local_ip)/dist-files -.PHONY: build build-debian build-alpine clean clearclean upgrade +.PHONY: build clean clearclean upgrade -build: build-alpine build-debian +# 屏蔽 "Use 'docker scan' to run Snyk tests against images to find vulnerabilities and learn how to fix them" +export DOCKER_SCAN_SUGGEST=false + +build: + @echo "Build $(image_name):$(image_tag)" + @docker build --progress plain --force-rm $(build-arg) -t $(image_name):$(image_tag) . + @echo "Add tag: $(image_name):latest" + @docker tag $(image_name):$(image_tag) $(image_name):latest @echo "Build complete" -build-debian: - @echo "Build $(app_name):$(current_tag)" - @docker build --force-rm $(build-arg) -t $(app_name):$(current_tag) . - @echo "Add tag: $(app_name):local-latest" - @docker tag $(app_name):$(current_tag) $(app_name):local-latest - -build-alpine: - @echo "Build $(app_name):$(current_tag)-alpine" - @docker build --force-rm $(build-arg) -t $(app_name):$(current_tag)-alpine ./alpine - @echo "Add tag: $(app_name):local-latest-alpine" - @docker tag $(app_name):$(current_tag)-alpine $(app_name):local-latest-alpine - # 清理悬空的镜像(无TAG)及停止的容器 clearclean: clean @echo "Clean untaged images and stoped containers..." @@ -45,7 +46,7 @@ clearclean: clean # 为了防止删除前缀名相同的镜像,在过滤条件中加入一个空格进行过滤 clean: @echo "Clean all images for current application..." - @docker images | grep "$(app_name) " | awk '{print $$3}' | sort -u | xargs -L 1 docker rmi -f + @docker images | grep "$(image_name) " | awk '{print $$3}' | sort -u | xargs -L 1 docker rmi -f # 更新所有 colovu 仓库的镜像 upgrade: diff --git a/alpine/Dockerfile b/alpine/Dockerfile deleted file mode 100644 index f6db2dd..0000000 --- a/alpine/Dockerfile +++ /dev/null @@ -1,155 +0,0 @@ -# Ver: 1.2 by Endial Fang (endial@126.com) -# - -# 预处理 ========================================================================= -FROM colovu/abuilder as builder - -# sources.list 可使用版本:default / tencent / ustc / aliyun / huawei -ARG apt_source=default - -# 编译镜像时指定用于加速的本地服务器地址 -ARG local_url="" - -ENV APP_NAME=postgresql \ - APP_VERSION=12.4 - -RUN select_source ${apt_source}; -RUN install_pkg bison coreutils flex libedit-dev libxml2-dev libxslt-dev util-linux-dev zlib-dev icu-dev \ - openssl-dev openldap-dev krb5-dev linux-pam-dev libselinux-dev \ -# configure: error: prove not found - perl-utils \ -# configure: error: Perl module IPC::Run is required to run TAP tests - perl-ipc-run - -# 下载并解压软件包 -RUN set -eux; \ - appName="${APP_NAME}-${APP_VERSION}.tar.bz2"; \ - sha256="bee93fbe2c32f59419cb162bcc0145c58da9a8644ee154a30b9a5ce47de606cc"; \ - [ ! -z ${local_url} ] && localURL=${local_url}/${APP_NAME}; \ - appUrls="${localURL:-} \ - https://ftp.postgresql.org/pub/source/v${APP_VERSION} \ - "; \ - download_pkg unpack ${appName} "${appUrls}" -s "${sha256}"; - -# 源码编译: 编译后将配置文件模板拷贝至 /usr/local/${APP_NAME}/share/${APP_NAME} 中 -RUN set -eux; \ - APP_SRC="/usr/local/${APP_NAME}-${APP_VERSION}"; \ - cd ${APP_SRC}; \ - \ -# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian) -# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f - awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \ - grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \ - mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \ - gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ -# explicitly update autoconf config.guess and config.sub so they support more arches/libcs - wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb'; \ - wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb'; \ - \ -# configure options taken from: -# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5 - ./configure \ - --prefix=/usr/local/${APP_NAME} \ - --build="$gnuArch" \ - --enable-integer-datetimes \ - --enable-thread-safety \ - --disable-rpath \ - --with-uuid=e2fs \ - --with-gnu-ld \ - --with-pgport=5432 \ - --with-system-tzdata=/usr/share/zoneinfo \ - --with-includes=/usr/local/include \ - --with-libraries=/usr/local/lib \ - --with-openssl \ - --with-libxml \ - --with-libxslt \ - --with-icu \ - --with-krb5 \ - --with-ldap \ - --enable-tap-tests \ -# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'" -# --enable-nls \ -# these make our image abnormally large (at least 100MB larger), which seems uncouth for an "Alpine" (ie, "small") variant :) -# --enable-debug \ -# --with-gssapi \ -# --with-tcl \ -# --with-perl \ -# --with-python \ -# --with-pam \ - ; \ - make -j "$(nproc)" world; \ - make install-world; \ - make -C contrib install; - -# 删除编译生成的多余文件 -RUN set -eux; \ - find /usr/local -name '*.a' -delete; \ - rm -rf /usr/local/${APP_NAME}/include; - -# 检测并生成依赖文件记录;repmgr 相关资源也是放置在 ${APP_NAME} 路径下 -RUN set -eux; \ - scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/${APP_NAME} | \ - tr ',' '\n' | \ - sort -u | \ - awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } \ - { print "so:" $1 }' >/usr/local/${APP_NAME}/runDeps; - -# 镜像生成 ======================================================================== -FROM colovu/alpine:3.12 - -ARG apt_source=default -ARG local_url="" - -ENV APP_NAME=postgresql \ - APP_USER=postgres \ - APP_EXEC=postgres \ - APP_VERSION=12.4 - -ENV APP_HOME_DIR=/usr/local/${APP_NAME} \ - APP_DEF_DIR=/etc/${APP_NAME} - -ENV PATH="${APP_HOME_DIR}/bin:${PATH}" \ - LD_LIBRARY_PATH="${APP_HOME_DIR}/lib" - -LABEL \ - "Version"="v${APP_VERSION}" \ - "Description"="Docker image for ${APP_NAME}(v${APP_VERSION})." \ - "Dockerfile"="https://github.com/colovu/docker-${APP_NAME}" \ - "Vendor"="Endial Fang (endial@126.com)" - - - -# 选择软件包源 -RUN select_source ${apt_source} - -# 从预处理过程中拷贝软件包(Optional) -COPY --from=builder /usr/local/${APP_NAME}/ /usr/local/${APP_NAME} - -# 安装依赖的软件包及库(Optional) -RUN install_pkg `cat /usr/local/${APP_NAME}/runDeps`; - -COPY customer / -RUN create_user && prepare_env - -# 执行预处理脚本,并验证安装的软件包 -RUN set -eux; \ - override_file="/usr/local/overrides/overrides-${APP_VERSION}.sh"; \ - [ -e "${override_file}" ] && /bin/bash "${override_file}"; \ - gosu ${APP_USER} ${APP_EXEC} --version ; \ - gosu --version; - -# 默认提供的数据卷 -VOLUME ["/srv/conf", "/srv/data", "/srv/datalog", "/srv/cert", "/var/log"] - -# 默认使用gosu切换为新建用户启动,必须保证端口在1024之上 -EXPOSE 5432 - -# 应用健康状态检查 -HEALTHCHECK CMD PGPASSWORD="${PG_POSTGRES_PASSWORD:-${PG_PASSWORD}}" psql -h 127.0.0.1 -d postgres -U postgres -At -c "select version();" || exit 1 - -# 容器初始化命令,默认存放在:/usr/local/bin/entry.sh -ENTRYPOINT ["entry.sh"] - -# 应用程序的服务命令,必须使用非守护进程方式运行。