From b09af0322d03c6f277d54ab6d712df81166be1be Mon Sep 17 00:00:00 2001 From: Endial Fang Date: Tue, 29 Sep 2020 13:51:01 +0800 Subject: [PATCH] =?UTF-8?q?[fix:12]=E6=9B=B4=E6=96=B0=E8=84=9A=E6=9C=AC?= =?UTF-8?q?=E7=AE=A1=E7=90=86=E7=BB=93=E6=9E=84=EF=BC=9B=E8=A7=A3=E5=86=B3?= =?UTF-8?q?=E5=88=9D=E5=A7=8B=E5=8C=96=E6=97=B6=E5=85=BC=E5=AE=B9=E6=80=A7?= =?UTF-8?q?=E9=97=AE=E9=A2=98=EF=BC=9B=E6=9B=B4=E6=96=B0Makefile=E8=8E=B7?= =?UTF-8?q?=E5=8F=96=E6=9C=8D=E5=8A=A1=E5=99=A8=E5=91=BD=E4=BB=A4=E5=85=BC?= =?UTF-8?q?=E5=AE=B9=E6=80=A7?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- Dockerfile | 92 +-- Makefile | 2 +- alpine/Dockerfile | 82 +-- alpine/customer/usr/local/bin/comm-env.sh | 115 ++++ .../bin/{appcommon.sh => comm-postgresql.sh} | 607 ++++++++++-------- alpine/customer/usr/local/bin/entry.sh | 5 +- alpine/customer/usr/local/bin/init.sh | 17 +- alpine/customer/usr/local/bin/run.sh | 14 +- alpine/customer/usr/local/bin/setup.sh | 24 +- .../usr/local/overrides/overrides-12.4.sh | 32 +- alpine/customer/usr/sbin/create_user | 4 +- alpine/customer/usr/sbin/prepare_env | 11 +- customer/usr/local/bin/comm-env.sh | 115 ++++ .../bin/{appcommon.sh => comm-postgresql.sh} | 607 ++++++++++-------- customer/usr/local/bin/entry.sh | 5 +- customer/usr/local/bin/init.sh | 17 +- customer/usr/local/bin/run.sh | 14 +- customer/usr/local/bin/setup.sh | 24 +- .../usr/local/overrides/overrides-12.4.sh | 32 +- customer/usr/sbin/create_user | 4 +- customer/usr/sbin/prepare_env | 11 +- docker-compose.yml | 11 +- 22 files changed, 1074 insertions(+), 771 deletions(-) create mode 100644 alpine/customer/usr/local/bin/comm-env.sh rename alpine/customer/usr/local/bin/{appcommon.sh => comm-postgresql.sh} (52%) create mode 100644 customer/usr/local/bin/comm-env.sh rename customer/usr/local/bin/{appcommon.sh => comm-postgresql.sh} (52%) diff --git a/Dockerfile b/Dockerfile index 8918e60..753135d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,12 +13,9 @@ ARG local_url="" ENV APP_NAME=postgresql \ APP_VERSION=12.4 -WORKDIR /usr/local - RUN select_source ${apt_source}; -#RUN install_pkg bison coreutils flex libedit-dev libxml2-dev libxslt-dev util-linux-dev zlib-dev icu-dev \ RUN install_pkg bison flex libedit-dev libxml2-dev libxslt-dev zlib1g-dev libreadline-dev uuid-dev \ - libperl-dev + libperl-dev libicu-dev libxslt1-dev libssl-dev libldap2-dev libkrb5-dev libpam0g-dev libselinux1-dev; # 下载并解压软件包 RUN set -eux; \ @@ -30,11 +27,9 @@ RUN set -eux; \ "; \ download_pkg unpack ${appName} "${appUrls}" -s "${sha256}"; -# 源码编译软件包 +# 源码编译: 编译后将配置文件模板拷贝至 /usr/local/${APP_NAME}/share/${APP_NAME} 中 RUN set -eux; \ -# 源码编译方式安装: 编译后将原始配置文件拷贝至 ${APP_DEF_DIR} 中 APP_SRC="/usr/local/${APP_NAME}-${APP_VERSION}"; \ - mkdir -p /usr/local/${APP_NAME}/bin /usr/local/${APP_NAME}/lib; \ cd ${APP_SRC}; \ \ # update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian) @@ -54,56 +49,47 @@ RUN set -eux; \ --build="$gnuArch" \ --enable-integer-datetimes \ --enable-thread-safety \ -# --enable-tap-tests \ --disable-rpath \ --with-uuid=e2fs \ --with-gnu-ld \ --with-pgport=5432 \ --with-system-tzdata=/usr/share/zoneinfo \ - --prefix=/usr/local \ --with-includes=/usr/local/include \ --with-libraries=/usr/local/lib \ --with-openssl \ --with-libxml \ --with-libxslt \ --with-icu \ - --with-libuuid \ + --with-krb5 \ + --with-ldap \ +# --enable-tap-tests \ # "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'" # --enable-nls \ # these make our image abnormally large (at least 100MB larger), which seems uncouth for an "Alpine" (ie, "small") variant :) # --enable-debug \ -# --with-krb5 \ # --with-gssapi \ -# --with-ldap \ # --with-tcl \ # --with-perl \ # --with-python \ # --with-pam \ ; \ - make PG_SYSROOT=/usr/local/${APP_NAME} -j "$(nproc)" world; \ - make PREFIX=/usr/local/${APP_NAME} install-world; \ - make PREFIX=/usr/local/${APP_NAME} -C contrib install; \ - runDeps="$( \ -# scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \ -# | tr ',' '\n' \ -# | sort -u \ -# | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ - find /usr/local -type f -executable -exec ldd '{}' ';' \ - | awk '/=>/ { print $(NF-1) }' \ - | sort -u \ - | xargs -r dpkg-query --search \ - | cut -d: -f1 \ - | sort -u; \ - )"; \ - echo "${runDeps}" >/usr/local/${APP_NAME}/runDeps; \ - mv /usr/local/lib/* /usr/local/${APP_NAME}/lib/; \ - mv /usr/local/bin/* /usr/local/${APP_NAME}/bin/; \ - mkdir -p /usr/local/${APP_NAME}/share; \ - mv /usr/local/share/${APP_NAME} /usr/local/${APP_NAME}/share; \ - find /usr/local -name '*.a' -delete; + make -j "$(nproc)" world; \ + make install-world; \ + make -C contrib install; +# 删除编译生成的多余文件 +RUN set -eux; \ + find /usr/local -name '*.a' -delete; \ + rm -rf /usr/local/${APP_NAME}/include; -#ENV LD_LIBRARY_PATH=/usr/local/${APP_NAME}/lib +# 检测并生成依赖文件记录;repmgr 相关资源也是放置在 ${APP_NAME} 路径下 +RUN set -eux; \ + find /usr/local/${APP_NAME} -type f -executable -exec ldd '{}' ';' | \ + awk '/=>/ { print $(NF-1) }' | \ + sort -u | \ + xargs -r dpkg-query --search | \ + cut -d: -f1 | \ + sort -u >/usr/local/${APP_NAME}/runDeps; # 镜像生成 ======================================================================== FROM colovu/debian:10 @@ -117,17 +103,9 @@ ENV APP_NAME=postgresql \ APP_VERSION=12.4 ENV APP_HOME_DIR=/usr/local/${APP_NAME} \ - APP_DEF_DIR=/etc/${APP_NAME} \ - APP_CONF_DIR=/srv/conf/${APP_NAME} \ - APP_DATA_DIR=/srv/data/${APP_NAME} \ - APP_DATA_LOG_DIR=/srv/datalog/${APP_NAME} \ - APP_CACHE_DIR=/var/cache/${APP_NAME} \ - APP_RUN_DIR=/var/run/${APP_NAME} \ - APP_LOG_DIR=/var/log/${APP_NAME} \ - APP_CERT_DIR=/srv/cert/${APP_NAME} + APP_DEF_DIR=/etc/${APP_NAME} -ENV \ - PATH="${APP_HOME_DIR}/bin:${PATH}" \ +ENV PATH="${APP_HOME_DIR}/bin:${PATH}" \ LD_LIBRARY_PATH=${APP_HOME_DIR}/lib LABEL \ @@ -136,32 +114,26 @@ LABEL \ "Dockerfile"="https://github.com/colovu/docker-${APP_NAME}" \ "Vendor"="Endial Fang (endial@126.com)" -COPY customer / -# 以包管理方式安装软件包(Optional) + +# 选择软件包源 RUN select_source ${apt_source} -RUN install_pkg uuid -#RUN install_pkg bash tini sudo libssl1.1 - -RUN create_user && prepare_env # 从预处理过程中拷贝软件包(Optional) -#COPY --from=0 /usr/local/bin/gosu-amd64 /usr/local/bin/gosu -#COPY --from=builder /usr/local/bin /usr/local/postgresql/bin -#COPY --from=builder /usr/local/lib /usr/local/lib -COPY --from=builder ${APP_HOME_DIR} ${APP_HOME_DIR} +COPY --from=builder /usr/local/${APP_NAME}/ /usr/local/${APP_NAME} -RUN install_pkg `cat ${APP_HOME_DIR}/runDeps`; +# 安装依赖的软件包及库(Optional) +RUN install_pkg `cat /usr/local/${APP_NAME}/runDeps`; + +COPY customer / +RUN create_user && prepare_env # 执行预处理脚本,并验证安装的软件包 RUN set -eux; \ override_file="/usr/local/overrides/overrides-${APP_VERSION}.sh"; \ [ -e "${override_file}" ] && /bin/bash "${override_file}"; \ -# cp -rf ${APP_HOME_DIR}/share/${APP_NAME} /etc/; \ -# mkdir -p ${APP_DEF_DIR}/conf.d; \ - export LD_LIBRARY_PATH=${APP_HOME_DIR}/lib; \ gosu ${APP_USER} ${APP_EXEC} --version ; \ - :; + gosu --version; # 默认提供的数据卷 VOLUME ["/srv/conf", "/srv/data", "/srv/datalog", "/srv/cert", "/var/log"] @@ -173,5 +145,5 @@ EXPOSE 5432 ENTRYPOINT ["entry.sh"] # 应用程序的服务命令,必须使用非守护进程方式运行。如果使用变量,则该变量必须在运行环境中存在(ENV可以获取) -CMD ["${APP_EXEC}", "-D", "${PGDATA}"] +CMD ["${APP_EXEC}", "--config-file=${PG_CONF_FILE}", "--hba_file=${PG_HBA_FILE}"] diff --git a/Makefile b/Makefile index 9cbce72..5ebb830 100644 --- a/Makefile +++ b/Makefile @@ -15,7 +15,7 @@ current_tag:=$(shell if [ ! `git status >/dev/null 2>&1` ]; then git rev-parse - build-arg:=--build-arg apt_source=tencent # 设置本地下载服务器路径,加速调试时的本地编译速度 -local_ip:=`ifconfig -a|grep inet|grep -v 127.0.0.1|grep -v inet6|awk '{print $$2}'|tr -d "addr:"` +local_ip:=`echo "en0 eth0" |xargs -n1 ip addr show 2>/dev/null|grep inet|grep -v 127.0.0.1|grep -v inet6|tr "/" " "|awk '{print $$2}'` build-arg+=--build-arg local_url=http://$(local_ip)/dist-files #--build-arg local_url=http://192.168.1.187/dist-files/postgresql diff --git a/alpine/Dockerfile b/alpine/Dockerfile index 6e6335c..3f79c6d 100644 --- a/alpine/Dockerfile +++ b/alpine/Dockerfile @@ -13,10 +13,9 @@ ARG local_url="" ENV APP_NAME=postgresql \ APP_VERSION=12.4 -WORKDIR /usr/local - RUN select_source ${apt_source}; RUN install_pkg bison coreutils flex libedit-dev libxml2-dev libxslt-dev util-linux-dev zlib-dev icu-dev \ + openssl-dev openldap-dev krb5-dev linux-pam-dev libselinux-dev \ # configure: error: prove not found perl-utils \ # configure: error: Perl module IPC::Run is required to run TAP tests @@ -32,11 +31,9 @@ RUN set -eux; \ "; \ download_pkg unpack ${appName} "${appUrls}" -s "${sha256}"; -# 源码编译软件包 +# 源码编译: 编译后将配置文件模板拷贝至 /usr/local/${APP_NAME}/share/${APP_NAME} 中 RUN set -eux; \ -# 源码编译方式安装: 编译后将原始配置文件拷贝至 ${APP_DEF_DIR} 中 APP_SRC="/usr/local/${APP_NAME}-${APP_VERSION}"; \ - mkdir -p /usr/local/${APP_NAME}/bin /usr/local/${APP_NAME}/lib; \ cd ${APP_SRC}; \ \ # update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian) @@ -56,49 +53,46 @@ RUN set -eux; \ --build="$gnuArch" \ --enable-integer-datetimes \ --enable-thread-safety \ - --enable-tap-tests \ --disable-rpath \ --with-uuid=e2fs \ --with-gnu-ld \ --with-pgport=5432 \ --with-system-tzdata=/usr/share/zoneinfo \ - --prefix=/usr/local \ --with-includes=/usr/local/include \ --with-libraries=/usr/local/lib \ --with-openssl \ --with-libxml \ --with-libxslt \ --with-icu \ + --with-krb5 \ + --with-ldap \ + --enable-tap-tests \ # "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'" # --enable-nls \ # these make our image abnormally large (at least 100MB larger), which seems uncouth for an "Alpine" (ie, "small") variant :) # --enable-debug \ -# --with-krb5 \ # --with-gssapi \ -# --with-ldap \ # --with-tcl \ # --with-perl \ # --with-python \ # --with-pam \ ; \ - make PG_SYSROOT=/usr/local/${APP_NAME} -j "$(nproc)" world; \ - make PREFIX=/usr/local/${APP_NAME} install-world; \ - make PREFIX=/usr/local/${APP_NAME} -C contrib install; \ - runDeps="$( \ - scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \ - | tr ',' '\n' \ - | sort -u \ - | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ - )"; \ - echo "${runDeps}" >/usr/local/${APP_NAME}/runDeps; \ - mv /usr/local/lib/* /usr/local/${APP_NAME}/lib/; \ - mv /usr/local/bin/* /usr/local/${APP_NAME}/bin/; \ - mkdir -p /usr/local/${APP_NAME}/share; \ - mv /usr/local/share/${APP_NAME} /usr/local/${APP_NAME}/share; \ - find /usr/local -name '*.a' -delete; + make -j "$(nproc)" world; \ + make install-world; \ + make -C contrib install; +# 删除编译生成的多余文件 +RUN set -eux; \ + find /usr/local -name '*.a' -delete; \ + rm -rf /usr/local/${APP_NAME}/include; -#ENV LD_LIBRARY_PATH=/usr/local/${APP_NAME}/lib +# 检测并生成依赖文件记录;repmgr 相关资源也是放置在 ${APP_NAME} 路径下 +RUN set -eux; \ + scanelf --needed --nobanner --format '%n#p' --recursive /usr/local/${APP_NAME} | \ + tr ',' '\n' | \ + sort -u | \ + awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } \ + { print "so:" $1 }' >/usr/local/${APP_NAME}/runDeps; # 镜像生成 ======================================================================== FROM colovu/alpine:3.12 @@ -112,17 +106,9 @@ ENV APP_NAME=postgresql \ APP_VERSION=12.4 ENV APP_HOME_DIR=/usr/local/${APP_NAME} \ - APP_DEF_DIR=/etc/${APP_NAME} \ - APP_CONF_DIR=/srv/conf/${APP_NAME} \ - APP_DATA_DIR=/srv/data/${APP_NAME} \ - APP_DATA_LOG_DIR=/srv/datalog/${APP_NAME} \ - APP_CACHE_DIR=/var/cache/${APP_NAME} \ - APP_RUN_DIR=/var/run/${APP_NAME} \ - APP_LOG_DIR=/var/log/${APP_NAME} \ - APP_CERT_DIR=/srv/cert/${APP_NAME} + APP_DEF_DIR=/etc/${APP_NAME} -ENV \ - PATH="${APP_HOME_DIR}/bin:${PATH}" \ +ENV PATH="${APP_HOME_DIR}/bin:${PATH}" \ LD_LIBRARY_PATH=${APP_HOME_DIR}/lib LABEL \ @@ -131,32 +117,26 @@ LABEL \ "Dockerfile"="https://github.com/colovu/docker-${APP_NAME}" \ "Vendor"="Endial Fang (endial@126.com)" -COPY customer / -# 以包管理方式安装软件包(Optional) + +# 选择软件包源 RUN select_source ${apt_source} -RUN install_pkg tzdata -#RUN install_pkg bash tini sudo libssl1.1 - -RUN create_user && prepare_env # 从预处理过程中拷贝软件包(Optional) -#COPY --from=0 /usr/local/bin/gosu-amd64 /usr/local/bin/gosu -#COPY --from=builder /usr/local/bin /usr/local/postgresql/bin -#COPY --from=builder /usr/local/lib /usr/local/lib -COPY --from=builder ${APP_HOME_DIR} ${APP_HOME_DIR} +COPY --from=builder /usr/local/${APP_NAME}/ /usr/local/${APP_NAME} -RUN install_pkg `cat ${APP_HOME_DIR}/runDeps`; +# 安装依赖的软件包及库(Optional) +RUN install_pkg `cat /usr/local/${APP_NAME}/runDeps`; + +COPY customer / +RUN create_user && prepare_env # 执行预处理脚本,并验证安装的软件包 RUN set -eux; \ override_file="/usr/local/overrides/overrides-${APP_VERSION}.sh"; \ [ -e "${override_file}" ] && /bin/bash "${override_file}"; \ -# cp -rf ${APP_HOME_DIR}/share/${APP_NAME} /etc/; \ -# mkdir -p ${APP_DEF_DIR}/conf.d; \ - export LD_LIBRARY_PATH=${APP_HOME_DIR}/lib; \ gosu ${APP_USER} ${APP_EXEC} --version ; \ - :; + gosu --version; # 默认提供的数据卷 VOLUME ["/srv/conf", "/srv/data", "/srv/datalog", "/srv/cert", "/var/log"] @@ -168,5 +148,5 @@ EXPOSE 5432 ENTRYPOINT ["entry.sh"] # 应用程序的服务命令,必须使用非守护进程方式运行。如果使用变量,则该变量必须在运行环境中存在(ENV可以获取) -CMD ["${APP_EXEC}", "-D", "${PGDATA}"] +CMD ["${APP_EXEC}", "--config-file=${PG_CONF_FILE}", "--hba_file=${PG_HBA_FILE}"] diff --git a/alpine/customer/usr/local/bin/comm-env.sh b/alpine/customer/usr/local/bin/comm-env.sh new file mode 100644 index 0000000..30d614b --- /dev/null +++ b/alpine/customer/usr/local/bin/comm-env.sh @@ -0,0 +1,115 @@ +#!