From b69247bc64ade7e6b02988bf7074ff6c20191fc8 Mon Sep 17 00:00:00 2001 From: Endial Fang Date: Sun, 13 Sep 2020 20:38:28 +0800 Subject: [PATCH] =?UTF-8?q?[feat:12]=E5=A2=9E=E5=8A=A0Alpine=E7=B3=BB?= =?UTF-8?q?=E7=BB=9F=E7=89=88=E6=9C=AC=E7=9A=84Dockerfile=EF=BC=9B?= =?UTF-8?q?=E4=BD=BF=E7=94=A8=E6=96=B0=E7=9A=84=E9=95=9C=E5=83=8F=E7=BC=96?= =?UTF-8?q?=E8=AF=91=E6=96=B9=E5=BC=8F?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- alpine/Dockerfile | 172 ++++ alpine/customer/usr/local/bin/appcommon.sh | 749 ++++++++++++++++++ alpine/customer/usr/local/bin/entry.sh | 36 + alpine/customer/usr/local/bin/init.sh | 25 + alpine/customer/usr/local/bin/run.sh | 25 + alpine/customer/usr/local/bin/setup.sh | 44 + .../usr/local/overrides/overrides-12.4.sh | 35 + alpine/customer/usr/sbin/create_user | 10 + alpine/customer/usr/sbin/prepare_env | 8 + 9 files changed, 1104 insertions(+) create mode 100644 alpine/Dockerfile create mode 100644 alpine/customer/usr/local/bin/appcommon.sh create mode 100755 alpine/customer/usr/local/bin/entry.sh create mode 100755 alpine/customer/usr/local/bin/init.sh create mode 100755 alpine/customer/usr/local/bin/run.sh create mode 100755 alpine/customer/usr/local/bin/setup.sh create mode 100644 alpine/customer/usr/local/overrides/overrides-12.4.sh create mode 100755 alpine/customer/usr/sbin/create_user create mode 100755 alpine/customer/usr/sbin/prepare_env diff --git a/alpine/Dockerfile b/alpine/Dockerfile new file mode 100644 index 0000000..6e6335c --- /dev/null +++ b/alpine/Dockerfile @@ -0,0 +1,172 @@ +# Ver: 1.2 by Endial Fang (endial@126.com) +# + +# 预处理 ========================================================================= +FROM colovu/abuilder as builder + +# sources.list 可使用版本:default / tencent / ustc / aliyun / huawei +ARG apt_source=default + +# 编译镜像时指定用于加速的本地服务器地址 +ARG local_url="" + +ENV APP_NAME=postgresql \ + APP_VERSION=12.4 + +WORKDIR /usr/local + +RUN select_source ${apt_source}; +RUN install_pkg bison coreutils flex libedit-dev libxml2-dev libxslt-dev util-linux-dev zlib-dev icu-dev \ +# configure: error: prove not found + perl-utils \ +# configure: error: Perl module IPC::Run is required to run TAP tests + perl-ipc-run + +# 下载并解压软件包 +RUN set -eux; \ + appName="${APP_NAME}-${APP_VERSION}.tar.bz2"; \ + sha256="bee93fbe2c32f59419cb162bcc0145c58da9a8644ee154a30b9a5ce47de606cc"; \ + [ ! -z ${local_url} ] && localURL=${local_url}/${APP_NAME}; \ + appUrls="${localURL:-} \ + https://ftp.postgresql.org/pub/source/v${APP_VERSION} \ + "; \ + download_pkg unpack ${appName} "${appUrls}" -s "${sha256}"; + +# 源码编译软件包 +RUN set -eux; \ +# 源码编译方式安装: 编译后将原始配置文件拷贝至 ${APP_DEF_DIR} 中 + APP_SRC="/usr/local/${APP_NAME}-${APP_VERSION}"; \ + mkdir -p /usr/local/${APP_NAME}/bin /usr/local/${APP_NAME}/lib; \ + cd ${APP_SRC}; \ + \ +# update "DEFAULT_PGSOCKET_DIR" to "/var/run/postgresql" (matching Debian) +# see https://anonscm.debian.org/git/pkg-postgresql/postgresql.git/tree/debian/patches/51-default-sockets-in-var.patch?id=8b539fcb3e093a521c095e70bdfa76887217b89f + awk '$1 == "#define" && $2 == "DEFAULT_PGSOCKET_DIR" && $3 == "\"/tmp\"" { $3 = "\"/var/run/postgresql\""; print; next } { print }' src/include/pg_config_manual.h > src/include/pg_config_manual.h.new; \ + grep '/var/run/postgresql' src/include/pg_config_manual.h.new; \ + mv src/include/pg_config_manual.h.new src/include/pg_config_manual.h; \ + gnuArch="$(dpkg-architecture --query DEB_BUILD_GNU_TYPE)"; \ +# explicitly update autoconf config.guess and config.sub so they support more arches/libcs + wget -O config/config.guess 'https://git.savannah.gnu.org/cgit/config.git/plain/config.guess?id=7d3d27baf8107b630586c962c057e22149653deb'; \ + wget -O config/config.sub 'https://git.savannah.gnu.org/cgit/config.git/plain/config.sub?id=7d3d27baf8107b630586c962c057e22149653deb'; \ + \ +# configure options taken from: +# https://anonscm.debian.org/cgit/pkg-postgresql/postgresql.git/tree/debian/rules?h=9.5 + ./configure \ + --prefix=/usr/local/${APP_NAME} \ + --build="$gnuArch" \ + --enable-integer-datetimes \ + --enable-thread-safety \ + --enable-tap-tests \ + --disable-rpath \ + --with-uuid=e2fs \ + --with-gnu-ld \ + --with-pgport=5432 \ + --with-system-tzdata=/usr/share/zoneinfo \ + --prefix=/usr/local \ + --with-includes=/usr/local/include \ + --with-libraries=/usr/local/lib \ + --with-openssl \ + --with-libxml \ + --with-libxslt \ + --with-icu \ +# "/usr/src/postgresql/src/backend/access/common/tupconvert.c:105: undefined reference to `libintl_gettext'" +# --enable-nls \ +# these make our image abnormally large (at least 100MB larger), which seems uncouth for an "Alpine" (ie, "small") variant :) +# --enable-debug \ +# --with-krb5 \ +# --with-gssapi \ +# --with-ldap \ +# --with-tcl \ +# --with-perl \ +# --with-python \ +# --with-pam \ + ; \ + make PG_SYSROOT=/usr/local/${APP_NAME} -j "$(nproc)" world; \ + make PREFIX=/usr/local/${APP_NAME} install-world; \ + make PREFIX=/usr/local/${APP_NAME} -C contrib install; \ + runDeps="$( \ + scanelf --needed --nobanner --format '%n#p' --recursive /usr/local \ + | tr ',' '\n' \ + | sort -u \ + | awk 