如果使用变量,则该变量必须在运行环境中存在(ENV可以获取) -CMD ["${APP_EXEC}", "--config-file=${PG_CONF_FILE}", "--hba_file=${PG_HBA_FILE}"] - diff --git a/alpine/customer/usr/local/bin/comm-env.sh b/alpine/customer/usr/local/bin/comm-env.sh deleted file mode 100644 index 54892a7..0000000 --- a/alpine/customer/usr/local/bin/comm-env.sh +++ /dev/null @@ -1,116 +0,0 @@ -#!/bin/bash -# Ver: 1.0 by Endial Fang (endial@126.com) -# -# 应用环境变量定义及初始化 - -# 通用设置 -export ENV_DEBUG=${ENV_DEBUG:-false} -export ALLOW_ANONYMOUS_LOGIN="${ALLOW_ANONYMOUS_LOGIN:-no}" - -# 通过读取变量名对应的 *_FILE 文件,获取变量值;如果对应文件存在,则通过传入参数设置的变量值会被文件中对应的值覆盖 -# 变量优先级: *_FILE > 传入变量 > 默认值 -app_env_file_lists=( - PG_POSTGRES_PASSWORD - PG_PASSWORD - PG_REPLICATION_PASSWORD - PG_LDAP_BIND_PASSWORD -) -for env_var in "${app_env_file_lists[@]}"; do - file_env_var="${env_var}_FILE" - if [[ -n "${!file_env_var:-}" ]]; then - export "${env_var}=$(< "${!file_env_var}")" - unset "${file_env_var}" - fi -done -unset app_env_file_lists - -# 应用路径参数 -export APP_HOME_DIR="/usr/local/${APP_NAME}" -export APP_DEF_DIR="/etc/${APP_NAME}" -export APP_CONF_DIR="/srv/conf/${APP_NAME}" -export APP_DATA_DIR="/srv/data/${APP_NAME}" -export APP_DATA_LOG_DIR="/srv/datalog/${APP_NAME}" -export APP_CACHE_DIR="/var/cache/${APP_NAME}" -export APP_RUN_DIR="/var/run/${APP_NAME}" -export APP_LOG_DIR="/var/log/${APP_NAME}" -export APP_CERT_DIR="/srv/cert/${APP_NAME}" - -export PG_DATA_DIR="${APP_DATA_DIR}/data" - -export PG_CONF_FILE="${APP_CONF_DIR}/postgresql.conf" -export PG_HBA_FILE="${APP_CONF_DIR}/pg_hba.conf" -export PG_RECOVERY_FILE="${PG_DATA_DIR}/recovery.conf" -export PG_IDENT_FILE="${PG_DATA_DIR}/pg_ident.conf" -export PG_EXT_PID_FILE="${APP_RUN_DIR}/postgresql.pid" -export PG_LOG_FILE="${APP_LOG_DIR}/postgresql.log" - -# 应用配置参数 -export PG_CLUSTER_APP_NAME=${PG_CLUSTER_APP_NAME:-cvcluster} -export PG_REPLICATION_MODE="${PG_REPLICATION_MODE:-primary}" -export PG_PRIMARY_HOST="${PG_PRIMARY_HOST:-}" -export PG_PRIMARY_PORT="${PG_PRIMARY_PORT:-5432}" -export PG_NUM_SYNCHRONOUS_REPLICAS="${PG_NUM_SYNCHRONOUS_REPLICAS:-0}" -export PG_REPLICATION_USER="${PG_REPLICATION_USER:-}" -export PG_REPLICATION_PASSWORD="${PG_REPLICATION_PASSWORD:-}" -export PG_SYNCHRONOUS_COMMIT_MODE="${PG_SYNCHRONOUS_COMMIT_MODE:-on}" -export PG_FSYNC="${PG_FSYNC:-on}" -export PG_INIT_MAX_TIMEOUT=${PG_INIT_MAX_TIMEOUT:-60} -export PG_INITDB_ARGS="${PG_INITDB_ARGS:-}" -export PG_INITDB_WAL_DIR="${PG_INITDB_WAL_DIR:-}" -export PG_PORT_NUMBER="${PG_PORT_NUMBER:-5432}" -export PG_SHARED_PRELOAD_LIBRARIES="${PG_SHARED_PRELOAD_LIBRARIES:-}" -export PG_USERNAME_CONNECTION_LIMIT="${PG_USERNAME_CONNECTION_LIMIT:-}" -export PG_POSTGRES_CONNECTION_LIMIT="${PG_POSTGRES_CONNECTION_LIMIT:-}" - -export PG_ENABLE_LDAP="${PG_ENABLE_LDAP:-no}" -export PG_LDAP_URL="${PG_LDAP_URL:-}" -export PG_LDAP_PREFIX="${PG_LDAP_PREFIX:-}" -export PG_LDAP_SUFFIX="${PG_LDAP_SUFFIX:-}" -export PG_LDAP_SERVER="${PG_LDAP_SERVER:-}" -export PG_LDAP_PORT="${PG_LDAP_PORT:-}" -export PG_LDAP_SCHEME="${PG_LDAP_SCHEME:-}" -export PG_LDAP_TLS="${PG_LDAP_TLS:-}" -export PG_LDAP_BASE_DN="${PG_LDAP_BASE_DN:-}" -export PG_LDAP_BIND_DN="${PG_LDAP_BIND_DN:-}" -export PG_LDAP_BIND_PASSWORD="${PG_LDAP_BIND_PASSWORD:-}" -export PG_LDAP_SEARCH_ATTR="${PG_LDAP_SEARCH_ATTR:-}" -export PG_LDAP_SEARCH_FILTER="${PG_LDAP_SEARCH_FILTER:-}" - -export PG_ENABLE_TLS="${PG_ENABLE_TLS:-no}" -export PG_TLS_CERT_FILE="${PG_TLS_CERT_FILE:-}" -export PG_TLS_KEY_FILE="${PG_TLS_KEY_FILE:-}" -export PG_TLS_CA_FILE="${PG_TLS_CA_FILE:-}" -export PG_TLS_CRL_FILE="${PG_TLS_CRL_FILE:-}" -export PG_TLS_PREFER_SERVER_CIPHERS="${PG_TLS_PREFER_SERVER_CIPHERS:-yes}" - -export PG_PGAUDIT_LOG="${PG_PGAUDIT_LOG:-}" -export PG_PGAUDIT_LOG_CATALOG="${PG_PGAUDIT_LOG_CATALOG:-}" -export PG_LOG_CONNECTIONS="${PG_LOG_CONNECTIONS:-}" -export PG_LOG_DISCONNECTIONS="${PG_LOG_DISCONNECTIONS:-}" -export PG_LOG_HOSTNAME="${PG_LOG_HOSTNAME:-}" -export PG_CLIENT_MIN_MESSAGES="${PG_CLIENT_MIN_MESSAGES:-error}" -export PG_LOG_LINE_PREFIX="${PG_LOG_LINE_PREFIX:-}" -export PG_LOG_TIMEZONE="${PG_LOG_TIMEZONE:-}" - -export PG_MAX_CONNECTIONS="${PG_MAX_CONNECTIONS:-}" -export PG_TCP_KEEPALIVES_IDLE="${PG_TCP_KEEPALIVES_IDLE:-}" -export PG_TCP_KEEPALIVES_INTERVAL="${PG_TCP_KEEPALIVES_INTERVAL:-}" -export PG_TCP_KEEPALIVES_COUNT="${PG_TCP_KEEPALIVES_COUNT:-}" -export PG_STATEMENT_TIMEOUT="${PG_STATEMENT_TIMEOUT:-}" - -export PG_USERNAME="${PG_USERNAME:-postgres}" -export PG_PASSWORD="${PG_PASSWORD:-}" -export PG_DATABASE="${PG_DATABASE:-postgres}" -# 使用自定义用户名(非"postgres")时的管理员密码 -[[ "${PG_USERNAME}" = "postgres" ]] && PG_POSTGRES_PASSWORD="${PG_PASSWORD}" -export PG_POSTGRES_PASSWORD="${PG_POSTGRES_PASSWORD:-}" -export PG_INITSCRIPTS_USERNAME="${PG_INITSCRIPTS_USERNAME:-${PG_USERNAME}}" -export PG_INITSCRIPTS_PASSWORD="${PG_INITSCRIPTS_PASSWORD:-${PG_PASSWORD}}" - -export PGCONNECT_TIMEOUT="${PGCONNECT_TIMEOUT:-10}" - -# 内部变量 -export PG_FIRST_BOOT="yes" - -# 个性化变量 - diff --git a/alpine/customer/usr/local/bin/comm-postgresql.sh b/alpine/customer/usr/local/bin/comm-postgresql.sh deleted file mode 100644 index b4c9e23..0000000 --- a/alpine/customer/usr/local/bin/comm-postgresql.sh +++ /dev/null @@ -1,782 +0,0 @@ -#!