/bin/bash +# Ver: 1.0 by Endial Fang (endial@126.com) +# +# 应用环境变量定义及初始化 + +# 通用设置 +export ENV_DEBUG=${ENV_DEBUG:-false} +export ALLOW_ANONYMOUS_LOGIN="${ALLOW_ANONYMOUS_LOGIN:-no}" + +# 通过读取变量名对应的 *_FILE 文件,获取变量值;如果对应文件存在,则通过传入参数设置的变量值会被文件中对应的值覆盖 +# 变量优先级: *_FILE > 传入变量 > 默认值 +app_env_file_lists=( + PG_POSTGRES_PASSWORD + PG_PASSWORD + PG_REPLICATION_PASSWORD + PG_LDAP_BIND_PASSWORD +) +for env_var in "${app_env_file_lists[@]}"; do + file_env_var="${env_var}_FILE" + if [[ -n "${!file_env_var:-}" ]]; then + export "${env_var}=$(< "${!file_env_var}")" + unset "${file_env_var}" + fi +done +unset postgresql_env_vars + +# 应用路径参数 +export APP_HOME_DIR="/usr/local/${APP_NAME}" +export APP_DEF_DIR="/etc/${APP_NAME}" +export APP_CONF_DIR="/srv/conf/${APP_NAME}" +export APP_DATA_DIR="/srv/data/${APP_NAME}" +export APP_DATA_LOG_DIR="/srv/datalog/${APP_NAME}" +export APP_CACHE_DIR="/var/cache/${APP_NAME}" +export APP_RUN_DIR="/var/run/${APP_NAME}" +export APP_LOG_DIR="/var/log/${APP_NAME}" +export APP_CERT_DIR="/srv/cert/${APP_NAME}" + +export PG_DATA_DIR="${APP_DATA_DIR}/data" + +export PG_CONF_FILE="${APP_CONF_DIR}/postgresql.conf" +export PG_HBA_FILE="${APP_CONF_DIR}/pg_hba.conf" +export PG_RECOVERY_FILE="${PG_DATA_DIR}/recovery.conf" +export PG_IDENT_FILE="${PG_DATA_DIR}/pg_ident.conf" +export PG_EXT_PID_FILE="${APP_RUN_DIR}/postgresql.pid" +export PG_LOG_FILE="${APP_LOG_DIR}/postgresql.log" + +# 应用配置参数 +export PG_CLUSTER_APP_NAME=${PG_CLUSTER_APP_NAME:-cvcluster} +export PG_REPLICATION_MODE="${PG_REPLICATION_MODE:-primary}" +export PG_PRIMARY_HOST="${PG_PRIMARY_HOST:-}" +export PG_PRIMARY_PORT="${PG_PRIMARY_PORT:-5432}" +export PG_NUM_SYNCHRONOUS_REPLICAS="${PG_NUM_SYNCHRONOUS_REPLICAS:-0}" +export PG_REPLICATION_USER="${PG_REPLICATION_USER:-}" +export PG_REPLICATION_PASSWORD="${PG_REPLICATION_PASSWORD:-}" +export PG_SYNCHRONOUS_COMMIT_MODE="${PG_SYNCHRONOUS_COMMIT_MODE:-on}" +export PG_FSYNC="${PG_FSYNC:-on}" +export PG_INIT_MAX_TIMEOUT=${PG_INIT_MAX_TIMEOUT:-60} +export PG_INITDB_ARGS="${PG_INITDB_ARGS:-}" +export PG_INITDB_WAL_DIR="${PG_INITDB_WAL_DIR:-}" +export PG_PORT_NUMBER="${PG_PORT_NUMBER:-5432}" +export PG_SHARED_PRELOAD_LIBRARIES="${PG_SHARED_PRELOAD_LIBRARIES:-}" +export PG_USERNAME_CONNECTION_LIMIT="${PG_USERNAME_CONNECTION_LIMIT:-}" +export PG_POSTGRES_CONNECTION_LIMIT="${PG_POSTGRES_CONNECTION_LIMIT:-}" + +export PG_ENABLE_LDAP="${PG_ENABLE_LDAP:-no}" +export PG_LDAP_URL="${PG_LDAP_URL:-}" +export PG_LDAP_PREFIX="${PG_LDAP_PREFIX:-}" +export PG_LDAP_SUFFIX="${PG_LDAP_SUFFIX:-}" +export PG_LDAP_SERVER="${PG_LDAP_SERVER:-}" +export PG_LDAP_PORT="${PG_LDAP_PORT:-}" +export PG_LDAP_SCHEME="${PG_LDAP_SCHEME:-}" +export PG_LDAP_TLS="${PG_LDAP_TLS:-}" +export PG_LDAP_BASE_DN="${PG_LDAP_BASE_DN:-}" +export PG_LDAP_BIND_DN="${PG_LDAP_BIND_DN:-}" +export PG_LDAP_BIND_PASSWORD="${PG_LDAP_BIND_PASSWORD:-}" +export PG_LDAP_SEARCH_ATTR="${PG_LDAP_SEARCH_ATTR:-}" +export PG_LDAP_SEARCH_FILTER="${PG_LDAP_SEARCH_FILTER:-}" + +export PG_ENABLE_TLS="${PG_ENABLE_TLS:-no}" +export PG_TLS_CERT_FILE="${PG_TLS_CERT_FILE:-}" +export PG_TLS_KEY_FILE="${PG_TLS_KEY_FILE:-}" +export PG_TLS_CA_FILE="${PG_TLS_CA_FILE:-}" +export PG_TLS_CRL_FILE="${PG_TLS_CRL_FILE:-}" +export PG_TLS_PREFER_SERVER_CIPHERS="${PG_TLS_PREFER_SERVER_CIPHERS:-yes}" + +export PG_PGAUDIT_LOG="${PG_PGAUDIT_LOG:-}" +export PG_PGAUDIT_LOG_CATALOG="${PG_PGAUDIT_LOG_CATALOG:-}" +export PG_LOG_CONNECTIONS="${PG_LOG_CONNECTIONS:-}" +export PG_LOG_DISCONNECTIONS="${PG_LOG_DISCONNECTIONS:-}" +export PG_LOG_HOSTNAME="${PG_LOG_HOSTNAME:-}" +export PG_CLIENT_MIN_MESSAGES="${PG_CLIENT_MIN_MESSAGES:-error}" +export PG_LOG_LINE_PREFIX="${PG_LOG_LINE_PREFIX:-}" +export PG_LOG_TIMEZONE="${PG_LOG_TIMEZONE:-}" + +export PG_MAX_CONNECTIONS="${PG_MAX_CONNECTIONS:-}" +export PG_TCP_KEEPALIVES_IDLE="${PG_TCP_KEEPALIVES_IDLE:-}" +export PG_TCP_KEEPALIVES_INTERVAL="${PG_TCP_KEEPALIVES_INTERVAL:-}" +export PG_TCP_KEEPALIVES_COUNT="${PG_TCP_KEEPALIVES_COUNT:-}" +export PG_STATEMENT_TIMEOUT="${PG_STATEMENT_TIMEOUT:-}" + +export PG_USERNAME="${PG_USERNAME:-postgres}" +export PG_PASSWORD="${PG_PASSWORD:-}" +export PG_DATABASE="${PG_DATABASE:-postgres}" +# 使用自定义用户名(非"postgres")时的管理员密码 +export PG_POSTGRES_PASSWORD="${PG_POSTGRES_PASSWORD:-}" +export PG_INITSCRIPTS_USERNAME="${PG_INITSCRIPTS_USERNAME:-${PG_USERNAME}}" +export PG_INITSCRIPTS_PASSWORD="${PG_INITSCRIPTS_PASSWORD:-${PG_PASSWORD}}" + +export PGCONNECT_TIMEOUT="${PGCONNECT_TIMEOUT:-10}" + +# 内部变量 +export PG_FIRST_BOOT="yes" + +# 个性化变量 + diff --git a/alpine/customer/usr/local/bin/appcommon.sh b/alpine/customer/usr/local/bin/comm-postgresql.sh similarity index 52% rename from alpine/customer/usr/local/bin/appcommon.sh rename to alpine/customer/usr/local/bin/comm-postgresql.sh index 34fc3a7..37805f2 100644 --- a/alpine/customer/usr/local/bin/appcommon.sh +++ b/alpine/customer/usr/local/bin/comm-postgresql.sh @@ -14,100 +14,6 @@ # 函数列表 -# 加载应用使用的环境变量初始值,该函数在相关脚本中以 eval 方式调用 -# 全局变量: -# ENV_* : 容器使用的全局变量 -# APP_* : 在镜像创建时定义的全局变量 -# *_* : 应用配置文件使用的全局变量,变量名根据配置项定义 -# 返回值: -# 可以被 'eval' 使用的序列化输出 -app_env() { - cat <<-'EOF' - # Common Settings - export ENV_DEBUG=${ENV_DEBUG:-false} - export ALLOW_ANONYMOUS_LOGIN="${ALLOW_ANONYMOUS_LOGIN:-no}" - - # Paths configuration - export PGDATA="${APP_DATA_DIR}/data" - export PG_INITDB_WAL_DIR="${PG_INITDB_WAL_DIR:-${APP_DATA_LOG_DIR}}" - - export PG_CONF_FILE="${PGDATA}/postgresql.conf" - export PG_HBA_FILE="${PGDATA}/pg_hba.conf" - export PG_IDENT_FILE="${PGDATA}/pg_ident.conf" - export PG_RECOVERY_FILE="${PGDATA}/recovery.conf" - - export PG_PID_FILE="${APP_RUN_DIR}/postgresql.pid" - export PG_LOG_FILE="${APP_LOG_DIR}/postgresql.log" - - # Cluster configuration - export PG_CLUSTER_APP_NAME=${PG_CLUSTER_APP_NAME:-cvcluster} - export PG_REPLICATION_MODE="${PG_REPLICATION_MODE:-master}" - - export PG_MASTER_HOST="${PG_MASTER_HOST:-}" - export PG_MASTER_PORT_NUMBER="${PG_MASTER_PORT_NUMBER:-5432}" - export PG_NUM_SYNCHRONOUS_REPLICAS="${PG_NUM_SYNCHRONOUS_REPLICAS:-0}" - export PG_REPLICATION_USER="${PG_REPLICATION_USER:-}" - export PG_REPLICATION_PASSWORD="${PG_REPLICATION_PASSWORD:-}" - - export PG_SYNCHRONOUS_COMMIT_MODE="${PG_SYNCHRONOUS_COMMIT_MODE:-on}" - export PG_FSYNC="${PG_FSYNC:-on}" - - # PostgreSQL settings - export PG_INIT_MAX_TIMEOUT=${PG_INIT_MAX_TIMEOUT:-60} - export PG_INITDB_ARGS="${PG_INITDB_ARGS:-}" - export PG_PORT_NUMBER="${PG_PORT_NUMBER:-5432}" - export PG_HOST_AUTH_METHOD="${PG_HOST_AUTH_METHOD:-md5}" - - # PostgreSQL TLS Settings - - # PostgreSQL LDAP Settings - export PG_ENABLE_LDAP="${PG_ENABLE_LDAP:-no}" - export PG_LDAP_URL="${PG_LDAP_URL:-}" - export PG_LDAP_PREFIX="${PG_LDAP_PREFIX:-}" - export PG_LDAP_SUFFIX="${PG_LDAP_SUFFIX:-}" - export PG_LDAP_SERVER="${PG_LDAP_SERVER:-}" - export PG_LDAP_PORT="${PG_LDAP_PORT:-}" - export PG_LDAP_SCHEME="${PG_LDAP_SCHEME:-}" - export PG_LDAP_TLS="${PG_LDAP_TLS:-}" - export PG_LDAP_BASE_DN="${PG_LDAP_BASE_DN:-}" - export PG_LDAP_BIND_DN="${PG_LDAP_BIND_DN:-}" - export PG_LDAP_BIND_PASSWORD="${PG_LDAP_BIND_PASSWORD:-}" - export PG_LDAP_SEARCH_ATTR="${PG_LDAP_SEARCH_ATTR:-}" - export PG_LDAP_SEARCH_FILTER="${PG_LDAP_SEARCH_FILTER:-}" - - # Authentication - export PG_USERNAME="${PG_USERNAME:-postgres}" - export PG_PASSWORD="${PG_PASSWORD:-}" - export PG_DATABASE="${PG_DATABASE:-postgres}" - - export PG_INITSCRIPTS_USERNAME="${PG_INITSCRIPTS_USERNAME:-${PG_USERNAME}}" - export PG_INITSCRIPTS_PASSWORD="${PG_INITSCRIPTS_PASSWORD:-${PG_PASSWORD}}" -EOF - - # 利用 *_FILE 设置密码,不在配置命令中设置密码,增强安全性 - if [[ -f "${PG_POSTGRES_PASSWORD_FILE:-}" ]]; then - cat <<-'EOF' - export PG_POSTGRES_PASSWORD="$(< "${PG_POSTGRES_PASSWORD_FILE}")" -EOF - else - cat <<-'EOF' - export PG_POSTGRES_PASSWORD="${PG_POSTGRES_PASSWORD:-}" -EOF - fi - - if [[ -f "${PG_PASSWORD_FILE:-}" ]]; then - cat <<-'EOF' - export PG_PASSWORD="$(< "${PG_PASSWORD_FILE}")" -EOF - fi - - if [[ -f "${PG_REPLICATION_PASSWORD_FILE:-}" ]]; then - cat <<-'EOF' - export PG_REPLICATION_PASSWORD="$(< "${PG_REPLICATION_PASSWORD_FILE}")" -EOF - fi -} - # 配置 libnss_wrapper 以使得 PostgreSQL 命令可以以任意用户身份执行 postgresql_enable_nss_wrapper() { if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then @@ -115,15 +21,16 @@ postgresql_enable_nss_wrapper() { export LD_PRELOAD='/usr/lib/libnss_wrapper.so' export NSS_WRAPPER_PASSWD="$(mktemp)" export NSS_WRAPPER_GROUP="$(mktemp)" - echo "postgres:x:$(id -u):$(id -g):PostgreSQL:${PGDATA}:/bin/false" > "$NSS_WRAPPER_PASSWD" - echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:${PG_DATA_DIR}:/bin/false" > "${NSS_WRAPPER_PASSWD}" + echo "postgres:x:$(id -g):" > "${NSS_WRAPPER_GROUP}" fi } +# 禁用 libnss_wrapper postgresql_disable_nss_wrapper() { # unset/cleanup "nss_wrapper" bits if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + rm -f "${NSS_WRAPPER_PASSWD}" "${NSS_WRAPPER_GROUP}" unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP fi } @@ -136,27 +43,12 @@ postgresql_disable_nss_wrapper() { postgresql_common_conf_set() { local file="${1:?missing file}" local key="${2:?missing key}" - shift - shift - local values=("$@") + local value="${3:?missing value}" - if [[ "${#values[@]}" -eq 0 ]]; then - LOG_E "missing value" - return 1 - elif [[ "${#values[@]}" -ne 1 ]]; then - for i in "${!values[@]}"; do - postgresql_common_conf_set "$file" "${key[$i]}" "${values[$i]}" - done + if grep -q "^#*\s*${key}" "$file" >/dev/null; then + replace_in_file "$file" "^#*\s*${key}\s*=.*" "${key} = '${value}'" false else - value="${values[0]}" - # Check if the value was set before - if grep -q "^[#\\s]*$key\s*=.*" "$file"; then - # Update the existing key - replace_in_file "$file" "^[#\\s]*${key}\s*=.*" "${key} = \'${value}\'" false - else - # 增加一个新的配置项;如果在其他位置有类似操作,需要注意换行 - printf "%s = %s" "$key" "$value" >>"$file" - fi + echo "${property} = '${value}'" >>"$file" fi } @@ -193,8 +85,8 @@ postgresql_recover_set() { } # 初始化 pg_hba.conf 文件,增加 LDAP 配置;同时保留本地认证 -postgresql_ldap_auth_configuration() { - LOG_I "Generating LDAP authentication configuration" +postgresql_hba_ldap_auth() { + LOG_I "Enabling LDAP authentication" local ldap_configuration="" if [[ -n "${PG_LDAP_URL}" ]]; then @@ -214,34 +106,56 @@ postgresql_ldap_auth_configuration() { [[ -n "${PG_LDAP_SCHEME}" ]] && ldap_configuration+=" ldapscheme=${PG_LDAP_SCHEME}" fi - cat <<-'EOF' > "${PG_HBA_FILE}" - local all all trust - host all postgres 0.0.0.0/0 trust - host all postgres ::/0 trust - host all all 0.0.0.0/0 ldap ${ldap_configuration} - host all all ::/0 ldap ${ldap_configuration} + cat <"${PG_HBA_FILE}" +host all postgres 0.0.0.0/0 trust +host all postgres ::/0 trust +host all all 0.0.0.0/0 ldap ${ldap_configuration} +host all all ::/0 ldap ${ldap_configuration} EOF } -# 修改 pg_hba.conf 文件,增加主从复制从服务器认证许可 -postgresql_add_replication_to_pghba() { +# 设置 pg_hba.conf 文件,增加 TLS 配置 +postgresql_hba_allow_tls_connection() { + LOG_I "Enabling TLS client authentication" + + cat <>"${PG_HBA_FILE}" +hostssl all all 0.0.0.0/0 cert +hostssl all all ::/0 cert +EOF +} + +# 设置 pg_hba.conf 文件,允许 replication 访问 +postgresql_hba_allow_replication_connection() { + LOG_I "Enabling replication client authentication" + local replication_auth="trust" - if [[ -n "$PG_REPLICATION_PASSWORD" ]]; then + if [[ -n "${PG_REPLICATION_PASSWORD}" ]]; then replication_auth="md5" fi - cat <<-'EOF' >> "$PG_HBA_FILE" - host replication all 0.0.0.0/0 ${replication_auth} - host replication all ::/0 ${replication_auth} + cat <>"${PG_HBA_FILE}" +host replication all 0.0.0.0/0 ${replication_auth} +host replication all ::/0 ${replication_auth} +EOF +} + +# 设置 pg_hba.conf,允许本地访问 +postgresql_hba_allow_local_connection() { + LOG_I "Enabling local client authentication" + + cat <>"${PG_HBA_FILE}" +local all all trust +host all all 127.0.0.1/0 trust +host all all ::1/128 trust EOF } # 初始化 pg_hba.conf 文件 -postgresql_password_auth_configuration() { - LOG_I "Generating local authentication configuration" - cat <<-'EOF' > "$PG_HBA_FILE" - local all all trust - host all all 0.0.0.0/0 trust - host all all ::/0 trust +postgresql_hba_password_auth() { + LOG_I "Enabling password client authentication" + + cat <"${PG_HBA_FILE}" +host all all 0.0.0.0/0 trust +host all all ::/0 trust EOF } @@ -261,10 +175,10 @@ postgresql_execute() { local -r port="${5:-${PG_PORT_NUMBER}}" local -r opts="${6:-}" - local args=( "-h" "$host" "-p" "$port" "-U" "$user" ) - local cmd=("psql") - [[ -n "$db" ]] && args+=( "-d" "$db" ) - [[ -n "$opts" ]] && args+=( "$opts" ) + local args=("-h" "$host" "-p" "$port" "-U" "$user") + local cmd=("${APP_HOME_DIR}/bin/psql") + [[ -n "$db" ]] && args+=("-d" "$db") + [[ -n "$opts" ]] && args+=("$opts") LOG_D "Execute args: ${args[@]}" if is_boolean_yes "${ENV_DEBUG}"; then PGPASSWORD=$pass "${cmd[@]}" "${args[@]}" @@ -273,60 +187,132 @@ postgresql_execute() { fi } +# 使用环境变量中的配置值更新配置文件 +postgresql_configure_from_environment_variables() { + LOG_D "Modify postgresql.conf with PG_CFG_* values..." + for var in "${!PG_CFG_@}"; do + key="$(echo "$var" | sed -e 's/^PG_CFG_//g' | tr '[:upper:]' '[:lower:]')" + value="${!var}" + postgresql_conf_set "$key" "$value" + done +} + # 生成初始 postgres.conf 配置 postgresql_default_postgresql_config() { LOG_I "Modify postgresql.conf with default values..." - [ ! -e "${PG_CONF_FILE}" ] && cp -rf "${APP_DEF_DIR}/postgresql.conf.sample" "${PG_CONF_FILE}" + [ ! -e "${PG_CONF_FILE}" ] && cp -rf "${APP_HOME_DIR}/share/postgresql.conf.sample" "${PG_CONF_FILE}" + postgresql_configure_from_environment_variables + + postgresql_conf_set "logging_collector" "on" postgresql_conf_set "wal_level" "hot_standby" postgresql_conf_set "max_wal_size" "400MB" postgresql_conf_set "max_wal_senders" "16" postgresql_conf_set "wal_keep_segments" "12" + postgresql_conf_set "wal_log_hints" "on" postgresql_conf_set "hot_standby" "on" if (( PG_NUM_SYNCHRONOUS_REPLICAS > 0 )); then - postgresql_conf_set "synchronous_commit" "$PG_SYNCHRONOUS_COMMIT_MODE" + postgresql_conf_set "synchronous_commit" "${PG_SYNCHRONOUS_COMMIT_MODE}" postgresql_conf_set "synchronous_standby_names" "${PG_NUM_SYNCHRONOUS_REPLICAS} (\"${PG_CLUSTER_APP_NAME}\")" fi - postgresql_conf_set "fsync" "$PG_FSYNC" + postgresql_conf_set "fsync" "${PG_FSYNC}" + + [[ -n "${PG_SHARED_PRELOAD_LIBRARIES}" ]] && postgresql_conf_set "shared_preload_libraries" "${PG_SHARED_PRELOAD_LIBRARIES}" + + # Update default value for 'include_dir' directive + # ref: https://github.com/postgres/postgres/commit/fb9c475597c245562a28d1e916b575ac4ec5c19f#diff-f5544d9b6d218cc9677524b454b41c60 + if ! grep include_dir "${PG_CONF_FILE}" > /dev/null; then + postgresql_error "include_dir line is not present in ${PG_CONF_FILE}. This may be due to a changes in a new version of PostgreSQL. Please check" + exit 1 + fi + postgresql_conf_set "include_dir" "conf.d" + mkdir -p "${APP_CONF_DIR}/conf.d" } # 生成初始 pg_hba.conf 配置 postgresql_default_hba_config() { LOG_I "Modify pg_hba.conf with default values..." - if is_boolean_yes "${PG_ENABLE_LDAP:-no}"; then - postgresql_ldap_auth_configuration + if is_boolean_yes "${PG_ENABLE_LDAP}"; then + postgresql_hba_ldap_auth else - postgresql_password_auth_configuration + postgresql_hba_password_auth fi } -# 生成初始 pg_hba.conf 配置 +# 更新 pg_hba.conf 文件,仅允许基于密码认证的访问 postgresql_restrict_hba_config() { - LOG_I "Modify pg_hba.conf for restrict configs..." + LOG_I "Check pg_hba.conf for restrict configs..." - if [[ -n "$PG_PASSWORD" ]]; then - LOG_I "Configuring md5 encrypt" + if [[ -n "${PG_PASSWORD}" ]]; then + LOG_D " Configuring md5 encrypt" postgresql_hba_set "trust" "md5" fi } +# 获取软件主版本号 +postgresql_get_major_version() { + psql --version | grep -oE "[0-9]+\.