'system("[ -e /usr/local/lib/" $1 " ]") == 0 { next } { print "so:" $1 }' \ + )"; \ + echo "${runDeps}" >/usr/local/${APP_NAME}/runDeps; \ + mv /usr/local/lib/* /usr/local/${APP_NAME}/lib/; \ + mv /usr/local/bin/* /usr/local/${APP_NAME}/bin/; \ + mkdir -p /usr/local/${APP_NAME}/share; \ + mv /usr/local/share/${APP_NAME} /usr/local/${APP_NAME}/share; \ + find /usr/local -name '*.a' -delete; + + +#ENV LD_LIBRARY_PATH=/usr/local/${APP_NAME}/lib + +# 镜像生成 ======================================================================== +FROM colovu/alpine:3.12 + +ARG apt_source=default +ARG local_url="" + +ENV APP_NAME=postgresql \ + APP_USER=postgres \ + APP_EXEC=postgres \ + APP_VERSION=12.4 + +ENV APP_HOME_DIR=/usr/local/${APP_NAME} \ + APP_DEF_DIR=/etc/${APP_NAME} \ + APP_CONF_DIR=/srv/conf/${APP_NAME} \ + APP_DATA_DIR=/srv/data/${APP_NAME} \ + APP_DATA_LOG_DIR=/srv/datalog/${APP_NAME} \ + APP_CACHE_DIR=/var/cache/${APP_NAME} \ + APP_RUN_DIR=/var/run/${APP_NAME} \ + APP_LOG_DIR=/var/log/${APP_NAME} \ + APP_CERT_DIR=/srv/cert/${APP_NAME} + +ENV \ + PATH="${APP_HOME_DIR}/bin:${PATH}" \ + LD_LIBRARY_PATH=${APP_HOME_DIR}/lib + +LABEL \ + "Version"="v${APP_VERSION}" \ + "Description"="Docker image for ${APP_NAME}(v${APP_VERSION})." \ + "Dockerfile"="https://github.com/colovu/docker-${APP_NAME}" \ + "Vendor"="Endial Fang (endial@126.com)" + +COPY customer / + +# 以包管理方式安装软件包(Optional) +RUN select_source ${apt_source} +RUN install_pkg tzdata +#RUN install_pkg bash tini sudo libssl1.1 + +RUN create_user && prepare_env + +# 从预处理过程中拷贝软件包(Optional) +#COPY --from=0 /usr/local/bin/gosu-amd64 /usr/local/bin/gosu +#COPY --from=builder /usr/local/bin /usr/local/postgresql/bin +#COPY --from=builder /usr/local/lib /usr/local/lib +COPY --from=builder ${APP_HOME_DIR} ${APP_HOME_DIR} + +RUN install_pkg `cat ${APP_HOME_DIR}/runDeps`; + +# 执行预处理脚本,并验证安装的软件包 +RUN set -eux; \ + override_file="/usr/local/overrides/overrides-${APP_VERSION}.sh"; \ + [ -e "${override_file}" ] && /bin/bash "${override_file}"; \ +# cp -rf ${APP_HOME_DIR}/share/${APP_NAME} /etc/; \ +# mkdir -p ${APP_DEF_DIR}/conf.d; \ + export LD_LIBRARY_PATH=${APP_HOME_DIR}/lib; \ + gosu ${APP_USER} ${APP_EXEC} --version ; \ + :; + +# 默认提供的数据卷 +VOLUME ["/srv/conf", "/srv/data", "/srv/datalog", "/srv/cert", "/var/log"] + +# 默认使用gosu切换为新建用户启动,必须保证端口在1024之上 +EXPOSE 5432 + +# 容器初始化命令,默认存放在:/usr/local/bin/entry.sh +ENTRYPOINT ["entry.sh"] + +# 应用程序的服务命令,必须使用非守护进程方式运行。如果使用变量,则该变量必须在运行环境中存在(ENV可以获取) +CMD ["${APP_EXEC}", "-D", "${PGDATA}"] + diff --git a/alpine/customer/usr/local/bin/appcommon.sh b/alpine/customer/usr/local/bin/appcommon.sh new file mode 100644 index 0000000..34fc3a7 --- /dev/null +++ b/alpine/customer/usr/local/bin/appcommon.sh @@ -0,0 +1,749 @@ +#!/bin/bash +# Ver: 1.0 by Endial Fang (endial@126.com) +# +# 应用通用业务处理函数 + +# 加载依赖脚本 +. /usr/local/scripts/libcommon.sh # 通用函数库 + +. /usr/local/scripts/libfile.sh +. /usr/local/scripts/libfs.sh +. /usr/local/scripts/libos.sh +. /usr/local/scripts/libservice.sh +. /usr/local/scripts/libvalidations.sh + +# 函数列表 + +# 加载应用使用的环境变量初始值,该函数在相关脚本中以 eval 方式调用 +# 全局变量: +# ENV_* : 容器使用的全局变量 +# APP_* : 在镜像创建时定义的全局变量 +# *_* : 应用配置文件使用的全局变量,变量名根据配置项定义 +# 返回值: +# 可以被 'eval' 使用的序列化输出 +app_env() { + cat <<-'EOF' + # Common Settings + export ENV_DEBUG=${ENV_DEBUG:-false} + export ALLOW_ANONYMOUS_LOGIN="${ALLOW_ANONYMOUS_LOGIN:-no}" + + # Paths configuration + export PGDATA="${APP_DATA_DIR}/data" + export PG_INITDB_WAL_DIR="${PG_INITDB_WAL_DIR:-${APP_DATA_LOG_DIR}}" + + export PG_CONF_FILE="${PGDATA}/postgresql.conf" + export PG_HBA_FILE="${PGDATA}/pg_hba.conf" + export PG_IDENT_FILE="${PGDATA}/pg_ident.conf" + export PG_RECOVERY_FILE="${PGDATA}/recovery.conf" + + export PG_PID_FILE="${APP_RUN_DIR}/postgresql.pid" + export PG_LOG_FILE="${APP_LOG_DIR}/postgresql.log" + + # Cluster configuration + export PG_CLUSTER_APP_NAME=${PG_CLUSTER_APP_NAME:-cvcluster} + export PG_REPLICATION_MODE="${PG_REPLICATION_MODE:-master}" + + export PG_MASTER_HOST="${PG_MASTER_HOST:-}" + export PG_MASTER_PORT_NUMBER="${PG_MASTER_PORT_NUMBER:-5432}" + export PG_NUM_SYNCHRONOUS_REPLICAS="${PG_NUM_SYNCHRONOUS_REPLICAS:-0}" + export PG_REPLICATION_USER="${PG_REPLICATION_USER:-}" + export PG_REPLICATION_PASSWORD="${PG_REPLICATION_PASSWORD:-}" + + export PG_SYNCHRONOUS_COMMIT_MODE="${PG_SYNCHRONOUS_COMMIT_MODE:-on}" + export PG_FSYNC="${PG_FSYNC:-on}" + + # PostgreSQL settings + export PG_INIT_MAX_TIMEOUT=${PG_INIT_MAX_TIMEOUT:-60} + export PG_INITDB_ARGS="${PG_INITDB_ARGS:-}" + export PG_PORT_NUMBER="${PG_PORT_NUMBER:-5432}" + export PG_HOST_AUTH_METHOD="${PG_HOST_AUTH_METHOD:-md5}" + + # PostgreSQL TLS Settings + + # PostgreSQL LDAP Settings + export PG_ENABLE_LDAP="${PG_ENABLE_LDAP:-no}" + export PG_LDAP_URL="${PG_LDAP_URL:-}" + export PG_LDAP_PREFIX="${PG_LDAP_PREFIX:-}" + export PG_LDAP_SUFFIX="${PG_LDAP_SUFFIX:-}" + export PG_LDAP_SERVER="${PG_LDAP_SERVER:-}" + export PG_LDAP_PORT="${PG_LDAP_PORT:-}" + export PG_LDAP_SCHEME="${PG_LDAP_SCHEME:-}" + export PG_LDAP_TLS="${PG_LDAP_TLS:-}" + export PG_LDAP_BASE_DN="${PG_LDAP_BASE_DN:-}" + export PG_LDAP_BIND_DN="${PG_LDAP_BIND_DN:-}" + export