/bin/bash -# Ver: 1.0 by Endial Fang (endial@126.com) -# -# 应用通用业务处理函数 - -# 加载依赖脚本 -. /usr/local/scripts/libcommon.sh # 通用函数库 - -. /usr/local/scripts/libfile.sh -. /usr/local/scripts/libfs.sh -. /usr/local/scripts/libos.sh -. /usr/local/scripts/libservice.sh -. /usr/local/scripts/libvalidations.sh - -# 函数列表 - -# 配置 libnss_wrapper 以使得 PostgreSQL 命令可以以任意用户身份执行 -postgresql_enable_nss_wrapper() { - if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then - LOG_D "Configuring libnss_wrapper..." - export LD_PRELOAD='/usr/lib/libnss_wrapper.so' - export NSS_WRAPPER_PASSWD="$(mktemp)" - export NSS_WRAPPER_GROUP="$(mktemp)" - echo "postgres:x:$(id -u):$(id -g):PostgreSQL:${PG_DATA_DIR}:/bin/false" > "${NSS_WRAPPER_PASSWD}" - echo "postgres:x:$(id -g):" > "${NSS_WRAPPER_GROUP}" - fi -} - -# 禁用 libnss_wrapper -postgresql_disable_nss_wrapper() { - # unset/cleanup "nss_wrapper" bits - if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then - rm -f "${NSS_WRAPPER_PASSWD}" "${NSS_WRAPPER_GROUP}" - unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP - fi -} - -# 将变量配置更新至配置文件 -# 参数: -# $1 - 文件 -# $2 - 变量 -# $3 - 值(列表) -postgresql_common_conf_set() { - local file="${1:?missing file}" - local key="${2:?missing key}" - local value="${3:?missing value}" - - if grep -q "^#*\s*${key}" "$file" >/dev/null; then - replace_in_file "$file" "^#*\s*${key}\s*=.*" "${key} = '${value}'" false - else - echo "${key} = '${value}'" >>"$file" - fi -} - -# 更新 postgresql.conf 配置文件中指定变量值 -# 变量: -# $1 - 变量 -# $2 - 值(列表) -postgresql_conf_set() { - postgresql_common_conf_set "${PG_CONF_FILE}" "$@" -} - -# 更新 pg_hba.conf 配置文件中指定变量值 -# 变量: -# $1 - 变量 -# $2 - 值(列表) -postgresql_hba_set() { - replace_in_file "${PG_HBA_FILE}" "${1}" "${2}" false -} - -# 更新 pg_ident.conf 配置文件中指定变量值 -# 变量: -# $1 - 变量 -# $2 - 值(列表) -postgresql_ident_set() { - postgresql_common_conf_set "${PG_IDENT_FILE}" "$@" -} - -# 更新 recover.conf 配置文件中指定变量值 -# 变量: -# $1 - 变量 -# $2 - 值(列表) -postgresql_recover_set() { - postgresql_common_conf_set "${PG_RECOVERY_FILE}" "$@" -} - -# 初始化 pg_hba.conf 文件,增加 LDAP 配置;同时保留本地认证 -postgresql_hba_ldap_auth() { - LOG_I "Enabling LDAP authentication" - local ldap_configuration="" - - if [[ -n "${PG_LDAP_URL}" ]]; then - ldap_configuration="ldapurl=\"${PG_LDAP_URL}\"" - else - ldap_configuration="ldapserver=${PG_LDAP_SERVER}" - - [[ -n "${PG_LDAP_PREFIX}" ]] && ldap_configuration+=" ldapprefix=\"${PG_LDAP_PREFIX}\"" - [[ -n "${PG_LDAP_SUFFIX}" ]] && ldap_configuration+=" ldapsuffix=\"${PG_LDAP_SUFFIX}\"" - [[ -n "${PG_LDAP_PORT}" ]] && ldap_configuration+=" ldapport=${PG_LDAP_PORT}" - [[ -n "${PG_LDAP_BASE_DN}" ]] && ldap_configuration+=" ldapbasedn=\"${PG_LDAP_BASE_DN}\"" - [[ -n "${PG_LDAP_BIND_DN}" ]] && ldap_configuration+=" ldapbinddn=\"${PG_LDAP_BIND_DN}\"" - [[ -n "${PG_LDAP_BIND_PASSWORD}" ]] && ldap_configuration+=" ldapbindpasswd=${PG_LDAP_BIND_PASSWORD}" - [[ -n "${PG_LDAP_SEARCH_ATTR}" ]] && ldap_configuration+=" ldapsearchattribute=${PG_LDAP_SEARCH_ATTR}" - [[ -n "${PG_LDAP_SEARCH_FILTER}" ]] && ldap_configuration+=" ldapsearchfilter=\"${PG_LDAP_SEARCH_FILTER}\"" - [[ -n "${PG_LDAP_TLS}" ]] && ldap_configuration+=" ldaptls=${PG_LDAP_TLS}" - [[ -n "${PG_LDAP_SCHEME}" ]] && ldap_configuration+=" ldapscheme=${PG_LDAP_SCHEME}" - fi - - cat <"${PG_HBA_FILE}" -host all postgres 0.0.0.0/0 trust -host all postgres ::/0 trust -host all all 0.0.0.0/0 ldap ${ldap_configuration} -host all all ::/0 ldap ${ldap_configuration} -EOF -} - -# 设置 pg_hba.conf 文件,增加 TLS 配置 -postgresql_hba_allow_tls_connection() { - LOG_I "Enabling TLS client authentication" - - cat <>"${PG_HBA_FILE}" -hostssl all all 0.0.0.0/0 cert -hostssl all all ::/0 cert -EOF -} - -# 设置 pg_hba.conf 文件,允许 replication 访问 -postgresql_hba_allow_replication_connection() { - LOG_I "Enabling replication client authentication" - - local replication_auth="trust" - if [[ -n "${PG_REPLICATION_PASSWORD}" ]]; then - replication_auth="md5" - fi - cat <>"${PG_HBA_FILE}" -host replication all 0.0.0.0/0 ${replication_auth} -host replication all ::/0 ${replication_auth} -EOF -} - -# 设置 pg_hba.conf,允许本地访问 -postgresql_hba_allow_local_connection() { - LOG_I "Enabling local client authentication" - - cat <>"${PG_HBA_FILE}" -local all all trust -host all all 127.0.0.1/0 trust -host all all ::1/128 trust -EOF -} - -# 初始化 pg_hba.conf 文件 -postgresql_hba_password_auth() { - LOG_I "Enabling password client authentication" - - cat <"${PG_HBA_FILE}" -host all all 0.0.0.0/0 trust -host all all ::/0 trust -EOF -} - -# 使用运行中的 PostgreSQL 服务执行 SQL 操作 -# 参数: -# $1 - 需要操作的数据库名 -# $2 - 操作使用的用户名 -# $3 - 操作用户密码 -# $4 - 主机 -# $5 - 端口 -# $6 - 扩展参数 (如: -tA) -postgresql_execute() { - local -r db="${1:-}" - local -r user="${2:-postgres}" - local -r pass="${3:-}" - local -r host="${4:-localhost}" - local -r port="${5:-${PG_PORT_NUMBER}}" - local -r opts="${6:-}" - - local args=("-h" "$host" "-p" "$port" "-U" "$user") - local cmd=("${APP_HOME_DIR}/bin/psql") - [[ -n "$db" ]] && args+=("-d" "$db") - [[ -n "$opts" ]] && args+=("$opts") - LOG_D "Execute args: ${args[@]}" - if is_boolean_yes "${ENV_DEBUG}"; then - PGPASSWORD=$pass "${cmd[@]}" "${args[@]}" - else - PGPASSWORD=$pass "${cmd[@]}" "${args[@]}" >/dev/null 2>&1 - fi -} - -# 使用环境变量中的配置值更新配置文件 -postgresql_configure_from_environment_variables() { - LOG_D "Modify postgresql.conf with PG_CFG_* values..." - for var in "${!PG_CFG_@}"; do - key="$(echo "$var" | sed -e 's/^PG_CFG_//g' | sed -e 's/___/-/g' | sed -e 's/__/./g' | tr '[:upper:]' '[:lower:]')" - value="${!var}" - postgresql_conf_set "$key" "$value" - done -} - -# 生成初始 postgres.conf 配置 -postgresql_default_postgresql_config() { - LOG_I "Modify postgresql.conf with default values..." - - [ ! -e "${PG_CONF_FILE}" ] && cp -rf "${APP_HOME_DIR}/share/postgresql.conf.sample" "${PG_CONF_FILE}" - - postgresql_conf_set "logging_collector" "on" - postgresql_conf_set "wal_level" "hot_standby" - postgresql_conf_set "max_wal_size" "400MB" - postgresql_conf_set "max_wal_senders" "16" - postgresql_conf_set "wal_keep_segments" "12" - postgresql_conf_set "wal_log_hints" "on" - postgresql_conf_set "hot_standby" "on" - if (( PG_NUM_SYNCHRONOUS_REPLICAS > 0 )); then - postgresql_conf_set "synchronous_commit" "${PG_SYNCHRONOUS_COMMIT_MODE}" - postgresql_conf_set "synchronous_standby_names" "${PG_NUM_SYNCHRONOUS_REPLICAS} (\"${PG_CLUSTER_APP_NAME}\")" - fi - postgresql_conf_set "fsync" "${PG_FSYNC}" - - [[ -n "${PG_SHARED_PRELOAD_LIBRARIES}" ]] && postgresql_conf_set "shared_preload_libraries" "${PG_SHARED_PRELOAD_LIBRARIES}" - - postgresql_conf_set "include_dir" "conf.d" - mkdir -p "${APP_CONF_DIR}/conf.d" - - postgresql_configure_from_environment_variables -} - -# 生成初始 pg_hba.conf 配置 -postgresql_default_hba_config() { - LOG_I "Modify pg_hba.conf with default values..." - - if is_boolean_yes "${PG_ENABLE_LDAP}"; then - postgresql_hba_ldap_auth - else - postgresql_hba_password_auth - fi -} - -# 更新 pg_hba.conf 文件,仅允许基于密码认证的访问 -postgresql_restrict_hba_config() { - LOG_I "Check pg_hba.conf for restrict configs..." - - if [[ -n "${PG_PASSWORD}" ]]; then - LOG_D " Configuring md5 encrypt" - postgresql_hba_set "trust" "md5" - fi -} - -# 获取软件主版本号 -postgresql_get_major_version() { - psql --version | grep -oE "[0-9]+\.[0-9]+" | grep -oE "^[0-9]+" -} - -# 为 Slava 模式工作的节点创建 recovery.conf 文件 -postgresql_configure_recovery() { - LOG_I "Setting up streaming replication standby..." - - # Recover 配置信息在不同版本保存位置不一样: - # 版本为12及以上时, Slave 节点配置保存在 postgresql.conf 文件中 - # 版本低于12时, Slave 节点配置保存在 recover.conf 文件中 - local -r psql_major_version="$(postgresql_get_major_version)" - if (( psql_major_version >= 12 )); then - postgresql_conf_set "primary_conninfo" "host=${PG_PRIMARY_HOST} port=${PG_PRIMARY_PORT} user=${PG_REPLICATION_USER} password=${PG_REPLICATION_PASSWORD} application_name=${PG_CLUSTER_APP_NAME}" - postgresql_conf_set "promote_trigger_file" "/tmp/postgresql.trigger.${PG_PRIMARY_PORT}" - touch "${PG_DATA_DIR}/standby.signal" - else - [ ! -e "${PG_RECOVERY_FILE}" ] && cp -f "${APP_HOME_DIR}/share/recovery.conf.sample" "${PG_RECOVERY_FILE}" - chmod 600 "${PG_RECOVERY_FILE}" - postgresql_recover_set "standby_mode" "on" - postgresql_recover_set "primary_conninfo" "host=${PG_PRIMARY_HOST} port=${PG_PRIMARY_PORT} user=${PG_REPLICATION_USER} password=${PG_REPLICATION_PASSWORD} application_name=${PG_CLUSTER_APP_NAME}" - postgresql_recover_set "trigger_file" "/tmp/postgresql.trigger.${PG_PRIMARY_PORT}" - fi -} - -# 配置应用日志参数 -postgresql_configure_logging() { - LOG_I "Update logging configuration..." - - [[ -n "${PG_PGAUDIT_LOG}" ]] && postgresql_conf_set "pgaudit.log" "${PG_PGAUDIT_LOG}" - [[ -n "${PG_PGAUDIT_LOG_CATALOG}" ]] && postgresql_conf_set "pgaudit.log_catalog" "${PG_PGAUDIT_LOG_CATALOG}" - [[ -n "${PG_LOG_CONNECTIONS}" ]] && postgresql_conf_set "log_connections" "${PG_LOG_CONNECTIONS}" - [[ -n "${PG_LOG_DISCONNECTIONS}" ]] && postgresql_conf_set "log_disconnections" "${PG_LOG_DISCONNECTIONS}" - [[ -n "${PG_LOG_HOSTNAME}" ]] && postgresql_conf_set "log_hostname" "${PG_LOG_HOSTNAME}" - [[ -n "${PG_CLIENT_MIN_MESSAGES}" ]] && postgresql_conf_set "client_min_messages" "${PG_CLIENT_MIN_MESSAGES}" - [[ -n "${PG_LOG_LINE_PREFIX}" ]] && postgresql_conf_set "log_line_prefix" "${PG_LOG_LINE_PREFIX}" - ([[ -n "${PG_LOG_TIMEZONE}" ]] && postgresql_conf_set "log_timezone" "${PG_LOG_TIMEZONE}") || true -} - -# 配置应用连接控制参数 -postgresql_configure_connections() { - LOG_I "Update TCP connection configuration..." - - [[ -n "${PG_MAX_CONNECTIONS}" ]] && postgresql_conf_set "max_connections" "${PG_MAX_CONNECTIONS}" - [[ -n "${PG_TCP_KEEPALIVES_IDLE}" ]] && postgresql_conf_set "tcp_keepalives_idle" "${PG_TCP_KEEPALIVES_IDLE}" - [[ -n "${PG_TCP_KEEPALIVES_INTERVAL}" ]] && postgresql_conf_set "tcp_keepalives_interval" "${PG_TCP_KEEPALIVES_INTERVAL}" - [[ -n "${PG_TCP_KEEPALIVES_COUNT}" ]] && postgresql_conf_set "tcp_keepalives_count" "${PG_TCP_KEEPALIVES_COUNT}" - ([[ -n "${PG_STATEMENT_TIMEOUT}" ]] && postgresql_conf_set "statement_timeout" "${PG_STATEMENT_TIMEOUT}") || true -} - -# 配置应用 TLS 参数 -postgresql_configure_tls() { - LOG_I "Update TLS configuration..." - - chmod 600 "${PG_TLS_KEY_FILE}" || LOG_W "Could not set compulsory permissions (600) on file ${PG_TLS_KEY_FILE}" - postgresql_conf_set "ssl" "on" - ! is_boolean_yes "${PG_TLS_PREFER_SERVER_CIPHERS}" && postgresql_conf_set "ssl_prefer_server_ciphers" "off" - [[ -n "${PG_TLS_CA_FILE}" ]] && postgresql_conf_set "ssl_ca_file" "${PG_TLS_CA_FILE}" - [[ -n "${PG_TLS_CRL_FILE}" ]] && postgresql_conf_set "ssl_crl_file" "${PG_TLS_CRL_FILE}" - postgresql_conf_set "ssl_cert_file" "${PG_TLS_CERT_FILE}" - postgresql_conf_set "ssl_key_file" "${PG_TLS_KEY_FILE}" -} - -# 为默认的数据库用户 postgres 设置密码 -# 参数: -# $1 - 用户密码 -postgresql_alter_postgres_user() { - local -r escaped_password="${1//\'/\'\'}" - LOG_I "Changing password of postgres" - - echo "ALTER ROLE postgres WITH PASSWORD '$escaped_password';" | postgresql_execute - if [[ -n "${PG_POSTGRES_CONNECTION_LIMIT}" ]]; then - echo "ALTER ROLE postgres WITH CONNECTION LIMIT ${PG_POSTGRES_CONNECTION_LIMIT};" | postgresql_execute - fi -} - -# 为数据库 $PG_DATABASE 创建管理员账户 -postgresql_create_admin_user() { - local -r escaped_password="${PG_PASSWORD//\'/\'\'}" - - local connlimit_string="" - if [[ -n "${PG_USERNAME_CONNECTION_LIMIT}" ]]; then - connlimit_string="CONNECTION LIMIT ${PG_USERNAME_CONNECTION_LIMIT}" - fi - - LOG_I "Creating user ${PG_USERNAME}" - echo "CREATE ROLE \"${PG_USERNAME}\" WITH LOGIN ${connlimit_string} CREATEDB PASSWORD '${escaped_password}';" | postgresql_execute - - LOG_I "Granting access to \"${PG_USERNAME}\" to the database \"${PG_DATABASE}\"" - echo "GRANT ALL PRIVILEGES ON DATABASE \"${PG_DATABASE}\" TO \"${PG_USERNAME}\"\;" | postgresql_execute "" "postgres" "${PG_POSTGRES_PASSWORD}" -} - -# 为 primary-standby 复制模式创建用户 -postgresql_create_replication_user() { - local -r escaped_password="${PG_REPLICATION_PASSWORD//\'/\'\'}" - LOG_I "Creating replication user ${PG_REPLICATION_USER}" - - echo "CREATE ROLE \"${PG_REPLICATION_USER}\" WITH REPLICATION LOGIN ENCRYPTED PASSWORD '$escaped_password'" | postgresql_execute -} - -# 创建用户自定义数据库 $PG_DATABASE -postgresql_create_custom_database() { - LOG_I "Creating custom database ${PG_DATABASE}" - - echo "CREATE DATABASE \"${PG_DATABASE}\"" | postgresql_execute "" "postgres" "" "localhost" -} - -# 检测用户参数信息是否满足条件; 针对部分权限过于开放情况,打印提示信息 -postgresql_verify_minimum_env() { - local error_code=0 - LOG_D "Validating settings in PG_* env vars..." - - print_validation_error() { - LOG_E "$1" - error_code=1 - } - - # 检测认证设置。