Update postgres #17012

Merged
merged 1 commit into from
Jun 19, 2024

tianon
Member

@tianon tianon commented Jun 18, 2024

Changes:

- docker-library/postgres@cefde5f: Merge pull request docker-library/postgres#1246 from infosiftr/su-noexec
- docker-library/postgres@3e9b4ea: Replace `su-exec` with `gosu`
@tianon tianon requested a review from a team as a code owner June 18, 2024 21:50

Diff for 4bd28b2:
diff --git a/_bashbrew-cat b/_bashbrew-cat
index cad263c..142d5f2 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -8,12 +8,12 @@ Directory: 12/bookworm
 
 Tags: 12.19-alpine3.19, 12-alpine3.19
 Architectures: amd64, arm32v6, arm32v7, arm64v8, i386, ppc64le, s390x
-GitCommit: 3a7be2f3213ce6e0f13f6a01b927d86aa53d9539
+GitCommit: 3e9b4eaaebf00d7a8ece67f02e2d6546402f4de7
 Directory: 12/alpine3.19
 
 Tags: 12.19-alpine3.20, 12-alpine3.20, 12.19-alpine, 12-alpine
 Architectures: amd64, arm32v6, arm32v7, arm64v8, i386, ppc64le, riscv64, s390x
-GitCommit: 3a7be2f3213ce6e0f13f6a01b927d86aa53d9539
+GitCommit: 3e9b4eaaebf00d7a8ece67f02e2d6546402f4de7
 Directory: 12/alpine3.20
 
 Tags: 12.19-bullseye, 12-bullseye
@@ -28,12 +28,12 @@ Directory: 13/bookworm
 
 Tags: 13.15-alpine3.19, 13-alpine3.19
 Architectures: amd64, arm32v6, arm32v7, arm64v8, i386, ppc64le, s390x
-GitCommit: 3a7be2f3213ce6e0f13f6a01b927d86aa53d9539
+GitCommit: 3e9b4eaaebf00d7a8ece67f02e2d6546402f4de7
 Directory: 13/alpine3.19
 
 Tags: 13.15-alpine3.20, 13-alpine3.20, 13.15-alpine, 13-alpine
 Architectures: amd64, arm32v6, arm32v7, arm64v8, i386, ppc64le, riscv64, s390x
-GitCommit: 3a7be2f3213ce6e0f13f6a01b927d86aa53d9539
+GitCommit: 3e9b4eaaebf00d7a8ece67f02e2d6546402f4de7
 Directory: 13/alpine3.20
 
 Tags: 13.15-bullseye, 13-bullseye
@@ -48,12 +48,12 @@ Directory: 14/bookworm
 
 Tags: 14.12-alpine3.19, 14-alpine3.19
 Architectures: amd64, arm32v6, arm32v7, arm64v8, i386, ppc64le, s390x
-GitCommit: 3a7be2f3213ce6e0f13f6a01b927d86aa53d9539
+GitCommit: 3e9b4eaaebf00d7a8ece67f02e2d6546402f4de7
 Directory: 14/alpine3.19
 
 Tags: 14.12-alpine3.20, 14-alpine3.20, 14.12-alpine, 14-alpine
 Architectures: amd64, arm32v6, arm32v7, arm64v8, i386, ppc64le, riscv64, s390x
-GitCommit: 3a7be2f3213ce6e0f13f6a01b927d86aa53d9539
+GitCommit: 3e9b4eaaebf00d7a8ece67f02e2d6546402f4de7
 Directory: 14/alpine3.20
 
 Tags: 14.12-bullseye, 14-bullseye
@@ -68,12 +68,12 @@ Directory: 15/bookworm
 
 Tags: 15.7-alpine3.19, 15-alpine3.19
 Architectures: amd64, arm32v6, arm32v7, arm64v8, i386, ppc64le, s390x
-GitCommit: 3a7be2f3213ce6e0f13f6a01b927d86aa53d9539
+GitCommit: 3e9b4eaaebf00d7a8ece67f02e2d6546402f4de7
 Directory: 15/alpine3.19
 
 Tags: 15.7-alpine3.20, 15-alpine3.20, 15.7-alpine, 15-alpine
 Architectures: amd64, arm32v6, arm32v7, arm64v8, i386, ppc64le, riscv64, s390x
-GitCommit: 3a7be2f3213ce6e0f13f6a01b927d86aa53d9539
+GitCommit: 3e9b4eaaebf00d7a8ece67f02e2d6546402f4de7
 Directory: 15/alpine3.20
 
 Tags: 15.7-bullseye, 15-bullseye
@@ -88,12 +88,12 @@ Directory: 16/bookworm
 
 Tags: 16.3-alpine3.19, 16-alpine3.19, alpine3.19
 Architectures: amd64, arm32v6, arm32v7, arm64v8, i386, ppc64le, s390x
-GitCommit: 3a7be2f3213ce6e0f13f6a01b927d86aa53d9539
+GitCommit: 3e9b4eaaebf00d7a8ece67f02e2d6546402f4de7
 Directory: 16/alpine3.19
 
 Tags: 16.3-alpine3.20, 16-alpine3.20, alpine3.20, 16.3-alpine, 16-alpine, alpine
 Architectures: amd64, arm32v6, arm32v7, arm64v8, i386, ppc64le, riscv64, s390x
-GitCommit: 3a7be2f3213ce6e0f13f6a01b927d86aa53d9539
+GitCommit: 3e9b4eaaebf00d7a8ece67f02e2d6546402f4de7
 Directory: 16/alpine3.20
 
 Tags: 16.3-bullseye, 16-bullseye, bullseye
@@ -108,12 +108,12 @@ Directory: 17/bookworm
 
 Tags: 17beta1-alpine3.19
 Architectures: amd64, arm32v6, arm32v7, arm64v8, i386, ppc64le, s390x
-GitCommit: 3a7be2f3213ce6e0f13f6a01b927d86aa53d9539
+GitCommit: 3e9b4eaaebf00d7a8ece67f02e2d6546402f4de7
 Directory: 17/alpine3.19
 
 Tags: 17beta1-alpine3.20, 17beta1-alpine
 Architectures: amd64, arm32v6, arm32v7, arm64v8, i386, ppc64le, riscv64, s390x
-GitCommit: 3a7be2f3213ce6e0f13f6a01b927d86aa53d9539
+GitCommit: 3e9b4eaaebf00d7a8ece67f02e2d6546402f4de7
 Directory: 17/alpine3.20
 
 Tags: 17beta1-bullseye
diff --git a/postgres_12-alpine/Dockerfile b/postgres_12-alpine/Dockerfile
index 74d5277..f1caf31 100644
--- a/postgres_12-alpine/Dockerfile
+++ b/postgres_12-alpine/Dockerfile
@@ -14,7 +14,36 @@ RUN set -eux; \
 	mkdir -p /var/lib/postgresql; \
 	chown -R postgres:postgres /var/lib/postgresql
 
-# su-exec (gosu-compatible) is installed further down
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+	\
+	apk add --no-cache --virtual .gosu-deps \
+		ca-certificates \
+		dpkg \
+		gnupg \
+	; \
+	\
+	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+	\
+# verify the signature
+	export GNUPGHOME="$(mktemp -d)"; \
+	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+	gpgconf --kill all; \
+	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+	\
+# clean up fetch dependencies
+	apk del --no-network .gosu-deps; \
+	\
+	chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+	gosu --version; \
+	gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
 
 # make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
 # alpine doesn't require explicit locale-file generation
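Review bot: The `gpg --recv-keys` line pins a bare 40-hex fingerprint with nothing saying whose key it is, so a later edit to that value is hard to audit. A comment above it would fix that, for example `# key trusted to sign gosu releases (full fingerprint pinned); confirm against the gosu project's published key before changing`. The `# verify the signature` comment could also state that the check fails closed: `GNUPGHOME` is a fresh temp directory into which only that fingerprint is requested, and `set -eux` aborts the RUN on a failed key fetch or a bad signature. That matters because `wget -O /usr/local/bin/gosu` writes the binary to its final path before it is verified. Every build now also depends on reaching `keys.openpgp.org`, which is an availability cost to weigh rather than an integrity one. The same block recurs in the other alpine Dockerfile hunks on this page (12 through 17beta1), and the last one, `postgres_alpine/Dockerfile`, is cut off in this view.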
@@ -135,7 +164,6 @@ RUN set -eux; \
 	apk add --no-cache --virtual .postgresql-rundeps \
 		$runDeps \
 		bash \
-		su-exec \
 		tzdata \
 		zstd \
 # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
diff --git a/postgres_12-alpine/docker-ensure-initdb.sh b/postgres_12-alpine/docker-ensure-initdb.sh
index 2a97586..ae1f6b6 100755
--- a/postgres_12-alpine/docker-ensure-initdb.sh
+++ b/postgres_12-alpine/docker-ensure-initdb.sh
@@ -27,7 +27,7 @@ docker_setup_env
 docker_create_db_directories
 if [ "$(id -u)" = '0' ]; then
 	# then restart script as postgres user
-	exec su-exec postgres "$BASH_SOURCE" "$@"
+	exec gosu postgres "$BASH_SOURCE" "$@"
 fi
 
 # only run initialization on an empty data directory
diff --git a/postgres_12-alpine/docker-entrypoint.sh b/postgres_12-alpine/docker-entrypoint.sh
index 8163d10..6f59993 100755
--- a/postgres_12-alpine/docker-entrypoint.sh
+++ b/postgres_12-alpine/docker-entrypoint.sh
@@ -310,7 +310,7 @@ _main() {
 		docker_create_db_directories
 		if [ "$(id -u)" = '0' ]; then
 			# then restart script as postgres user
-			exec su-exec postgres "$BASH_SOURCE" "$@"
+			exec gosu postgres "$BASH_SOURCE" "$@"
 		fi
 
 		# only run initialization on an empty data directory
diff --git a/postgres_12-alpine3.19/Dockerfile b/postgres_12-alpine3.19/Dockerfile
index ecc8522..eb46f0f 100644
--- a/postgres_12-alpine3.19/Dockerfile
+++ b/postgres_12-alpine3.19/Dockerfile
@@ -14,7 +14,36 @@ RUN set -eux; \
 	mkdir -p /var/lib/postgresql; \
 	chown -R postgres:postgres /var/lib/postgresql
 
-# su-exec (gosu-compatible) is installed further down
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+	\
+	apk add --no-cache --virtual .gosu-deps \
+		ca-certificates \
+		dpkg \
+		gnupg \
+	; \
+	\
+	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+	\
+# verify the signature
+	export GNUPGHOME="$(mktemp -d)"; \
+	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+	gpgconf --kill all; \
+	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+	\
+# clean up fetch dependencies
+	apk del --no-network .gosu-deps; \
+	\
+	chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+	gosu --version; \
+	gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
 
 # make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
 # alpine doesn't require explicit locale-file generation
@@ -135,7 +164,6 @@ RUN set -eux; \
 	apk add --no-cache --virtual .postgresql-rundeps \
 		$runDeps \
 		bash \
-		su-exec \
 		tzdata \
 		zstd \
 # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
diff --git a/postgres_12-alpine3.19/docker-ensure-initdb.sh b/postgres_12-alpine3.19/docker-ensure-initdb.sh
index 2a97586..ae1f6b6 100755
--- a/postgres_12-alpine3.19/docker-ensure-initdb.sh
+++ b/postgres_12-alpine3.19/docker-ensure-initdb.sh
@@ -27,7 +27,7 @@ docker_setup_env
 docker_create_db_directories
 if [ "$(id -u)" = '0' ]; then
 	# then restart script as postgres user
-	exec su-exec postgres "$BASH_SOURCE" "$@"
+	exec gosu postgres "$BASH_SOURCE" "$@"
 fi
 
 # only run initialization on an empty data directory
diff --git a/postgres_12-alpine3.19/docker-entrypoint.sh b/postgres_12-alpine3.19/docker-entrypoint.sh
index 8163d10..6f59993 100755
--- a/postgres_12-alpine3.19/docker-entrypoint.sh
+++ b/postgres_12-alpine3.19/docker-entrypoint.sh
@@ -310,7 +310,7 @@ _main() {
 		docker_create_db_directories
 		if [ "$(id -u)" = '0' ]; then
 			# then restart script as postgres user
-			exec su-exec postgres "$BASH_SOURCE" "$@"
+			exec gosu postgres "$BASH_SOURCE" "$@"
 		fi
 
 		# only run initialization on an empty data directory
diff --git a/postgres_13-alpine/Dockerfile b/postgres_13-alpine/Dockerfile
index eb373d2..567da31 100644
--- a/postgres_13-alpine/Dockerfile
+++ b/postgres_13-alpine/Dockerfile
@@ -14,7 +14,36 @@ RUN set -eux; \
 	mkdir -p /var/lib/postgresql; \
 	chown -R postgres:postgres /var/lib/postgresql
 
-# su-exec (gosu-compatible) is installed further down
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+	\
+	apk add --no-cache --virtual .gosu-deps \
+		ca-certificates \
+		dpkg \
+		gnupg \
+	; \
+	\
+	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+	\
+# verify the signature
+	export GNUPGHOME="$(mktemp -d)"; \
+	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+	gpgconf --kill all; \
+	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+	\
+# clean up fetch dependencies
+	apk del --no-network .gosu-deps; \
+	\
+	chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+	gosu --version; \
+	gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
 
 # make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
 # alpine doesn't require explicit locale-file generation
@@ -135,7 +164,6 @@ RUN set -eux; \
 	apk add --no-cache --virtual .postgresql-rundeps \
 		$runDeps \
 		bash \
-		su-exec \
 		tzdata \
 		zstd \
 # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
diff --git a/postgres_13-alpine/docker-ensure-initdb.sh b/postgres_13-alpine/docker-ensure-initdb.sh
index 2a97586..ae1f6b6 100755
--- a/postgres_13-alpine/docker-ensure-initdb.sh
+++ b/postgres_13-alpine/docker-ensure-initdb.sh
@@ -27,7 +27,7 @@ docker_setup_env
 docker_create_db_directories
 if [ "$(id -u)" = '0' ]; then
 	# then restart script as postgres user
-	exec su-exec postgres "$BASH_SOURCE" "$@"
+	exec gosu postgres "$BASH_SOURCE" "$@"
 fi
 
 # only run initialization on an empty data directory
diff --git a/postgres_13-alpine/docker-entrypoint.sh b/postgres_13-alpine/docker-entrypoint.sh
index 8163d10..6f59993 100755
--- a/postgres_13-alpine/docker-entrypoint.sh
+++ b/postgres_13-alpine/docker-entrypoint.sh
@@ -310,7 +310,7 @@ _main() {
 		docker_create_db_directories
 		if [ "$(id -u)" = '0' ]; then
 			# then restart script as postgres user
-			exec su-exec postgres "$BASH_SOURCE" "$@"
+			exec gosu postgres "$BASH_SOURCE" "$@"
 		fi
 
 		# only run initialization on an empty data directory
diff --git a/postgres_13-alpine3.19/Dockerfile b/postgres_13-alpine3.19/Dockerfile
index 962b528..39a2352 100644
--- a/postgres_13-alpine3.19/Dockerfile
+++ b/postgres_13-alpine3.19/Dockerfile
@@ -14,7 +14,36 @@ RUN set -eux; \
 	mkdir -p /var/lib/postgresql; \
 	chown -R postgres:postgres /var/lib/postgresql
 
-# su-exec (gosu-compatible) is installed further down
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+	\
+	apk add --no-cache --virtual .gosu-deps \
+		ca-certificates \
+		dpkg \
+		gnupg \
+	; \
+	\
+	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+	\
+# verify the signature
+	export GNUPGHOME="$(mktemp -d)"; \
+	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+	gpgconf --kill all; \
+	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+	\
+# clean up fetch dependencies
+	apk del --no-network .gosu-deps; \
+	\
+	chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+	gosu --version; \
+	gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
 
 # make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
 # alpine doesn't require explicit locale-file generation
@@ -135,7 +164,6 @@ RUN set -eux; \
 	apk add --no-cache --virtual .postgresql-rundeps \
 		$runDeps \
 		bash \
-		su-exec \
 		tzdata \
 		zstd \
 # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
diff --git a/postgres_13-alpine3.19/docker-ensure-initdb.sh b/postgres_13-alpine3.19/docker-ensure-initdb.sh
index 2a97586..ae1f6b6 100755
--- a/postgres_13-alpine3.19/docker-ensure-initdb.sh
+++ b/postgres_13-alpine3.19/docker-ensure-initdb.sh
@@ -27,7 +27,7 @@ docker_setup_env
 docker_create_db_directories
 if [ "$(id -u)" = '0' ]; then
 	# then restart script as postgres user
-	exec su-exec postgres "$BASH_SOURCE" "$@"
+	exec gosu postgres "$BASH_SOURCE" "$@"
 fi
 
 # only run initialization on an empty data directory
diff --git a/postgres_13-alpine3.19/docker-entrypoint.sh b/postgres_13-alpine3.19/docker-entrypoint.sh
index 8163d10..6f59993 100755
--- a/postgres_13-alpine3.19/docker-entrypoint.sh
+++ b/postgres_13-alpine3.19/docker-entrypoint.sh
@@ -310,7 +310,7 @@ _main() {
 		docker_create_db_directories
 		if [ "$(id -u)" = '0' ]; then
 			# then restart script as postgres user
-			exec su-exec postgres "$BASH_SOURCE" "$@"
+			exec gosu postgres "$BASH_SOURCE" "$@"
 		fi
 
 		# only run initialization on an empty data directory
diff --git a/postgres_14-alpine/Dockerfile b/postgres_14-alpine/Dockerfile
index a577a1f..dc839d7 100644
--- a/postgres_14-alpine/Dockerfile
+++ b/postgres_14-alpine/Dockerfile
@@ -14,7 +14,36 @@ RUN set -eux; \
 	mkdir -p /var/lib/postgresql; \
 	chown -R postgres:postgres /var/lib/postgresql
 
-# su-exec (gosu-compatible) is installed further down
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+	\
+	apk add --no-cache --virtual .gosu-deps \
+		ca-certificates \
+		dpkg \
+		gnupg \
+	; \
+	\
+	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+	\
+# verify the signature
+	export GNUPGHOME="$(mktemp -d)"; \
+	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+	gpgconf --kill all; \
+	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+	\
+# clean up fetch dependencies
+	apk del --no-network .gosu-deps; \
+	\
+	chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+	gosu --version; \
+	gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
 
 # make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
 # alpine doesn't require explicit locale-file generation
@@ -138,7 +167,6 @@ RUN set -eux; \
 	apk add --no-cache --virtual .postgresql-rundeps \
 		$runDeps \
 		bash \
-		su-exec \
 		tzdata \
 		zstd \
 # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
diff --git a/postgres_14-alpine/docker-ensure-initdb.sh b/postgres_14-alpine/docker-ensure-initdb.sh
index 2a97586..ae1f6b6 100755
--- a/postgres_14-alpine/docker-ensure-initdb.sh
+++ b/postgres_14-alpine/docker-ensure-initdb.sh
@@ -27,7 +27,7 @@ docker_setup_env
 docker_create_db_directories
 if [ "$(id -u)" = '0' ]; then
 	# then restart script as postgres user
-	exec su-exec postgres "$BASH_SOURCE" "$@"
+	exec gosu postgres "$BASH_SOURCE" "$@"
 fi
 
 # only run initialization on an empty data directory
diff --git a/postgres_14-alpine/docker-entrypoint.sh b/postgres_14-alpine/docker-entrypoint.sh
index 8163d10..6f59993 100755
--- a/postgres_14-alpine/docker-entrypoint.sh
+++ b/postgres_14-alpine/docker-entrypoint.sh
@@ -310,7 +310,7 @@ _main() {
 		docker_create_db_directories
 		if [ "$(id -u)" = '0' ]; then
 			# then restart script as postgres user
-			exec su-exec postgres "$BASH_SOURCE" "$@"
+			exec gosu postgres "$BASH_SOURCE" "$@"
 		fi
 
 		# only run initialization on an empty data directory
diff --git a/postgres_14-alpine3.19/Dockerfile b/postgres_14-alpine3.19/Dockerfile
index 74f2c53..461318e 100644
--- a/postgres_14-alpine3.19/Dockerfile
+++ b/postgres_14-alpine3.19/Dockerfile
@@ -14,7 +14,36 @@ RUN set -eux; \
 	mkdir -p /var/lib/postgresql; \
 	chown -R postgres:postgres /var/lib/postgresql
 
-# su-exec (gosu-compatible) is installed further down
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+	\
+	apk add --no-cache --virtual .gosu-deps \
+		ca-certificates \
+		dpkg \
+		gnupg \
+	; \
+	\
+	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+	\
+# verify the signature
+	export GNUPGHOME="$(mktemp -d)"; \
+	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+	gpgconf --kill all; \
+	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+	\
+# clean up fetch dependencies
+	apk del --no-network .gosu-deps; \
+	\
+	chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+	gosu --version; \
+	gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
 
 # make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
 # alpine doesn't require explicit locale-file generation
@@ -138,7 +167,6 @@ RUN set -eux; \
 	apk add --no-cache --virtual .postgresql-rundeps \
 		$runDeps \
 		bash \
-		su-exec \
 		tzdata \
 		zstd \
 # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
diff --git a/postgres_14-alpine3.19/docker-ensure-initdb.sh b/postgres_14-alpine3.19/docker-ensure-initdb.sh
index 2a97586..ae1f6b6 100755
--- a/postgres_14-alpine3.19/docker-ensure-initdb.sh
+++ b/postgres_14-alpine3.19/docker-ensure-initdb.sh
@@ -27,7 +27,7 @@ docker_setup_env
 docker_create_db_directories
 if [ "$(id -u)" = '0' ]; then
 	# then restart script as postgres user
-	exec su-exec postgres "$BASH_SOURCE" "$@"
+	exec gosu postgres "$BASH_SOURCE" "$@"
 fi
 
 # only run initialization on an empty data directory
diff --git a/postgres_14-alpine3.19/docker-entrypoint.sh b/postgres_14-alpine3.19/docker-entrypoint.sh
index 8163d10..6f59993 100755
--- a/postgres_14-alpine3.19/docker-entrypoint.sh
+++ b/postgres_14-alpine3.19/docker-entrypoint.sh
@@ -310,7 +310,7 @@ _main() {
 		docker_create_db_directories
 		if [ "$(id -u)" = '0' ]; then
 			# then restart script as postgres user
-			exec su-exec postgres "$BASH_SOURCE" "$@"
+			exec gosu postgres "$BASH_SOURCE" "$@"
 		fi
 
 		# only run initialization on an empty data directory
diff --git a/postgres_15-alpine/Dockerfile b/postgres_15-alpine/Dockerfile
index 1fac96c..79b20ac 100644
--- a/postgres_15-alpine/Dockerfile
+++ b/postgres_15-alpine/Dockerfile
@@ -14,7 +14,36 @@ RUN set -eux; \
 	mkdir -p /var/lib/postgresql; \
 	chown -R postgres:postgres /var/lib/postgresql
 
-# su-exec (gosu-compatible) is installed further down
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+	\
+	apk add --no-cache --virtual .gosu-deps \
+		ca-certificates \
+		dpkg \
+		gnupg \
+	; \
+	\
+	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+	\
+# verify the signature
+	export GNUPGHOME="$(mktemp -d)"; \
+	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+	gpgconf --kill all; \
+	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+	\
+# clean up fetch dependencies
+	apk del --no-network .gosu-deps; \
+	\
+	chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+	gosu --version; \
+	gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
 
 # make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
 # alpine doesn't require explicit locale-file generation
@@ -141,7 +170,6 @@ RUN set -eux; \
 	apk add --no-cache --virtual .postgresql-rundeps \
 		$runDeps \
 		bash \
-		su-exec \
 		tzdata \
 		zstd \
 # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
diff --git a/postgres_15-alpine/docker-ensure-initdb.sh b/postgres_15-alpine/docker-ensure-initdb.sh
index 2a97586..ae1f6b6 100755
--- a/postgres_15-alpine/docker-ensure-initdb.sh
+++ b/postgres_15-alpine/docker-ensure-initdb.sh
@@ -27,7 +27,7 @@ docker_setup_env
 docker_create_db_directories
 if [ "$(id -u)" = '0' ]; then
 	# then restart script as postgres user
-	exec su-exec postgres "$BASH_SOURCE" "$@"
+	exec gosu postgres "$BASH_SOURCE" "$@"
 fi
 
 # only run initialization on an empty data directory
diff --git a/postgres_15-alpine/docker-entrypoint.sh b/postgres_15-alpine/docker-entrypoint.sh
index 8163d10..6f59993 100755
--- a/postgres_15-alpine/docker-entrypoint.sh
+++ b/postgres_15-alpine/docker-entrypoint.sh
@@ -310,7 +310,7 @@ _main() {
 		docker_create_db_directories
 		if [ "$(id -u)" = '0' ]; then
 			# then restart script as postgres user
-			exec su-exec postgres "$BASH_SOURCE" "$@"
+			exec gosu postgres "$BASH_SOURCE" "$@"
 		fi
 
 		# only run initialization on an empty data directory
diff --git a/postgres_15-alpine3.19/Dockerfile b/postgres_15-alpine3.19/Dockerfile
index 0a34e0d..2f249aa 100644
--- a/postgres_15-alpine3.19/Dockerfile
+++ b/postgres_15-alpine3.19/Dockerfile
@@ -14,7 +14,36 @@ RUN set -eux; \
 	mkdir -p /var/lib/postgresql; \
 	chown -R postgres:postgres /var/lib/postgresql
 
-# su-exec (gosu-compatible) is installed further down
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+	\
+	apk add --no-cache --virtual .gosu-deps \
+		ca-certificates \
+		dpkg \
+		gnupg \
+	; \
+	\
+	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+	\
+# verify the signature
+	export GNUPGHOME="$(mktemp -d)"; \
+	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+	gpgconf --kill all; \
+	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+	\
+# clean up fetch dependencies
+	apk del --no-network .gosu-deps; \
+	\
+	chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+	gosu --version; \
+	gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
 
 # make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
 # alpine doesn't require explicit locale-file generation
@@ -141,7 +170,6 @@ RUN set -eux; \
 	apk add --no-cache --virtual .postgresql-rundeps \
 		$runDeps \
 		bash \
-		su-exec \
 		tzdata \
 		zstd \
 # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
diff --git a/postgres_15-alpine3.19/docker-ensure-initdb.sh b/postgres_15-alpine3.19/docker-ensure-initdb.sh
index 2a97586..ae1f6b6 100755
--- a/postgres_15-alpine3.19/docker-ensure-initdb.sh
+++ b/postgres_15-alpine3.19/docker-ensure-initdb.sh
@@ -27,7 +27,7 @@ docker_setup_env
 docker_create_db_directories
 if [ "$(id -u)" = '0' ]; then
 	# then restart script as postgres user
-	exec su-exec postgres "$BASH_SOURCE" "$@"
+	exec gosu postgres "$BASH_SOURCE" "$@"
 fi
 
 # only run initialization on an empty data directory
diff --git a/postgres_15-alpine3.19/docker-entrypoint.sh b/postgres_15-alpine3.19/docker-entrypoint.sh
index 8163d10..6f59993 100755
--- a/postgres_15-alpine3.19/docker-entrypoint.sh
+++ b/postgres_15-alpine3.19/docker-entrypoint.sh
@@ -310,7 +310,7 @@ _main() {
 		docker_create_db_directories
 		if [ "$(id -u)" = '0' ]; then
 			# then restart script as postgres user
-			exec su-exec postgres "$BASH_SOURCE" "$@"
+			exec gosu postgres "$BASH_SOURCE" "$@"
 		fi
 
 		# only run initialization on an empty data directory
diff --git a/postgres_17beta1-alpine/Dockerfile b/postgres_17beta1-alpine/Dockerfile
index 39375a0..f23096b 100644
--- a/postgres_17beta1-alpine/Dockerfile
+++ b/postgres_17beta1-alpine/Dockerfile
@@ -14,7 +14,35 @@ RUN set -eux; \
 	mkdir -p /var/lib/postgresql; \
 	chown -R postgres:postgres /var/lib/postgresql
 
-# su-exec (gosu-compatible) is installed further down
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+	\
+	apk add --no-cache --virtual .gosu-deps \
+		ca-certificates \
+		dpkg \
+		gnupg \
+	; \
+	\
+	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+	\
+# verify the signature
+	export GNUPGHOME="$(mktemp -d)"; \
+	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+	gpgconf --kill all; \
+	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+	\
+# clean up fetch dependencies
+	apk del --no-network .gosu-deps; \
+	\
+	chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+	gosu --version; \
+	gosu nobody true
 
 # make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
 # alpine doesn't require explicit locale-file generation
@@ -139,7 +167,6 @@ RUN set -eux; \
 	apk add --no-cache --virtual .postgresql-rundeps \
 		$runDeps \
 		bash \
-		su-exec \
 		tzdata \
 		zstd \
 # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
diff --git a/postgres_17beta1-alpine/docker-ensure-initdb.sh b/postgres_17beta1-alpine/docker-ensure-initdb.sh
index 2a97586..ae1f6b6 100755
--- a/postgres_17beta1-alpine/docker-ensure-initdb.sh
+++ b/postgres_17beta1-alpine/docker-ensure-initdb.sh
@@ -27,7 +27,7 @@ docker_setup_env
 docker_create_db_directories
 if [ "$(id -u)" = '0' ]; then
 	# then restart script as postgres user
-	exec su-exec postgres "$BASH_SOURCE" "$@"
+	exec gosu postgres "$BASH_SOURCE" "$@"
 fi
 
 # only run initialization on an empty data directory
diff --git a/postgres_17beta1-alpine/docker-entrypoint.sh b/postgres_17beta1-alpine/docker-entrypoint.sh
index 8163d10..6f59993 100755
--- a/postgres_17beta1-alpine/docker-entrypoint.sh
+++ b/postgres_17beta1-alpine/docker-entrypoint.sh
@@ -310,7 +310,7 @@ _main() {
 		docker_create_db_directories
 		if [ "$(id -u)" = '0' ]; then
 			# then restart script as postgres user
-			exec su-exec postgres "$BASH_SOURCE" "$@"
+			exec gosu postgres "$BASH_SOURCE" "$@"
 		fi
 
 		# only run initialization on an empty data directory
diff --git a/postgres_17beta1-alpine3.19/Dockerfile b/postgres_17beta1-alpine3.19/Dockerfile
index 4d6c3d6..14ae82d 100644
--- a/postgres_17beta1-alpine3.19/Dockerfile
+++ b/postgres_17beta1-alpine3.19/Dockerfile
@@ -14,7 +14,35 @@ RUN set -eux; \
 	mkdir -p /var/lib/postgresql; \
 	chown -R postgres:postgres /var/lib/postgresql
 
-# su-exec (gosu-compatible) is installed further down
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+	\
+	apk add --no-cache --virtual .gosu-deps \
+		ca-certificates \
+		dpkg \
+		gnupg \
+	; \
+	\
+	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+	\
+# verify the signature
+	export GNUPGHOME="$(mktemp -d)"; \
+	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+	gpgconf --kill all; \
+	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+	\
+# clean up fetch dependencies
+	apk del --no-network .gosu-deps; \
+	\
+	chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+	gosu --version; \
+	gosu nobody true
 
 # make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
 # alpine doesn't require explicit locale-file generation
@@ -139,7 +167,6 @@ RUN set -eux; \
 	apk add --no-cache --virtual .postgresql-rundeps \
 		$runDeps \
 		bash \
-		su-exec \
 		tzdata \
 		zstd \
 # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
diff --git a/postgres_17beta1-alpine3.19/docker-ensure-initdb.sh b/postgres_17beta1-alpine3.19/docker-ensure-initdb.sh
index 2a97586..ae1f6b6 100755
--- a/postgres_17beta1-alpine3.19/docker-ensure-initdb.sh
+++ b/postgres_17beta1-alpine3.19/docker-ensure-initdb.sh
@@ -27,7 +27,7 @@ docker_setup_env
 docker_create_db_directories
 if [ "$(id -u)" = '0' ]; then
 	# then restart script as postgres user
-	exec su-exec postgres "$BASH_SOURCE" "$@"
+	exec gosu postgres "$BASH_SOURCE" "$@"
 fi
 
 # only run initialization on an empty data directory
diff --git a/postgres_17beta1-alpine3.19/docker-entrypoint.sh b/postgres_17beta1-alpine3.19/docker-entrypoint.sh
index 8163d10..6f59993 100755
--- a/postgres_17beta1-alpine3.19/docker-entrypoint.sh
+++ b/postgres_17beta1-alpine3.19/docker-entrypoint.sh
@@ -310,7 +310,7 @@ _main() {
 		docker_create_db_directories
 		if [ "$(id -u)" = '0' ]; then
 			# then restart script as postgres user
-			exec su-exec postgres "$BASH_SOURCE" "$@"
+			exec gosu postgres "$BASH_SOURCE" "$@"
 		fi
 
 		# only run initialization on an empty data directory
diff --git a/postgres_alpine/Dockerfile b/postgres_alpine/Dockerfile
index 1620037..b7606c5 100644
--- a/postgres_alpine/Dockerfile
+++ b/postgres_alpine/Dockerfile
@@ -14,7 +14,36 @@ RUN set -eux; \
 	mkdir -p /var/lib/postgresql; \
 	chown -R postgres:postgres /var/lib/postgresql
 
-# su-exec (gosu-compatible) is installed further down
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+	\
+	apk add --no-cache --virtual .gosu-deps \
+		ca-certificates \
+		dpkg \
+		gnupg \
+	; \
+	\
+	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+	\
+# verify the signature
+	export GNUPGHOME="$(mktemp -d)"; \
+	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+	gpgconf --kill all; \
+	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+	\
+# clean up fetch dependencies
+	apk del --no-network .gosu-deps; \
+	\
+	chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+	gosu --version; \
+	gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
 
 # make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
 # alpine doesn't require explicit locale-file generation
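Review bot: The added `su-exec` compatibility line explains itself only in a trailing shell comment, and "removed in PostgreSQL 17+" does not say who the symlink is for or that `su-exec` now resolves to the gosu binary. A comment line above the RUN would make that explicit, for example `# su-exec is now a symlink to gosu, presumably kept so scripts in derived images that still call su-exec keep working; the 17+ images do not ship it`. The 17beta1 Dockerfile hunk in this diff indeed omits the line, so anything that calls `su-exec` there needs to switch to `gosu`. The same line appears in the postgres_alpine3.19 Dockerfile hunk.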
@@ -140,7 +169,6 @@ RUN set -eux; \
 	apk add --no-cache --virtual .postgresql-rundeps \
 		$runDeps \
 		bash \
-		su-exec \
 		tzdata \
 		zstd \
 # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
diff --git a/postgres_alpine/docker-ensure-initdb.sh b/postgres_alpine/docker-ensure-initdb.sh
index 2a97586..ae1f6b6 100755
--- a/postgres_alpine/docker-ensure-initdb.sh
+++ b/postgres_alpine/docker-ensure-initdb.sh
@@ -27,7 +27,7 @@ docker_setup_env
 docker_create_db_directories
 if [ "$(id -u)" = '0' ]; then
 	# then restart script as postgres user
-	exec su-exec postgres "$BASH_SOURCE" "$@"
+	exec gosu postgres "$BASH_SOURCE" "$@"
 fi
 
 # only run initialization on an empty data directory
diff --git a/postgres_alpine/docker-entrypoint.sh b/postgres_alpine/docker-entrypoint.sh
index 8163d10..6f59993 100755
--- a/postgres_alpine/docker-entrypoint.sh
+++ b/postgres_alpine/docker-entrypoint.sh
@@ -310,7 +310,7 @@ _main() {
 		docker_create_db_directories
 		if [ "$(id -u)" = '0' ]; then
 			# then restart script as postgres user
-			exec su-exec postgres "$BASH_SOURCE" "$@"
+			exec gosu postgres "$BASH_SOURCE" "$@"
 		fi
 
 		# only run initialization on an empty data directory
diff --git a/postgres_alpine3.19/Dockerfile b/postgres_alpine3.19/Dockerfile
index 09fb413..f949bbb 100644
--- a/postgres_alpine3.19/Dockerfile
+++ b/postgres_alpine3.19/Dockerfile
@@ -14,7 +14,36 @@ RUN set -eux; \
 	mkdir -p /var/lib/postgresql; \
 	chown -R postgres:postgres /var/lib/postgresql
 
-# su-exec (gosu-compatible) is installed further down
+# grab gosu for easy step-down from root
+# https://github.com/tianon/gosu/releases
+ENV GOSU_VERSION 1.17
+RUN set -eux; \
+	\
+	apk add --no-cache --virtual .gosu-deps \
+		ca-certificates \
+		dpkg \
+		gnupg \
+	; \
+	\
+	dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
+	wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
+	wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
+	\
+# verify the signature
+	export GNUPGHOME="$(mktemp -d)"; \
+	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
+	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
+	gpgconf --kill all; \
+	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
+	\
+# clean up fetch dependencies
+	apk del --no-network .gosu-deps; \
+	\
+	chmod +x /usr/local/bin/gosu; \
+# verify that the binary works
+	gosu --version; \
+	gosu nobody true
+RUN set -eux; ln -svf gosu /usr/local/bin/su-exec; su-exec nobody true # backwards compatibility (removed in PostgreSQL 17+)
 
 # make the "en_US.UTF-8" locale so postgres will be utf-8 enabled by default
 # alpine doesn't require explicit locale-file generation
@@ -140,7 +169,6 @@ RUN set -eux; \
 	apk add --no-cache --virtual .postgresql-rundeps \
 		$runDeps \
 		bash \
-		su-exec \
 		tzdata \
 		zstd \
 # https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.16.0#ICU_data_split
diff --git a/postgres_alpine3.19/docker-ensure-initdb.sh b/postgres_alpine3.19/docker-ensure-initdb.sh
index 2a97586..ae1f6b6 100755
--- a/postgres_alpine3.19/docker-ensure-initdb.sh
+++ b/postgres_alpine3.19/docker-ensure-initdb.sh
@@ -27,7 +27,7 @@ docker_setup_env
 docker_create_db_directories
 if [ "$(id -u)" = '0' ]; then
 	# then restart script as postgres user
-	exec su-exec postgres "$BASH_SOURCE" "$@"
+	exec gosu postgres "$BASH_SOURCE" "$@"
 fi
 
 # only run initialization on an empty data directory
diff --git a/postgres_alpine3.19/docker-entrypoint.sh b/postgres_alpine3.19/docker-entrypoint.sh
index 8163d10..6f59993 100755
--- a/postgres_alpine3.19/docker-entrypoint.sh
+++ b/postgres_alpine3.19/docker-entrypoint.sh
@@ -310,7 +310,7 @@ _main() {
 		docker_create_db_directories
 		if [ "$(id -u)" = '0' ]; then
 			# then restart script as postgres user
-			exec su-exec postgres "$BASH_SOURCE" "$@"
+			exec gosu postgres "$BASH_SOURCE" "$@"
 		fi
 
 		# only run initialization on an empty data directory

Relevant Maintainers:

@yosifkit yosifkit merged commit a64a3ea into docker-library:master Jun 19, 2024
29 checks passed
@yosifkit yosifkit deleted the postgres branch June 19, 2024 00:12