PG_LDAP_BIND_PASSWORD="${PG_LDAP_BIND_PASSWORD:-}" + export PG_LDAP_SEARCH_ATTR="${PG_LDAP_SEARCH_ATTR:-}" + export PG_LDAP_SEARCH_FILTER="${PG_LDAP_SEARCH_FILTER:-}" + + # Authentication + export PG_USERNAME="${PG_USERNAME:-postgres}" + export PG_PASSWORD="${PG_PASSWORD:-}" + export PG_DATABASE="${PG_DATABASE:-postgres}" + + export PG_INITSCRIPTS_USERNAME="${PG_INITSCRIPTS_USERNAME:-${PG_USERNAME}}" + export PG_INITSCRIPTS_PASSWORD="${PG_INITSCRIPTS_PASSWORD:-${PG_PASSWORD}}" +EOF + + # 利用 *_FILE 设置密码,不在配置命令中设置密码,增强安全性 + if [[ -f "${PG_POSTGRES_PASSWORD_FILE:-}" ]]; then + cat <<-'EOF' + export PG_POSTGRES_PASSWORD="$(< "${PG_POSTGRES_PASSWORD_FILE}")" +EOF + else + cat <<-'EOF' + export PG_POSTGRES_PASSWORD="${PG_POSTGRES_PASSWORD:-}" +EOF + fi + + if [[ -f "${PG_PASSWORD_FILE:-}" ]]; then + cat <<-'EOF' + export PG_PASSWORD="$(< "${PG_PASSWORD_FILE}")" +EOF + fi + + if [[ -f "${PG_REPLICATION_PASSWORD_FILE:-}" ]]; then + cat <<-'EOF' + export PG_REPLICATION_PASSWORD="$(< "${PG_REPLICATION_PASSWORD_FILE}")" +EOF + fi +} + +# 配置 libnss_wrapper 以使得 PostgreSQL 命令可以以任意用户身份执行 +postgresql_enable_nss_wrapper() { + if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then + LOG_D "Configuring libnss_wrapper..." + export LD_PRELOAD='/usr/lib/libnss_wrapper.so' + export NSS_WRAPPER_PASSWD="$(mktemp)" + export NSS_WRAPPER_GROUP="$(mktemp)" + echo "postgres:x:$(id -u):$(id -g):PostgreSQL:${PGDATA}:/bin/false" > "$NSS_WRAPPER_PASSWD" + echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP" + fi +} + +postgresql_disable_nss_wrapper() { + # unset/cleanup "nss_wrapper" bits + if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then + rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP" + unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP + fi +} + +# 将变量配置更新至配置文件 +# 参数: +# $1 - 文件 +# $2 - 变量 +# $3 - 值(列表) +postgresql_common_conf_set() { + local file="${1:?missing file}" + local key="${2:?missing key}" + shift + shift + local values=("$@") + + if [[ "${#values[@]}" -eq 0 ]]; then + LOG_E "missing value" + return 1 + elif [[ "${#values[@]}" -ne 1 ]]; then + for i in "${!values[@]}"; do + postgresql_common_conf_set "$file" "${key[$i]}" "${values[$i]}" + done + else + value="${values[0]}" + # Check if the value was set before + if grep -q "^[#\\s]*$key\s*=.*" "$file"; then + # Update the existing key + replace_in_file "$file" "^[#\\s]*${key}\s*=.*" "${key} = \'${value}\'" false + else + # 增加一个新的配置项;如果在其他位置有类似操作,需要注意换行 + printf "%s = %s" "$key" "$value" >>"$file" + fi + fi +} + +# 更新 postgresql.conf 配置文件中指定变量值 +# 变量: +# $1 - 变量 +# $2 - 值(列表) +postgresql_conf_set() { + postgresql_common_conf_set "${PG_CONF_FILE}" "$@" +} + +# 更新 pg_hba.conf 配置文件中指定变量值 +# 变量: +# $1 - 变量 +# $2 - 值(列表) +postgresql_hba_set() { + replace_in_file "${PG_HBA_FILE}" "${1}" "${2}" false +} + +# 更新 pg_ident.conf 配置文件中指定变量值 +# 变量: +# $1 - 变量 +# $2 - 值(列表) +postgresql_ident_set() { + postgresql_common_conf_set "${PG_IDENT_FILE}" "$@" +} + +# 更新 recover.conf 配置文件中指定变量值 +# 变量: +# $1 - 变量 +# $2 - 值(列表) +postgresql_recover_set() { + postgresql_common_conf_set "${PG_RECOVERY_FILE}" "$@" +} + +# 初始化 pg_hba.conf 文件,增加 LDAP 配置;同时保留本地认证 +postgresql_ldap_auth_configuration() { + LOG_I "Generating LDAP authentication configuration" + local ldap_configuration="" + + if [[ -n "${PG_LDAP_URL}" ]]; then + ldap_configuration="ldapurl=\"${PG_LDAP_URL}\"" + else + ldap_configuration="ldapserver=${PG_LDAP_SERVER}" + + [[ -n "${PG_LDAP_PREFIX}" ]] && ldap_configuration+=" ldapprefix=\"${PG_LDAP_PREFIX}\"" + [[ -n "${PG_LDAP_SUFFIX}" ]] && ldap_configuration+=" ldapsuffix=\"${PG_LDAP_SUFFIX}\"" + [[ -n "${PG_LDAP_PORT}" ]] && ldap_configuration+=" ldapport=${PG_LDAP_PORT}" + [[ -n "${PG_LDAP_BASE_DN}" ]] && ldap_configuration+=" ldapbasedn=\"${PG_LDAP_BASE_DN}\"" + [[ -n "${PG_LDAP_BIND_DN}" ]] && ldap_configuration+=" ldapbinddn=\"${PG_LDAP_BIND_DN}\"" + [[ -n "${PG_LDAP_BIND_PASSWORD}" ]] && ldap_configuration+=" ldapbindpasswd=${PG_LDAP_BIND_PASSWORD}" + [[ -n "${PG_LDAP_SEARCH_ATTR}" ]] && ldap_configuration+=" ldapsearchattribute=${PG_LDAP_SEARCH_ATTR}" + [[ -n "${PG_LDAP_SEARCH_FILTER}" ]] && ldap_configuration+=" ldapsearchfilter=\"${PG_LDAP_SEARCH_FILTER}\"" + [[ -n "${PG_LDAP_TLS}" ]] && ldap_configuration+=" ldaptls=${PG_LDAP_TLS}" + [[ -n "${PG_LDAP_SCHEME}" ]] && ldap_configuration+=" ldapscheme=${PG_LDAP_SCHEME}" + fi + + cat <<-'EOF' > "${PG_HBA_FILE}" + local all all trust + host all postgres 0.0.0.0/0 trust + host all postgres ::/0 trust + host all all 0.0.0.0/0 ldap ${ldap_configuration} + host all all ::/0 ldap ${ldap_configuration} +EOF +} + +# 修改 pg_hba.conf 文件,增加主从复制从服务器认证许可 +postgresql_add_replication_to_pghba() { + local replication_auth="trust" + if [[ -n "$PG_REPLICATION_PASSWORD" ]]; then + replication_auth="md5" + fi + cat <<-'EOF' >> "$PG_HBA_FILE" + host replication all 0.0.0.0/0 ${replication_auth} + host replication all ::/0 ${replication_auth} +EOF +} + +# 初始化 pg_hba.conf 文件 +postgresql_password_auth_configuration() { + LOG_I "Generating local authentication configuration" + cat <<-'EOF' > "$PG_HBA_FILE" + local all