如果不允许匿名登录,检测登录用户名及密码是否设置 - empty_password_warn() { - LOG_W "You set the environment variable ALLOW_ANONYMOUS_LOGIN=${ALLOW_ANONYMOUS_LOGIN}. For safety reasons, do not use this flag in a production environment." - } - empty_password_error() { - print_validation_error "The $1 environment variable is empty or not set. Set the environment variable ALLOW_ANONYMOUS_LOGIN=yes to allow the container to be started with blank passwords. This is recommended only for development." - } - - if is_boolean_yes "${ALLOW_ANONYMOUS_LOGIN}"; then - empty_password_warn - else - if [[ -z "${PG_PASSWORD}" ]]; then - empty_password_error "{PG_PASSWORD}" - fi - if (( ${#PG_PASSWORD} > 100 )); then - print_validation_error "The password cannot be longer than 100 characters. Set the environment variable PG_PASSWORD with a shorter value" - fi - if [[ -n "${PG_USERNAME}" ]] && [[ -z "${PG_PASSWORD}" ]]; then - empty_password_error "{PG_PASSWORD}" - fi - if [[ -n "${PG_USERNAME}" ]] && [[ "${PG_USERNAME}" != "postgres" ]] && [[ -n "${PG_PASSWORD}" ]] && [[ -z "${PG_DATABASE}" ]]; then - print_validation_error "In order to use a custom PostgreSQL user you need to set the environment variable PG_DATABASE as well" - fi - fi - - if [[ -n "${PG_REPLICATION_MODE}" ]]; then - if [[ "${PG_REPLICATION_MODE}" = "primary" ]]; then - if (( PG_NUM_SYNCHRONOUS_REPLICAS < 0 )); then - print_validation_error "The number of synchronous replicas cannot be less than 0. Set the environment variable PG_NUM_SYNCHRONOUS_REPLICAS" - fi - elif [[ "${PG_REPLICATION_MODE}" = "standby" ]]; then - if [[ -z "${PG_PRIMARY_HOST}" ]]; then - print_validation_error "Slave replication mode chosen without setting the environment variable PG_PRIMARY_HOST. Use it to indicate where the Master node is running" - fi - if [[ -z "${PG_REPLICATION_USER}" ]]; then - print_validation_error "Slave replication mode chosen without setting the environment variable PG_REPLICATION_USER. Make sure that the primary also has this parameter set" - fi - else - print_validation_error "Invalid replication mode. Available options are 'primary/standby'" - fi - # Common replication checks - if [[ -n "${PG_REPLICATION_USER}" ]] && [[ -z "${PG_REPLICATION_PASSWORD}" ]]; then - empty_password_error "{PG_REPLICATION_PASSWORD}" - fi - else - if is_boolean_yes "${ALLOW_ANONYMOUS_LOGIN}"; then - empty_password_warn - else - if [[ -z "${PG_PASSWORD}" ]]; then - empty_password_error "{PG_PASSWORD}" - fi - if [[ -n "${PG_USERNAME}" ]] && [[ -z "${PG_PASSWORD}" ]]; then - empty_password_error "{PG_PASSWORD}" - fi - fi - fi - - if ! is_yes_no_value "${PG_ENABLE_LDAP}"; then - empty_password_error "The values allowed for PG_ENABLE_LDAP are: yes or no" - fi - - if is_boolean_yes "${PG_ENABLE_LDAP}" && [[ -n "${PG_LDAP_URL}" ]] && [[ -n "${PG_LDAP_SERVER}" ]]; then - empty_password_error "You can not set PG_LDAP_URL and PG_LDAP_SERVER at the same time. Check your LDAP configuration." - fi - - if ! is_yes_no_value "${PG_ENABLE_TLS}"; then - print_validation_error "The values allowed for PG_ENABLE_TLS are: yes or no" - elif is_boolean_yes "${PG_ENABLE_TLS}"; then - if [[ -z "${PG_TLS_CERT_FILE}" ]]; then - print_validation_error "You must provide a X.509 certificate in order to use TLS" - elif [[ ! -f "${PG_TLS_CERT_FILE}" ]]; then - print_validation_error "The X.509 certificate file in the specified path ${PG_TLS_CERT_FILE} does not exist" - fi - if [[ -z "${PG_TLS_KEY_FILE}" ]]; then - print_validation_error "You must provide a private key in order to use TLS" - elif [[ ! -f "${PG_TLS_KEY_FILE}" ]]; then - print_validation_error "The private key file in the specified path ${PG_TLS_KEY_FILE} does not exist" - fi - if [[ -z "${PG_TLS_CA_FILE}" ]]; then - warn "A CA X.509 certificate was not provided. Client verification will not be performed in TLS connections" - elif [[ ! -f "${PG_TLS_CA_FILE}" ]]; then - print_validation_error "The CA X.509 certificate file in the specified path ${PG_TLS_CA_FILE} does not exist" - fi - if [[ -n "${PG_TLS_CRL_FILE}" ]] && [[ ! -f "${PG_TLS_CRL_FILE}" ]]; then - print_validation_error "The CRL file in the specified path ${PG_TLS_CRL_FILE} does not exist" - fi - if ! is_yes_no_value "${PG_TLS_PREFER_SERVER_CIPHERS}"; then - print_validation_error "The values allowed for PG_TLS_PREFER_SERVER_CIPHERS are: yes or no" - fi - fi - - [[ "$error_code" -eq 0 ]] || exit "$error_code" -} - -# 更改默认监听地址为 "*" 或 "0.0.0.0",以对容器外提供服务;默认配置文件应当为仅监听 localhost(127.0.0.1) -postgresql_enable_remote_connections() { - LOG_I "Modify default config to enable all IP access" - - postgresql_conf_set "listen_addresses" "*" -} - -# 以后台方式启动应用服务,并等待启动就绪 -postgresql_start_server_bg() { - postgresql_is_server_running && return - LOG_I "Starting ${APP_NAME} in background..." - - # -w wait until operation completes (default) - # -W don't wait until operation completes - # -D location of the database storage area - # -l write (or append) server log to FILENAME - # -o command line options to pass to postgres or initdb - # --config-file 指定配置文件 - # --external_pid_file 指定 PID 文件,在配置文件中已定义 - # --hba_file 指定 HBA 文件,在配置文件中已定义 - local -r pg_ctl_flags=("-w" "-D" "${PG_DATA_DIR}" "-l" "${PG_LOG_FILE}" "-o" "--config-file=${PG_CONF_FILE} --external_pid_file=${PG_EXT_PID_FILE} --hba_file=${PG_HBA_FILE}") - local pg_ctl_cmd=("${APP_HOME_DIR}/bin/pg_ctl") - if is_boolean_yes "${ENV_DEBUG}"; then - "${pg_ctl_cmd[@]}" "start" "${pg_ctl_flags[@]}" - else - "${pg_ctl_cmd[@]}" "start" "${pg_ctl_flags[@]}" "-s" >/dev/null 2>&1 - fi - - local -r check_args=("-U" "postgres") - local check_cmd=("${APP_HOME_DIR}/bin/pg_isready") - local counter=${PG_INIT_MAX_TIMEOUT} - # 通过命令或特定端口检测应用是否就绪 - LOG_I "Checking ${APP_NAME} ready status..." - while ! "${check_cmd[@]}" "${check_args[@]}" "-q" >/dev/null 2>&1; do - sleep 1 - counter=$(( counter - 1 )) - if (( counter <= 0 )); then - LOG_E "PostgreSQL is not ready after ${PG_INIT_MAX_TIMEOUT} seconds" - exit 1 - fi - LOG_D "PostgreSQL is not ready now: ${counter}" - done - LOG_D "${APP_NAME} is ready for service" -} - -# 停止应用服务 -postgresql_stop_server() { - if postgresql_is_server_running ; then - LOG_I "Stopping background ${APP_NAME}..." - - if is_boolean_yes "${ENV_DEBUG}"; then - PGUSER="postgres" pg_ctl -D "${PG_DATA_DIR}" -m fast -w stop "-s" - else - PGUSER="postgres" pg_ctl -D "${PG_DATA_DIR}" -m fast -w stop "-s" >/dev/null 2>&1 - fi - fi - - # 使用 PID 文件 kill 进程 - #stop_service_using_pid "${PG_EXT_PID_FILE}" -} - -# 检测应用服务是否在后台运行中 -postgresql_is_server_running() { - LOG_D "Check if ${APP_NAME} is running..." - - local pid - pid="$(get_pid_from_file "${PG_EXT_PID_FILE}")" - - if [[ -z "${pid}" ]]; then - false - else - is_service_running "${pid}" - fi -} - -# 清理数据文件 -postgresql_clean_data() { - LOG_D "Clean ${APP_NAME} data files..." - - rm -rf "${PG_DATA_DIR}/*" "${APP_DATA_DIR}/.data_init_flag" -} - -# 在重新启动容器时,删除标志文件及必须删除的临时文件 (容器重新启动) -postgresql_clean_from_restart() { - LOG_D "Clean ${APP_NAME} tmp files for restart..." - - local -r -a files=( - "${PG_DATA_DIR}/postmaster.pid" - "${PG_DATA_DIR}/standby.signal" - "${PG_DATA_DIR}/recovery.signal" - "${PG_EXT_PID_FILE}" - ) - - for file in "${files[@]}"; do - if [[ -f "$file" ]]; then - LOG_I "Remove file: $file" - rm -rf "$file" - fi - done -} - -# 清空数据库及配置文件 -postgresql_reset() { - LOG_I "Clean all configuration and database files..." - rm -rf "${PG_DATA_DIR}/*" - rm -rf "${APP_DATA_DIR}/.data_init_flag" "${APP_DATA_DIR}/.custom_preinit_flag" "${APP_DATA_DIR}/.custom_init_flag" - rm -rf "${APP_CONF_DIR}/*" - rm -rf "${APP_CONF_DIR}/.app_init_flag" -} - -# 应用默认初始化操作 -# 执行完毕后,生成文件 ${APP_CONF_DIR}/.app_init_flag 及 ${APP_DATA_DIR}/.data_init_flag 文件 -postgresql_default_init() { - LOG_D "Check default init status of ${APP_NAME}..." - postgresql_clean_from_restart - - if is_dir_empty "${PG_DATA_DIR}"; then - LOG_I "Deploying ${APP_NAME} from scratch..." - [ ! -e "${PG_HBA_FILE}" ] && postgresql_default_hba_config && postgresql_hba_allow_local_connection - [ ! -e "${PG_CONF_FILE}" ] && postgresql_default_postgresql_config - - if [[ "${PG_REPLICATION_MODE}" = "primary" ]]; then - postgresql_primary_init_db - - postgresql_start_server_bg - [[ "${PG_DATABASE}" != "postgres" ]] && postgresql_create_custom_database - - # 为数据库授权;默认用户不为 postgres 时,需要创建管理员账户 - LOG_D "Set password for postgres user" - if [[ "${PG_USERNAME}" = "postgres" ]]; then - [[ -n "${PG_PASSWORD}" ]] && postgresql_alter_postgres_user "${PG_PASSWORD}" - else - [[ -n "${PG_POSTGRES_PASSWORD}" ]] && postgresql_alter_postgres_user "${PG_POSTGRES_PASSWORD}" - postgresql_create_admin_user - fi - [[ -n "${PG_REPLICATION_USER}" ]] && postgresql_create_replication_user - else - postgresql_standby_init_db - fi - else - LOG_I "Deploying ${APP_NAME} with persisted data..." - export PG_FIRST_BOOT="no" - fi - - # 检测配置文件是否存在 - if [[ ! -f "${APP_CONF_DIR}/.app_init_flag" ]]; then - LOG_I "Deploying postgresql with new configuration" - postgresql_default_postgresql_config - postgresql_default_hba_config - postgresql_hba_allow_local_connection - - if [[ "${PG_REPLICATION_MODE}" = "primary" ]]; then - [[ -n "${PG_REPLICATION_USER}" ]] && postgresql_hba_allow_replication_connection - else - postgresql_configure_recovery - fi - - if is_boolean_yes "${PG_ENABLE_TLS}" ; then - postgresql_configure_tls - [[ -n "${PG_TLS_CA_FILE}" ]] && postgresql_hba_allow_tls_connection - fi - - postgresql_configure_logging - postgresql_configure_connections - - touch "${APP_CONF_DIR}/.app_init_flag" - echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_CONF_DIR}/.app_init_flag" - else - LOG_I "Deploying postgresql with persisted configuration" - fi - - if [[ ! -f "${APP_DATA_DIR}/.data_init_flag" ]]; then - touch ${APP_DATA_DIR}/.data_init_flag - echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> ${APP_DATA_DIR}/.data_init_flag - fi - - postgresql_restrict_hba_config - - # 删除第一次运行时生成的默认配置文件 - rm -f "${PG_DATA_DIR}"/postgresql.conf "${PG_DATA_DIR}"/pg_hba.conf -} - -# 用户自定义的前置初始化操作,依次执行目录 preinitdb.d 中的初始化脚本 -# 执行完毕后,生成文件 ${APP_DATA_DIR}/.custom_preinit_flag -postgresql_custom_preinit() { - LOG_I "Check custom pre-init status of ${APP_NAME}..." - - # 检测用户配置文件目录是否存在 preinitdb.d 文件夹,如果存在,尝试执行目录中的初始化脚本 - if [ -d "/srv/conf/${APP_NAME}/preinitdb.d" ]; then - # 检测数据存储目录是否存在已初始化标志文件;如果不存在,检索可执行脚本文件并进行初始化操作 - if [[ -n $(find "/srv/conf/${APP_NAME}/preinitdb.d/" -type f -regex ".*\.\(sh\)") ]] && \ - [[ ! -f "${APP_DATA_DIR}/.custom_preinit_flag" ]]; then - LOG_I "Process custom pre-init scripts from /srv/conf/${APP_NAME}/preinitdb.d..." - - # 检索所有可执行脚本,排序后执行 - find "/srv/conf/${APP_NAME}/preinitdb.d/" -type f -regex ".*\.\(sh\)" | sort | process_init_files - - touch "${APP_DATA_DIR}/.custom_preinit_flag" - echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_DATA_DIR}/.custom_preinit_flag" - LOG_I "Custom preinit for ${APP_NAME} complete." - else - LOG_I "Custom preinit for ${APP_NAME} already done before, skipping initialization." - fi - fi - - # 检测依赖的服务是否就绪 - #for i in ${SERVICE_PRECONDITION[@]}; do - # app_wait_service "${i}" - #done -} - -# 用户自定义的应用初始化操作,依次执行目录initdb.d中的初始化脚本 -# 执行完毕后,生成文件 ${APP_DATA_DIR}/.custom_init_flag -postgresql_custom_init() { - LOG_I "Check custom initdb status of ${APP_NAME}..." - - # 检测用户配置文件目录是否存在 initdb.d 文件夹,如果存在,尝试执行目录中的初始化脚本 - if [ -d "/srv/conf/${APP_NAME}/initdb.d" ]; then - # 检测数据存储目录是否存在已初始化标志文件;如果不存在,检索可执行脚本文件并进行初始化操作 - if [[ -n $(find "/srv/conf/${APP_NAME}/initdb.d/" -type f -regex ".*\.\(sh\|sql\|sql.gz\)") ]] && \ - [[ ! -f "${APP_DATA_DIR}/.custom_init_flag" ]]; then - LOG_I "Process custom init scripts from /srv/conf/${APP_NAME}/initdb.d..." - - # 启动后台服务 - postgresql_start_server_bg - - # 检索所有可执行脚本,排序后执行 - find "/srv/conf/${APP_NAME}/initdb.d/" -type f -regex ".