[0-9]+" | grep -oE "^[0-9]+" +} + # 为 Slava 模式工作的节点创建 recovery.conf 文件 postgresql_configure_recovery() { - LOG_I "Setting up streaming replication slave..." - [ ! -e "${PG_RECOVERY_FILE}" ] && cp -f "${APP_DEF_DIR}/recovery.conf.sample" "${PG_RECOVERY_FILE}" + LOG_I "Setting up streaming replication standby..." - # 版本为12以上时, Slave 节点配置保存在 postgresql.conf 文件中 - postgresql_conf_set "primary_conninfo" "host=${PG_MASTER_HOST} port=${PG_MASTER_PORT_NUMBER} user=${PG_REPLICATION_USER} password=${PG_REPLICATION_PASSWORD} application_name=${PG_CLUSTER_APP_NAME}" - postgresql_conf_set "promote_trigger_file" "/tmp/postgresql.trigger.${PG_MASTER_PORT_NUMBER}" - touch "${PGDATA}"/standby.signal + # Recover 配置信息在不同版本保存位置不一样: + # 版本为12及以上时, Slave 节点配置保存在 postgresql.conf 文件中 + # 版本低于12时, Slave 节点配置保存在 recover.conf 文件中 + local -r psql_major_version="$(postgresql_get_major_version)" + if (( psql_major_version >= 12 )); then + postgresql_conf_set "primary_conninfo" "host=${PG_PRIMARY_HOST} port=${PG_PRIMARY_PORT} user=${PG_REPLICATION_USER} password=${PG_REPLICATION_PASSWORD} application_name=${PG_CLUSTER_APP_NAME}" + postgresql_conf_set "promote_trigger_file" "/tmp/postgresql.trigger.${PG_PRIMARY_PORT}" + touch "${PG_DATA_DIR}/standby.signal" + else + [ ! -e "${PG_RECOVERY_FILE}" ] && cp -f "${APP_HOME_DIR}/share/recovery.conf.sample" "${PG_RECOVERY_FILE}" + chmod 600 "${PG_RECOVERY_FILE}" + postgresql_recover_set "standby_mode" "on" + postgresql_recover_set "primary_conninfo" "host=${PG_PRIMARY_HOST} port=${PG_PRIMARY_PORT} user=${PG_REPLICATION_USER} password=${PG_REPLICATION_PASSWORD} application_name=${PG_CLUSTER_APP_NAME}" + postgresql_recover_set "trigger_file" "/tmp/postgresql.trigger.${PG_PRIMARY_PORT}" + fi +} - # 版本低于12时, Slave 节点配置保存在 recover.conf 文件中 - #chmod 600 "${PG_RECOVERY_FILE}" - #postgresql_recover_set "standby_mode" "on" - #postgresql_recover_set "primary_conninfo" "host=${PG_MASTER_HOST} port=${PG_MASTER_PORT_NUMBER} user=${PG_REPLICATION_USER} password=${PG_REPLICATION_PASSWORD} application_name=${PG_CLUSTER_APP_NAME}" - #postgresql_recover_set "trigger_file" "/tmp/postgresql.trigger.${PG_MASTER_PORT_NUMBER}" +# 配置应用日志参数 +postgresql_configure_logging() { + LOG_I "Update logging configuration..." + + [[ -n "${PG_PGAUDIT_LOG}" ]] && postgresql_conf_set "pgaudit.log" "${PG_PGAUDIT_LOG}" + [[ -n "${PG_PGAUDIT_LOG_CATALOG}" ]] && postgresql_conf_set "pgaudit.log_catalog" "${PG_PGAUDIT_LOG_CATALOG}" + [[ -n "${PG_LOG_CONNECTIONS}" ]] && postgresql_conf_set "log_connections" "${PG_LOG_CONNECTIONS}" + [[ -n "${PG_LOG_DISCONNECTIONS}" ]] && postgresql_conf_set "log_disconnections" "${PG_LOG_DISCONNECTIONS}" + [[ -n "${PG_LOG_HOSTNAME}" ]] && postgresql_conf_set "log_hostname" "${PG_LOG_HOSTNAME}" + [[ -n "${PG_CLIENT_MIN_MESSAGES}" ]] && postgresql_conf_set "client_min_messages" "${PG_CLIENT_MIN_MESSAGES}" + [[ -n "${PG_LOG_LINE_PREFIX}" ]] && postgresql_conf_set "log_line_prefix" "${PG_LOG_LINE_PREFIX}" + ([[ -n "${PG_LOG_TIMEZONE}" ]] && postgresql_conf_set "log_timezone" "${PG_LOG_TIMEZONE}") || true +} + +# 配置应用连接控制参数 +postgresql_configure_connections() { + LOG_I "Update TCP connection configuration..." + + [[ -n "${PG_MAX_CONNECTIONS}" ]] && postgresql_conf_set "max_connections" "${PG_MAX_CONNECTIONS}" + [[ -n "${PG_TCP_KEEPALIVES_IDLE}" ]] && postgresql_conf_set "tcp_keepalives_idle" "${PG_TCP_KEEPALIVES_IDLE}" + [[ -n "${PG_TCP_KEEPALIVES_INTERVAL}" ]] && postgresql_conf_set "tcp_keepalives_interval" "${PG_TCP_KEEPALIVES_INTERVAL}" + [[ -n "${PG_TCP_KEEPALIVES_COUNT}" ]] && postgresql_conf_set "tcp_keepalives_count" "${PG_TCP_KEEPALIVES_COUNT}" + ([[ -n "${PG_STATEMENT_TIMEOUT}" ]] && postgresql_conf_set "statement_timeout" "${PG_STATEMENT_TIMEOUT}") || true +} + +# 配置应用 TLS 参数 +postgresql_configure_tls() { + LOG_I "Update TLS configuration..." + + chmod 600 "${PG_TLS_KEY_FILE}" || LOG_W "Could not set compulsory permissions (600) on file ${PG_TLS_KEY_FILE}" + postgresql_conf_set "ssl" "on" + ! is_boolean_yes "${PG_TLS_PREFER_SERVER_CIPHERS}" && postgresql_conf_set "ssl_prefer_server_ciphers" "off" + [[ -n "${PG_TLS_CA_FILE}" ]] && postgresql_conf_set "ssl_ca_file" "${PG_TLS_CA_FILE}" + [[ -n "${PG_TLS_CRL_FILE}" ]] && postgresql_conf_set "ssl_crl_file" "${PG_TLS_CRL_FILE}" + postgresql_conf_set "ssl_cert_file" "${PG_TLS_CERT_FILE}" + postgresql_conf_set "ssl_key_file" "${PG_TLS_KEY_FILE}" } # 为默认的数据库用户 postgres 设置密码 @@ -335,34 +321,46 @@ postgresql_configure_recovery() { postgresql_alter_postgres_user() { local -r escaped_password="${1//\'/\'\'}" LOG_I "Changing password of postgres" + echo "ALTER ROLE postgres WITH PASSWORD '$escaped_password';" | postgresql_execute + if [[ -n "${PG_POSTGRES_CONNECTION_LIMIT}" ]]; then + echo "ALTER ROLE postgres WITH CONNECTION LIMIT ${PG_POSTGRES_CONNECTION_LIMIT};" | postgresql_execute + fi } # 为数据库 $PG_DATABASE 创建管理员账户 postgresql_create_admin_user() { local -r escaped_password="${PG_PASSWORD//\'/\'\'}" + + local connlimit_string="" + if [[ -n "${PG_USERNAME_CONNECTION_LIMIT}" ]]; then + connlimit_string="CONNECTION LIMIT ${PG_USERNAME_CONNECTION_LIMIT}" + fi + LOG_I "Creating user ${PG_USERNAME}" - echo "CREATE ROLE \"${PG_USERNAME}\" WITH LOGIN CREATEDB PASSWORD '${escaped_password}';" | postgresql_execute + echo "CREATE ROLE \"${PG_USERNAME}\" WITH LOGIN ${connlimit_string} CREATEDB PASSWORD '${escaped_password}';" | postgresql_execute LOG_I "Granting access to \"${PG_USERNAME}\" to the database \"${PG_DATABASE}\"" - echo "GRANT ALL PRIVILEGES ON DATABASE \"${PG_DATABASE}\" TO \"${PG_USERNAME}\"\;" | postgresql_execute "" "postgres" "$PG_POSTGRES_PASSWORD" + echo "GRANT ALL PRIVILEGES ON DATABASE \"${PG_DATABASE}\" TO \"${PG_USERNAME}\"\;" | postgresql_execute "" "postgres" "${PG_POSTGRES_PASSWORD}" } -# 为 master-slave 复制模式创建用户 +# 为 primary-standby 复制模式创建用户 postgresql_create_replication_user() { local -r escaped_password="${PG_REPLICATION_PASSWORD//\'/\'\'}" LOG_I "Creating replication user ${PG_REPLICATION_USER}" - echo "CREATE ROLE \"$PG_REPLICATION_USER\" REPLICATION LOGIN ENCRYPTED PASSWORD '$escaped_password'" | postgresql_execute + + echo "CREATE ROLE \"${PG_REPLICATION_USER}\" WITH REPLICATION LOGIN ENCRYPTED PASSWORD '$escaped_password'" | postgresql_execute } # 创建用户自定义数据库 $PG_DATABASE postgresql_create_custom_database() { LOG_I "Creating custom database ${PG_DATABASE}" + echo "CREATE DATABASE \"${PG_DATABASE}\"" | postgresql_execute "" "postgres" "" "localhost" } # 检测用户参数信息是否满足条件; 针对部分权限过于开放情况,打印提示信息 -app_verify_minimum_env() { +postgresql_verify_minimum_env() { local error_code=0 LOG_D "Validating settings in PG_* env vars..." @@ -378,6 +376,7 @@ app_verify_minimum_env() { empty_password_error() { print_validation_error "The $1 environment variable is empty or not set. Set the environment variable ALLOW_ANONYMOUS_LOGIN=yes to allow the container to be started with blank passwords. This is recommended only for development." } + if is_boolean_yes "${ALLOW_ANONYMOUS_LOGIN}"; then empty_password_warn else @@ -396,19 +395,19 @@ app_verify_minimum_env() { fi if [[ -n "${PG_REPLICATION_MODE}" ]]; then - if [[ "${PG_REPLICATION_MODE}" = "master" ]]; then + if [[ "${PG_REPLICATION_MODE}" = "primary" ]]; then if (( PG_NUM_SYNCHRONOUS_REPLICAS < 0 )); then print_validation_error "The number of synchronous replicas cannot be less than 0. Set the environment variable PG_NUM_SYNCHRONOUS_REPLICAS" fi - elif [[ "${PG_REPLICATION_MODE}" = "slave" ]]; then - if [[ -z "${PG_MASTER_HOST}" ]]; then - print_validation_error "Slave replication mode chosen without setting the environment variable PG_MASTER_HOST. Use it to indicate where the Master node is running" + elif [[ "${PG_REPLICATION_MODE}" = "standby" ]]; then + if [[ -z "${PG_PRIMARY_HOST}" ]]; then + print_validation_error "Slave replication mode chosen without setting the environment variable PG_PRIMARY_HOST. Use it to indicate where the Master node is running" fi if [[ -z "${PG_REPLICATION_USER}" ]]; then - print_validation_error "Slave replication mode chosen without setting the environment variable PG_REPLICATION_USER. Make sure that the master also has this parameter set" + print_validation_error "Slave replication mode chosen without setting the environment variable PG_REPLICATION_USER. Make sure that the primary also has this parameter set" fi else - print_validation_error "Invalid replication mode. Available options are 'master/slave'" + print_validation_error "Invalid replication mode. Available options are 'primary/standby'" fi # Common replication checks if [[ -n "${PG_REPLICATION_USER}" ]] && [[ -z "${PG_REPLICATION_PASSWORD}" ]]; then @@ -435,18 +434,46 @@ app_verify_minimum_env() { empty_password_error "You can not set PG_LDAP_URL and PG_LDAP_SERVER at the same time. Check your LDAP configuration." fi + if ! is_yes_no_value "${PG_ENABLE_TLS}"; then + print_validation_error "The values allowed for PG_ENABLE_TLS are: yes or no" + elif is_boolean_yes "${PG_ENABLE_TLS}"; then + if [[ -z "${PG_TLS_CERT_FILE}" ]]; then + print_validation_error "You must provide a X.509 certificate in order to use TLS" + elif [[ ! -f "${PG_TLS_CERT_FILE}" ]]; then + print_validation_error "The X.509 certificate file in the specified path ${PG_TLS_CERT_FILE} does not exist" + fi + if [[ -z "${PG_TLS_KEY_FILE}" ]]; then + print_validation_error "You must provide a private key in order to use TLS" + elif [[ ! -f "${PG_TLS_KEY_FILE}" ]]; then + print_validation_error "The private key file in the specified path ${PG_TLS_KEY_FILE} does not exist" + fi + if [[ -z "${PG_TLS_CA_FILE}" ]]; then + warn "A CA X.509 certificate was not provided. Client verification will not be performed in TLS connections" + elif [[ ! -f "${PG_TLS_CA_FILE}" ]]; then + print_validation_error "The CA X.509 certificate file in the specified path ${PG_TLS_CA_FILE} does not exist" + fi + if [[ -n "${PG_TLS_CRL_FILE}" ]] && [[ ! -f "${PG_TLS_CRL_FILE}" ]]; then + print_validation_error "The CRL file in the specified path ${PG_TLS_CRL_FILE} does not exist" + fi + if ! is_yes_no_value "${PG_TLS_PREFER_SERVER_CIPHERS}"; then + print_validation_error "The values allowed for PG_TLS_PREFER_SERVER_CIPHERS are: yes or no" + fi + fi + [[ "$error_code" -eq 0 ]] || exit "$error_code" } # 更改默认监听地址为 "*" 或 "0.0.0.0",以对容器外提供服务;默认配置文件应当为仅监听 localhost(127.0.0.1) -app_enable_remote_connections() { +postgresql_enable_remote_connections() { LOG_I "Modify default config to enable all IP access" + postgresql_conf_set "listen_addresses" "*" } # 以后台方式启动应用服务,并等待启动就绪 -app_start_server_bg() { - is_app_server_running && return +postgresql_start_server_bg() { + postgresql_is_server_running && return + LOG_I "Starting ${APP_NAME} in background..." # -w wait until operation completes (default) # -W don't wait until operation completes @@ -456,21 +483,20 @@ app_start_server_bg() { # --config-file 指定配置文件 # --external_pid_file 指定 PID 文件,在配置文件中已定义 # --hba_file 指定 HBA 文件,在配置文件中已定义 - local -r pg_ctl_flags=("-W" "-D" "${PGDATA}" "-o" "--config-file=${PG_CONF_FILE} --external_pid_file=${PG_PID_FILE} --hba_file=${PG_HBA_FILE}") - LOG_I "Starting ${APP_NAME} in background..." - local pg_ctl_cmd=(pg_ctl) + local -r pg_ctl_flags=("-w" "-D" "${PG_DATA_DIR}" "-l" "${PG_LOG_FILE}" "-o" "--config-file=${PG_CONF_FILE} --external_pid_file=${PG_EXT_PID_FILE} --hba_file=${PG_HBA_FILE}") + local pg_ctl_cmd=("${APP_HOME_DIR}/bin/pg_ctl") if is_boolean_yes "${ENV_DEBUG}"; then "${pg_ctl_cmd[@]}" "start" "${pg_ctl_flags[@]}" else "${pg_ctl_cmd[@]}" "start" "${pg_ctl_flags[@]}" "-s" >/dev/null 2>&1 fi - local -r check_args=("-h" "localhost" "-p" "${PG_PORT_NUMBER}" "-U" "postgres") - local check_cmd=(pg_isready) + local -r check_args=("-U" "postgres") + local check_cmd=("${APP_HOME_DIR}/bin/pg_isready") local counter=${PG_INIT_MAX_TIMEOUT} # 通过命令或特定端口检测应用是否就绪 LOG_I "Checking ${APP_NAME} ready status..." - while ! PGPASSWORD=${PG_PASSWORD} "${check_cmd[@]}" "${check_args[@]}" "-q" >/dev/null 2>&1; do + while ! "${check_cmd[@]}" "${check_args[@]}" "-q" >/dev/null 2>&1; do sleep 1 counter=$(( counter - 1 )) if (( counter <= 0 )); then @@ -483,27 +509,27 @@ app_start_server_bg() { } # 停止应用服务 -app_stop_server_bg() { - if is_app_server_running ; then +postgresql_stop_server() { + if postgresql_is_server_running ; then LOG_I "Stopping background ${APP_NAME}..." if is_boolean_yes "${ENV_DEBUG}"; then - PGUSER="${PG_USERNAME}" pg_ctl -D "${PGDATA}" -m fast -w stop "-s" + PGUSER="postgres" pg_ctl -D "${PG_DATA_DIR}" -m fast -w stop "-s" else - PGUSER="${PG_USERNAME}" pg_ctl -D "${PGDATA}" -m fast -w stop "-s" >/dev/null 2>&1 + PGUSER="postgres" pg_ctl -D "${PG_DATA_DIR}" -m fast -w stop "-s" >/dev/null 2>&1 fi fi # 使用 PID 文件 kill 进程 - #stop_service_using_pid "${PG_PID_FILE}" + #stop_service_using_pid "${PG_EXT_PID_FILE}" } # 检测应用服务是否在后台运行中 -is_app_server_running() { +postgresql_is_server_running() { LOG_D "Check if ${APP_NAME} is running..." local pid - pid="$(get_pid_from_file "${PG_PID_FILE}")" + pid="$(get_pid_from_file "${PG_EXT_PID_FILE}")" if [[ -z "${pid}" ]]; then false @@ -512,67 +538,56 @@ is_app_server_running() { fi } -# 清理初始化应用时生成的临时文件 -app_clean_tmp_file() { - LOG_D "Clean ${APP_NAME} tmp files for init..." +# 清理数据文件 +postgresql_clean_data() { + LOG_D "Clean ${APP_NAME} data files..." - rm -rf "${PG_LOG_FILE}" "${PG_PID_FILE}" "${PGDATA}/standby.signal" "${PGDATA}/recovery.signal" + rm -rf "${PG_DATA_DIR}/*" "${APP_DATA_DIR}/.data_init_flag" } # 在重新启动容器时,删除标志文件及必须删除的临时文件 (容器重新启动) -app_clean_from_restart() { +postgresql_clean_from_restart() { LOG_D "Clean ${APP_NAME} tmp files for restart..." + local -r -a files=( - "${PGDATA}/postmaster.pid" - "${PGDATA}/standby.signal" - "${PGDATA}/recovery.signal" + "${PG_DATA_DIR}/postmaster.pid" + "${PG_DATA_DIR}/standby.signal" + "${PG_DATA_DIR}/recovery.signal" + "${PG_EXT_PID_FILE}" ) - for file in ${files[@]}; do + for file in "${files[@]}"; do if [[ -f "$file" ]]; then - LOG_I "Cleaning stale $file file" - rm "$file" + LOG_I "Remove file: $file" + rm -rf "$file" fi done } +# 清空数据库及配置文件 +postgresql_reset() { + LOG_I "Clean all configuration and database files..." + rm -rf "${PG_DATA_DIR}/*" + rm -rf "${APP_DATA_DIR}/.data_init_flag" "${APP_DATA_DIR}/.custom_preinit_flag" "${APP_DATA_DIR}/.custom_init_flag" + rm -rf "${APP_CONF_DIR}/*" + rm -rf "${APP_CONF_DIR}/.app_init_flag" +} + # 应用默认初始化操作 # 执行完毕后,生成文件 ${APP_CONF_DIR}/.app_init_flag 及 ${APP_DATA_DIR}/.data_init_flag 文件 -app_default_init() { - app_clean_from_restart - LOG_D "Check init status of ${APP_NAME}..." +postgresql_default_init() { + LOG_D "Check default init status of ${APP_NAME}..." + postgresql_clean_from_restart - if [[ ! -f "${APP_DATA_DIR}/.data_init_flag" ]]; then - if [[ "${PG_REPLICATION_MODE}" = "master" ]]; then - postgresql_master_init_db - else - postgresql_slave_init_db - fi - fi - - # 检测配置文件是否存在 - if [[ ! -f "${APP_CONF_DIR}/.app_init_flag" ]]; then - LOG_I "No injected configuration file found, creating default config files..." - postgresql_default_postgresql_config - postgresql_default_hba_config - - if [[ "${PG_REPLICATION_MODE}" = "master" ]]; then - [[ -n "${PG_REPLICATION_USER}" ]] && postgresql_add_replication_to_pghba - else - postgresql_configure_recovery - fi - - touch "${APP_CONF_DIR}/.app_init_flag" - echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_CONF_DIR}/.app_init_flag" - else - LOG_I "User injected custom configuration detected!" - fi - - if [[ ! -f "${APP_DATA_DIR}/.data_init_flag" ]]; then + if is_dir_empty "${PG_DATA_DIR}"; then LOG_I "Deploying ${APP_NAME} from scratch..." - if [[ "${PG_REPLICATION_MODE}" = "master" ]]; then - # 检测服务是否运行中如果未运行,则启动后台服务 - is_app_server_running || app_start_server_bg + [ ! -e "${PG_HBA_FILE}" ] && postgresql_default_hba_config && postgresql_hba_allow_local_connection + [ ! -e "${PG_CONF_FILE}" ] && postgresql_default_postgresql_config + + if [[ "${PG_REPLICATION_MODE}" = "primary" ]]; then + postgresql_primary_init_db + + postgresql_start_server_bg [[ "${PG_DATABASE}" != "postgres" ]] && postgresql_create_custom_database # 为数据库授权;默认用户不为 postgres 时,需要创建管理员账户 @@ -580,25 +595,60 @@ app_default_init() { if [[ "${PG_USERNAME}" = "postgres" ]]; then [[ -n "${PG_PASSWORD}" ]] && postgresql_alter_postgres_user "${PG_PASSWORD}" else - if [[ -n "${PG_POSTGRES_PASSWORD}" ]]; then - postgresql_alter_postgres_user "${PG_POSTGRES_PASSWORD}" - fi + [[ -n "${PG_POSTGRES_PASSWORD}" ]] && postgresql_alter_postgres_user "${PG_POSTGRES_PASSWORD}" postgresql_create_admin_user fi [[ -n "${PG_REPLICATION_USER}" ]] && postgresql_create_replication_user + else + postgresql_standby_init_db fi - - touch ${APP_DATA_DIR}/.data_init_flag - echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> ${APP_DATA_DIR}/.data_init_flag else LOG_I "Deploying ${APP_NAME} with persisted data..." + export PG_FIRST_BOOT="no" fi + + # 检测配置文件是否存在 + if [[ ! -f "${APP_CONF_DIR}/.app_init_flag" ]]; then + LOG_I "Deploying postgresql with new configuration" + postgresql_default_postgresql_config + postgresql_default_hba_config + postgresql_hba_allow_local_connection + + if [[ "${PG_REPLICATION_MODE}" = "primary" ]]; then + [[ -n "${PG_REPLICATION_USER}" ]] && postgresql_hba_allow_replication_connection + else + postgresql_configure_recovery + fi + + if is_boolean_yes "${PG_ENABLE_TLS}" ; then + postgresql_configure_tls + [[ -n "${PG_TLS_CA_FILE}" ]] && postgresql_hba_allow_tls_connection + fi + + postgresql_configure_logging + postgresql_configure_connections + + touch "${APP_CONF_DIR}/.app_init_flag" + echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_CONF_DIR}/.app_init_flag" + else + LOG_I "Deploying postgresql with persisted configuration" + fi + + if [[ ! -f "${APP_DATA_DIR}/.data_init_flag" ]]; then + touch ${APP_DATA_DIR}/.data_init_flag + echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> ${APP_DATA_DIR}/.data_init_flag + fi + + postgresql_restrict_hba_config + + # 删除第一次运行时生成的默认配置文件 + rm -f "${PG_DATA_DIR}"/postgresql.conf "${PG_DATA_DIR}"/pg_hba.conf } # 用户自定义的前置初始化操作,依次执行目录 preinitdb.d 中的初始化脚本 # 执行完毕后,生成文件 ${APP_DATA_DIR}/.custom_preinit_flag -app_custom_preinit() { - LOG_D "Check custom pre-init status of ${APP_NAME}..." +postgresql_custom_preinit() { + LOG_I "Check custom pre-init status of ${APP_NAME}..." # 检测用户配置文件目录是否存在 preinitdb.d 文件夹,如果存在,尝试执行目录中的初始化脚本 if [ -d "/srv/conf/${APP_NAME}/preinitdb.d" ]; then @@ -626,8 +676,8 @@ app_custom_preinit() { # 用户自定义的应用初始化操作,依次执行目录initdb.d中的初始化脚本 # 执行完毕后,生成文件 ${APP_DATA_DIR}/.custom_init_flag -app_custom_init() { - LOG_D "Check custom init status of ${APP_NAME}..." +postgresql_custom_init() { + LOG_I "Check custom initdb status of ${APP_NAME}..." # 检测用户配置文件目录是否存在 initdb.d 文件夹,如果存在,尝试执行目录中的初始化脚本 if [ -d "/srv/conf/${APP_NAME}/initdb.d" ]; then @@ -636,8 +686,8 @@ app_custom_init() { [[ ! -f "${APP_DATA_DIR}/.custom_init_flag" ]]; then LOG_I "Process custom init scripts from /srv/conf/${APP_NAME}/initdb.d..." - # 检测服务是否运行中;如果未运行,则启动后台服务 - is_app_server_running || app_start_server_bg + # 启动后台服务 + postgresql_start_server_bg # 检索所有可执行脚本,排序后执行 find "/srv/conf/${APP_NAME}/initdb.d/" -type f -regex ".*\.\(sh\|sql\|sql.gz\)" | sort | while read -r f; do @@ -649,9 +699,16 @@ app_custom_init() { LOG_D "Sourcing $f"; . "$f" fi ;; - *.sql) LOG_D "Executing $f"; postgresql_execute "$PG_DATABASE" "$PG_INITSCRIPTS_USERNAME" "$PG_INITSCRIPTS_PASSWORD" < "$f";; - *.sql.gz) LOG_D "Executing $f"; gunzip -c "$f" | postgresql_execute "$PG_DATABASE" "$PG_INITSCRIPTS_USERNAME" "$PG_INITSCRIPTS_PASSWORD";; - *) LOG_D "Ignoring $f" ;; + *.sql) + LOG_D "Executing $f"; + postgresql_execute "${PG_DATABASE}" "${PG_INITSCRIPTS_USERNAME}" "${PG_INITSCRIPTS_PASSWORD}" < "$f" + ;; + *.sql.gz) + LOG_D "Executing $f"; + gunzip -c "$f" | postgresql_execute "${PG_DATABASE}" "${PG_INITSCRIPTS_USERNAME}" "${PG_INITSCRIPTS_PASSWORD}" + ;; + *) + LOG_D "Ignoring $f" ;; esac done @@ -662,29 +719,11 @@ app_custom_init() { LOG_I "Custom init for ${APP_NAME} already done before, skipping initialization." fi fi - - # 检测服务是否运行中;如果运行,则停止后台服务 - app_stop_server_bg - - # 删除第一次运行生成的临时文件 - app_clean_tmp_file - - # 如果设置了用户密码,启用 md5 加密的密码认证 - postgresql_restrict_hba_config - - # 绑定所有 IP ,启用远程访问 - app_enable_remote_connections } # 初始化 Master 节点数据库 -postgresql_master_init_db() { - if ! is_dir_empty "${PGDATA}"; then - LOG_E "Directory ${PGDATA} exists but is not empty," - LOG_E "If you want to create a new database system, either remove or empty" - LOG_E "the directory ${PGDATA}, or run initdb" - LOG_E "with an argument other than ${PGDATA}." - exit 1 - fi +postgresql_primary_init_db() { + LOG_I "Initializing PostgreSQL database" postgresql_enable_nss_wrapper @@ -694,47 +733,47 @@ postgresql_master_init_db() { read -r -a envExtraFlags <<< "${PG_INITDB_ARGS}" initdb_args+=("${envExtraFlags[@]}") fi - #initdb+=("-o" "--config-file=${PG_CONF_FILE} --external_pid_file=${PG_PID_FILE} --hba_file=${PG_HBA_FILE}") - initdb_args+=("--waldir=${PG_INITDB_WAL_DIR}") + #initdb+=("-o" "--config-file=${PG_CONF_FILE} --external_pid_file=${PG_EXT_PID_FILE} --hba_file=${PG_HBA_FILE}") + if [[ -n "${PG_INITDB_WAL_DIR:-}" ]]; then + initdb_args+=("--waldir=${PG_INITDB_WAL_DIR}") + fi - local initdb_cmd=(initdb) - - LOG_I "Initializing PostgreSQL database" + local initdb_cmd=("${APP_HOME_DIR}/bin/initdb") if [[ -n "${initdb_args[*]}" ]]; then LOG_I "extra initdb arguments: ${initdb_args[*]}" fi if is_boolean_yes "${ENV_DEBUG}"; then - "${initdb_cmd[@]}" -E UTF8 -D "${PGDATA}" -U "postgres" "${initdb_args[@]}" + "${initdb_cmd[@]}" -E UTF8 -D "${PG_DATA_DIR}" -U "postgres" "${initdb_args[@]}" else - "${initdb_cmd[@]}" -E UTF8 -D "${PGDATA}" -U "postgres" "${initdb_args[@]}" >/dev/null 2>&1 + "${initdb_cmd[@]}" -E UTF8 -D "${PG_DATA_DIR}" -U "postgres" "${initdb_args[@]}" >/dev/null 2>&1 fi postgresql_disable_nss_wrapper } # 初始化 Slave 节点数据库 -postgresql_slave_init_db() { - LOG_I "Waiting for replication master to accept connections (${PG_INIT_MAX_TIMEOUT} seconds)..." - local -r check_args=("-U" "${PG_REPLICATION_USER}" "-h" "${PG_MASTER_HOST}" "-p" "${PG_MASTER_PORT_NUMBER}" "-d" "${PG_DATABASE}") - local check_cmd=(pg_isready) +postgresql_standby_init_db() { + LOG_I "Waiting for replication primary to accept connections (${PG_INIT_MAX_TIMEOUT} seconds)..." + local -r check_args=("-U" "${PG_REPLICATION_USER}" "-h" "${PG_PRIMARY_HOST}" "-p" "${PG_PRIMARY_PORT}" "-d" "${PG_DATABASE}") + local check_cmd=("${APP_HOME_DIR}/bin/pg_isready") local ready_counter=${PG_INIT_MAX_TIMEOUT} while ! PGPASSWORD=${PG_REPLICATION_PASSWORD} "${check_cmd[@]}" "${check_args[@]}" >/dev/null 2>&1;do sleep 1 ready_counter=$(( ready_counter - 1 )) if (( ready_counter <= 0 )); then - LOG_E "PostgreSQL master is not ready after ${PG_INIT_MAX_TIMEOUT} seconds" + LOG_E "PostgreSQL primary is not ready after ${PG_INIT_MAX_TIMEOUT} seconds" exit 1 fi done - LOG_I "Replicating the database from node master..." - #local -r backup_args=("-D" "$PGDATA" -d "hostaddr=$PG_MASTER_HOST port=$PG_MASTER_PORT_NUMBER user=$PG_REPLICATION_USER password=$PG_REPLICATION_PASSWORD" -v -Fp -Xs - local -r backup_args=("-D" "${PGDATA}" "-U" "${PG_REPLICATION_USER}" "-h" "${PG_MASTER_HOST}" "-p" "${PG_MASTER_PORT_NUMBER}" "-X" "stream" "-w" "-v" "-P") - local backup_cmd=(pg_basebackup) - local replication_counter=$PG_INIT_MAX_TIMEOUT + LOG_I "Replicating the database from node primary..." + #local -r backup_args=("-D" "$PG_DATA_DIR" -d "hostaddr=$PG_PRIMARY_HOST port=$PG_PRIMARY_PORT user=$PG_REPLICATION_USER password=$PG_REPLICATION_PASSWORD" -v -Fp -Xs + local -r backup_args=("-D" "${PG_DATA_DIR}" "-U" "${PG_REPLICATION_USER}" "-h" "${PG_PRIMARY_HOST}" "-p" "${PG_PRIMARY_PORT}" "-X" "stream" "-w" "-v" "-P") + local backup_cmd=("${APP_HOME_DIR}/bin/pg_basebackup") + local replication_counter=${PG_INIT_MAX_TIMEOUT} while ! PGPASSWORD=${PG_REPLICATION_PASSWORD} "${backup_cmd[@]}" "${backup_args[@]}";do LOG_D "Backup command failed. Sleeping and trying again" diff --git a/alpine/customer/usr/local/bin/entry.sh b/alpine/customer/usr/local/bin/entry.sh index b306dfc..6d4f9b9 100755 --- a/alpine/customer/usr/local/bin/entry.sh +++ b/alpine/customer/usr/local/bin/entry.sh @@ -8,9 +8,10 @@ set -eu set -o pipefail -. /usr/local/bin/appcommon.sh # 应用专用函数库 +. /usr/local/bin/comm-${APP_NAME}.sh # 应用专用函数库 + +. /usr/local/bin/comm-env.sh # 设置环境变量 -eval "$(app_env)" LOG_I "** Processing entry.sh **" if ! is_sourced; then diff --git a/alpine/customer/usr/local/bin/init.sh b/alpine/customer/usr/local/bin/init.sh index 727d9fa..937c4cd 100755 --- a/alpine/customer/usr/local/bin/init.sh +++ b/alpine/customer/usr/local/bin/init.sh @@ -8,18 +8,25 @@ set -eu set -o pipefail -. /usr/local/bin/appcommon.sh # 应用专用函数库 +. /usr/local/bin/comm-${APP_NAME}.sh # 应用专用函数库 + +. /usr/local/bin/comm-env.sh # 设置环境变量 -eval "$(app_env)" LOG_I "** Processing init.sh **" +trap "postgresql_stop_server" EXIT + # 执行应用预初始化操作 -app_custom_preinit +${APP_NAME}_custom_preinit # 执行应用初始化操作 -app_default_init +${APP_NAME}_default_init # 执行用户自定义初始化脚本 -app_custom_init +${APP_NAME}_custom_init + +# 绑定所有 IP 及 指定端口 ,启用远程访问 +postgresql_enable_remote_connections +postgresql_conf_set "port" "${PG_PORT_NUMBER}" LOG_I "** Processing init.sh finished! **" diff --git a/alpine/customer/usr/local/bin/run.sh b/alpine/customer/usr/local/bin/run.sh index 7f2c095..bdb6ea8 100755 --- a/alpine/customer/usr/local/bin/run.sh +++ b/alpine/customer/usr/local/bin/run.sh @@ -8,18 +8,20 @@ set -eu set -o pipefail -. /usr/local/bin/appcommon.sh # 应用专用函数库 +. /usr/local/bin/comm-${APP_NAME}.sh # 应用专用函数库 + +. /usr/local/bin/comm-env.sh # 设置环境变量 -eval "$(app_env)" LOG_I "** Processing run.sh **" -flags=("${APP_CONF_FILE:-}") +flags=("-D" "/srv/data/${APP_NAME}/data") [[ -z "${APP_EXTRA_FLAGS:-}" ]] || flags=("${flags[@]}" "${APP_EXTRA_FLAGS[@]}") -START_COMMAND=("${APP_EXEC}" "${flags[@]}") +START_COMMAND=("${APP_EXEC}") LOG_I "** Starting ${APP_NAME} **" if is_root; then - exec gosu "${APP_USER}" tini -s -- "${START_COMMAND[@]}" + exec gosu "${APP_USER}" tini -s -- "${START_COMMAND[@]}" "${flags[@]}" else - exec tini -s -- "${START_COMMAND[@]}" + exec tini -s -- "${START_COMMAND[@]}" "${flags[@]}" fi + diff --git a/alpine/customer/usr/local/bin/setup.sh b/alpine/customer/usr/local/bin/setup.sh index e8e73ce..8b51233 100755 --- a/alpine/customer/usr/local/bin/setup.sh +++ b/alpine/customer/usr/local/bin/setup.sh @@ -8,34 +8,38 @@ set -eu set -o pipefail -. /usr/local/bin/appcommon.sh # 应用专用函数库 +. /usr/local/bin/comm-${APP_NAME}.sh # 应用专用函数库 + +. /usr/local/bin/comm-env.sh # 设置环境变量 -eval "$(app_env)" LOG_I "** Processing setup.sh **" APP_DIRS="${APP_CONF_DIR:-} ${APP_DATA_DIR:-} ${APP_LOG_DIR:-} ${APP_CERT_DIR:-} ${APP_DATA_LOG_DIR:-}" -APP_DIRS="${APP_DIRS} ${PGDATA}" +APP_DIRS="${APP_DIRS} ${PG_DATA_DIR:-} ${PG_INITDB_WAL_DIR:-}" +LOG_I "Ensure directory exists: ${APP_DIRS}" for dir in ${APP_DIRS}; do ensure_dir_exists ${dir} done -app_verify_minimum_env +${APP_NAME}_verify_minimum_env # 检测指定文件是否在配置文件存储目录存在,如果不存在则拷贝(新挂载数据卷、手动删除都会导致不存在) -LOG_I "Check config files in: ${APP_CONF_DIR}" -if [[ ! -z "$(ls -A "${APP_DEF_DIR}")" ]]; then +# PG 将使用默认模板生成配置文件,并放置在PGDATA目录 +#LOG_I "Check config files in: ${APP_CONF_DIR}" +#if [[ ! -z "$(ls -A "${APP_DEF_DIR}")" ]]; then # ensure_config_file_exist "${APP_DEF_DIR}" $(ls -A "${APP_DEF_DIR}") - : -fi +# : +#fi +LOG_I "Ensure directory ownership: ${APP_USER}" for dir in ${APP_DIRS}; do configure_permissions_ownership "$dir" -u "${APP_USER}" -g "${APP_USER}" done # 解决 PostgreSQL 目录权限过于开放,无法初始化问题:FATAL: data directory "/srv/data/postgresql" has group or world access -LOG_D "Lack of permissions on data directory: ${PGDATA}" -chmod 0700 ${PGDATA} +LOG_D "Lack of permissions on data directory: ${PG_DATA_DIR}" +chmod 0700 ${PG_DATA_DIR} # 解决使用gosu后,nginx: [emerg] open() "/dev/stdout" failed (13: Permission denied) LOG_D "Change permissions of stdout/stderr to 0622" diff --git a/alpine/customer/usr/local/overrides/overrides-12.4.sh b/alpine/customer/usr/local/overrides/overrides-12.4.sh index eebd74e..c5b6e9e 100644 --- a/alpine/customer/usr/local/overrides/overrides-12.4.sh +++ b/alpine/customer/usr/local/overrides/overrides-12.4.sh @@ -1,6 +1,6 @@ #!