all trust + host all all 0.0.0.0/0 trust + host all all ::/0 trust +EOF +} + +# 使用运行中的 PostgreSQL 服务执行 SQL 操作 +# 参数: +# $1 - 需要操作的数据库名 +# $2 - 操作使用的用户名 +# $3 - 操作用户密码 +# $4 - 主机 +# $5 - 端口 +# $6 - 扩展参数 (如: -tA) +postgresql_execute() { + local -r db="${1:-}" + local -r user="${2:-postgres}" + local -r pass="${3:-}" + local -r host="${4:-localhost}" + local -r port="${5:-${PG_PORT_NUMBER}}" + local -r opts="${6:-}" + + local args=( "-h" "$host" "-p" "$port" "-U" "$user" ) + local cmd=("psql") + [[ -n "$db" ]] && args+=( "-d" "$db" ) + [[ -n "$opts" ]] && args+=( "$opts" ) + LOG_D "Execute args: ${args[@]}" + if is_boolean_yes "${ENV_DEBUG}"; then + PGPASSWORD=$pass "${cmd[@]}" "${args[@]}" + else + PGPASSWORD=$pass "${cmd[@]}" "${args[@]}" >/dev/null 2>&1 + fi +} + +# 生成初始 postgres.conf 配置 +postgresql_default_postgresql_config() { + LOG_I "Modify postgresql.conf with default values..." + + [ ! -e "${PG_CONF_FILE}" ] && cp -rf "${APP_DEF_DIR}/postgresql.conf.sample" "${PG_CONF_FILE}" + + postgresql_conf_set "wal_level" "hot_standby" + postgresql_conf_set "max_wal_size" "400MB" + postgresql_conf_set "max_wal_senders" "16" + postgresql_conf_set "wal_keep_segments" "12" + postgresql_conf_set "hot_standby" "on" + if (( PG_NUM_SYNCHRONOUS_REPLICAS > 0 )); then + postgresql_conf_set "synchronous_commit" "$PG_SYNCHRONOUS_COMMIT_MODE" + postgresql_conf_set "synchronous_standby_names" "${PG_NUM_SYNCHRONOUS_REPLICAS} (\"${PG_CLUSTER_APP_NAME}\")" + fi + postgresql_conf_set "fsync" "$PG_FSYNC" +} + +# 生成初始 pg_hba.conf 配置 +postgresql_default_hba_config() { + LOG_I "Modify pg_hba.conf with default values..." + + if is_boolean_yes "${PG_ENABLE_LDAP:-no}"; then + postgresql_ldap_auth_configuration + else + postgresql_password_auth_configuration + fi +} + +# 生成初始 pg_hba.conf 配置 +postgresql_restrict_hba_config() { + LOG_I "Modify pg_hba.conf for restrict configs..." + + if [[ -n "$PG_PASSWORD" ]]; then + LOG_I "Configuring md5 encrypt" + postgresql_hba_set "trust" "md5" + fi +} + +# 为 Slava 模式工作的节点创建 recovery.conf 文件 +postgresql_configure_recovery() { + LOG_I "Setting up streaming replication slave..." + [ ! -e "${PG_RECOVERY_FILE}" ] && cp -f "${APP_DEF_DIR}/recovery.conf.sample" "${PG_RECOVERY_FILE}" + + # 版本为12以上时, Slave 节点配置保存在 postgresql.conf 文件中 + postgresql_conf_set "primary_conninfo" "host=${PG_MASTER_HOST} port=${PG_MASTER_PORT_NUMBER} user=${PG_REPLICATION_USER} password=${PG_REPLICATION_PASSWORD} application_name=${PG_CLUSTER_APP_NAME}" + postgresql_conf_set "promote_trigger_file" "/tmp/postgresql.trigger.${PG_MASTER_PORT_NUMBER}" + touch "${PGDATA}"/standby.signal + + # 版本低于12时, Slave 节点配置保存在 recover.conf 文件中 + #chmod 600 "${PG_RECOVERY_FILE}" + #postgresql_recover_set "standby_mode" "on" + #postgresql_recover_set "primary_conninfo" "host=${PG_MASTER_HOST} port=${PG_MASTER_PORT_NUMBER} user=${PG_REPLICATION_USER} password=${PG_REPLICATION_PASSWORD} application_name=${PG_CLUSTER_APP_NAME}" + #postgresql_recover_set "trigger_file" "/tmp/postgresql.trigger.${PG_MASTER_PORT_NUMBER}" +} + +# 为默认的数据库用户 postgres 设置密码 +# 参数: +# $1 - 用户密码 +postgresql_alter_postgres_user() { + local -r escaped_password="${1//\'/\'\'}" + LOG_I "Changing password of postgres" + echo "ALTER ROLE postgres WITH PASSWORD '$escaped_password';" | postgresql_execute +} + +# 为数据库 $PG_DATABASE 创建管理员账户 +postgresql_create_admin_user() { + local -r escaped_password="${PG_PASSWORD//\'/\'\'}" + LOG_I "Creating user ${PG_USERNAME}" + echo "CREATE ROLE \"${PG_USERNAME}\" WITH LOGIN CREATEDB PASSWORD '${escaped_password}';" | postgresql_execute + + LOG_I "Granting access to \"${PG_USERNAME}\" to the database \"${PG_DATABASE}\"" + echo "GRANT ALL PRIVILEGES ON DATABASE \"${PG_DATABASE}\" TO \"${PG_USERNAME}\"\;" | postgresql_execute "" "postgres" "$PG_POSTGRES_PASSWORD" +} + +# 为 master-slave 复制模式创建用户 +postgresql_create_replication_user() { + local -r escaped_password="${PG_REPLICATION_PASSWORD//\'/\'\'}" + LOG_I "Creating replication user ${PG_REPLICATION_USER}" + echo "CREATE ROLE \"$PG_REPLICATION_USER\" REPLICATION LOGIN ENCRYPTED PASSWORD '$escaped_password'" | postgresql_execute +} + +# 创建用户自定义数据库 $PG_DATABASE +postgresql_create_custom_database() { + LOG_I "Creating custom database ${PG_DATABASE}" + echo "CREATE DATABASE \"${PG_DATABASE}\"" | postgresql_execute "" "postgres" "" "localhost" +} + +# 检测用户参数信息是否满足条件; 针对部分权限过于开放情况,打印提示信息 +app_verify_minimum_env() { + local error_code=0 + LOG_D "Validating settings in PG_* env vars..." + + print_validation_error() { + LOG_E "$1" + error_code=1 + } + + # 检测认证设置。