*\.\(sh\|sql\|sql.gz\)" | sort | while read -r f; do - case "$f" in - *.sh) - if [[ -x "$f" ]]; then - LOG_D "Executing $f"; "$f" - else - LOG_D "Sourcing $f"; . "$f" - fi - ;; - *.sql) - LOG_D "Executing $f"; - postgresql_execute "${PG_DATABASE}" "${PG_INITSCRIPTS_USERNAME}" "${PG_INITSCRIPTS_PASSWORD}" < "$f" - ;; - *.sql.gz) - LOG_D "Executing $f"; - gunzip -c "$f" | postgresql_execute "${PG_DATABASE}" "${PG_INITSCRIPTS_USERNAME}" "${PG_INITSCRIPTS_PASSWORD}" - ;; - *) - LOG_D "Ignoring $f" ;; - esac - done - - touch "${APP_DATA_DIR}/.custom_init_flag" - echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_DATA_DIR}/.custom_init_flag" - LOG_I "Custom init for ${APP_NAME} complete." - else - LOG_I "Custom init for ${APP_NAME} already done before, skipping initialization." - fi - fi -} - -# 初始化 Master 节点数据库 -postgresql_primary_init_db() { - LOG_I "Initializing PostgreSQL database" - - postgresql_enable_nss_wrapper - - local envExtraFlags=() - local initdb_args=() - if [[ -n "${PG_INITDB_ARGS}" ]]; then - read -r -a envExtraFlags <<< "${PG_INITDB_ARGS}" - initdb_args+=("${envExtraFlags[@]}") - fi - #initdb+=("-o" "--config-file=${PG_CONF_FILE} --external_pid_file=${PG_EXT_PID_FILE} --hba_file=${PG_HBA_FILE}") - if [[ -n "${PG_INITDB_WAL_DIR:-}" ]]; then - initdb_args+=("--waldir=${PG_INITDB_WAL_DIR}") - fi - - local initdb_cmd=("${APP_HOME_DIR}/bin/initdb") - - if [[ -n "${initdb_args[*]}" ]]; then - LOG_I "extra initdb arguments: ${initdb_args[*]}" - fi - - if is_boolean_yes "${ENV_DEBUG}"; then - "${initdb_cmd[@]}" -E UTF8 -D "${PG_DATA_DIR}" -U "postgres" "${initdb_args[@]}" - else - "${initdb_cmd[@]}" -E UTF8 -D "${PG_DATA_DIR}" -U "postgres" "${initdb_args[@]}" >/dev/null 2>&1 - fi - - postgresql_disable_nss_wrapper -} - -# 初始化 Slave 节点数据库 -postgresql_standby_init_db() { - LOG_I "Waiting for replication primary to accept connections (${PG_INIT_MAX_TIMEOUT} seconds)..." - local -r check_args=("-U" "${PG_REPLICATION_USER}" "-h" "${PG_PRIMARY_HOST}" "-p" "${PG_PRIMARY_PORT}" "-d" "${PG_DATABASE}") - local check_cmd=("${APP_HOME_DIR}/bin/pg_isready") - local ready_counter=${PG_INIT_MAX_TIMEOUT} - - while ! PGPASSWORD=${PG_REPLICATION_PASSWORD} "${check_cmd[@]}" "${check_args[@]}" >/dev/null 2>&1;do - sleep 1 - ready_counter=$(( ready_counter - 1 )) - if (( ready_counter <= 0 )); then - LOG_E "PostgreSQL primary is not ready after ${PG_INIT_MAX_TIMEOUT} seconds" - exit 1 - fi - done - - LOG_I "Replicating the database from node primary..." - #local -r backup_args=("-D" "$PG_DATA_DIR" -d "hostaddr=$PG_PRIMARY_HOST port=$PG_PRIMARY_PORT user=$PG_REPLICATION_USER password=$PG_REPLICATION_PASSWORD" -v -Fp -Xs - local -r backup_args=("-D" "${PG_DATA_DIR}" "-U" "${PG_REPLICATION_USER}" "-h" "${PG_PRIMARY_HOST}" "-p" "${PG_PRIMARY_PORT}" "-X" "stream" "-w" "-v" "-P") - local backup_cmd=("${APP_HOME_DIR}/bin/pg_basebackup") - local replication_counter=${PG_INIT_MAX_TIMEOUT} - - while ! PGPASSWORD=${PG_REPLICATION_PASSWORD} "${backup_cmd[@]}" "${backup_args[@]}";do - LOG_D "Backup command failed. Sleeping and trying again" - sleep 1 - replication_counter=$(( replication_counter - 1 )) - if (( replication_counter <= 0 )); then - LOG_E "Slave replication failed after trying for ${PG_INIT_MAX_TIMEOUT} seconds" - exit 1 - fi - done -} - diff --git a/alpine/customer/usr/local/bin/entry.sh b/alpine/customer/usr/local/bin/entry.sh deleted file mode 100755 index 6d4f9b9..0000000 --- a/alpine/customer/usr/local/bin/entry.sh +++ /dev/null @@ -1,37 +0,0 @@ -#!/bin/bash -# Ver: 1.0 by Endial Fang (endial@126.com) -# -# 容器入口脚本 - -# 设置 shell 执行参数,可使用'-'(打开)'+'(关闭)控制。常用: -# -e: 命令执行错误则报错; -u: 变量未定义则报错; -x: 打印实际待执行的命令行; -o pipefail: 设置管道中命令遇到失败则报错 -set -eu -set -o pipefail - -. /usr/local/bin/comm-${APP_NAME}.sh # 应用专用函数库 - -. /usr/local/bin/comm-env.sh # 设置环境变量 - -LOG_I "** Processing entry.sh **" - -if ! is_sourced; then - # 替换命令行中的变量 - set -- $(eval echo "$@") - - [ "${1:0:1}" = '-' ] && set -- "${APP_EXEC:-}" "$@" - - print_image_welcome - print_command_help "$@" - - if [ "$1" = "${APP_EXEC}" ] && is_root; then - /usr/local/bin/setup.sh - - LOG_I "Restart with non-root user: ${APP_USER}\n" - exec gosu "${APP_USER}" "$0" "$@" - fi - - [ "$1" = "${APP_EXEC}" ] && /usr/local/bin/init.sh - - LOG_I "Start container with command: $@" - exec tini -- "$@" -fi diff --git a/alpine/customer/usr/local/bin/init.sh b/alpine/customer/usr/local/bin/init.sh deleted file mode 100755 index 937c4cd..0000000 --- a/alpine/customer/usr/local/bin/init.sh +++ /dev/null @@ -1,32 +0,0 @@ -#!/bin/bash -# Ver: 1.0 by Endial Fang (endial@126.com) -# -# 应用初始化脚本 - -# 设置 shell 执行参数,可使用'-'(打开)'+'(关闭)控制。常用: -# -e: 命令执行错误则报错; -u: 变量未定义则报错; -x: 打印实际待执行的命令行; -o pipefail: 设置管道中命令遇到失败则报错 -set -eu -set -o pipefail - -. /usr/local/bin/comm-${APP_NAME}.sh # 应用专用函数库 - -. /usr/local/bin/comm-env.sh # 设置环境变量 - -LOG_I "** Processing init.sh **" - -trap "postgresql_stop_server" EXIT - -# 执行应用预初始化操作 -${APP_NAME}_custom_preinit - -# 执行应用初始化操作 -${APP_NAME}_default_init - -# 执行用户自定义初始化脚本 -${APP_NAME}_custom_init - -# 绑定所有 IP 及 指定端口 ,启用远程访问 -postgresql_enable_remote_connections -postgresql_conf_set "port" "${PG_PORT_NUMBER}" - -LOG_I "** Processing init.sh finished! **" diff --git a/alpine/customer/usr/local/bin/run.sh b/alpine/customer/usr/local/bin/run.sh deleted file mode 100755 index fcbb526..0000000 --- a/alpine/customer/usr/local/bin/run.sh +++ /dev/null @@ -1,27 +0,0 @@ -#!/bin/bash -# Ver: 1.0 by Endial Fang (endial@126.com) -# -# 应用启动脚本 - -# 设置 shell 执行参数,可使用'-'(打开)'+'(关闭)控制。