/bin/bash -ex -POSTGRESQL_CONF="${APP_HOME_DIR}/share/${APP_NAME}/postgresql.conf.sample" +POSTGRESQL_CONF="${APP_HOME_DIR}/share/postgresql.conf.sample" # 在安装完应用后,使用该脚本修改默认配置文件中部分配置项 # 如果相应的配置项已经定义整体环境变量,则不需要在这里修改 @@ -10,23 +10,23 @@ echo "Process overrides for default configs..." # 设置默认监听地址为 localhost ,防止初始化操作期间外部链接,在容器初始化完成后修改为监听所有地址 sed -i -E "s/^#?(listen_addresses) .*/\1 = 'localhost'/g" ${POSTGRESQL_CONF} -sed -i -E "s/^data_directory .*/data_directory = '\/srv\/data\/${APP_NAME}\/data'/g" ${POSTGRESQL_CONF} -sed -i -E "s/^hba_file .*/hba_file = '\/srv\/data\/${APP_NAME}\/data\/pg_hba.conf'/g" ${POSTGRESQL_CONF} -sed -i -E "s/^ident_file .*/ident_file = '\/srv\/data\/${APP_NAME}\/data\/pg_ident.conf'/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#external_pid_file .*/external_pid_file = '\/var\/run\/${APP_NAME}\/postgresql.pid'/g" ${POSTGRESQL_CONF} -sed -i -E "s/^max_connections .*/max_connections = 2000/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#password_encryption .*/password_encryption = md5/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?data_directory .*/data_directory = '\/srv\/data\/${APP_NAME}\/data'/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?hba_file .*/hba_file = '\/srv\/conf\/${APP_NAME}\/pg_hba.conf'/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?ident_file .*/ident_file = '\/srv\/data\/${APP_NAME}\/data\/pg_ident.conf'/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?external_pid_file .*/external_pid_file = '\/var\/run\/${APP_NAME}\/postgresql.pid'/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?max_connections .*/max_connections = 2000/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?password_encryption .*/password_encryption = md5/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#log_destination .*/log_destination = 'stderr'/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#logging_collector .*/logging_collector = on/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#log_directory .*/log_directory = '\/var\/log\/${APP_NAME}'/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#log_filename .*/log_filename = 'postgresql-\%Y-\%m-\%d_\%H\%M\%S.log'/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#log_truncate_on_rotation .*/log_truncate_on_rotation = on/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#log_rotation_age .*/log_rotation_age = 1d/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#log_rotation_size .*/log_rotation_size = 0/g" ${POSTGRESQL_CONF} -sed -i -E "s/^log_timezone .*/log_timezone = 'Asia\/Shanghai'/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?log_destination .*/log_destination = 'stderr'/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?logging_collector .*/logging_collector = on/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?log_directory .*/log_directory = '\/var\/log\/${APP_NAME}'/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?log_filename .*/log_filename = 'postgresql-\%Y-\%m-\%d_\%H\%M\%S.log'/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?log_truncate_on_rotation .*/log_truncate_on_rotation = on/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?log_rotation_age .*/log_rotation_age = 1d/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?log_rotation_size .*/log_rotation_size = 0/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?log_timezone .*/log_timezone = 'Asia\/Shanghai'/g" ${POSTGRESQL_CONF} -#sed -i -E "s/^#include_dir .*/include_dir = 'conf\.d'/g" ${POSTGRESQL_CONF} +#sed -i -E "s/^#?include_dir .*/include_dir = 'conf\.d'/g" ${POSTGRESQL_CONF} # 修改 unix_socket_directories 与 PID 文件同目录,解决修改 PID 输出目录后 psql 不指定`-h`时 Unix Socket 无法找到问题: # psql: could not connect to server: No such file or directory diff --git a/alpine/customer/usr/sbin/create_user b/alpine/customer/usr/sbin/create_user index e71bc99..a61a90b 100755 --- a/alpine/customer/usr/sbin/create_user +++ b/alpine/customer/usr/sbin/create_user @@ -2,8 +2,8 @@ # shell 执行参数,分别为 -e(命令执行错误则退出脚本) -u(变量未定义则报错) -x(打印实际待执行的命令行) set -eux addgroup -g 998 -S ${APP_USER} -adduser -G ${APP_USER} -u 999 -s /bin/bash -h ${APP_DATA_DIR} -D -S ${APP_USER} -#adduser -G ${APP_USER} -u 999 -s /usr/sbin/nologin -h ${APP_DATA_DIR} -D -S ${APP_USER} +adduser -G ${APP_USER} -u 999 -s /bin/bash -h /srv/data/${APP_NAME} -D -S ${APP_USER} +#adduser -G ${APP_USER} -u 999 -s /usr/sbin/nologin -h /srv/data/${APP_NAME} -D -S ${APP_USER} # 如果需要 sudo 权限,需要安装 su 软件包:apk add sudo #sed -i -e 's/^\sDefaults\s*secure_path\s*=/# Defaults secure_path=/' /etc/sudoers diff --git a/alpine/customer/usr/sbin/prepare_env b/alpine/customer/usr/sbin/prepare_env index cb7b34b..05ce3b1 100755 --- a/alpine/customer/usr/sbin/prepare_env +++ b/alpine/customer/usr/sbin/prepare_env @@ -2,7 +2,16 @@ # shell 执行参数,分别为 -e(命令执行错误则退出脚本) -u(变量未定义则报错) -x(打印实际待执行的命令行) set -eux -APP_DIRS="${APP_DEF_DIR:-} ${APP_CONF_DIR:-} ${APP_DATA_DIR:-} ${APP_DATA_LOG_DIR:-} ${APP_CACHE_DIR:-} ${APP_RUN_DIR:-} ${APP_LOG_DIR:-} ${APP_CERT_DIR:-} ${APP_HOME_DIR:-}" +APP_DIRS=" \ + /usr/local/${APP_NAME} \ + /etc/${APP_NAME} \ + /srv/conf/${APP_NAME} \ + /srv/data/${APP_NAME} \ + /srv/datalog/${APP_NAME} \ + /var/cache/${APP_NAME} \ + /var/run/${APP_NAME} \ + /var/log/${APP_NAME} \ + /srv/cert/${APP_NAME}" mkdir -p ${APP_DIRS} chown -Rf ${APP_USER}:${APP_USER} ${APP_DIRS}; diff --git a/customer/usr/local/bin/comm-env.sh b/customer/usr/local/bin/comm-env.sh new file mode 100644 index 0000000..30d614b --- /dev/null +++ b/customer/usr/local/bin/comm-env.sh @@ -0,0 +1,115 @@ +#!/bin/bash +# Ver: 1.0 by Endial Fang (endial@126.com) +# +# 应用环境变量定义及初始化 + +# 通用设置 +export ENV_DEBUG=${ENV_DEBUG:-false} +export ALLOW_ANONYMOUS_LOGIN="${ALLOW_ANONYMOUS_LOGIN:-no}" + +# 通过读取变量名对应的 *_FILE 文件,获取变量值;如果对应文件存在,则通过传入参数设置的变量值会被文件中对应的值覆盖 +# 变量优先级: *_FILE > 传入变量 > 默认值 +app_env_file_lists=( + PG_POSTGRES_PASSWORD + PG_PASSWORD + PG_REPLICATION_PASSWORD + PG_LDAP_BIND_PASSWORD +) +for env_var in "${app_env_file_lists[@]}"; do + file_env_var="${env_var}_FILE" + if [[ -n "${!file_env_var:-}" ]]; then + export "${env_var}=$(< "${!file_env_var}")" + unset "${file_env_var}" + fi +done +unset postgresql_env_vars + +# 应用路径参数 +export APP_HOME_DIR="/usr/local/${APP_NAME}" +export APP_DEF_DIR="/etc/${APP_NAME}" +export APP_CONF_DIR="/srv/conf/${APP_NAME}" +export APP_DATA_DIR="/srv/data/${APP_NAME}" +export APP_DATA_LOG_DIR="/srv/datalog/${APP_NAME}" +export APP_CACHE_DIR="/var/cache/${APP_NAME}" +export APP_RUN_DIR="/var/run/${APP_NAME}" +export APP_LOG_DIR="/var/log/${APP_NAME}" +export APP_CERT_DIR="/srv/cert/${APP_NAME}" + +export PG_DATA_DIR="${APP_DATA_DIR}/data" + +export PG_CONF_FILE="${APP_CONF_DIR}/postgresql.conf" +export PG_HBA_FILE="${APP_CONF_DIR}/pg_hba.conf" +export PG_RECOVERY_FILE="${PG_DATA_DIR}/recovery.conf" +export PG_IDENT_FILE="${PG_DATA_DIR}/pg_ident.conf" +export PG_EXT_PID_FILE="${APP_RUN_DIR}/postgresql.pid" +export PG_LOG_FILE="${APP_LOG_DIR}/postgresql.log" + +# 应用配置参数 +export PG_CLUSTER_APP_NAME=${PG_CLUSTER_APP_NAME:-cvcluster} +export PG_REPLICATION_MODE="${PG_REPLICATION_MODE:-primary}" +export PG_PRIMARY_HOST="${PG_PRIMARY_HOST:-}" +export PG_PRIMARY_PORT="${PG_PRIMARY_PORT:-5432}" +export PG_NUM_SYNCHRONOUS_REPLICAS="${PG_NUM_SYNCHRONOUS_REPLICAS:-0}" +export PG_REPLICATION_USER="${PG_REPLICATION_USER:-}" +export PG_REPLICATION_PASSWORD="${PG_REPLICATION_PASSWORD:-}" +export PG_SYNCHRONOUS_COMMIT_MODE="${PG_SYNCHRONOUS_COMMIT_MODE:-on}" +export PG_FSYNC="${PG_FSYNC:-on}" +export PG_INIT_MAX_TIMEOUT=${PG_INIT_MAX_TIMEOUT:-60} +export PG_INITDB_ARGS="${PG_INITDB_ARGS:-}" +export PG_INITDB_WAL_DIR="${PG_INITDB_WAL_DIR:-}" +export PG_PORT_NUMBER="${PG_PORT_NUMBER:-5432}" +export PG_SHARED_PRELOAD_LIBRARIES="${PG_SHARED_PRELOAD_LIBRARIES:-}" +export PG_USERNAME_CONNECTION_LIMIT="${PG_USERNAME_CONNECTION_LIMIT:-}" +export PG_POSTGRES_CONNECTION_LIMIT="${PG_POSTGRES_CONNECTION_LIMIT:-}" + +export PG_ENABLE_LDAP="${PG_ENABLE_LDAP:-no}" +export PG_LDAP_URL="${PG_LDAP_URL:-}" +export PG_LDAP_PREFIX="${PG_LDAP_PREFIX:-}" +export PG_LDAP_SUFFIX="${PG_LDAP_SUFFIX:-}" +export PG_LDAP_SERVER="${PG_LDAP_SERVER:-}" +export PG_LDAP_PORT="${PG_LDAP_PORT:-}" +export PG_LDAP_SCHEME="${PG_LDAP_SCHEME:-}" +export PG_LDAP_TLS="${PG_LDAP_TLS:-}" +export PG_LDAP_BASE_DN="${PG_LDAP_BASE_DN:-}" +export PG_LDAP_BIND_DN="${PG_LDAP_BIND_DN:-}" +export PG_LDAP_BIND_PASSWORD="${PG_LDAP_BIND_PASSWORD:-}" +export PG_LDAP_SEARCH_ATTR="${PG_LDAP_SEARCH_ATTR:-}" +export PG_LDAP_SEARCH_FILTER="${PG_LDAP_SEARCH_FILTER:-}" + +export PG_ENABLE_TLS="${PG_ENABLE_TLS:-no}" +export PG_TLS_CERT_FILE="${PG_TLS_CERT_FILE:-}" +export PG_TLS_KEY_FILE="${PG_TLS_KEY_FILE:-}" +export PG_TLS_CA_FILE="${PG_TLS_CA_FILE:-}" +export PG_TLS_CRL_FILE="${PG_TLS_CRL_FILE:-}" +export PG_TLS_PREFER_SERVER_CIPHERS="${PG_TLS_PREFER_SERVER_CIPHERS:-yes}" + +export PG_PGAUDIT_LOG="${PG_PGAUDIT_LOG:-}" +export PG_PGAUDIT_LOG_CATALOG="${PG_PGAUDIT_LOG_CATALOG:-}" +export PG_LOG_CONNECTIONS="${PG_LOG_CONNECTIONS:-}" +export PG_LOG_DISCONNECTIONS="${PG_LOG_DISCONNECTIONS:-}" +export PG_LOG_HOSTNAME="${PG_LOG_HOSTNAME:-}" +export PG_CLIENT_MIN_MESSAGES="${PG_CLIENT_MIN_MESSAGES:-error}" +export PG_LOG_LINE_PREFIX="${PG_LOG_LINE_PREFIX:-}" +export PG_LOG_TIMEZONE="${PG_LOG_TIMEZONE:-}" + +export PG_MAX_CONNECTIONS="${PG_MAX_CONNECTIONS:-}" +export PG_TCP_KEEPALIVES_IDLE="${PG_TCP_KEEPALIVES_IDLE:-}" +export PG_TCP_KEEPALIVES_INTERVAL="${PG_TCP_KEEPALIVES_INTERVAL:-}" +export PG_TCP_KEEPALIVES_COUNT="${PG_TCP_KEEPALIVES_COUNT:-}" +export PG_STATEMENT_TIMEOUT="${PG_STATEMENT_TIMEOUT:-}" + +export PG_USERNAME="${PG_USERNAME:-postgres}" +export PG_PASSWORD="${PG_PASSWORD:-}" +export PG_DATABASE="${PG_DATABASE:-postgres}" +# 使用自定义用户名(非"postgres")时的管理员密码 +export PG_POSTGRES_PASSWORD="${PG_POSTGRES_PASSWORD:-}" +export PG_INITSCRIPTS_USERNAME="${PG_INITSCRIPTS_USERNAME:-${PG_USERNAME}}" +export PG_INITSCRIPTS_PASSWORD="${PG_INITSCRIPTS_PASSWORD:-${PG_PASSWORD}}" + +export PGCONNECT_TIMEOUT="${PGCONNECT_TIMEOUT:-10}" + +# 内部变量 +export PG_FIRST_BOOT="yes" + +# 个性化变量 + diff --git a/customer/usr/local/bin/appcommon.sh b/customer/usr/local/bin/comm-postgresql.sh similarity index 52% rename from customer/usr/local/bin/appcommon.sh rename to customer/usr/local/bin/comm-postgresql.sh index 6737241..37805f2 100644 --- a/customer/usr/local/bin/appcommon.sh +++ b/customer/usr/local/bin/comm-postgresql.sh @@ -14,100 +14,6 @@ # 函数列表 -# 加载应用使用的环境变量初始值,该函数在相关脚本中以 eval 方式调用 -# 全局变量: -# ENV_* : 容器使用的全局变量 -# APP_* : 在镜像创建时定义的全局变量 -# *_* : 应用配置文件使用的全局变量,变量名根据配置项定义 -# 返回值: -# 可以被 'eval' 使用的序列化输出 -app_env() { - cat <<-'EOF' - # Common Settings - export ENV_DEBUG=${ENV_DEBUG:-false} - export ALLOW_ANONYMOUS_LOGIN="${ALLOW_ANONYMOUS_LOGIN:-no}" - - # Paths configuration - export PGDATA="${APP_DATA_DIR}/data" - export PG_INITDB_WAL_DIR="${PG_INITDB_WAL_DIR:-${APP_DATA_LOG_DIR}}" - - export PG_CONF_FILE="${PGDATA}/postgresql.conf" - export PG_HBA_FILE="${PGDATA}/pg_hba.conf" - export PG_IDENT_FILE="${PGDATA}/pg_ident.conf" - export PG_RECOVERY_FILE="${PGDATA}/recovery.conf" - - export PG_PID_FILE="${APP_RUN_DIR}/postgresql.pid" - export PG_LOG_FILE="${APP_LOG_DIR}/postgresql.log" - - # Cluster configuration - export PG_CLUSTER_APP_NAME=${PG_CLUSTER_APP_NAME:-cvcluster} - export PG_REPLICATION_MODE="${PG_REPLICATION_MODE:-master}" - - export PG_MASTER_HOST="${PG_MASTER_HOST:-}" - export PG_MASTER_PORT_NUMBER="${PG_MASTER_PORT_NUMBER:-5432}" - export PG_NUM_SYNCHRONOUS_REPLICAS="${PG_NUM_SYNCHRONOUS_REPLICAS:-0}" - export PG_REPLICATION_USER="${PG_REPLICATION_USER:-}" - export PG_REPLICATION_PASSWORD="${PG_REPLICATION_PASSWORD:-}" - - export PG_SYNCHRONOUS_COMMIT_MODE="${PG_SYNCHRONOUS_COMMIT_MODE:-on}" - export PG_FSYNC="${PG_FSYNC:-on}" - - # PostgreSQL settings - export PG_INIT_MAX_TIMEOUT=${PG_INIT_MAX_TIMEOUT:-60} - export PG_INITDB_ARGS="${PG_INITDB_ARGS:-}" - export PG_PORT_NUMBER="${PG_PORT_NUMBER:-5432}" - export PG_HOST_AUTH_METHOD="${PG_HOST_AUTH_METHOD:-md5}" - - # PostgreSQL TLS Settings - - # PostgreSQL LDAP Settings - export PG_ENABLE_LDAP="${PG_ENABLE_LDAP:-no}" - export PG_LDAP_URL="${PG_LDAP_URL:-}" - export PG_LDAP_PREFIX="${PG_LDAP_PREFIX:-}" - export PG_LDAP_SUFFIX="${PG_LDAP_SUFFIX:-}" - export PG_LDAP_SERVER="${PG_LDAP_SERVER:-}" - export PG_LDAP_PORT="${PG_LDAP_PORT:-}" - export PG_LDAP_SCHEME="${PG_LDAP_SCHEME:-}" - export PG_LDAP_TLS="${PG_LDAP_TLS:-}" - export PG_LDAP_BASE_DN="${PG_LDAP_BASE_DN:-}" - export PG_LDAP_BIND_DN="${PG_LDAP_BIND_DN:-}" - export PG_LDAP_BIND_PASSWORD="${PG_LDAP_BIND_PASSWORD:-}" - export PG_LDAP_SEARCH_ATTR="${PG_LDAP_SEARCH_ATTR:-}" - export PG_LDAP_SEARCH_FILTER="${PG_LDAP_SEARCH_FILTER:-}" - - # Authentication - export PG_USERNAME="${PG_USERNAME:-postgres}" - export PG_PASSWORD="${PG_PASSWORD:-}" - export PG_DATABASE="${PG_DATABASE:-postgres}" - - export PG_INITSCRIPTS_USERNAME="${PG_INITSCRIPTS_USERNAME:-${PG_USERNAME}}" - export PG_INITSCRIPTS_PASSWORD="${PG_INITSCRIPTS_PASSWORD:-${PG_PASSWORD}}" -EOF - - # 利用 *_FILE 设置密码,不在配置命令中设置密码,增强安全性 - if [[ -f "${PG_POSTGRES_PASSWORD_FILE:-}" ]]; then - cat <<-'EOF' - export PG_POSTGRES_PASSWORD="$(< "${PG_POSTGRES_PASSWORD_FILE}")" -EOF - else - cat <<-'EOF' - export PG_POSTGRES_PASSWORD="${PG_POSTGRES_PASSWORD:-}" -EOF - fi - - if [[ -f "${PG_PASSWORD_FILE:-}" ]]; then - cat <<-'EOF' - export PG_PASSWORD="$(< "${PG_PASSWORD_FILE}")" -EOF - fi - - if [[ -f "${PG_REPLICATION_PASSWORD_FILE:-}" ]]; then - cat <<-'EOF' - export PG_REPLICATION_PASSWORD="$(< "${PG_REPLICATION_PASSWORD_FILE}")" -EOF - fi -} - # 配置 libnss_wrapper 以使得 PostgreSQL 命令可以以任意用户身份执行 postgresql_enable_nss_wrapper() { if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then @@ -115,15 +21,16 @@ postgresql_enable_nss_wrapper() { export LD_PRELOAD='/usr/lib/libnss_wrapper.so' export NSS_WRAPPER_PASSWD="$(mktemp)" export NSS_WRAPPER_GROUP="$(mktemp)" - echo "postgres:x:$(id -u):$(id -g):PostgreSQL:${PGDATA}:/bin/false" > "$NSS_WRAPPER_PASSWD" - echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:${PG_DATA_DIR}:/bin/false" > "${NSS_WRAPPER_PASSWD}" + echo "postgres:x:$(id -g):" > "${NSS_WRAPPER_GROUP}" fi } +# 禁用 libnss_wrapper postgresql_disable_nss_wrapper() { # unset/cleanup "nss_wrapper" bits if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then - rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + rm -f "${NSS_WRAPPER_PASSWD}" "${NSS_WRAPPER_GROUP}" unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP fi } @@ -136,27 +43,12 @@ postgresql_disable_nss_wrapper() { postgresql_common_conf_set() { local file="${1:?missing file}" local key="${2:?missing key}" - shift - shift - local values=("$@") + local value="${3:?missing value}" - if [[ "${#values[@]}" -eq 0 ]]; then - LOG_E "missing value" - return 1 - elif [[ "${#values[@]}" -ne 1 ]]; then - for i in "${!values[@]}"; do - postgresql_common_conf_set "$file" "${key[$i]}" "${values[$i]}" - done + if grep -q "^#*\s*${key}" "$file" >/dev/null; then + replace_in_file "$file" "^#*\s*${key}\s*=.