如果不允许匿名登录,检测登录用户名及密码是否设置 + empty_password_warn() { + LOG_W "You set the environment variable ALLOW_ANONYMOUS_LOGIN=${ALLOW_ANONYMOUS_LOGIN}. For safety reasons, do not use this flag in a production environment." + } + empty_password_error() { + print_validation_error "The $1 environment variable is empty or not set. Set the environment variable ALLOW_ANONYMOUS_LOGIN=yes to allow the container to be started with blank passwords. This is recommended only for development." + } + if is_boolean_yes "${ALLOW_ANONYMOUS_LOGIN}"; then + empty_password_warn + else + if [[ -z "${PG_PASSWORD}" ]]; then + empty_password_error "{PG_PASSWORD}" + fi + if (( ${#PG_PASSWORD} > 100 )); then + print_validation_error "The password cannot be longer than 100 characters. Set the environment variable PG_PASSWORD with a shorter value" + fi + if [[ -n "${PG_USERNAME}" ]] && [[ -z "${PG_PASSWORD}" ]]; then + empty_password_error "{PG_PASSWORD}" + fi + if [[ -n "${PG_USERNAME}" ]] && [[ "${PG_USERNAME}" != "postgres" ]] && [[ -n "${PG_PASSWORD}" ]] && [[ -z "${PG_DATABASE}" ]]; then + print_validation_error "In order to use a custom PostgreSQL user you need to set the environment variable PG_DATABASE as well" + fi + fi + + if [[ -n "${PG_REPLICATION_MODE}" ]]; then + if [[ "${PG_REPLICATION_MODE}" = "master" ]]; then + if (( PG_NUM_SYNCHRONOUS_REPLICAS < 0 )); then + print_validation_error "The number of synchronous replicas cannot be less than 0. Set the environment variable PG_NUM_SYNCHRONOUS_REPLICAS" + fi + elif [[ "${PG_REPLICATION_MODE}" = "slave" ]]; then + if [[ -z "${PG_MASTER_HOST}" ]]; then + print_validation_error "Slave replication mode chosen without setting the environment variable PG_MASTER_HOST. Use it to indicate where the Master node is running" + fi + if [[ -z "${PG_REPLICATION_USER}" ]]; then + print_validation_error "Slave replication mode chosen without setting the environment variable PG_REPLICATION_USER. Make sure that the master also has this parameter set" + fi + else + print_validation_error "Invalid replication mode. Available options are 'master/slave'" + fi + # Common replication checks + if [[ -n "${PG_REPLICATION_USER}" ]] && [[ -z "${PG_REPLICATION_PASSWORD}" ]]; then + empty_password_error "{PG_REPLICATION_PASSWORD}" + fi + else + if is_boolean_yes "${ALLOW_ANONYMOUS_LOGIN}"; then + empty_password_warn + else + if [[ -z "${PG_PASSWORD}" ]]; then + empty_password_error "{PG_PASSWORD}" + fi + if [[ -n "${PG_USERNAME}" ]] && [[ -z "${PG_PASSWORD}" ]]; then + empty_password_error "{PG_PASSWORD}" + fi + fi + fi + + if ! is_yes_no_value "${PG_ENABLE_LDAP}"; then + empty_password_error "The values allowed for PG_ENABLE_LDAP are: yes or no" + fi + + if is_boolean_yes "${PG_ENABLE_LDAP}" && [[ -n "${PG_LDAP_URL}" ]] && [[ -n "${PG_LDAP_SERVER}" ]]; then + empty_password_error "You can not set PG_LDAP_URL and PG_LDAP_SERVER at the same time. Check your LDAP configuration." + fi + + [[ "$error_code" -eq 0 ]] || exit "$error_code" +} + +# 更改默认监听地址为 "*" 或 "0.0.0.0",以对容器外提供服务;默认配置文件应当为仅监听 localhost(127.0.0.1) +app_enable_remote_connections() { + LOG_I "Modify default config to enable all IP access" + postgresql_conf_set "listen_addresses" "*" +} + +# 以后台方式启动应用服务,并等待启动就绪 +app_start_server_bg() { + is_app_server_running && return + + # -w wait until operation completes (default) + # -W don't wait until operation completes + # -D location of the database storage area + # -l write (or append) server log to FILENAME + # -o command line options to pass to postgres or initdb + # --config-file 指定配置文件 + # --external_pid_file 指定 PID 文件,在配置文件中已定义 + # --hba_file 指定 HBA 文件,在配置文件中已定义 + local -r pg_ctl_flags=("-W" "-D" "${PGDATA}" "-o" "--config-file=${PG_CONF_FILE} --external_pid_file=${PG_PID_FILE} --hba_file=${PG_HBA_FILE}") + LOG_I "Starting ${APP_NAME} in background..." + local pg_ctl_cmd=(pg_ctl) + if is_boolean_yes "${ENV_DEBUG}"; then + "${pg_ctl_cmd[@]}" "start" "${pg_ctl_flags[@]}" + else + "${pg_ctl_cmd[@]}" "start" "${pg_ctl_flags[@]}" "-s" >/dev/null 2>&1 + fi + + local -r check_args=("-h" "localhost" "-p" "${PG_PORT_NUMBER}" "-U" "postgres") + local check_cmd=(pg_isready) + local counter=${PG_INIT_MAX_TIMEOUT} + # 通过命令或特定端口检测应用是否就绪 + LOG_I "Checking ${APP_NAME} ready status..." + while ! PGPASSWORD=${PG_PASSWORD} "${check_cmd[@]}" "${check_args[@]}" "-q" >/dev/null 2>&1; do + sleep 1 + counter=$(( counter - 1 )) + if (( counter <= 0 )); then + LOG_E "PostgreSQL is not ready after ${PG_INIT_MAX_TIMEOUT} seconds" + exit 1 + fi + LOG_D "PostgreSQL is not ready now: ${counter}" + done + LOG_D "${APP_NAME} is ready for service" +} + +# 停止应用服务 +app_stop_server_bg() { + if is_app_server_running ; then + LOG_I "Stopping background ${APP_NAME}..." + + if is_boolean_yes "${ENV_DEBUG}"; then + PGUSER="${PG_USERNAME}" pg_ctl -D "${PGDATA}" -m fast -w stop "-s" + else + PGUSER="${PG_USERNAME}" pg_ctl -D "${PGDATA}" -m fast -w stop "-s" >/dev/null 2>&1 + fi + fi + + # 使用 PID 文件 kill 进程 + #stop_service_using_pid "${PG_PID_FILE}" +} + +# 检测应用服务是否在后台运行中 +is_app_server_running() { + LOG_D "Check if ${APP_NAME} is running..." + + local pid + pid="$(get_pid_from_file "${PG_PID_FILE}")" + + if [[ -z "${pid}" ]]; then + false + else + is_service_running "${pid}" + fi +} + +# 清理初始化应用时生成的临时文件 +app_clean_tmp_file() { + LOG_D "Clean ${APP_NAME} tmp files for init..." + + rm -rf "${PG_LOG_FILE}" "${PG_PID_FILE}" "${PGDATA}/standby.signal" "${PGDATA}/recovery.signal" +} + +# 在重新启动容器时,删除标志文件及必须删除的临时文件 (容器重新启动) +app_clean_from_restart() { + LOG_D "Clean ${APP_NAME} tmp files for restart..." + local -r -a files=( + "${PGDATA}/postmaster.pid" + "${PGDATA}/standby.signal" + "${PGDATA}/recovery.signal" + ) + + for