常用: -# -e: 命令执行错误则报错; -u: 变量未定义则报错; -x: 打印实际待执行的命令行; -o pipefail: 设置管道中命令遇到失败则报错 -set -eu -set -o pipefail - -. /usr/local/bin/comm-${APP_NAME}.sh # 应用专用函数库 - -. /usr/local/bin/comm-env.sh # 设置环境变量 - -LOG_I "** Processing run.sh **" - -flags=("--config-file=${PG_CONF_FILE}" "--hba_file=${PG_HBA_FILE}") -[[ -z "${APP_EXTRA_FLAGS:-}" ]] || flags=("${flags[@]}" "${APP_EXTRA_FLAGS[@]}") -START_COMMAND=("postgres") - -LOG_I "** Starting ${APP_NAME} **" -if is_root; then - exec gosu "${APP_USER}" tini -s -- "${START_COMMAND[@]}" "${flags[@]}" -else - exec tini -s -- "${START_COMMAND[@]}" "${flags[@]}" -fi - diff --git a/alpine/customer/usr/local/bin/setup.sh b/alpine/customer/usr/local/bin/setup.sh deleted file mode 100755 index 8b51233..0000000 --- a/alpine/customer/usr/local/bin/setup.sh +++ /dev/null @@ -1,48 +0,0 @@ -#!/bin/bash -# Ver: 1.0 by Endial Fang (endial@126.com) -# -# 应用环境及依赖文件设置脚本 - -# 设置 shell 执行参数,可使用'-'(打开)'+'(关闭)控制。常用: -# -e: 命令执行错误则报错; -u: 变量未定义则报错; -x: 打印实际待执行的命令行; -o pipefail: 设置管道中命令遇到失败则报错 -set -eu -set -o pipefail - -. /usr/local/bin/comm-${APP_NAME}.sh # 应用专用函数库 - -. /usr/local/bin/comm-env.sh # 设置环境变量 - -LOG_I "** Processing setup.sh **" - -APP_DIRS="${APP_CONF_DIR:-} ${APP_DATA_DIR:-} ${APP_LOG_DIR:-} ${APP_CERT_DIR:-} ${APP_DATA_LOG_DIR:-}" -APP_DIRS="${APP_DIRS} ${PG_DATA_DIR:-} ${PG_INITDB_WAL_DIR:-}" - -LOG_I "Ensure directory exists: ${APP_DIRS}" -for dir in ${APP_DIRS}; do - ensure_dir_exists ${dir} -done - -${APP_NAME}_verify_minimum_env - -# 检测指定文件是否在配置文件存储目录存在,如果不存在则拷贝(新挂载数据卷、手动删除都会导致不存在) -# PG 将使用默认模板生成配置文件,并放置在PGDATA目录 -#LOG_I "Check config files in: ${APP_CONF_DIR}" -#if [[ ! -z "$(ls -A "${APP_DEF_DIR}")" ]]; then -# ensure_config_file_exist "${APP_DEF_DIR}" $(ls -A "${APP_DEF_DIR}") -# : -#fi - -LOG_I "Ensure directory ownership: ${APP_USER}" -for dir in ${APP_DIRS}; do - configure_permissions_ownership "$dir" -u "${APP_USER}" -g "${APP_USER}" -done - -# 解决 PostgreSQL 目录权限过于开放,无法初始化问题:FATAL: data directory "/srv/data/postgresql" has group or world access -LOG_D "Lack of permissions on data directory: ${PG_DATA_DIR}" -chmod 0700 ${PG_DATA_DIR} - -# 解决使用gosu后,nginx: [emerg] open() "/dev/stdout" failed (13: Permission denied) -LOG_D "Change permissions of stdout/stderr to 0622" -chmod 0622 /dev/stdout /dev/stderr - -LOG_I "** Processing setup.sh finished! **" diff --git a/alpine/customer/usr/local/overrides/overrides-12.4.sh b/alpine/customer/usr/local/overrides/overrides-12.4.sh deleted file mode 100644 index c5b6e9e..0000000 --- a/alpine/customer/usr/local/overrides/overrides-12.4.sh +++ /dev/null @@ -1,35 +0,0 @@ -#!/bin/bash -ex - -POSTGRESQL_CONF="${APP_HOME_DIR}/share/postgresql.conf.sample" - -# 在安装完应用后,使用该脚本修改默认配置文件中部分配置项 -# 如果相应的配置项已经定义整体环境变量,则不需要在这里修改 -echo "Process overrides for default configs..." -#sed -i -E 's/^listeners=/d' "$KAFKA_HOME/config/server.properties" - -# 设置默认监听地址为 localhost ,防止初始化操作期间外部链接,在容器初始化完成后修改为监听所有地址 -sed -i -E "s/^#?(listen_addresses) .*/\1 = 'localhost'/g" ${POSTGRESQL_CONF} - -sed -i -E "s/^#?data_directory .*/data_directory = '\/srv\/data\/${APP_NAME}\/data'/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#?hba_file .*/hba_file = '\/srv\/conf\/${APP_NAME}\/pg_hba.conf'/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#?ident_file .*/ident_file = '\/srv\/data\/${APP_NAME}\/data\/pg_ident.conf'/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#?external_pid_file .*/external_pid_file = '\/var\/run\/${APP_NAME}\/postgresql.pid'/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#?max_connections .*/max_connections = 2000/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#?password_encryption .*/password_encryption = md5/g" ${POSTGRESQL_CONF} - -sed -i -E "s/^#?log_destination .*/log_destination = 'stderr'/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#?logging_collector .*/logging_collector = on/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#?log_directory .*/log_directory = '\/var\/log\/${APP_NAME}'/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#?log_filename .*/log_filename = 'postgresql-\%Y-\%m-\%d_\%H\%M\%S.log'/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#?log_truncate_on_rotation .*/log_truncate_on_rotation = on/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#?log_rotation_age .*/log_rotation_age = 1d/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#?log_rotation_size .*/log_rotation_size = 0/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#?log_timezone .*/log_timezone = 'Asia\/Shanghai'/g" ${POSTGRESQL_CONF} - -#sed -i -E "s/^#?include_dir .*/include_dir = 'conf\.d'/g" ${POSTGRESQL_CONF} - -# 修改 unix_socket_directories 与 PID 文件同目录,解决修改 PID 输出目录后 psql 不指定`-h`时 Unix Socket 无法找到问题: -# psql: could not connect to server: No such file or directory -# Is the server running locally and accepting -# connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"? -sed -i -E "s/^unix_socket_directories .*/unix_socket_directories = '\/var\/run\/${APP_NAME}'/g" ${POSTGRESQL_CONF} diff --git a/alpine/customer/usr/sbin/create_user b/alpine/customer/usr/sbin/create_user deleted file mode 100755 index a61a90b..0000000 --- a/alpine/customer/usr/sbin/create_user +++ /dev/null @@ -1,10 +0,0 @@ -#!/bin/bash -# shell 执行参数,分别为 -e(命令执行错误则退出脚本) -u(变量未定义则报错) -x(打印实际待执行的命令行) -set -eux -addgroup -g 998 -S ${APP_USER} -adduser -G ${APP_USER} -u 999 -s /bin/bash -h /srv/data/${APP_NAME} -D -S ${APP_USER} -#adduser -G ${APP_USER} -u 999 -s /usr/sbin/nologin -h /srv/data/${APP_NAME} -D -S ${APP_USER} - -# 如果需要 sudo 权限,需要安装 su 软件包:apk add sudo -#sed -i -e 's/^\sDefaults\s*secure_path\s*=/# Defaults secure_path=/' /etc/sudoers -#echo "${APP_USER} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers diff --git a/alpine/customer/usr/sbin/prepare_env b/alpine/customer/usr/sbin/prepare_env deleted file mode 100755 index 05ce3b1..0000000 --- a/alpine/customer/usr/sbin/prepare_env +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/bash -# shell 执行参数,分别为 -e(命令执行错误则退出脚本) -u(变量未定义则报错) -x(打印实际待执行的命令行) -set -eux - -APP_DIRS=" \ - /usr/local/${APP_NAME} \ - /etc/${APP_NAME} \ - /srv/conf/${APP_NAME} \ - /srv/data/${APP_NAME} \ - /srv/datalog/${APP_NAME} \ - /var/cache/${APP_NAME} \ - /var/run/${APP_NAME} \ - /var/log/${APP_NAME} \ - /srv/cert/${APP_NAME}" - -mkdir -p ${APP_DIRS} -chown -Rf ${APP_USER}:${APP_USER} ${APP_DIRS};