*" "${key} = '${value}'" false else - value="${values[0]}" - # Check if the value was set before - if grep -q "^[#\\s]*$key\s*=.*" "$file"; then - # Update the existing key - replace_in_file "$file" "^[#\\s]*${key}\s*=.*" "${key} = \'${value}\'" false - else - # 增加一个新的配置项;如果在其他位置有类似操作,需要注意换行 - printf "%s = %s" "$key" "$value" >>"$file" - fi + echo "${property} = '${value}'" >>"$file" fi } @@ -193,8 +85,8 @@ postgresql_recover_set() { } # 初始化 pg_hba.conf 文件,增加 LDAP 配置;同时保留本地认证 -postgresql_ldap_auth_configuration() { - LOG_I "Generating LDAP authentication configuration" +postgresql_hba_ldap_auth() { + LOG_I "Enabling LDAP authentication" local ldap_configuration="" if [[ -n "${PG_LDAP_URL}" ]]; then @@ -214,34 +106,56 @@ postgresql_ldap_auth_configuration() { [[ -n "${PG_LDAP_SCHEME}" ]] && ldap_configuration+=" ldapscheme=${PG_LDAP_SCHEME}" fi - cat <<-'EOF' > "${PG_HBA_FILE}" - local all all trust - host all postgres 0.0.0.0/0 trust - host all postgres ::/0 trust - host all all 0.0.0.0/0 ldap ${ldap_configuration} - host all all ::/0 ldap ${ldap_configuration} + cat <"${PG_HBA_FILE}" +host all postgres 0.0.0.0/0 trust +host all postgres ::/0 trust +host all all 0.0.0.0/0 ldap ${ldap_configuration} +host all all ::/0 ldap ${ldap_configuration} EOF } -# 修改 pg_hba.conf 文件,增加主从复制从服务器认证许可 -postgresql_add_replication_to_pghba() { +# 设置 pg_hba.conf 文件,增加 TLS 配置 +postgresql_hba_allow_tls_connection() { + LOG_I "Enabling TLS client authentication" + + cat <>"${PG_HBA_FILE}" +hostssl all all 0.0.0.0/0 cert +hostssl all all ::/0 cert +EOF +} + +# 设置 pg_hba.conf 文件,允许 replication 访问 +postgresql_hba_allow_replication_connection() { + LOG_I "Enabling replication client authentication" + local replication_auth="trust" - if [[ -n "$PG_REPLICATION_PASSWORD" ]]; then + if [[ -n "${PG_REPLICATION_PASSWORD}" ]]; then replication_auth="md5" fi - cat <<-'EOF' >> "$PG_HBA_FILE" - host replication all 0.0.0.0/0 ${replication_auth} - host replication all ::/0 ${replication_auth} + cat <>"${PG_HBA_FILE}" +host replication all 0.0.0.0/0 ${replication_auth} +host replication all ::/0 ${replication_auth} +EOF +} + +# 设置 pg_hba.conf,允许本地访问 +postgresql_hba_allow_local_connection() { + LOG_I "Enabling local client authentication" + + cat <>"${PG_HBA_FILE}" +local all all trust +host all all 127.0.0.1/0 trust +host all all ::1/128 trust EOF } # 初始化 pg_hba.conf 文件 -postgresql_password_auth_configuration() { - LOG_I "Generating local authentication configuration" - cat <<-'EOF' > "$PG_HBA_FILE" - local all all trust - host all all 0.0.0.0/0 trust - host all all ::/0 trust +postgresql_hba_password_auth() { + LOG_I "Enabling password client authentication" + + cat <"${PG_HBA_FILE}" +host all all 0.0.0.0/0 trust +host all all ::/0 trust EOF } @@ -261,10 +175,10 @@ postgresql_execute() { local -r port="${5:-${PG_PORT_NUMBER}}" local -r opts="${6:-}" - local args=( "-h" "$host" "-p" "$port" "-U" "$user" ) - local cmd=("psql") - [[ -n "$db" ]] && args+=( "-d" "$db" ) - [[ -n "$opts" ]] && args+=( "$opts" ) + local args=("-h" "$host" "-p" "$port" "-U" "$user") + local cmd=("${APP_HOME_DIR}/bin/psql") + [[ -n "$db" ]] && args+=("-d" "$db") + [[ -n "$opts" ]] && args+=("$opts") LOG_D "Execute args: ${args[@]}" if is_boolean_yes "${ENV_DEBUG}"; then PGPASSWORD=$pass "${cmd[@]}" "${args[@]}" @@ -273,60 +187,132 @@ postgresql_execute() { fi } +# 使用环境变量中的配置值更新配置文件 +postgresql_configure_from_environment_variables() { + LOG_D "Modify postgresql.conf with PG_CFG_* values..." + for var in "${!PG_CFG_@}"; do + key="$(echo "$var" | sed -e 's/^PG_CFG_//g' | tr '[:upper:]' '[:lower:]')" + value="${!var}" + postgresql_conf_set "$key" "$value" + done +} + # 生成初始 postgres.conf 配置 postgresql_default_postgresql_config() { LOG_I "Modify postgresql.conf with default values..." - [ ! -e "${PG_CONF_FILE}" ] && cp -rf "${APP_DEF_DIR}/postgresql.conf.sample" "${PG_CONF_FILE}" + [ ! -e "${PG_CONF_FILE}" ] && cp -rf "${APP_HOME_DIR}/share/postgresql.conf.sample" "${PG_CONF_FILE}" + postgresql_configure_from_environment_variables + + postgresql_conf_set "logging_collector" "on" postgresql_conf_set "wal_level" "hot_standby" postgresql_conf_set "max_wal_size" "400MB" postgresql_conf_set "max_wal_senders" "16" postgresql_conf_set "wal_keep_segments" "12" + postgresql_conf_set "wal_log_hints" "on" postgresql_conf_set "hot_standby" "on" if (( PG_NUM_SYNCHRONOUS_REPLICAS > 0 )); then - postgresql_conf_set "synchronous_commit" "$PG_SYNCHRONOUS_COMMIT_MODE" + postgresql_conf_set "synchronous_commit" "${PG_SYNCHRONOUS_COMMIT_MODE}" postgresql_conf_set "synchronous_standby_names" "${PG_NUM_SYNCHRONOUS_REPLICAS} (\"${PG_CLUSTER_APP_NAME}\")" fi - postgresql_conf_set "fsync" "$PG_FSYNC" + postgresql_conf_set "fsync" "${PG_FSYNC}" + + [[ -n "${PG_SHARED_PRELOAD_LIBRARIES}" ]] && postgresql_conf_set "shared_preload_libraries" "${PG_SHARED_PRELOAD_LIBRARIES}" + + # Update default value for 'include_dir' directive + # ref: https://github.com/postgres/postgres/commit/fb9c475597c245562a28d1e916b575ac4ec5c19f#diff-f5544d9b6d218cc9677524b454b41c60 + if ! grep include_dir "${PG_CONF_FILE}" > /dev/null; then + postgresql_error "include_dir line is not present in ${PG_CONF_FILE}. This may be due to a changes in a new version of PostgreSQL. Please check" + exit 1 + fi + postgresql_conf_set "include_dir" "conf.d" + mkdir -p "${APP_CONF_DIR}/conf.d" } # 生成初始 pg_hba.conf 配置 postgresql_default_hba_config() { LOG_I "Modify pg_hba.conf with default values..." - if is_boolean_yes "${PG_ENABLE_LDAP:-no}"; then - postgresql_ldap_auth_configuration + if is_boolean_yes "${PG_ENABLE_LDAP}"; then + postgresql_hba_ldap_auth else - postgresql_password_auth_configuration + postgresql_hba_password_auth fi } -# 生成初始 pg_hba.conf 配置 +# 更新 pg_hba.conf 文件,仅允许基于密码认证的访问 postgresql_restrict_hba_config() { - LOG_I "Modify pg_hba.conf for restrict configs..." + LOG_I "Check pg_hba.conf for restrict configs..." - if [[ -n "$PG_PASSWORD" ]]; then - LOG_I "Configuring md5 encrypt" + if [[ -n "${PG_PASSWORD}" ]]; then + LOG_D " Configuring md5 encrypt" postgresql_hba_set "trust" "md5" fi } +# 获取软件主版本号 +postgresql_get_major_version() { + psql --version | grep -oE "[0-9]+\.[0-9]+" | grep -oE "^[0-9]+" +} + # 为 Slava 模式工作的节点创建 recovery.conf 文件 postgresql_configure_recovery() { - LOG_I "Setting up streaming replication slave..." - [ ! -e "${PG_RECOVERY_FILE}" ] && cp -f "${APP_DEF_DIR}/recovery.conf.sample" "${PG_RECOVERY_FILE}" + LOG_I "Setting up streaming replication standby..." - # 版本为12以上时, Slave 节点配置保存在 postgresql.conf 文件中 - postgresql_conf_set "primary_conninfo" "host=${PG_MASTER_HOST} port=${PG_MASTER_PORT_NUMBER} user=${PG_REPLICATION_USER} password=${PG_REPLICATION_PASSWORD} application_name=${PG_CLUSTER_APP_NAME}" - postgresql_conf_set "promote_trigger_file" "/tmp/postgresql.trigger.${PG_MASTER_PORT_NUMBER}" - touch "$PGDATA"/standby.signal + # Recover 配置信息在不同版本保存位置不一样: + # 版本为12及以上时, Slave 节点配置保存在 postgresql.conf 文件中 + # 版本低于12时, Slave 节点配置保存在 recover.conf 文件中 + local -r psql_major_version="$(postgresql_get_major_version)" + if (( psql_major_version >= 12 )); then + postgresql_conf_set "primary_conninfo" "host=${PG_PRIMARY_HOST} port=${PG_PRIMARY_PORT} user=${PG_REPLICATION_USER} password=${PG_REPLICATION_PASSWORD} application_name=${PG_CLUSTER_APP_NAME}" + postgresql_conf_set "promote_trigger_file" "/tmp/postgresql.trigger.${PG_PRIMARY_PORT}" + touch "${PG_DATA_DIR}/standby.signal" + else + [ ! -e "${PG_RECOVERY_FILE}" ] && cp -f "${APP_HOME_DIR}/share/recovery.conf.sample" "${PG_RECOVERY_FILE}" + chmod 600 "${PG_RECOVERY_FILE}" + postgresql_recover_set "standby_mode" "on" + postgresql_recover_set "primary_conninfo" "host=${PG_PRIMARY_HOST} port=${PG_PRIMARY_PORT} user=${PG_REPLICATION_USER} password=${PG_REPLICATION_PASSWORD} application_name=${PG_CLUSTER_APP_NAME}" + postgresql_recover_set "trigger_file" "/tmp/postgresql.trigger.${PG_PRIMARY_PORT}" + fi +} - # 版本低于12时, Slave 节点配置保存在 recover.conf 文件中 - #chmod 600 "${PG_RECOVERY_FILE}" - #postgresql_recover_set "standby_mode" "on" - #postgresql_recover_set "primary_conninfo" "host=${PG_MASTER_HOST} port=${PG_MASTER_PORT_NUMBER} user=${PG_REPLICATION_USER} password=${PG_REPLICATION_PASSWORD} application_name=${PG_CLUSTER_APP_NAME}" - #postgresql_recover_set "trigger_file" "/tmp/postgresql.trigger.${PG_MASTER_PORT_NUMBER}" +# 配置应用日志参数 +postgresql_configure_logging() { + LOG_I "Update logging configuration..." + + [[ -n "${PG_PGAUDIT_LOG}" ]] && postgresql_conf_set "pgaudit.log" "${PG_PGAUDIT_LOG}" + [[ -n "${PG_PGAUDIT_LOG_CATALOG}" ]] && postgresql_conf_set "pgaudit.log_catalog" "${PG_PGAUDIT_LOG_CATALOG}" + [[ -n "${PG_LOG_CONNECTIONS}" ]] && postgresql_conf_set "log_connections" "${PG_LOG_CONNECTIONS}" + [[ -n "${PG_LOG_DISCONNECTIONS}" ]] && postgresql_conf_set "log_disconnections" "${PG_LOG_DISCONNECTIONS}" + [[ -n "${PG_LOG_HOSTNAME}" ]] && postgresql_conf_set "log_hostname" "${PG_LOG_HOSTNAME}" + [[ -n "${PG_CLIENT_MIN_MESSAGES}" ]] && postgresql_conf_set "client_min_messages" "${PG_CLIENT_MIN_MESSAGES}" + [[ -n "${PG_LOG_LINE_PREFIX}" ]] && postgresql_conf_set "log_line_prefix" "${PG_LOG_LINE_PREFIX}" + ([[ -n "${PG_LOG_TIMEZONE}" ]] && postgresql_conf_set "log_timezone" "${PG_LOG_TIMEZONE}") || true +} + +# 配置应用连接控制参数 +postgresql_configure_connections() { + LOG_I "Update TCP connection configuration..." + + [[ -n "${PG_MAX_CONNECTIONS}" ]] && postgresql_conf_set "max_connections" "${PG_MAX_CONNECTIONS}" + [[ -n "${PG_TCP_KEEPALIVES_IDLE}" ]] && postgresql_conf_set "tcp_keepalives_idle" "${PG_TCP_KEEPALIVES_IDLE}" + [[ -n "${PG_TCP_KEEPALIVES_INTERVAL}" ]] && postgresql_conf_set "tcp_keepalives_interval" "${PG_TCP_KEEPALIVES_INTERVAL}" + [[ -n "${PG_TCP_KEEPALIVES_COUNT}" ]] && postgresql_conf_set "tcp_keepalives_count" "${PG_TCP_KEEPALIVES_COUNT}" + ([[ -n "${PG_STATEMENT_TIMEOUT}" ]] && postgresql_conf_set "statement_timeout" "${PG_STATEMENT_TIMEOUT}") || true +} + +# 配置应用 TLS 参数 +postgresql_configure_tls() { + LOG_I "Update TLS configuration..." + + chmod 600 "${PG_TLS_KEY_FILE}" || LOG_W "Could not set compulsory permissions (600) on file ${PG_TLS_KEY_FILE}" + postgresql_conf_set "ssl" "on" + ! is_boolean_yes "${PG_TLS_PREFER_SERVER_CIPHERS}" && postgresql_conf_set "ssl_prefer_server_ciphers" "off" + [[ -n "${PG_TLS_CA_FILE}" ]] && postgresql_conf_set "ssl_ca_file" "${PG_TLS_CA_FILE}" + [[ -n "${PG_TLS_CRL_FILE}" ]] && postgresql_conf_set "ssl_crl_file" "${PG_TLS_CRL_FILE}" + postgresql_conf_set "ssl_cert_file" "${PG_TLS_CERT_FILE}" + postgresql_conf_set "ssl_key_file" "${PG_TLS_KEY_FILE}" } # 为默认的数据库用户 postgres 设置密码 @@ -335,34 +321,46 @@ postgresql_configure_recovery() { postgresql_alter_postgres_user() { local -r escaped_password="${1//\'/\'\'}" LOG_I "Changing password of postgres" + echo "ALTER ROLE postgres WITH PASSWORD '$escaped_password';" | postgresql_execute + if [[ -n "${PG_POSTGRES_CONNECTION_LIMIT}" ]]; then + echo "ALTER ROLE postgres WITH CONNECTION LIMIT ${PG_POSTGRES_CONNECTION_LIMIT};" | postgresql_execute + fi } # 为数据库 $PG_DATABASE 创建管理员账户 postgresql_create_admin_user() { local -r escaped_password="${PG_PASSWORD//\'/\'\'}" + + local connlimit_string="" + if [[ -n "${PG_USERNAME_CONNECTION_LIMIT}" ]]; then + connlimit_string="CONNECTION LIMIT ${PG_USERNAME_CONNECTION_LIMIT}" + fi + LOG_I "Creating user ${PG_USERNAME}" - echo "CREATE ROLE \"${PG_USERNAME}\" WITH LOGIN CREATEDB PASSWORD '${escaped_password}';" | postgresql_execute + echo "CREATE ROLE \"${PG_USERNAME}\" WITH LOGIN ${connlimit_string} CREATEDB PASSWORD '${escaped_password}';" | postgresql_execute LOG_I "Granting access to \"${PG_USERNAME}\" to the database \"${PG_DATABASE}\"" - echo "GRANT ALL PRIVILEGES ON DATABASE \"${PG_DATABASE}\" TO \"${PG_USERNAME}\"\;" | postgresql_execute "" "postgres" "$PG_POSTGRES_PASSWORD" + echo "GRANT ALL PRIVILEGES ON DATABASE \"${PG_DATABASE}\" TO \"${PG_USERNAME}\"\;" | postgresql_execute "" "postgres" "${PG_POSTGRES_PASSWORD}" } -# 为 master-slave 复制模式创建用户 +# 为 primary-standby 复制模式创建用户 postgresql_create_replication_user() { local -r escaped_password="${PG_REPLICATION_PASSWORD//\'/\'\'}" LOG_I "Creating replication user ${PG_REPLICATION_USER}" - echo "CREATE ROLE \"$PG_REPLICATION_USER\" REPLICATION LOGIN ENCRYPTED PASSWORD '$escaped_password'" | postgresql_execute + + echo "CREATE ROLE \"${PG_REPLICATION_USER}\" WITH REPLICATION LOGIN ENCRYPTED PASSWORD '$escaped_password'" | postgresql_execute } # 创建用户自定义数据库 $PG_DATABASE postgresql_create_custom_database() { LOG_I "Creating custom database ${PG_DATABASE}" + echo "CREATE DATABASE \"${PG_DATABASE}\"" | postgresql_execute "" "postgres" "" "localhost" } # 检测用户参数信息是否满足条件; 针对部分权限过于开放情况,打印提示信息 -app_verify_minimum_env() { +postgresql_verify_minimum_env() { local error_code=0 LOG_D "Validating settings in PG_* env vars..." @@ -378,6 +376,7 @@ app_verify_minimum_env() { empty_password_error() { print_validation_error "The $1 environment variable is empty or not set. Set the environment variable ALLOW_ANONYMOUS_LOGIN=yes to allow the container to be started with blank passwords. This is recommended only for development." } + if is_boolean_yes "${ALLOW_ANONYMOUS_LOGIN}"; then empty_password_warn else @@ -396,19 +395,19 @@ app_verify_minimum_env() { fi if [[ -n "${PG_REPLICATION_MODE}" ]]; then - if [[ "${PG_REPLICATION_MODE}" = "master" ]]; then + if [[ "${PG_REPLICATION_MODE}" = "primary" ]]; then if (( PG_NUM_SYNCHRONOUS_REPLICAS < 0 )); then print_validation_error "The number of synchronous replicas cannot be less than 0. Set the environment variable PG_NUM_SYNCHRONOUS_REPLICAS" fi - elif [[ "${PG_REPLICATION_MODE}" = "slave" ]]; then - if [[ -z "${PG_MASTER_HOST}" ]]; then - print_validation_error "Slave replication mode chosen without setting the environment variable PG_MASTER_HOST. Use it to indicate where the Master node is running" + elif [[ "${PG_REPLICATION_MODE}" = "standby" ]]; then + if [[ -z "${PG_PRIMARY_HOST}" ]]; then + print_validation_error "Slave replication mode chosen without setting the environment variable PG_PRIMARY_HOST. Use it to indicate where the Master node is running" fi if [[ -z "${PG_REPLICATION_USER}" ]]; then - print_validation_error "Slave replication mode chosen without setting the environment variable PG_REPLICATION_USER. Make sure that the master also has this parameter set" + print_validation_error "Slave replication mode chosen without setting the environment variable PG_REPLICATION_USER. Make sure that the primary also has this parameter set" fi else - print_validation_error "Invalid replication mode. Available options are 'master/slave'" + print_validation_error "Invalid replication mode. Available options are 'primary/standby'" fi # Common replication checks if [[ -n "${PG_REPLICATION_USER}" ]] && [[ -z "${PG_REPLICATION_PASSWORD}" ]]; then @@ -435,18 +434,46 @@ app_verify_minimum_env() { empty_password_error "You can not set PG_LDAP_URL and PG_LDAP_SERVER at the same time. Check your LDAP configuration." fi + if ! is_yes_no_value "${PG_ENABLE_TLS}"; then + print_validation_error "The values allowed for PG_ENABLE_TLS are: yes or no" + elif is_boolean_yes "${PG_ENABLE_TLS}"; then + if [[ -z "${PG_TLS_CERT_FILE}" ]]; then + print_validation_error "You must provide a X.509 certificate in order to use TLS" + elif [[ ! -f "${PG_TLS_CERT_FILE}" ]]; then + print_validation_error "The X.509 certificate file in the specified path ${PG_TLS_CERT_FILE} does not exist" + fi + if [[ -z "${PG_TLS_KEY_FILE}" ]]; then + print_validation_error "You must provide a private key in order to use TLS" + elif [[ ! -f "${PG_TLS_KEY_FILE}" ]]; then + print_validation_error "The private key file in the specified path ${PG_TLS_KEY_FILE} does not exist" + fi + if [[ -z "${PG_TLS_CA_FILE}" ]]; then + warn "A CA X.509 certificate was not provided. Client verification will not be performed in TLS connections" + elif [[ ! -f "${PG_TLS_CA_FILE}" ]]; then + print_validation_error "The CA X.509 certificate file in the specified path ${PG_TLS_CA_FILE} does not exist" + fi + if [[ -n "${PG_TLS_CRL_FILE}" ]] && [[ ! -f "${PG_TLS_CRL_FILE}" ]]; then + print_validation_error "The CRL file in the specified path ${PG_TLS_CRL_FILE} does not exist" + fi + if ! is_yes_no_value "${PG_TLS_PREFER_SERVER_CIPHERS}"; then + print_validation_error "The values allowed for PG_TLS_PREFER_SERVER_CIPHERS are: yes or no" + fi + fi + [[ "$error_code" -eq 0 ]] || exit "$error_code" } # 更改默认监听地址为 "*" 或 "0.0.0.0",以对容器外提供服务;默认配置文件应当为仅监听 localhost(127.0.0.1) -app_enable_remote_connections() { +postgresql_enable_remote_connections() { LOG_I "Modify default config to enable all IP access" + postgresql_conf_set "listen_addresses" "*" } # 以后台方式启动应用服务,并等待启动就绪 -app_start_server_bg() { - is_app_server_running && return +postgresql_start_server_bg() { + postgresql_is_server_running && return + LOG_I "Starting ${APP_NAME} in background..." # -w wait until operation completes (default) # -W don't wait until operation completes @@ -456,21 +483,20 @@ app_start_server_bg() { # --config-file 指定配置文件 # --external_pid_file 指定 PID 文件,在配置文件中已定义 # --hba_file 指定 HBA 文件,在配置文件中已定义 - local -r pg_ctl_flags=("-W" "-D" "${PGDATA}" "-o" "--config-file=${PG_CONF_FILE} --external_pid_file=${PG_PID_FILE} --hba_file=${PG_HBA_FILE}") - LOG_I "Starting ${APP_NAME} in background..." - local pg_ctl_cmd=(pg_ctl) + local -r pg_ctl_flags=("-w" "-D" "${PG_DATA_DIR}" "-l" "${PG_LOG_FILE}" "-o" "--config-file=${PG_CONF_FILE} --external_pid_file=${PG_EXT_PID_FILE} --hba_file=${PG_HBA_FILE}") + local pg_ctl_cmd=("${APP_HOME_DIR}/bin/pg_ctl") if is_boolean_yes "${ENV_DEBUG}"; then "${pg_ctl_cmd[@]}" "start" "${pg_ctl_flags[@]}" else "${pg_ctl_cmd[@]}" "start" "${pg_ctl_flags[@]}" "-s" >/dev/null 2>&1 fi - local -r check_args=("-h" "localhost" "-p" "${PG_PORT_NUMBER}" "-U" "postgres") - local check_cmd=(pg_isready) + local -r check_args=("-U" "postgres") + local check_cmd=("${APP_HOME_DIR}/bin/pg_isready") local counter=${PG_INIT_MAX_TIMEOUT} # 通过命令或特定端口检测应用是否就绪 LOG_I "Checking ${APP_NAME} ready status..." - while ! PGPASSWORD=${PG_PASSWORD} "${check_cmd[@]}" "${check_args[@]}" "-q" >/dev/null 2>&1; do + while ! "${check_cmd[@]}" "${check_args[@]}" "-q" >/dev/null 2>&1; do sleep 1 counter=$(( counter - 1 )) if (( counter <= 0 )); then @@ -483,27 +509,27 @@ app_start_server_bg() { } # 停止应用服务 -app_stop_server_bg() { - if is_app_server_running ; then +postgresql_stop_server() { + if postgresql_is_server_running ; then LOG_I "Stopping background ${APP_NAME}..." if is_boolean_yes "${ENV_DEBUG}"; then - PGUSER="${PG_USERNAME}" pg_ctl -D "${PGDATA}" -m fast -w stop "-s" + PGUSER="postgres" pg_ctl -D "${PG_DATA_DIR}" -m fast -w stop "-s" else - PGUSER="${PG_USERNAME}" pg_ctl -D "${PGDATA}" -m fast -w stop "-s" >/dev/null 2>&1 + PGUSER="postgres" pg_ctl -D "${PG_DATA_DIR}" -m fast -w stop "-s" >/dev/null 2>&1 fi fi # 使用 PID 文件 kill 进程 - #stop_service_using_pid "${PG_PID_FILE}" + #stop_service_using_pid "${PG_EXT_PID_FILE}" } # 检测应用服务是否在后台运行中 -is_app_server_running() { +postgresql_is_server_running() { LOG_D "Check if ${APP_NAME} is running..." local pid - pid="$(get_pid_from_file "${PG_PID_FILE}")" + pid="$(get_pid_from_file "${PG_EXT_PID_FILE}")" if [[ -z "${pid}" ]]; then false @@ -512,67 +538,56 @@ is_app_server_running() { fi } -# 清理初始化应用时生成的临时文件 -app_clean_tmp_file() { - LOG_D "Clean ${APP_NAME} tmp files for init..." +# 清理数据文件 +postgresql_clean_data() { + LOG_D "Clean ${APP_NAME} data files..." - rm -rf "${PG_LOG_FILE}" "${PG_PID_FILE}" "${PGDATA}/standby.signal" "${PGDATA}/recovery.signal" + rm -rf "${PG_DATA_DIR}/*" "${APP_DATA_DIR}/.data_init_flag" } # 在重新启动容器时,删除标志文件及必须删除的临时文件 (容器重新启动) -app_clean_from_restart() { +postgresql_clean_from_restart() { LOG_D "Clean ${APP_NAME} tmp files for restart..." + local -r -a files=( - "${PGDATA}/postmaster.pid" - "${PGDATA}/standby.signal" - "${PGDATA}/recovery.signal" + "${PG_DATA_DIR}/postmaster.pid" + "${PG_DATA_DIR}/standby.signal" + "${PG_DATA_DIR}/recovery.signal" + "${PG_EXT_PID_FILE}" ) - for file in ${files[@]}; do + for file in "${files[@]}"; do if [[ -f "$file" ]]; then - LOG_I "Cleaning stale $file file" - rm "$file" + LOG_I "Remove file: $file" + rm -rf "$file" fi done } +# 清空数据库及配置文件 +postgresql_reset() { + LOG_I "Clean all configuration and database files..." + rm -rf "${PG_DATA_DIR}/*" + rm -rf "${APP_DATA_DIR}/.data_init_flag" "${APP_DATA_DIR}/.custom_preinit_flag" "${APP_DATA_DIR}/.custom_init_flag" + rm -rf "${APP_CONF_DIR}/*" + rm -rf "${APP_CONF_DIR}/.app_init_flag" +} + # 应用默认初始化操作 # 执行完毕后,生成文件 ${APP_CONF_DIR}/.app_init_flag 及 ${APP_DATA_DIR}/.data_init_flag 文件 -app_default_init() { - app_clean_from_restart - LOG_D "Check init status of ${APP_NAME}..." +postgresql_default_init() { + LOG_D "Check default init status of ${APP_NAME}..." + postgresql_clean_from_restart - if [[ ! -f "${APP_DATA_DIR}/.data_init_flag" ]]; then - if [[ "${PG_REPLICATION_MODE}" = "master" ]]; then - postgresql_master_init_db - else - postgresql_slave_init_db - fi - fi - - # 检测配置文件是否存在 - if [[ ! -f "${APP_CONF_DIR}/.app_init_flag" ]]; then - LOG_I "No injected configuration file found, creating default config files..." - postgresql_default_postgresql_config - postgresql_default_hba_config - - if [[ "${PG_REPLICATION_MODE}" = "master" ]]; then - [[ -n "${PG_REPLICATION_USER}" ]] && postgresql_add_replication_to_pghba - else - postgresql_configure_recovery - fi - - touch "${APP_CONF_DIR}/.app_init_flag" - echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_CONF_DIR}/.app_init_flag" - else - LOG_I "User injected custom configuration detected!" - fi - - if [[ ! -f "${APP_DATA_DIR}/.data_init_flag" ]]; then + if is_dir_empty "${PG_DATA_DIR}"; then LOG_I "Deploying ${APP_NAME} from scratch..." - if [[ "${PG_REPLICATION_MODE}" = "master" ]]; then - # 检测服务是否运行中如果未运行,则启动后台服务 - is_app_server_running || app_start_server_bg + [ ! -e "${PG_HBA_FILE}" ] && postgresql_default_hba_config && postgresql_hba_allow_local_connection + [ ! -e "${PG_CONF_FILE}" ] && postgresql_default_postgresql_config + + if [[ "${PG_REPLICATION_MODE}" = "primary" ]]; then + postgresql_primary_init_db + + postgresql_start_server_bg [[ "${PG_DATABASE}" != "postgres" ]] && postgresql_create_custom_database # 为数据库授权;默认用户不为 postgres 时,需要创建管理员账户 @@ -580,25 +595,60 @@ app_default_init() { if [[ "${PG_USERNAME}" = "postgres" ]]; then [[ -n "${PG_PASSWORD}" ]] && postgresql_alter_postgres_user "${PG_PASSWORD}" else - if [[ -n "${PG_POSTGRES_PASSWORD}" ]]; then - postgresql_alter_postgres_user "${PG_POSTGRES_PASSWORD}" - fi + [[ -n "${PG_POSTGRES_PASSWORD}" ]] && postgresql_alter_postgres_user "${PG_POSTGRES_PASSWORD}" postgresql_create_admin_user fi [[ -n "${PG_REPLICATION_USER}" ]] && postgresql_create_replication_user + else + postgresql_standby_init_db fi - - touch ${APP_DATA_DIR}/.data_init_flag - echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> ${APP_DATA_DIR}/.data_init_flag else LOG_I "Deploying ${APP_NAME} with persisted data..." + export PG_FIRST_BOOT="no" fi + + # 检测配置文件是否存在 + if [[ ! -f "${APP_CONF_DIR}/.app_init_flag" ]]; then + LOG_I "Deploying postgresql with new configuration" + postgresql_default_postgresql_config + postgresql_default_hba_config + postgresql_hba_allow_local_connection + + if [[ "${PG_REPLICATION_MODE}" = "primary" ]]; then + [[ -n "${PG_REPLICATION_USER}" ]] && postgresql_hba_allow_replication_connection + else + postgresql_configure_recovery + fi + + if is_boolean_yes "${PG_ENABLE_TLS}" ; then + postgresql_configure_tls + [[ -n "${PG_TLS_CA_FILE}" ]] && postgresql_hba_allow_tls_connection + fi + + postgresql_configure_logging + postgresql_configure_connections + + touch "${APP_CONF_DIR}/.app_init_flag" + echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_CONF_DIR}/.app_init_flag" + else + LOG_I "Deploying postgresql with persisted configuration" + fi + + if [[ ! -f "${APP_DATA_DIR}/.data_init_flag" ]]; then + touch ${APP_DATA_DIR}/.data_init_flag + echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> ${APP_DATA_DIR}/.data_init_flag + fi + + postgresql_restrict_hba_config + + # 删除第一次运行时生成的默认配置文件 + rm -f "${PG_DATA_DIR}"/postgresql.conf "${PG_DATA_DIR}"/pg_hba.conf } # 用户自定义的前置初始化操作,依次执行目录 preinitdb.d 中的初始化脚本 # 执行完毕后,生成文件 ${APP_DATA_DIR}/.custom_preinit_flag -app_custom_preinit() { - LOG_D "Check custom pre-init status of ${APP_NAME}..." +postgresql_custom_preinit() { + LOG_I "Check custom pre-init status of ${APP_NAME}..." # 检测用户配置文件目录是否存在 preinitdb.d 文件夹,如果存在,尝试执行目录中的初始化脚本 if [ -d "/srv/conf/${APP_NAME}/preinitdb.d" ]; then @@ -626,8 +676,8 @@ app_custom_preinit() { # 用户自定义的应用初始化操作,依次执行目录initdb.d中的初始化脚本 # 执行完毕后,生成文件 ${APP_DATA_DIR}/.custom_init_flag -app_custom_init() { - LOG_D "Check custom init status of ${APP_NAME}..." +postgresql_custom_init() { + LOG_I "Check custom initdb status of ${APP_NAME}..." # 检测用户配置文件目录是否存在 initdb.d 文件夹,如果存在,尝试执行目录中的初始化脚本 if [ -d "/srv/conf/${APP_NAME}/initdb.d" ]; then @@ -636,8 +686,8 @@ app_custom_init() { [[ ! -f "${APP_DATA_DIR}/.custom_init_flag" ]]; then LOG_I "Process custom init scripts from /srv/conf/${APP_NAME}/initdb.d..." - # 检测服务是否运行中;如果未运行,则启动后台服务 - is_app_server_running || app_start_server_bg + # 启动后台服务 + postgresql_start_server_bg # 检索所有可执行脚本,排序后执行 find "/srv/conf/${APP_NAME}/initdb.d/" -type f -regex ".*\.