file in ${files[@]}; do + if [[ -f "$file" ]]; then + LOG_I "Cleaning stale $file file" + rm "$file" + fi + done +} + +# 应用默认初始化操作 +# 执行完毕后,生成文件 ${APP_CONF_DIR}/.app_init_flag 及 ${APP_DATA_DIR}/.data_init_flag 文件 +app_default_init() { + app_clean_from_restart + LOG_D "Check init status of ${APP_NAME}..." + + if [[ ! -f "${APP_DATA_DIR}/.data_init_flag" ]]; then + if [[ "${PG_REPLICATION_MODE}" = "master" ]]; then + postgresql_master_init_db + else + postgresql_slave_init_db + fi + fi + + # 检测配置文件是否存在 + if [[ ! -f "${APP_CONF_DIR}/.app_init_flag" ]]; then + LOG_I "No injected configuration file found, creating default config files..." + postgresql_default_postgresql_config + postgresql_default_hba_config + + if [[ "${PG_REPLICATION_MODE}" = "master" ]]; then + [[ -n "${PG_REPLICATION_USER}" ]] && postgresql_add_replication_to_pghba + else + postgresql_configure_recovery + fi + + touch "${APP_CONF_DIR}/.app_init_flag" + echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_CONF_DIR}/.app_init_flag" + else + LOG_I "User injected custom configuration detected!" + fi + + if [[ ! -f "${APP_DATA_DIR}/.data_init_flag" ]]; then + LOG_I "Deploying ${APP_NAME} from scratch..." + if [[ "${PG_REPLICATION_MODE}" = "master" ]]; then + # 检测服务是否运行中如果未运行,则启动后台服务 + is_app_server_running || app_start_server_bg + [[ "${PG_DATABASE}" != "postgres" ]] && postgresql_create_custom_database + + # 为数据库授权;默认用户不为 postgres 时,需要创建管理员账户 + LOG_D "Set password for postgres user" + if [[ "${PG_USERNAME}" = "postgres" ]]; then + [[ -n "${PG_PASSWORD}" ]] && postgresql_alter_postgres_user "${PG_PASSWORD}" + else + if [[ -n "${PG_POSTGRES_PASSWORD}" ]]; then + postgresql_alter_postgres_user "${PG_POSTGRES_PASSWORD}" + fi + postgresql_create_admin_user + fi + [[ -n "${PG_REPLICATION_USER}" ]] && postgresql_create_replication_user + fi + + touch ${APP_DATA_DIR}/.data_init_flag + echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> ${APP_DATA_DIR}/.data_init_flag + else + LOG_I "Deploying ${APP_NAME} with persisted data..." + fi +} + +# 用户自定义的前置初始化操作,依次执行目录 preinitdb.d 中的初始化脚本 +# 执行完毕后,生成文件 ${APP_DATA_DIR}/.custom_preinit_flag +app_custom_preinit() { + LOG_D "Check custom pre-init status of ${APP_NAME}..." + + # 检测用户配置文件目录是否存在 preinitdb.d 文件夹,如果存在,尝试执行目录中的初始化脚本 + if [ -d "/srv/conf/${APP_NAME}/preinitdb.d" ]; then + # 检测数据存储目录是否存在已初始化标志文件;如果不存在,检索可执行脚本文件并进行初始化操作 + if [[ -n $(find "/srv/conf/${APP_NAME}/preinitdb.d/" -type f -regex ".*\.\(sh\)") ]] && \ + [[ ! -f "${APP_DATA_DIR}/.custom_preinit_flag" ]]; then + LOG_I "Process custom pre-init scripts from /srv/conf/${APP_NAME}/preinitdb.d..." + + # 检索所有可执行脚本,排序后执行 + find "/srv/conf/${APP_NAME}/preinitdb.d/" -type f -regex ".*\.\(sh\)" | sort | process_init_files + + touch "${APP_DATA_DIR}/.custom_preinit_flag" + echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_DATA_DIR}/.custom_preinit_flag" + LOG_I "Custom preinit for ${APP_NAME} complete." + else + LOG_I "Custom preinit for ${APP_NAME} already done before, skipping initialization." + fi + fi + + # 检测依赖的服务是否就绪 + #for i in ${SERVICE_PRECONDITION[@]}; do + # app_wait_service "${i}" + #done +} + +# 用户自定义的应用初始化操作,依次执行目录initdb.d中的初始化脚本 +# 执行完毕后,生成文件 ${APP_DATA_DIR}/.custom_init_flag +app_custom_init() { + LOG_D "Check custom init status of ${APP_NAME}..." + + # 检测用户配置文件目录是否存在 initdb.d 文件夹,如果存在,尝试执行目录中的初始化脚本 + if [ -d "/srv/conf/${APP_NAME}/initdb.d" ]; then + # 检测数据存储目录是否存在已初始化标志文件;如果不存在,检索可执行脚本文件并进行初始化操作 + if [[ -n $(find "/srv/conf/${APP_NAME}/initdb.d/" -type f -regex ".*\.\(sh\|sql\|sql.gz\)") ]] && \ + [[ ! -f "${APP_DATA_DIR}/.custom_init_flag" ]]; then + LOG_I "Process custom init scripts from /srv/conf/${APP_NAME}/initdb.d..." + + # 检测服务是否运行中;如果未运行,则启动后台服务 + is_app_server_running || app_start_server_bg + + # 检索所有可执行脚本,排序后执行 + find "/srv/conf/${APP_NAME}/initdb.d/" -type f -regex ".*\.\(sh\|sql\|sql.gz\)" | sort | while read -r f; do + case "$f" in + *.sh) + if [[ -x "$f" ]]; then + LOG_D "Executing $f"; "$f" + else + LOG_D "Sourcing $f"; . "$f" + fi + ;; + *.sql) LOG_D "Executing $f"; postgresql_execute "$PG_DATABASE" "$PG_INITSCRIPTS_USERNAME" "$PG_INITSCRIPTS_PASSWORD" < "$f";; + *.sql.gz) LOG_D "Executing $f"; gunzip -c "$f" | postgresql_execute "$PG_DATABASE" "$PG_INITSCRIPTS_USERNAME" "$PG_INITSCRIPTS_PASSWORD";; + *) LOG_D "Ignoring $f" ;; + esac + done + + touch "${APP_DATA_DIR}/.custom_init_flag" + echo "$(date '+%Y-%m-%d %H:%M:%S') : Init success." >> "${APP_DATA_DIR}/.custom_init_flag" + LOG_I "Custom init for ${APP_NAME} complete." + else + LOG_I "Custom init for ${APP_NAME} already done before, skipping initialization." + fi + fi + + # 检测服务是否运行中;如果运行,则停止后台服务 + app_stop_server_bg + + # 删除第一次运行生成的临时文件 + app_clean_tmp_file + + # 如果设置了用户密码,启用 md5 加密的密码认证 + postgresql_restrict_hba_config + + # 绑定所有 IP ,启用远程访问 + app_enable_remote_connections +} + +# 初始化 Master 节点数据库 +postgresql_master_init_db() { + if ! is_dir_empty "${PGDATA}"; then + LOG_E "Directory ${PGDATA} exists but is not empty," + LOG_E "If you want to create a new database system, either remove or empty" + LOG_E "the directory ${PGDATA}, or run initdb" + LOG_E "with an argument other than ${PGDATA}." + exit 1 + fi + + postgresql_enable_nss_wrapper + + local envExtraFlags=() + local initdb_args=() + if [[ -n "${PG_INITDB_ARGS}" ]]; then + read -r -a envExtraFlags <<< "${PG_INITDB_ARGS}" + initdb_args+=("${envExtraFlags[@]}") + fi + #initdb+=("-o" "--config-file=${PG_CONF_FILE} --external_pid_file=${PG_PID_FILE} --hba_file=${PG_HBA_FILE}") + initdb_args+=("--waldir=${PG_INITDB_WAL_DIR}") + + local initdb_cmd=(initdb) + + LOG_I "Initializing PostgreSQL database" + + if [[ -n "${initdb_args[*]}" ]]; then + LOG_I "extra initdb arguments: ${initdb_args[*]}" + fi + + if is_boolean_yes "${ENV_DEBUG}"; then + "${initdb_cmd[@]}" -E UTF8 -D "${PGDATA}" -U "postgres" "${initdb_args[@]}" + else + "${initdb_cmd[@]}" -E UTF8 -D "${PGDATA}" -U "postgres" "${initdb_args[@]}" >/dev/null 2>&1 + fi + + postgresql_disable_nss_wrapper +} + +# 初始化 Slave 节点数据库 +postgresql_slave_init_db() { + LOG_I "Waiting for replication master to accept connections (${PG_INIT_MAX_TIMEOUT} seconds)..." + local -r check_args=("-U" "${PG_REPLICATION_USER}" "-h" "${PG_MASTER_HOST}" "-p" "${PG_MASTER_PORT_NUMBER}" "-d" "${PG_DATABASE}") + local check_cmd=(pg_isready) + local ready_counter=${PG_INIT_MAX_TIMEOUT} + + while ! PGPASSWORD=${PG_REPLICATION_PASSWORD} "${check_cmd[@]}" "${check_args[@]}" >/dev/null 2>&1;do + sleep 1 + ready_counter=$(( ready_counter - 1 )) + if (( ready_counter <= 0 )); then + LOG_E "PostgreSQL master is not ready after ${PG_INIT_MAX_TIMEOUT} seconds" + exit 1 + fi + done + + LOG_I "Replicating the database from node master..." + #local -r backup_args=("-D" "$PGDATA" -d "hostaddr=$PG_MASTER_HOST port=$PG_MASTER_PORT_NUMBER user=$PG_REPLICATION_USER password=$PG_REPLICATION_PASSWORD" -v -Fp -Xs + local -r backup_args=("-D" "${PGDATA}" "-U" "${PG_REPLICATION_USER}" "-h" "${PG_MASTER_HOST}" "-p" "${PG_MASTER_PORT_NUMBER}" "-X" "stream" "-w" "-v" "-P") + local backup_cmd=(pg_basebackup) + local replication_counter=$PG_INIT_MAX_TIMEOUT + + while ! PGPASSWORD=${PG_REPLICATION_PASSWORD} "${backup_cmd[@]}" "${backup_args[@]}";do + LOG_D "Backup command failed. Sleeping and trying again" + sleep 1 + replication_counter=$(( replication_counter - 1 )) + if (( replication_counter <= 0 )); then + LOG_E "Slave replication failed after trying for ${PG_INIT_MAX_TIMEOUT} seconds" + exit 1 + fi + done +} + diff --git a/alpine/customer/usr/local/bin/entry.sh b/alpine/customer/usr/local/bin/entry.sh new file mode 100755 index 0000000..b306dfc --- /dev/null +++ b/alpine/customer/usr/local/bin/entry.sh @@ -0,0 +1,36 @@ +#!/bin/bash +# Ver: 1.0 by Endial Fang (endial@126.com) +# +# 容器入口脚本 + +# 设置 shell 执行参数,可使用'-'(打开)'+'(关闭)控制。常用: +# -e: 命令执行错误则报错; -u: 变量未定义则报错; -x: 打印实际待执行的命令行; -o pipefail: 设置管道中命令遇到失败则报错 +set -eu +set -o pipefail + +. /usr/local/bin/appcommon.sh # 应用专用函数库 + +eval "$(app_env)" +LOG_I "** Processing entry.sh **" + +if ! is_sourced; then + # 替换命令行中的变量 + set -- $(eval echo "$@") + + [ "${1:0:1}" = '-' ] && set -- "${APP_EXEC:-}" "$@" + + print_image_welcome + print_command_help "$@" + + if [ "$1" = "${APP_EXEC}" ] && is_root; then + /usr/local/bin/setup.sh + + LOG_I "Restart with non-root user: ${APP_USER}\n" + exec gosu "${APP_USER}" "$0" "$@" + fi + + [ "$1" = "${APP_EXEC}" ] && /usr/local/bin/init.sh + + LOG_I "Start container with command: $@" + exec tini -- "$@" +fi diff --git a/alpine/customer/usr/local/bin/init.sh b/alpine/customer/usr/local/bin/init.sh new file mode 100755 index 0000000..727d9fa --- /dev/null +++ b/alpine/customer/usr/local/bin/init.sh @@ -0,0 +1,25 @@ +#!/bin/bash +# Ver: 1.0 by Endial Fang (endial@126.com) +# +# 应用初始化脚本 + +# 设置 shell 执行参数,可使用'-'(打开)'+'(关闭)控制。常用: +# -e: 命令执行错误则报错; -u: 变量未定义则报错; -x: 打印实际待执行的命令行; -o pipefail: 设置管道中命令遇到失败则报错 +set -eu +set -o pipefail + +. /usr/local/bin/appcommon.sh # 应用专用函数库 + +eval "$(app_env)" +LOG_I "** Processing init.sh **" + +# 执行应用预初始化操作 +app_custom_preinit + +# 执行应用初始化操作 +app_default_init + +# 执行用户自定义初始化脚本 +app_custom_init + +LOG_I "** Processing init.sh finished! **" diff --git a/alpine/customer/usr/local/bin/run.sh b/alpine/customer/usr/local/bin/run.sh new file mode 100755 index 0000000..7f2c095 --- /dev/null +++ b/alpine/customer/usr/local/bin/run.sh @@ -0,0 +1,25 @@ +#!/bin/bash +# Ver: 1.0 by Endial Fang (endial@126.com) +# +# 应用启动脚本 + +# 设置 shell 执行参数,可使用'-'(打开)'+'(关闭)控制。常用: +# -e: 命令执行错误则报错; -u: 变量未定义则报错; -x: 打印实际待执行的命令行; -o pipefail: 设置管道中命令遇到失败则报错 +set -eu +set -o pipefail + +. /usr/local/bin/appcommon.sh # 应用专用函数库 + +eval "$(app_env)" +LOG_I "** Processing run.sh **" + +flags=("${APP_CONF_FILE:-}") +[[ -z "${APP_EXTRA_FLAGS:-}" ]] || flags=("${flags[@]}" "${APP_EXTRA_FLAGS[@]}") +START_COMMAND=("${APP_EXEC}" "${flags[@]}") + +LOG_I "** Starting ${APP_NAME} **" +if is_root; then + exec gosu "${APP_USER}" tini -s -- "${START_COMMAND[@]}" +else + exec tini -s -- "${START_COMMAND[@]}" +fi diff --git a/alpine/customer/usr/local/bin/setup.sh b/alpine/customer/usr/local/bin/setup.sh new file mode 100755 index 0000000..e8e73ce --- /dev/null +++ b/alpine/customer/usr/local/bin/setup.sh @@ -0,0 +1,44 @@ +#!