diff --git a/9.1/Dockerfile b/9.1/Dockerfile
index 2e37c310fc..4dbef3709b 100644
--- a/9.1/Dockerfile
+++ b/9.1/Dockerfile
@@ -23,6 +23,9 @@ RUN apt-get update && apt-get install -y locales && rm -rf /var/lib/apt/lists/*
  && localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
 ENV LANG en_US.utf8
 
+# auto generate a self-signed certificate in /etc/ssl/certs/ssl-cert-snakeoil.pem
+RUN apt-get update && apt-get install -y ssl-cert && rm -rf /var/lib/apt/lists/*
+
 RUN mkdir /docker-entrypoint-initdb.d
 
 RUN apt-key adv --keyserver ha.pool.sks-keyservers.net --recv-keys B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8
diff --git a/9.1/docker-entrypoint.sh b/9.1/docker-entrypoint.sh
index 3b436e4adf..350ba538b3 100755
--- a/9.1/docker-entrypoint.sh
+++ b/9.1/docker-entrypoint.sh
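Review bot: The added `RUN apt-get update && apt-get install -y ssl-cert` line runs the package's postinst at image build time, so the generated /etc/ssl/private/ssl-cert-snakeoil.key is baked into a published image layer and is identical for every container started from that image; the entrypoint's `--force-overwrite` regeneration replaces it on the container filesystem but cannot remove it from the layer. Since the entrypoint regenerates the pair before using it, the build-time key serves no purpose and could be dropped in the same RUN, e.g. `... && rm -f /etc/ssl/private/ssl-cert-snakeoil.key` — worth confirming against the make-ssl-cert behaviour first. Style-wise, a second `apt-get update`/`install`/`rm -rf /var/lib/apt/lists/*` layer duplicates the one on the preceding context line; adding `ssl-cert` to that existing install list keeps one apt layer. The same hunk is repeated for 9.2, 9.3, 9.4, 9.5, 9.6 and Dockerfile.template.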
@@ -42,9 +42,38 @@ if [ "$1" = 'postgres' ]; then
  authMethod=trust
  fi
 
- { echo; echo "host all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
+ hostMethod=host
+ if [[ ! -z "$POSTGRES_ENABLE_SSL" && ! $POSTGRES_ENABLE_SSL =~ ^([nN][oO]|[nN]|[fF][aA][lL][sS][eE]|[fF]|0)$ ]] ; then
+ if [ ! -f "/etc/ssl/certs/postgresql.crt" ]; then
+ cat >&2 <<-'EOWARN'
+ ****************************************************
+ WARNING: Using an auto-generated certificate for SSL.
+ Please consider using your own certificate
+ in production environments.
+
+ Use "-v /my/cert.crt:/etc/ssl/certs/postgresql.crt"
+ and "-v /my/cert.key:/etc/ssl/private/postgresql.key"
+ to mount your own certificate as a volume.
+ ****************************************************
+ EOWARN
+ DEBIAN_FRONTEND=noninteractive make-ssl-cert generate-default-snakeoil --force-overwrite
+ cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/postgresql.crt
+ cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/postgresql.key
+ fi
+
+ cp /etc/ssl/certs/postgresql.crt "$PGDATA/server.crt"
+ cp /etc/ssl/private/postgresql.key "$PGDATA/server.key"
+ chown postgres "$PGDATA/server.crt"
+ chown postgres "$PGDATA/server.key"
+ chmod og-rwx "$PGDATA/server.key"
+
+ sed -i "s|#\?ssl \?=.*|ssl = on|g" "$PGDATA/postgresql.conf"
+ hostMethod=hostssl
+ fi
+
+ { echo; echo "$hostMethod all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
 
- # internal start of server in order to allow set-up using psql-client
+ # internal start of server in order to allow set-up using psql-client
  # does not listen on external TCP/IP and waits until start finishes
  gosu postgres pg_ctl -D "$PGDATA" \
  -o "-c listen_addresses='localhost'" \
diff --git a/9.2/Dockerfile b/9.2/Dockerfile
index 0fb6f71a3f..cdb720ab45 100644
--- a/9.2/Dockerfile
+++ b/9.2/Dockerfile
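Review bot: The private key is copied into `$PGDATA` with a plain `cp` and only tightened afterwards by the separate `chown`/`chmod` lines, so `server.key` briefly sits in the data directory with whatever mode the copy inherited; `install -o postgres -m 0600 /etc/ssl/private/postgresql.key "$PGDATA/server.key"` (and `install -o postgres -m 0644 /etc/ssl/certs/postgresql.crt "$PGDATA/server.crt"`) creates each file with its final owner and mode in one step and replaces five lines with two. The `sed` pattern `#\?ssl \?=.*` is not anchored, so a commented line written as `# ssl = off` is rewritten to `# ssl = on` and stays disabled; `^#\?ssl \?=.*` matches what is intended. This block sits inside the `if [ "$1" = 'postgres' ]` branch that starts outside the hunk; if, as the surrounding initdb logic suggests, it only runs on first initialisation, a certificate mounted into /etc/ssl/certs/postgresql.crt on a later start is never copied over the snakeoil pair already persisted in `$PGDATA`, and the warning text should say so. The same hunk is repeated for 9.2 to 9.6 and the top-level docker-entrypoint.sh.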
@@ -23,6 +23,9 @@ RUN apt-get update && apt-get install -y locales && rm -rf /var/lib/apt/lists/*
  && localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
 ENV LANG en_US.utf8
 
+# auto generate a self-signed certificate in /etc/ssl/certs/ssl-cert-snakeoil.pem
+RUN apt-get update && apt-get install -y ssl-cert && rm -rf /var/lib/apt/lists/*
+
 RUN mkdir /docker-entrypoint-initdb.d
 
 RUN apt-key adv --keyserver ha.pool.sks-keyservers.net --recv-keys B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8
diff --git a/9.2/docker-entrypoint.sh b/9.2/docker-entrypoint.sh
index 3b436e4adf..350ba538b3 100755
--- a/9.2/docker-entrypoint.sh
+++ b/9.2/docker-entrypoint.sh
@@ -42,9 +42,38 @@ if [ "$1" = 'postgres' ]; then
  authMethod=trust
  fi
 
- { echo; echo "host all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
+ hostMethod=host
+ if [[ ! -z "$POSTGRES_ENABLE_SSL" && ! $POSTGRES_ENABLE_SSL =~ ^([nN][oO]|[nN]|[fF][aA][lL][sS][eE]|[fF]|0)$ ]] ; then
+ if [ ! -f "/etc/ssl/certs/postgresql.crt" ]; then
+ cat >&2 <<-'EOWARN'
+ ****************************************************
+ WARNING: Using an auto-generated certificate for SSL.
+ Please consider using your own certificate
+ in production environments.
+
+ Use "-v /my/cert.crt:/etc/ssl/certs/postgresql.crt"
+ and "-v /my/cert.key:/etc/ssl/private/postgresql.key"
+ to mount your own certificate as a volume.
+ ****************************************************
+ EOWARN
+ DEBIAN_FRONTEND=noninteractive make-ssl-cert generate-default-snakeoil --force-overwrite
+ cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/postgresql.crt
+ cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/postgresql.key
+ fi
+
+ cp /etc/ssl/certs/postgresql.crt "$PGDATA/server.crt"
+ cp /etc/ssl/private/postgresql.key "$PGDATA/server.key"
+ chown postgres "$PGDATA/server.crt"
+ chown postgres "$PGDATA/server.key"
+ chmod og-rwx "$PGDATA/server.key"
+
+ sed -i "s|#\?ssl \?=.*|ssl = on|g" "$PGDATA/postgresql.conf"
+ hostMethod=hostssl
+ fi
+
+ { echo; echo "$hostMethod all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
 
- # internal start of server in order to allow set-up using psql-client
+ # internal start of server in order to allow set-up using psql-client
  # does not listen on external TCP/IP and waits until start finishes
  gosu postgres pg_ctl -D "$PGDATA" \
  -o "-c listen_addresses='localhost'" \
diff --git a/9.3/Dockerfile b/9.3/Dockerfile
index 36d9e0f91b..e7c36a53b0 100644
--- a/9.3/Dockerfile
+++ b/9.3/Dockerfile
@@ -23,6 +23,9 @@ RUN apt-get update && apt-get install -y locales && rm -rf /var/lib/apt/lists/*
  && localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
 ENV LANG en_US.utf8
 
+# auto generate a self-signed certificate in /etc/ssl/certs/ssl-cert-snakeoil.pem
+RUN apt-get update && apt-get install -y ssl-cert && rm -rf /var/lib/apt/lists/*
+
 RUN mkdir /docker-entrypoint-initdb.d
 
 RUN apt-key adv --keyserver ha.pool.sks-keyservers.net --recv-keys B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8
diff --git a/9.3/docker-entrypoint.sh b/9.3/docker-entrypoint.sh
index 3b436e4adf..350ba538b3 100755
--- a/9.3/docker-entrypoint.sh
+++ b/9.3/docker-entrypoint.sh
@@ -42,9 +42,38 @@ if [ "$1" = 'postgres' ]; then
  authMethod=trust
  fi
 
- { echo; echo "host all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
+ hostMethod=host
+ if [[ ! -z "$POSTGRES_ENABLE_SSL" && ! $POSTGRES_ENABLE_SSL =~ ^([nN][oO]|[nN]|[fF][aA][lL][sS][eE]|[fF]|0)$ ]] ; then
+ if [ ! -f "/etc/ssl/certs/postgresql.crt" ]; then
+ cat >&2 <<-'EOWARN'
+ ****************************************************
+ WARNING: Using an auto-generated certificate for SSL.
+ Please consider using your own certificate
+ in production environments.
+
+ Use "-v /my/cert.crt:/etc/ssl/certs/postgresql.crt"
+ and "-v /my/cert.key:/etc/ssl/private/postgresql.key"
+ to mount your own certificate as a volume.
+ ****************************************************
+ EOWARN
+ DEBIAN_FRONTEND=noninteractive make-ssl-cert generate-default-snakeoil --force-overwrite
+ cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/postgresql.crt
+ cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/postgresql.key
+ fi
+
+ cp /etc/ssl/certs/postgresql.crt "$PGDATA/server.crt"
+ cp /etc/ssl/private/postgresql.key "$PGDATA/server.key"
+ chown postgres "$PGDATA/server.crt"
+ chown postgres "$PGDATA/server.key"
+ chmod og-rwx "$PGDATA/server.key"
+
+ sed -i "s|#\?ssl \?=.*|ssl = on|g" "$PGDATA/postgresql.conf"
+ hostMethod=hostssl
+ fi
+
+ { echo; echo "$hostMethod all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
 
- # internal start of server in order to allow set-up using psql-client
+ # internal start of server in order to allow set-up using psql-client
  # does not listen on external TCP/IP and waits until start finishes
  gosu postgres pg_ctl -D "$PGDATA" \
  -o "-c listen_addresses='localhost'" \
diff --git a/9.4/Dockerfile b/9.4/Dockerfile
index 21e7852638..624a64504f 100644
--- a/9.4/Dockerfile
+++ b/9.4/Dockerfile
@@ -23,6 +23,9 @@ RUN apt-get update && apt-get install -y locales && rm -rf /var/lib/apt/lists/*
  && localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
 ENV LANG en_US.utf8
 
+# auto generate a self-signed certificate in /etc/ssl/certs/ssl-cert-snakeoil.pem
+RUN apt-get update && apt-get install -y ssl-cert && rm -rf /var/lib/apt/lists/*
+
 RUN mkdir /docker-entrypoint-initdb.d
 
 RUN apt-key adv --keyserver ha.pool.sks-keyservers.net --recv-keys B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8
diff --git a/9.4/docker-entrypoint.sh b/9.4/docker-entrypoint.sh
index 3b436e4adf..350ba538b3 100755
--- a/9.4/docker-entrypoint.sh
+++ b/9.4/docker-entrypoint.sh
@@ -42,9 +42,38 @@ if [ "$1" = 'postgres' ]; then
  authMethod=trust
  fi
 
- { echo; echo "host all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
+ hostMethod=host
+ if [[ ! -z "$POSTGRES_ENABLE_SSL" && ! $POSTGRES_ENABLE_SSL =~ ^([nN][oO]|[nN]|[fF][aA][lL][sS][eE]|[fF]|0)$ ]] ; then
+ if [ ! -f "/etc/ssl/certs/postgresql.crt" ]; then
+ cat >&2 <<-'EOWARN'
+ ****************************************************
+ WARNING: Using an auto-generated certificate for SSL.
+ Please consider using your own certificate
+ in production environments.
+
+ Use "-v /my/cert.crt:/etc/ssl/certs/postgresql.crt"
+ and "-v /my/cert.key:/etc/ssl/private/postgresql.key"
+ to mount your own certificate as a volume.
+ ****************************************************
+ EOWARN
+ DEBIAN_FRONTEND=noninteractive make-ssl-cert generate-default-snakeoil --force-overwrite
+ cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/postgresql.crt
+ cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/postgresql.key
+ fi
+
+ cp /etc/ssl/certs/postgresql.crt "$PGDATA/server.crt"
+ cp /etc/ssl/private/postgresql.key "$PGDATA/server.key"
+ chown postgres "$PGDATA/server.crt"
+ chown postgres "$PGDATA/server.key"
+ chmod og-rwx "$PGDATA/server.key"
+
+ sed -i "s|#\?ssl \?=.*|ssl = on|g" "$PGDATA/postgresql.conf"
+ hostMethod=hostssl
+ fi
+
+ { echo; echo "$hostMethod all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
 
- # internal start of server in order to allow set-up using psql-client
+ # internal start of server in order to allow set-up using psql-client
  # does not listen on external TCP/IP and waits until start finishes
  gosu postgres pg_ctl -D "$PGDATA" \
  -o "-c listen_addresses='localhost'" \
diff --git a/9.5/Dockerfile b/9.5/Dockerfile
index 095a9fa88d..e96e9f5407 100644
--- a/9.5/Dockerfile
+++ b/9.5/Dockerfile
@@ -23,6 +23,9 @@ RUN apt-get update && apt-get install -y locales && rm -rf /var/lib/apt/lists/*
  && localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
 ENV LANG en_US.utf8
 
+# auto generate a self-signed certificate in /etc/ssl/certs/ssl-cert-snakeoil.pem
+RUN apt-get update && apt-get install -y ssl-cert && rm -rf /var/lib/apt/lists/*
+
 RUN mkdir /docker-entrypoint-initdb.d
 
 RUN apt-key adv --keyserver ha.pool.sks-keyservers.net --recv-keys B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8
diff --git a/9.5/docker-entrypoint.sh b/9.5/docker-entrypoint.sh
index 3b436e4adf..350ba538b3 100755
--- a/9.5/docker-entrypoint.sh
+++ b/9.5/docker-entrypoint.sh
@@ -42,9 +42,38 @@ if [ "$1" = 'postgres' ]; then
  authMethod=trust
  fi
 
- { echo; echo "host all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
+ hostMethod=host
+ if [[ ! -z "$POSTGRES_ENABLE_SSL" && ! $POSTGRES_ENABLE_SSL =~ ^([nN][oO]|[nN]|[fF][aA][lL][sS][eE]|[fF]|0)$ ]] ; then
+ if [ ! -f "/etc/ssl/certs/postgresql.crt" ]; then
+ cat >&2 <<-'EOWARN'
+ ****************************************************
+ WARNING: Using an auto-generated certificate for SSL.
+ Please consider using your own certificate
+ in production environments.
+
+ Use "-v /my/cert.crt:/etc/ssl/certs/postgresql.crt"
+ and "-v /my/cert.key:/etc/ssl/private/postgresql.key"
+ to mount your own certificate as a volume.
+ ****************************************************
+ EOWARN
+ DEBIAN_FRONTEND=noninteractive make-ssl-cert generate-default-snakeoil --force-overwrite
+ cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/postgresql.crt
+ cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/postgresql.key
+ fi
+
+ cp /etc/ssl/certs/postgresql.crt "$PGDATA/server.crt"
+ cp /etc/ssl/private/postgresql.key "$PGDATA/server.key"
+ chown postgres "$PGDATA/server.crt"
+ chown postgres "$PGDATA/server.key"
+ chmod og-rwx "$PGDATA/server.key"
+
+ sed -i "s|#\?ssl \?=.*|ssl = on|g" "$PGDATA/postgresql.conf"
+ hostMethod=hostssl
+ fi
+
+ { echo; echo "$hostMethod all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
 
- # internal start of server in order to allow set-up using psql-client
+ # internal start of server in order to allow set-up using psql-client
  # does not listen on external TCP/IP and waits until start finishes
  gosu postgres pg_ctl -D "$PGDATA" \
  -o "-c listen_addresses='localhost'" \
diff --git a/9.6/Dockerfile b/9.6/Dockerfile
index fa11c1acd1..a35b2faaa9 100644
--- a/9.6/Dockerfile
+++ b/9.6/Dockerfile
@@ -23,6 +23,9 @@ RUN apt-get update && apt-get install -y locales && rm -rf /var/lib/apt/lists/*
  && localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
 ENV LANG en_US.utf8
 
+# auto generate a self-signed certificate in /etc/ssl/certs/ssl-cert-snakeoil.pem
+RUN apt-get update && apt-get install -y ssl-cert && rm -rf /var/lib/apt/lists/*
+
 RUN mkdir /docker-entrypoint-initdb.d
 
 RUN apt-key adv --keyserver ha.pool.sks-keyservers.net --recv-keys B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8
diff --git a/9.6/docker-entrypoint.sh b/9.6/docker-entrypoint.sh
index 3b436e4adf..350ba538b3 100755
--- a/9.6/docker-entrypoint.sh
+++ b/9.6/docker-entrypoint.sh
@@ -42,9 +42,38 @@ if [ "$1" = 'postgres' ]; then
  authMethod=trust
  fi
 
- { echo; echo "host all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
+ hostMethod=host
+ if [[ ! -z "$POSTGRES_ENABLE_SSL" && ! $POSTGRES_ENABLE_SSL =~ ^([nN][oO]|[nN]|[fF][aA][lL][sS][eE]|[fF]|0)$ ]] ; then
+ if [ ! -f "/etc/ssl/certs/postgresql.crt" ]; then
+ cat >&2 <<-'EOWARN'
+ ****************************************************
+ WARNING: Using an auto-generated certificate for SSL.
+ Please consider using your own certificate
+ in production environments.
+
+ Use "-v /my/cert.crt:/etc/ssl/certs/postgresql.crt"
+ and "-v /my/cert.key:/etc/ssl/private/postgresql.key"
+ to mount your own certificate as a volume.
+ ****************************************************
+ EOWARN
+ DEBIAN_FRONTEND=noninteractive make-ssl-cert generate-default-snakeoil --force-overwrite
+ cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/postgresql.crt
+ cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/postgresql.key
+ fi
+
+ cp /etc/ssl/certs/postgresql.crt "$PGDATA/server.crt"
+ cp /etc/ssl/private/postgresql.key "$PGDATA/server.key"
+ chown postgres "$PGDATA/server.crt"
+ chown postgres "$PGDATA/server.key"
+ chmod og-rwx "$PGDATA/server.key"
+
+ sed -i "s|#\?ssl \?=.*|ssl = on|g" "$PGDATA/postgresql.conf"
+ hostMethod=hostssl
+ fi
+
+ { echo; echo "$hostMethod all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
 
- # internal start of server in order to allow set-up using psql-client
+ # internal start of server in order to allow set-up using psql-client
  # does not listen on external TCP/IP and waits until start finishes
  gosu postgres pg_ctl -D "$PGDATA" \
  -o "-c listen_addresses='localhost'" \
diff --git a/Dockerfile.template b/Dockerfile.template
index 83eb859b98..313fa0a544 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -23,6 +23,9 @@ RUN apt-get update && apt-get install -y locales && rm -rf /var/lib/apt/lists/*
  && localedef -i en_US -c -f UTF-8 -A /usr/share/locale/locale.alias en_US.UTF-8
 ENV LANG en_US.utf8
 
+# auto generate a self-signed certificate in /etc/ssl/certs/ssl-cert-snakeoil.pem
+RUN apt-get update && apt-get install -y ssl-cert && rm -rf /var/lib/apt/lists/*
+
 RUN mkdir /docker-entrypoint-initdb.d
 
 RUN apt-key adv --keyserver ha.pool.sks-keyservers.net --recv-keys B97B0AFCAA1A47F044F244A07FCC7D46ACCC4CF8
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 3b436e4adf..350ba538b3 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -42,9 +42,38 @@ if [ "$1" = 'postgres' ]; then
  authMethod=trust
  fi
 
- { echo; echo "host all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
+ hostMethod=host
+ if [[ ! -z "$POSTGRES_ENABLE_SSL" && ! $POSTGRES_ENABLE_SSL =~ ^([nN][oO]|[nN]|[fF][aA][lL][sS][eE]|[fF]|0)$ ]] ; then
+ if [ ! -f "/etc/ssl/certs/postgresql.crt" ]; then
+ cat >&2 <<-'EOWARN'
+ ****************************************************
+ WARNING: Using an auto-generated certificate for SSL.
+ Please consider using your own certificate
+ in production environments.
+
+ Use "-v /my/cert.crt:/etc/ssl/certs/postgresql.crt"
+ and "-v /my/cert.key:/etc/ssl/private/postgresql.key"
+ to mount your own certificate as a volume.
+ ****************************************************
+ EOWARN
+ DEBIAN_FRONTEND=noninteractive make-ssl-cert generate-default-snakeoil --force-overwrite
+ cp /etc/ssl/certs/ssl-cert-snakeoil.pem /etc/ssl/certs/postgresql.crt
+ cp /etc/ssl/private/ssl-cert-snakeoil.key /etc/ssl/private/postgresql.key
+ fi
+
+ cp /etc/ssl/certs/postgresql.crt "$PGDATA/server.crt"
+ cp /etc/ssl/private/postgresql.key "$PGDATA/server.key"
+ chown postgres "$PGDATA/server.crt"
+ chown postgres "$PGDATA/server.key"
+ chmod og-rwx "$PGDATA/server.key"
+
+ sed -i "s|#\?ssl \?=.*|ssl = on|g" "$PGDATA/postgresql.conf"
+ hostMethod=hostssl
+ fi
+
+ { echo; echo "$hostMethod all all 0.0.0.0/0 $authMethod"; } >> "$PGDATA/pg_hba.conf"
 
- # internal start of server in order to allow set-up using psql-client
+ # internal start of server in order to allow set-up using psql-client
  # does not listen on external TCP/IP and waits until start finishes
  gosu postgres pg_ctl -D "$PGDATA" \
  -o "-c listen_addresses='localhost'" \