\(sh\|sql\|sql.gz\)" | sort | while read -r f; do @@ -649,9 +699,16 @@ app_custom_init() { LOG_D "Sourcing $f"; . "$f" fi ;; - *.sql) LOG_D "Executing $f"; postgresql_execute "$PG_DATABASE" "$PG_INITSCRIPTS_USERNAME" "$PG_INITSCRIPTS_PASSWORD" < "$f";; - *.sql.gz) LOG_D "Executing $f"; gunzip -c "$f" | postgresql_execute "$PG_DATABASE" "$PG_INITSCRIPTS_USERNAME" "$PG_INITSCRIPTS_PASSWORD";; - *) LOG_D "Ignoring $f" ;; + *.sql) + LOG_D "Executing $f"; + postgresql_execute "${PG_DATABASE}" "${PG_INITSCRIPTS_USERNAME}" "${PG_INITSCRIPTS_PASSWORD}" < "$f" + ;; + *.sql.gz) + LOG_D "Executing $f"; + gunzip -c "$f" | postgresql_execute "${PG_DATABASE}" "${PG_INITSCRIPTS_USERNAME}" "${PG_INITSCRIPTS_PASSWORD}" + ;; + *) + LOG_D "Ignoring $f" ;; esac done @@ -662,29 +719,11 @@ app_custom_init() { LOG_I "Custom init for ${APP_NAME} already done before, skipping initialization." fi fi - - # 检测服务是否运行中;如果运行,则停止后台服务 - app_stop_server_bg - - # 删除第一次运行生成的临时文件 - app_clean_tmp_file - - # 如果设置了用户密码,启用 md5 加密的密码认证 - postgresql_restrict_hba_config - - # 绑定所有 IP ,启用远程访问 - app_enable_remote_connections } # 初始化 Master 节点数据库 -postgresql_master_init_db() { - if ! is_dir_empty "${PGDATA}"; then - LOG_E "Directory ${PGDATA} exists but is not empty," - LOG_E "If you want to create a new database system, either remove or empty" - LOG_E "the directory ${PGDATA}, or run initdb" - LOG_E "with an argument other than ${PGDATA}." - exit 1 - fi +postgresql_primary_init_db() { + LOG_I "Initializing PostgreSQL database" postgresql_enable_nss_wrapper @@ -694,47 +733,47 @@ postgresql_master_init_db() { read -r -a envExtraFlags <<< "${PG_INITDB_ARGS}" initdb_args+=("${envExtraFlags[@]}") fi - #initdb+=("-o" "--config-file=${PG_CONF_FILE} --external_pid_file=${PG_PID_FILE} --hba_file=${PG_HBA_FILE}") - initdb_args+=("--waldir=${PG_INITDB_WAL_DIR}") + #initdb+=("-o" "--config-file=${PG_CONF_FILE} --external_pid_file=${PG_EXT_PID_FILE} --hba_file=${PG_HBA_FILE}") + if [[ -n "${PG_INITDB_WAL_DIR:-}" ]]; then + initdb_args+=("--waldir=${PG_INITDB_WAL_DIR}") + fi - local initdb_cmd=(initdb) - - LOG_I "Initializing PostgreSQL database" + local initdb_cmd=("${APP_HOME_DIR}/bin/initdb") if [[ -n "${initdb_args[*]}" ]]; then LOG_I "extra initdb arguments: ${initdb_args[*]}" fi if is_boolean_yes "${ENV_DEBUG}"; then - "${initdb_cmd[@]}" -E UTF8 -D "${PGDATA}" -U "postgres" "${initdb_args[@]}" + "${initdb_cmd[@]}" -E UTF8 -D "${PG_DATA_DIR}" -U "postgres" "${initdb_args[@]}" else - "${initdb_cmd[@]}" -E UTF8 -D "${PGDATA}" -U "postgres" "${initdb_args[@]}" >/dev/null 2>&1 + "${initdb_cmd[@]}" -E UTF8 -D "${PG_DATA_DIR}" -U "postgres" "${initdb_args[@]}" >/dev/null 2>&1 fi postgresql_disable_nss_wrapper } # 初始化 Slave 节点数据库 -postgresql_slave_init_db() { - LOG_I "Waiting for replication master to accept connections (${PG_INIT_MAX_TIMEOUT} seconds)..." - local -r check_args=("-U" "${PG_REPLICATION_USER}" "-h" "${PG_MASTER_HOST}" "-p" "${PG_MASTER_PORT_NUMBER}" "-d" "${PG_DATABASE}") - local check_cmd=(pg_isready) +postgresql_standby_init_db() { + LOG_I "Waiting for replication primary to accept connections (${PG_INIT_MAX_TIMEOUT} seconds)..." + local -r check_args=("-U" "${PG_REPLICATION_USER}" "-h" "${PG_PRIMARY_HOST}" "-p" "${PG_PRIMARY_PORT}" "-d" "${PG_DATABASE}") + local check_cmd=("${APP_HOME_DIR}/bin/pg_isready") local ready_counter=${PG_INIT_MAX_TIMEOUT} while ! PGPASSWORD=${PG_REPLICATION_PASSWORD} "${check_cmd[@]}" "${check_args[@]}" >/dev/null 2>&1;do sleep 1 ready_counter=$(( ready_counter - 1 )) if (( ready_counter <= 0 )); then - LOG_E "PostgreSQL master is not ready after ${PG_INIT_MAX_TIMEOUT} seconds" + LOG_E "PostgreSQL primary is not ready after ${PG_INIT_MAX_TIMEOUT} seconds" exit 1 fi done - LOG_I "Replicating the database from node master..." - #local -r backup_args=("-D" "$PGDATA" -d "hostaddr=$PG_MASTER_HOST port=$PG_MASTER_PORT_NUMBER user=$PG_REPLICATION_USER password=$PG_REPLICATION_PASSWORD" -v -Fp -Xs - local -r backup_args=("-D" "${PGDATA}" "-U" "${PG_REPLICATION_USER}" "-h" "${PG_MASTER_HOST}" "-p" "${PG_MASTER_PORT_NUMBER}" "-X" "stream" "-w" "-v" "-P") - local backup_cmd=(pg_basebackup) - local replication_counter=$PG_INIT_MAX_TIMEOUT + LOG_I "Replicating the database from node primary..." + #local -r backup_args=("-D" "$PG_DATA_DIR" -d "hostaddr=$PG_PRIMARY_HOST port=$PG_PRIMARY_PORT user=$PG_REPLICATION_USER password=$PG_REPLICATION_PASSWORD" -v -Fp -Xs + local -r backup_args=("-D" "${PG_DATA_DIR}" "-U" "${PG_REPLICATION_USER}" "-h" "${PG_PRIMARY_HOST}" "-p" "${PG_PRIMARY_PORT}" "-X" "stream" "-w" "-v" "-P") + local backup_cmd=("${APP_HOME_DIR}/bin/pg_basebackup") + local replication_counter=${PG_INIT_MAX_TIMEOUT} while ! PGPASSWORD=${PG_REPLICATION_PASSWORD} "${backup_cmd[@]}" "${backup_args[@]}";do LOG_D "Backup command failed. Sleeping and trying again" diff --git a/customer/usr/local/bin/entry.sh b/customer/usr/local/bin/entry.sh index b306dfc..6d4f9b9 100755 --- a/customer/usr/local/bin/entry.sh +++ b/customer/usr/local/bin/entry.sh @@ -8,9 +8,10 @@ set -eu set -o pipefail -. /usr/local/bin/appcommon.sh # 应用专用函数库 +. /usr/local/bin/comm-${APP_NAME}.sh # 应用专用函数库 + +. /usr/local/bin/comm-env.sh # 设置环境变量 -eval "$(app_env)" LOG_I "** Processing entry.sh **" if ! is_sourced; then diff --git a/customer/usr/local/bin/init.sh b/customer/usr/local/bin/init.sh index 727d9fa..937c4cd 100755 --- a/customer/usr/local/bin/init.sh +++ b/customer/usr/local/bin/init.sh @@ -8,18 +8,25 @@ set -eu set -o pipefail -. /usr/local/bin/appcommon.sh # 应用专用函数库 +. /usr/local/bin/comm-${APP_NAME}.sh # 应用专用函数库 + +. /usr/local/bin/comm-env.sh # 设置环境变量 -eval "$(app_env)" LOG_I "** Processing init.sh **" +trap "postgresql_stop_server" EXIT + # 执行应用预初始化操作 -app_custom_preinit +${APP_NAME}_custom_preinit # 执行应用初始化操作 -app_default_init +${APP_NAME}_default_init # 执行用户自定义初始化脚本 -app_custom_init +${APP_NAME}_custom_init + +# 绑定所有 IP 及 指定端口 ,启用远程访问 +postgresql_enable_remote_connections +postgresql_conf_set "port" "${PG_PORT_NUMBER}" LOG_I "** Processing init.sh finished! **" diff --git a/customer/usr/local/bin/run.sh b/customer/usr/local/bin/run.sh index 7f2c095..bdb6ea8 100755 --- a/customer/usr/local/bin/run.sh +++ b/customer/usr/local/bin/run.sh @@ -8,18 +8,20 @@ set -eu set -o pipefail -. /usr/local/bin/appcommon.sh # 应用专用函数库 +. /usr/local/bin/comm-${APP_NAME}.sh # 应用专用函数库 + +. /usr/local/bin/comm-env.sh # 设置环境变量 -eval "$(app_env)" LOG_I "** Processing run.sh **" -flags=("${APP_CONF_FILE:-}") +flags=("-D" "/srv/data/${APP_NAME}/data") [[ -z "${APP_EXTRA_FLAGS:-}" ]] || flags=("${flags[@]}" "${APP_EXTRA_FLAGS[@]}") -START_COMMAND=("${APP_EXEC}" "${flags[@]}") +START_COMMAND=("${APP_EXEC}") LOG_I "** Starting ${APP_NAME} **" if is_root; then - exec gosu "${APP_USER}" tini -s -- "${START_COMMAND[@]}" + exec gosu "${APP_USER}" tini -s -- "${START_COMMAND[@]}" "${flags[@]}" else - exec tini -s -- "${START_COMMAND[@]}" + exec tini -s -- "${START_COMMAND[@]}" "${flags[@]}" fi + diff --git a/customer/usr/local/bin/setup.sh b/customer/usr/local/bin/setup.sh index e8e73ce..8b51233 100755 --- a/customer/usr/local/bin/setup.sh +++ b/customer/usr/local/bin/setup.sh @@ -8,34 +8,38 @@ set -eu set -o pipefail -. /usr/local/bin/appcommon.sh # 应用专用函数库 +. /usr/local/bin/comm-${APP_NAME}.sh # 应用专用函数库 + +. /usr/local/bin/comm-env.sh # 设置环境变量 -eval "$(app_env)" LOG_I "** Processing setup.sh **" APP_DIRS="${APP_CONF_DIR:-} ${APP_DATA_DIR:-} ${APP_LOG_DIR:-} ${APP_CERT_DIR:-} ${APP_DATA_LOG_DIR:-}" -APP_DIRS="${APP_DIRS} ${PGDATA}" +APP_DIRS="${APP_DIRS} ${PG_DATA_DIR:-} ${PG_INITDB_WAL_DIR:-}" +LOG_I "Ensure directory exists: ${APP_DIRS}" for dir in ${APP_DIRS}; do ensure_dir_exists ${dir} done -app_verify_minimum_env +${APP_NAME}_verify_minimum_env # 检测指定文件是否在配置文件存储目录存在,如果不存在则拷贝(新挂载数据卷、手动删除都会导致不存在) -LOG_I "Check config files in: ${APP_CONF_DIR}" -if [[ ! -z "$(ls -A "${APP_DEF_DIR}")" ]]; then +# PG 将使用默认模板生成配置文件,并放置在PGDATA目录 +#LOG_I "Check config files in: ${APP_CONF_DIR}" +#if [[ ! -z "$(ls -A "${APP_DEF_DIR}")" ]]; then # ensure_config_file_exist "${APP_DEF_DIR}" $(ls -A "${APP_DEF_DIR}") - : -fi +# : +#fi +LOG_I "Ensure directory ownership: ${APP_USER}" for dir in ${APP_DIRS}; do configure_permissions_ownership "$dir" -u "${APP_USER}" -g "${APP_USER}" done # 解决 PostgreSQL 目录权限过于开放,无法初始化问题:FATAL: data directory "/srv/data/postgresql" has group or world access -LOG_D "Lack of permissions on data directory: ${PGDATA}" -chmod 0700 ${PGDATA} +LOG_D "Lack of permissions on data directory: ${PG_DATA_DIR}" +chmod 0700 ${PG_DATA_DIR} # 解决使用gosu后,nginx: [emerg] open() "/dev/stdout" failed (13: Permission denied) LOG_D "Change permissions of stdout/stderr to 0622" diff --git a/customer/usr/local/overrides/overrides-12.4.sh b/customer/usr/local/overrides/overrides-12.4.sh index eebd74e..c5b6e9e 100644 --- a/customer/usr/local/overrides/overrides-12.4.sh +++ b/customer/usr/local/overrides/overrides-12.4.sh @@ -1,6 +1,6 @@ #!/bin/bash -ex -POSTGRESQL_CONF="${APP_HOME_DIR}/share/${APP_NAME}/postgresql.conf.sample" +POSTGRESQL_CONF="${APP_HOME_DIR}/share/postgresql.conf.sample" # 在安装完应用后,使用该脚本修改默认配置文件中部分配置项 # 如果相应的配置项已经定义整体环境变量,则不需要在这里修改 @@ -10,23 +10,23 @@ echo "Process overrides for default configs..." # 设置默认监听地址为 localhost ,防止初始化操作期间外部链接,在容器初始化完成后修改为监听所有地址 sed -i -E "s/^#?(listen_addresses) .*/\1 = 'localhost'/g" ${POSTGRESQL_CONF} -sed -i -E "s/^data_directory .*/data_directory = '\/srv\/data\/${APP_NAME}\/data'/g" ${POSTGRESQL_CONF} -sed -i -E "s/^hba_file .*/hba_file = '\/srv\/data\/${APP_NAME}\/data\/pg_hba.conf'/g" ${POSTGRESQL_CONF} -sed -i -E "s/^ident_file .*/ident_file = '\/srv\/data\/${APP_NAME}\/data\/pg_ident.conf'/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#external_pid_file .*/external_pid_file = '\/var\/run\/${APP_NAME}\/postgresql.pid'/g" ${POSTGRESQL_CONF} -sed -i -E "s/^max_connections .*/max_connections = 2000/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#password_encryption .*/password_encryption = md5/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?data_directory .*/data_directory = '\/srv\/data\/${APP_NAME}\/data'/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?hba_file .*/hba_file = '\/srv\/conf\/${APP_NAME}\/pg_hba.conf'/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?ident_file .*/ident_file = '\/srv\/data\/${APP_NAME}\/data\/pg_ident.conf'/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?external_pid_file .*/external_pid_file = '\/var\/run\/${APP_NAME}\/postgresql.pid'/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?max_connections .*/max_connections = 2000/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?password_encryption .*/password_encryption = md5/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#log_destination .*/log_destination = 'stderr'/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#logging_collector .*/logging_collector = on/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#log_directory .*/log_directory = '\/var\/log\/${APP_NAME}'/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#log_filename .*/log_filename = 'postgresql-\%Y-\%m-\%d_\%H\%M\%S.log'/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#log_truncate_on_rotation .*/log_truncate_on_rotation = on/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#log_rotation_age .*/log_rotation_age = 1d/g" ${POSTGRESQL_CONF} -sed -i -E "s/^#log_rotation_size .*/log_rotation_size = 0/g" ${POSTGRESQL_CONF} -sed -i -E "s/^log_timezone .*/log_timezone = 'Asia\/Shanghai'/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?log_destination .*/log_destination = 'stderr'/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?logging_collector .*/logging_collector = on/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?log_directory .*/log_directory = '\/var\/log\/${APP_NAME}'/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?log_filename .*/log_filename = 'postgresql-\%Y-\%m-\%d_\%H\%M\%S.log'/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?log_truncate_on_rotation .*/log_truncate_on_rotation = on/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?log_rotation_age .*/log_rotation_age = 1d/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?log_rotation_size .*/log_rotation_size = 0/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#?log_timezone .*/log_timezone = 'Asia\/Shanghai'/g" ${POSTGRESQL_CONF} -#sed -i -E "s/^#include_dir .*/include_dir = 'conf\.d'/g" ${POSTGRESQL_CONF} +#sed -i -E "s/^#?include_dir .*/include_dir = 'conf\.d'/g" ${POSTGRESQL_CONF} # 修改 unix_socket_directories 与 PID 文件同目录,解决修改 PID 输出目录后 psql 不指定`-h`时 Unix Socket 无法找到问题: # psql: could not connect to server: No such file or directory diff --git a/customer/usr/sbin/create_user b/customer/usr/sbin/create_user index 687f070..08a4659 100755 --- a/customer/usr/sbin/create_user +++ b/customer/usr/sbin/create_user @@ -2,8 +2,8 @@ # shell 执行参数,分别为 -e(命令执行错误则退出脚本) -u(变量未定义则报错) -x(打印实际待执行的命令行) set -eux groupadd --gid 998 --system ${APP_USER} -useradd --gid 998 --uid 999 --shell /bin/bash --home ${APP_DATA_DIR} --system ${APP_USER} -#useradd --gid 998 --uid 999 --shell /usr/sbin/nologin --home ${APP_DATA_DIR} --system ${APP_USER} +useradd --gid 998 --uid 999 --shell /bin/bash --home /srv/data/${APP_NAME} --system ${APP_USER} +#useradd --gid 998 --uid 999 --shell /usr/sbin/nologin --home /srv/data/${APP_NAME} --system ${APP_USER} # 如果需要 sudo 权限,需要安装 su 软件包:apk add sudo #sed -i -e 's/^\sDefaults\s*secure_path\s*=/# Defaults secure_path=/' /etc/sudoers diff --git a/customer/usr/sbin/prepare_env b/customer/usr/sbin/prepare_env index cb7b34b..05ce3b1 100755 --- a/customer/usr/sbin/prepare_env +++ b/customer/usr/sbin/prepare_env @@ -2,7 +2,16 @@ # shell 执行参数,分别为 -e(命令执行错误则退出脚本) -u(变量未定义则报错) -x(打印实际待执行的命令行) set -eux -APP_DIRS="${APP_DEF_DIR:-} ${APP_CONF_DIR:-} ${APP_DATA_DIR:-} ${APP_DATA_LOG_DIR:-} ${APP_CACHE_DIR:-} ${APP_RUN_DIR:-} ${APP_LOG_DIR:-} ${APP_CERT_DIR:-} ${APP_HOME_DIR:-}" +APP_DIRS=" \ + /usr/local/${APP_NAME} \ + /etc/${APP_NAME} \ + /srv/conf/${APP_NAME} \ + /srv/data/${APP_NAME} \ + /srv/datalog/${APP_NAME} \ + /var/cache/${APP_NAME} \ + /var/run/${APP_NAME} \ + /var/log/${APP_NAME} \ + /srv/cert/${APP_NAME}" mkdir -p ${APP_DIRS} chown -Rf ${APP_USER}:${APP_USER} ${APP_DIRS}; diff --git a/docker-compose.yml b/docker-compose.yml index f9046e9..ebb5157 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -4,16 +4,13 @@ version: '3.8' # 更多配置参数请参考镜像 README.md 文档中说明 services: postgres: - image: 'colovu/postgres:latest' + image: 'colovu/postgres' ports: - - '5432:5432' - volumes: - - 'app_conf:/srv/conf' - - 'app_data:/srv/data' - - 'app_datalog:/srv/datalog' + - 5432:5432 environment: # ALLOW_ANONYMOUS_LOGIN is recommended only for development. - ALLOW_ANONYMOUS_LOGIN=yes + - ENV_DEBUG=yes # 定义本地数据卷,由系统管理,需要手动删除 volumes: @@ -21,5 +18,5 @@ volumes: driver: local app_data: driver: local - app_datalog: + var_log: driver: local