/bin/bash +# Ver: 1.0 by Endial Fang (endial@126.com) +# +# 应用环境及依赖文件设置脚本 + +# 设置 shell 执行参数,可使用'-'(打开)'+'(关闭)控制。常用: +# -e: 命令执行错误则报错; -u: 变量未定义则报错; -x: 打印实际待执行的命令行; -o pipefail: 设置管道中命令遇到失败则报错 +set -eu +set -o pipefail + +. /usr/local/bin/appcommon.sh # 应用专用函数库 + +eval "$(app_env)" +LOG_I "** Processing setup.sh **" + +APP_DIRS="${APP_CONF_DIR:-} ${APP_DATA_DIR:-} ${APP_LOG_DIR:-} ${APP_CERT_DIR:-} ${APP_DATA_LOG_DIR:-}" +APP_DIRS="${APP_DIRS} ${PGDATA}" + +for dir in ${APP_DIRS}; do + ensure_dir_exists ${dir} +done + +app_verify_minimum_env + +# 检测指定文件是否在配置文件存储目录存在,如果不存在则拷贝(新挂载数据卷、手动删除都会导致不存在) +LOG_I "Check config files in: ${APP_CONF_DIR}" +if [[ ! -z "$(ls -A "${APP_DEF_DIR}")" ]]; then +# ensure_config_file_exist "${APP_DEF_DIR}" $(ls -A "${APP_DEF_DIR}") + : +fi + +for dir in ${APP_DIRS}; do + configure_permissions_ownership "$dir" -u "${APP_USER}" -g "${APP_USER}" +done + +# 解决 PostgreSQL 目录权限过于开放,无法初始化问题:FATAL: data directory "/srv/data/postgresql" has group or world access +LOG_D "Lack of permissions on data directory: ${PGDATA}" +chmod 0700 ${PGDATA} + +# 解决使用gosu后,nginx: [emerg] open() "/dev/stdout" failed (13: Permission denied) +LOG_D "Change permissions of stdout/stderr to 0622" +chmod 0622 /dev/stdout /dev/stderr + +LOG_I "** Processing setup.sh finished! **" diff --git a/alpine/customer/usr/local/overrides/overrides-12.4.sh b/alpine/customer/usr/local/overrides/overrides-12.4.sh new file mode 100644 index 0000000..eebd74e --- /dev/null +++ b/alpine/customer/usr/local/overrides/overrides-12.4.sh @@ -0,0 +1,35 @@ +#!/bin/bash -ex + +POSTGRESQL_CONF="${APP_HOME_DIR}/share/${APP_NAME}/postgresql.conf.sample" + +# 在安装完应用后,使用该脚本修改默认配置文件中部分配置项 +# 如果相应的配置项已经定义整体环境变量,则不需要在这里修改 +echo "Process overrides for default configs..." +#sed -i -E 's/^listeners=/d' "$KAFKA_HOME/config/server.properties" + +# 设置默认监听地址为 localhost ,防止初始化操作期间外部链接,在容器初始化完成后修改为监听所有地址 +sed -i -E "s/^#?(listen_addresses) .*/\1 = 'localhost'/g" ${POSTGRESQL_CONF} + +sed -i -E "s/^data_directory .*/data_directory = '\/srv\/data\/${APP_NAME}\/data'/g" ${POSTGRESQL_CONF} +sed -i -E "s/^hba_file .*/hba_file = '\/srv\/data\/${APP_NAME}\/data\/pg_hba.conf'/g" ${POSTGRESQL_CONF} +sed -i -E "s/^ident_file .*/ident_file = '\/srv\/data\/${APP_NAME}\/data\/pg_ident.conf'/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#external_pid_file .*/external_pid_file = '\/var\/run\/${APP_NAME}\/postgresql.pid'/g" ${POSTGRESQL_CONF} +sed -i -E "s/^max_connections .*/max_connections = 2000/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#password_encryption .*/password_encryption = md5/g" ${POSTGRESQL_CONF} + +sed -i -E "s/^#log_destination .*/log_destination = 'stderr'/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#logging_collector .*/logging_collector = on/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#log_directory .*/log_directory = '\/var\/log\/${APP_NAME}'/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#log_filename .*/log_filename = 'postgresql-\%Y-\%m-\%d_\%H\%M\%S.log'/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#log_truncate_on_rotation .*/log_truncate_on_rotation = on/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#log_rotation_age .*/log_rotation_age = 1d/g" ${POSTGRESQL_CONF} +sed -i -E "s/^#log_rotation_size .*/log_rotation_size = 0/g" ${POSTGRESQL_CONF} +sed -i -E "s/^log_timezone .*/log_timezone = 'Asia\/Shanghai'/g" ${POSTGRESQL_CONF} + +#sed -i -E "s/^#include_dir .*/include_dir = 'conf\.d'/g" ${POSTGRESQL_CONF} + +# 修改 unix_socket_directories 与 PID 文件同目录,解决修改 PID 输出目录后 psql 不指定`-h`时 Unix Socket 无法找到问题: +# psql: could not connect to server: No such file or directory +# Is the server running locally and accepting +# connections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"? +sed -i -E "s/^unix_socket_directories .*/unix_socket_directories = '\/var\/run\/${APP_NAME}'/g" ${POSTGRESQL_CONF} diff --git a/alpine/customer/usr/sbin/create_user b/alpine/customer/usr/sbin/create_user new file mode 100755 index 0000000..e71bc99 --- /dev/null +++ b/alpine/customer/usr/sbin/create_user @@ -0,0 +1,10 @@ +#!/bin/bash +# shell 执行参数,分别为 -e(命令执行错误则退出脚本) -u(变量未定义则报错) -x(打印实际待执行的命令行) +set -eux +addgroup -g 998 -S ${APP_USER} +adduser -G ${APP_USER} -u 999 -s /bin/bash -h ${APP_DATA_DIR} -D -S ${APP_USER} +#adduser -G ${APP_USER} -u 999 -s /usr/sbin/nologin -h ${APP_DATA_DIR} -D -S ${APP_USER} + +# 如果需要 sudo 权限,需要安装 su 软件包:apk add sudo +#sed -i -e 's/^\sDefaults\s*secure_path\s*=/# Defaults secure_path=/' /etc/sudoers +#echo "${APP_USER} ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers diff --git a/alpine/customer/usr/sbin/prepare_env b/alpine/customer/usr/sbin/prepare_env new file mode 100755 index 0000000..cb7b34b --- /dev/null +++ b/alpine/customer/usr/sbin/prepare_env @@ -0,0 +1,8 @@ +#!/bin/bash +# shell 执行参数,分别为 -e(命令执行错误则退出脚本) -u(变量未定义则报错) -x(打印实际待执行的命令行) +set -eux + +APP_DIRS="${APP_DEF_DIR:-} ${APP_CONF_DIR:-} ${APP_DATA_DIR:-} ${APP_DATA_LOG_DIR:-} ${APP_CACHE_DIR:-} ${APP_RUN_DIR:-} ${APP_LOG_DIR:-} ${APP_CERT_DIR:-} ${APP_HOME_DIR:-}" + +mkdir -p ${APP_DIRS} +chown -Rf ${APP_USER}:${APP_USER} ${APP_DIRS};