Tianon Gravi tianon ::1 https://tianon.xyz bashochist; debian, dragon, father, gentoo, go, perl, tron, vim; basically nine years old; he/him or they/them

push event tianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 59a063769ba75595876367329993783a6006b9fc

Update debian-security.json

push time in a few seconds

push event tianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 3948612e125933109227978c727ecd4b32904422

Update debian-security.json

push time in 2 hours

push event tianon/boot2docker-legacy

Tianon Gravi

commit sha ab6b28e35f05d714b7da3e9051299c5a0d4e5e7a

Remove haveged in favor of backported upstream kernel commit

Quoting the `Dockerfile` comment:

> apply kernel entropy patch from 5.4; this same patch was backported in Debian in 5.3.9-1
>
> - https://git.kernel.org/linus/50ee7529ec4500c88f8664560770a7a1b65db72b
> - https://salsa.debian.org/kernel-team/linux/commit/c323c453b2485a33bfb33635a07f3a50bc1db1ee
> - https://lists.debian.org/debian-boot/2019/11/msg00077.html
>
> specifically, this solves the problem of early-boot entropy (SSH key generation, for example), avoiding the need for userspace solutions like haveged

push time in 5 hours

PR opened boot2docker/boot2docker

Remove haveged in favor of backported upstream kernel commit

Quoting the Dockerfile comment:

apply kernel entropy patch from 5.4; this same patch was backported in Debian in 5.3.9-1

  • https://git.kernel.org/linus/50ee7529ec4500c88f8664560770a7a1b65db72b
  • https://salsa.debian.org/kernel-team/linux/commit/c323c453b2485a33bfb33635a07f3a50bc1db1ee
  • https://lists.debian.org/debian-boot/2019/11/msg00077.html

specifically, this solves the problem of early-boot entropy (SSH key generation, for example), avoiding the need for userspace solutions like haveged

+9 -96

0 comment

3 changed files

pr created time in 5 hours

create branch tianon/boot2docker-legacy

branch : ditch-haveged

created branch time in 5 hours

issue comment alpinelinux/docker-alpine

Space character before #

I cannot reproduce: :confused:

$ echo 'qwerasdf!@#$' > test.txt
$ { echo 'FROM openjdk:8-jdk-alpine'; echo 'ADD test.txt /srv/test.txt'; } > Dockerfile
$ cat test.txt
qwerasdf!@#$
$ cat Dockerfile
FROM openjdk:8-jdk-alpine
ADD test.txt /srv/test.txt
$ docker build .
Sending build context to Docker daemon  16.38kB
Step 1/2 : FROM openjdk:8-jdk-alpine
8-jdk-alpine: Pulling from library/openjdk
e7c96db7181b: Already exists 
f910a506b6cb: Already exists 
c2274a1a0e27: Pull complete 
Digest: sha256:94792824df2df33402f201713f932b58cb9de94a0cd524164a0f2283343547b3
Status: Downloaded newer image for openjdk:8-jdk-alpine
 ---> a3562aa0b991
Step 2/2 : ADD test.txt /srv/test.txt
 ---> 4c385a95cca8
Successfully built 4c385a95cca8
$ docker run --rm 4c385a95cca8 cat /srv/test.txt
qwerasdf!@#$
PloughLiu

comment created time in 5 hours

issue comment docker-library/wordpress

php-gb missing

@mkrupczak3 I'd recommend opening a new issue with detailed reproduction steps from a vanilla fresh WordPress install so we can reliably reproduce the issue and thus debug/fix it more appropriately.

soichih

comment created time in 5 hours

push event tianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 3c6c7cf5e286b841cd28b12a7ee8cfce9d720f43

Update debian-security.json

push time in 6 hours

Pull request review comment docker-library/postgres

Functionalize the entrypoint to allow outside sourcing for extreme customizing of startup

 file_env() { 	unset "$fileVar" } -if [ "${1:0:1}" = '-' ]; then-	set -- postgres "$@"-fi+# check to see if this file is being run or sourced from another script+_is_sourced() {+	# https://unix.stackexchange.com/a/215279+	[ "${#FUNCNAME[@]}" -ge 2 ] \+		&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \+		&& [ "${FUNCNAME[1]}" = 'source' ]+}++# used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user+docker_create_db_directories() {+	local user="$(id -u)" -# allow the container to be started with `--user`-if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then 	mkdir -p "$PGDATA"-	chown -R postgres "$PGDATA" 	chmod 700 "$PGDATA" -	mkdir -p /var/run/postgresql-	chown -R postgres /var/run/postgresql-	chmod 775 /var/run/postgresql+	# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289+	mkdir -p /var/run/postgresql || :+	chmod 775 /var/run/postgresql || : -	# Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user+	# Create the transaction log directory before initdb is run so the directory is owned by the correct user 	if [ "$POSTGRES_INITDB_WALDIR" ]; then 		mkdir -p "$POSTGRES_INITDB_WALDIR"-		chown -R postgres "$POSTGRES_INITDB_WALDIR"+		[ "$user" = '0' ] && find "$POSTGRES_INITDB_WALDIR" \! -user postgres - exec chown postgres '{}' + 		chmod 700 "$POSTGRES_INITDB_WALDIR" 	fi -	exec su-exec postgres "$BASH_SOURCE" "$@"-fi--if [ "$1" = 'postgres' ]; then-	mkdir -p "$PGDATA"-	chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :-	chmod 700 "$PGDATA" 2>/dev/null || :+	# allow the container to be started with `--user`+	if [ "$user" = '0' ]; then+		find "$PGDATA" \! -user postgres -exec chown postgres '{}' ++		find /var/run/postgresql \! -user postgres -exec chown postgres '{}' ++	fi+} -	# look specifically for PG_VERSION, as it is expected in the DB dir-	if [ ! 
-s "$PGDATA/PG_VERSION" ]; then-		# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary-		# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html-		if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then-			export LD_PRELOAD='/usr/lib/libnss_wrapper.so'-			export NSS_WRAPPER_PASSWD="$(mktemp)"-			export NSS_WRAPPER_GROUP="$(mktemp)"-			echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"-			echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"-		fi+# initialize empty PGDATA directory with new database via 'initdb'+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames+# this is also where the database user is created, specified by `POSTGRES_USER` env+docker_init_database_dir() {+	# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary+	# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html+	if ! 
getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then+		export LD_PRELOAD='/usr/lib/libnss_wrapper.so'+		export NSS_WRAPPER_PASSWD="$(mktemp)"+		export NSS_WRAPPER_GROUP="$(mktemp)"+		echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"+		echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"+	fi -		file_env 'POSTGRES_USER' 'postgres'-		file_env 'POSTGRES_PASSWORD'+	if [ "$POSTGRES_INITDB_WALDIR" ]; then+		set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"+	fi -		file_env 'POSTGRES_INITDB_ARGS'-		if [ "$POSTGRES_INITDB_WALDIR" ]; then-			export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR"-		fi-		eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"+	eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' -		# unset/cleanup "nss_wrapper" bits-		if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then-			rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"-			unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP-		fi+	# unset/cleanup "nss_wrapper" bits+	if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then+		rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"+		unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP+	fi+} -		# check password first so we can output the warning before postgres-		# messes it up-		if [ -n "$POSTGRES_PASSWORD" ]; then-			authMethod=md5+# print large warning if POSTGRES_PASSWORD is empty+docker_verify_minimum_env() {+	# check password first so we can output the warning before postgres+	# messes it up+	if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then+		cat >&2 <<-'EOWARN' -			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then-				cat >&2 <<-'EOWARN'+			WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. -					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.+			  This will not work if used via PGPASSWORD with "psql". 
-					  This will not work if used via PGPASSWORD with "psql".+			  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)+			  https://github.com/docker-library/postgres/issues/507 -					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)-					  https://github.com/docker-library/postgres/issues/507+		EOWARN+	fi+	if [ -z "$POSTGRES_PASSWORD" ]; then+		# The - option suppresses leading tabs but *not* spaces. :)+		cat >&2 <<-'EOWARN'+			****************************************************+			WARNING: No password has been set for the database.+			         This will allow anyone with access to the+			         Postgres port to access your database. In+			         Docker's default configuration, this is+			         effectively any other container on the same+			         system. -				EOWARN-			fi-		else-			# The - option suppresses leading tabs but *not* spaces. :)-			cat >&2 <<-'EOWARN'-				****************************************************-				WARNING: No password has been set for the database.-				         This will allow anyone with access to the-				         Postgres port to access your database. 
In-				         Docker's default configuration, this is-				         effectively any other container on the same-				         system.--				         Use "-e POSTGRES_PASSWORD=password" to set-				         it in "docker run".-				****************************************************-			EOWARN--			authMethod=trust-		fi+			         Use "-e POSTGRES_PASSWORD=password" to set+			         it in "docker run".+			****************************************************+		EOWARN -		{-			echo-			echo "host all all all $authMethod"-		} >> "$PGDATA/pg_hba.conf"+	fi+} -		# internal start of server in order to allow set-up using psql-client-		# does not listen on external TCP/IP and waits until start finishes-		PGUSER="${PGUSER:-$POSTGRES_USER}" \-		pg_ctl -D "$PGDATA" \-			-o "-c listen_addresses=''" \-			-w start+# usage: docker_process_init_files [file [file [...]]]+#    ie: docker_process_init_files /always-initdb.d/*+# process initializer files, based on file extensions and permissions+docker_process_init_files() {+	# psql here for backwards compatiblilty "${psql[@]}"+	psql=( docker_process_sql ) -		file_env 'POSTGRES_DB' "$POSTGRES_USER"+	echo+	local f+	for f; do+		case "$f" in+			*.sh)+				# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936+				# https://github.com/docker-library/postgres/pull/452+				if [ -x "$f" ]; then+					echo "$0: running $f"+					"$f"+				else+					echo "$0: sourcing $f"+					. 
"$f"+				fi+				;;+			*.sql)    echo "$0: running $f"; docker_process_sql -f "$f"; echo ;;+			*.sql.gz) echo "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;;+			*)        echo "$0: ignoring $f" ;;+		esac+		echo+	done+} -		export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"-		psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password )+# Execute sql script, passed via stdin (or -f flag of pqsl)+# usage: docker_process_sql [psql-cli-args]+#    ie: docker_process_sql --dbname=mydb <<<'INSERT ...'+#    ie: docker_process_sql -f my-file.sql+#    ie: docker_process_sql <my-file.sql+docker_process_sql() {+	local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password )+	if [ -n "$POSTGRES_DB" ]; then+		query_runner+=( --dbname "$POSTGRES_DB" )+	fi -		if [ "$POSTGRES_DB" != 'postgres' ]; then-			"${psql[@]}" --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'-				CREATE DATABASE :"db" ;-			EOSQL-			echo-		fi-		psql+=( --dbname "$POSTGRES_DB" )+	"${query_runner[@]}" "$@"+} +# create initial database+# uses environment variables for input: POSTGRES_DB+docker_setup_db() {+	if [ "$POSTGRES_DB" != 'postgres' ]; then+		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'+			CREATE DATABASE :"db" ;+		EOSQL 		echo-		for f in /docker-entrypoint-initdb.d/*; do-			case "$f" in-				*.sh)-					# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936-					# https://github.com/docker-library/postgres/pull/452-					if [ -x "$f" ]; then-						echo "$0: running $f"-						"$f"-					else-						echo "$0: sourcing $f"-						. 
"$f"-					fi-					;;-				*.sql)    echo "$0: running $f"; "${psql[@]}" -f "$f"; echo ;;-				*.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${psql[@]}"; echo ;;-				*)        echo "$0: ignoring $f" ;;-			esac-			echo-		done+	fi+} -		PGUSER="${PGUSER:-$POSTGRES_USER}" \-		pg_ctl -D "$PGDATA" -m fast -w stop+# Loads various settings that are used elsewhere in the script+# This should be called before any other functions+docker_setup_env() {+	file_env 'POSTGRES_PASSWORD' -		unset PGPASSWORD+	file_env 'POSTGRES_USER' 'postgres'+	file_env 'POSTGRES_DB' "$POSTGRES_USER"+	file_env 'POSTGRES_INITDB_ARGS' +	declare -g DATABASE_ALREADY_EXISTS+	# look specifically for PG_VERSION, as it is expected in the DB dir+	if [ -s "$PGDATA/PG_VERSION" ]; then+		DATABASE_ALREADY_EXISTS='true'+	fi+}++# append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD+pg_setup_hba_conf() {+	local authMethod+	if [ "$POSTGRES_PASSWORD" ]; then+		authMethod='md5'+	else+		authMethod='trust'+	fi++	{ 		echo-		echo 'PostgreSQL init process complete; ready for start up.'-		echo+		echo "host all all all $authMethod"+	} >> "$PGDATA/pg_hba.conf"+}++# start socket-only postgresql server for setting up or running scripts+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)+docker_temp_server_start() {+	if [ "$1" = 'postgres' ]; then+		shift 	fi-fi+	# internal start of server in order to allow setup using psql client+	# does not listen on external TCP/IP and waits until start finishes (can be overridden via args)+	PGUSER="${PGUSER:-$POSTGRES_USER}" \+	pg_ctl -D "$PGDATA" \+		-o "-c listen_addresses='' $([ "$#" -gt 0 ] && printf '%q ' "$@")" \+		-w start+}++# stop postgresql server after done setting up user and running scripts+docker_temp_server_stop() {+	PGUSER="${PGUSER:-postgres}" \+	pg_ctl -D "$PGDATA" -m fast -w stop+}++_main() {+	# if first arg looks like a flag, assume we want to run postgres server+	if [ "${1:0:1}" = '-' ]; then+		set -- postgres "$@"+	
fi+++	if [ "$1" = 'postgres' ]; then+		docker_setup_env+		# setup data directories and permissions (when run as root)+		docker_create_db_directories+		if [ "$(id -u)" = '0' ]; then+			# then restart script as postgres user+			exec su-exec postgres "$BASH_SOURCE" "$@"+		fi++		# only run initialization on an empty data directory+		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then+			docker_verify_minimum_env+			docker_init_database_dir+			pg_setup_hba_conf++			# PGPASSWORD is required for psql when authentication is required for 'local' connections via pg_hba.conf and is otherwise harmless+			# e.g. when '--auth=md5' or '--auth-local=md5' is used in POSTGRES_INITDB_ARGS+			export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"+			docker_temp_server_start "$@"
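
Review bot: `docker_temp_server_stop` defaults `PGUSER` to the literal `postgres`, while `docker_temp_server_start` and the removed stop call both use `${PGUSER:-$POSTGRES_USER}`. With a custom `POSTGRES_USER` the start and stop helpers now run `pg_ctl` under different user names; suggest `PGUSER="${PGUSER:-$POSTGRES_USER}"` in the stop helper as well, or a comment explaining why the two differ.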

Passing in $@ here for the temporary server is technically a minor change in behavior, but IMO it's really a bug that we weren't doing that before now (and this PR itself gives folks the ability to customize all of this to their hearts' desires, including whether to pass $@ here or not :+1:).

yosifkit

comment created time in 6 hours

Pull request review comment docker-library/postgres

Functionalize the entrypoint to allow outside sourcing for extreme customizing of startup

 file_env() { 	unset "$fileVar" } -if [ "${1:0:1}" = '-' ]; then-	set -- postgres "$@"-fi+# check to see if this file is being run or sourced from another script+_is_sourced() {+	# https://unix.stackexchange.com/a/215279+	[ "${#FUNCNAME[@]}" -ge 2 ] \+		&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \+		&& [ "${FUNCNAME[1]}" = 'source' ]+}++# used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user+docker_create_db_directories() {+	local user="$(id -u)" -# allow the container to be started with `--user`-if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then 	mkdir -p "$PGDATA"-	chown -R postgres "$PGDATA" 	chmod 700 "$PGDATA" -	mkdir -p /var/run/postgresql-	chown -R postgres /var/run/postgresql-	chmod 775 /var/run/postgresql+	# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289+	mkdir -p /var/run/postgresql || :+	chmod 775 /var/run/postgresql || : -	# Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user+	# Create the transaction log directory before initdb is run so the directory is owned by the correct user 	if [ "$POSTGRES_INITDB_WALDIR" ]; then 		mkdir -p "$POSTGRES_INITDB_WALDIR"-		chown -R postgres "$POSTGRES_INITDB_WALDIR"+		[ "$user" = '0' ] && find "$POSTGRES_INITDB_WALDIR" \! -user postgres - exec chown postgres '{}' + 		chmod 700 "$POSTGRES_INITDB_WALDIR" 	fi -	exec gosu postgres "$BASH_SOURCE" "$@"-fi--if [ "$1" = 'postgres' ]; then-	mkdir -p "$PGDATA"-	chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :-	chmod 700 "$PGDATA" 2>/dev/null || :+	# allow the container to be started with `--user`+	if [ "$user" = '0' ]; then+		find "$PGDATA" \! -user postgres -exec chown postgres '{}' ++		find /var/run/postgresql \! -user postgres -exec chown postgres '{}' ++	fi+} -	# look specifically for PG_VERSION, as it is expected in the DB dir-	if [ ! 
-s "$PGDATA/PG_VERSION" ]; then-		# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary-		# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html-		if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then-			export LD_PRELOAD='/usr/lib/libnss_wrapper.so'-			export NSS_WRAPPER_PASSWD="$(mktemp)"-			export NSS_WRAPPER_GROUP="$(mktemp)"-			echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"-			echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"-		fi+# initialize empty PGDATA directory with new database via 'initdb'+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames+# this is also where the database user is created, specified by `POSTGRES_USER` env+docker_init_database_dir() {+	# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary+	# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html+	if ! 
getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then+		export LD_PRELOAD='/usr/lib/libnss_wrapper.so'+		export NSS_WRAPPER_PASSWD="$(mktemp)"+		export NSS_WRAPPER_GROUP="$(mktemp)"+		echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"+		echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"+	fi -		file_env 'POSTGRES_USER' 'postgres'-		file_env 'POSTGRES_PASSWORD'+	if [ "$POSTGRES_INITDB_WALDIR" ]; then+		set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"+	fi -		file_env 'POSTGRES_INITDB_ARGS'-		if [ "$POSTGRES_INITDB_WALDIR" ]; then-			export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR"-		fi-		eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"+	eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' -		# unset/cleanup "nss_wrapper" bits-		if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then-			rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"-			unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP-		fi+	# unset/cleanup "nss_wrapper" bits+	if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then+		rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"+		unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP+	fi+} -		# check password first so we can output the warning before postgres-		# messes it up-		if [ -n "$POSTGRES_PASSWORD" ]; then-			authMethod=md5+# print large warning if POSTGRES_PASSWORD is empty+docker_verify_minimum_env() {+	# check password first so we can output the warning before postgres+	# messes it up+	if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then+		cat >&2 <<-'EOWARN' -			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then-				cat >&2 <<-'EOWARN'+			WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. -					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.+			  This will not work if used via PGPASSWORD with "psql". 
-					  This will not work if used via PGPASSWORD with "psql".+			  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)+			  https://github.com/docker-library/postgres/issues/507 -					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)-					  https://github.com/docker-library/postgres/issues/507+		EOWARN+	fi+	if [ -z "$POSTGRES_PASSWORD" ]; then+		# The - option suppresses leading tabs but *not* spaces. :)+		cat >&2 <<-'EOWARN'+			****************************************************+			WARNING: No password has been set for the database.+			         This will allow anyone with access to the+			         Postgres port to access your database. In+			         Docker's default configuration, this is+			         effectively any other container on the same+			         system. -				EOWARN-			fi-		else-			# The - option suppresses leading tabs but *not* spaces. :)-			cat >&2 <<-'EOWARN'-				****************************************************-				WARNING: No password has been set for the database.-				         This will allow anyone with access to the-				         Postgres port to access your database. 
In-				         Docker's default configuration, this is-				         effectively any other container on the same-				         system.--				         Use "-e POSTGRES_PASSWORD=password" to set-				         it in "docker run".-				****************************************************-			EOWARN--			authMethod=trust-		fi+			         Use "-e POSTGRES_PASSWORD=password" to set+			         it in "docker run".+			****************************************************+		EOWARN -		{-			echo-			echo "host all all all $authMethod"-		} >> "$PGDATA/pg_hba.conf"+	fi+} -		# internal start of server in order to allow set-up using psql-client-		# does not listen on external TCP/IP and waits until start finishes-		PGUSER="${PGUSER:-$POSTGRES_USER}" \-		pg_ctl -D "$PGDATA" \-			-o "-c listen_addresses=''" \-			-w start+# usage: docker_process_init_files [file [file [...]]]+#    ie: docker_process_init_files /always-initdb.d/*+# process initializer files, based on file extensions and permissions+docker_process_init_files() {+	# psql here for backwards compatiblilty "${psql[@]}"+	psql=( docker_process_sql ) -		file_env 'POSTGRES_DB' "$POSTGRES_USER"+	echo+	local f+	for f; do+		case "$f" in+			*.sh)+				# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936+				# https://github.com/docker-library/postgres/pull/452+				if [ -x "$f" ]; then+					echo "$0: running $f"+					"$f"+				else+					echo "$0: sourcing $f"+					. 
"$f"+				fi+				;;+			*.sql)    echo "$0: running $f"; docker_process_sql -f "$f"; echo ;;+			*.sql.gz) echo "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;;+			*)        echo "$0: ignoring $f" ;;+		esac+		echo+	done+} -		export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"-		psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password )+# Execute sql script, passed via stdin (or -f flag of pqsl)+# usage: docker_process_sql [psql-cli-args]+#    ie: docker_process_sql --dbname=mydb <<<'INSERT ...'+#    ie: docker_process_sql -f my-file.sql+#    ie: docker_process_sql <my-file.sql+docker_process_sql() {+	local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password )+	if [ -n "$POSTGRES_DB" ]; then+		query_runner+=( --dbname "$POSTGRES_DB" )+	fi -		if [ "$POSTGRES_DB" != 'postgres' ]; then-			"${psql[@]}" --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'-				CREATE DATABASE :"db" ;-			EOSQL-			echo-		fi-		psql+=( --dbname "$POSTGRES_DB" )+	"${query_runner[@]}" "$@"+} +# create initial database+# uses environment variables for input: POSTGRES_DB+docker_setup_db() {+	if [ "$POSTGRES_DB" != 'postgres' ]; then+		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'+			CREATE DATABASE :"db" ;+		EOSQL 		echo-		for f in /docker-entrypoint-initdb.d/*; do-			case "$f" in-				*.sh)-					# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936-					# https://github.com/docker-library/postgres/pull/452-					if [ -x "$f" ]; then-						echo "$0: running $f"-						"$f"-					else-						echo "$0: sourcing $f"-						. 
"$f"-					fi-					;;-				*.sql)    echo "$0: running $f"; "${psql[@]}" -f "$f"; echo ;;-				*.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${psql[@]}"; echo ;;-				*)        echo "$0: ignoring $f" ;;-			esac-			echo-		done+	fi+} -		PGUSER="${PGUSER:-$POSTGRES_USER}" \-		pg_ctl -D "$PGDATA" -m fast -w stop+# Loads various settings that are used elsewhere in the script+# This should be called before any other functions+docker_setup_env() {+	file_env 'POSTGRES_PASSWORD' -		unset PGPASSWORD+	file_env 'POSTGRES_USER' 'postgres'+	file_env 'POSTGRES_DB' "$POSTGRES_USER"+	file_env 'POSTGRES_INITDB_ARGS' +	declare -g DATABASE_ALREADY_EXISTS+	# look specifically for PG_VERSION, as it is expected in the DB dir+	if [ -s "$PGDATA/PG_VERSION" ]; then+		DATABASE_ALREADY_EXISTS='true'+	fi+}++# append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD+pg_setup_hba_conf() {+	local authMethod+	if [ "$POSTGRES_PASSWORD" ]; then

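Review bot: in `docker_setup_env`, `declare -g DATABASE_ALREADY_EXISTS` carries no value and the variable is only ever assigned `'true'`, so a `DATABASE_ALREADY_EXISTS` inherited from the container environment keeps its value even when `$PGDATA/PG_VERSION` is missing or empty. Suggest resetting it explicitly (`DATABASE_ALREADY_EXISTS=` before the `-s` test) so the flag reflects only the state of the data directory. Separately, the comment above `docker_verify_minimum_env` mentions only the empty-password warning, although the function also warns on passwords of 100+ characters.
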
Or maybe even something like this:

local authMethod='md5'
if [ -z "$POSTGRES_PASSWORD" ]; then
	authMethod='trust'
fi
yosifkit

comment created time in 7 hours

Pull request review comment docker-library/postgres

Functionalize the entrypoint to allow outside sourcing for extreme customizing of startup

 file_env() { 	unset "$fileVar" } -if [ "${1:0:1}" = '-' ]; then-	set -- postgres "$@"-fi+# check to see if this file is being run or sourced from another script+_is_sourced() {+	# https://unix.stackexchange.com/a/215279+	[ "${#FUNCNAME[@]}" -ge 2 ] \+		&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \+		&& [ "${FUNCNAME[1]}" = 'source' ]+}++# used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user+docker_create_db_directories() {+	local user="$(id -u)" -# allow the container to be started with `--user`-if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then 	mkdir -p "$PGDATA"-	chown -R postgres "$PGDATA" 	chmod 700 "$PGDATA" -	mkdir -p /var/run/postgresql-	chown -R postgres /var/run/postgresql-	chmod 775 /var/run/postgresql+	# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289+	mkdir -p /var/run/postgresql || :+	chmod 775 /var/run/postgresql || : -	# Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user+	# Create the transaction log directory before initdb is run so the directory is owned by the correct user 	if [ "$POSTGRES_INITDB_WALDIR" ]; then 		mkdir -p "$POSTGRES_INITDB_WALDIR"-		chown -R postgres "$POSTGRES_INITDB_WALDIR"+		[ "$user" = '0' ] && find "$POSTGRES_INITDB_WALDIR" \! -user postgres - exec chown postgres '{}' +
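
Review bot: the added `find "$POSTGRES_INITDB_WALDIR"` line is written `- exec chown postgres '{}' +`, with a space after the dash, so `find` receives `-` and `exec` as separate arguments and fails instead of changing ownership. It should read `-exec`. The failure is also easy to miss here because the command sits on the right-hand side of `[ "$user" = '0' ] &&`, and it only runs when the container starts as root.
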
		if [ "$user" = '0' ]; then
			find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
		fi
yosifkit

comment created time in 7 hours

Pull request review comment docker-library/postgres

Functionalize the entrypoint to allow outside sourcing for extreme customizing of startup

 file_env() { 	unset "$fileVar" } -if [ "${1:0:1}" = '-' ]; then-	set -- postgres "$@"-fi+# check to see if this file is being run or sourced from another script+_is_sourced() {+	# https://unix.stackexchange.com/a/215279+	[ "${#FUNCNAME[@]}" -ge 2 ] \+		&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \+		&& [ "${FUNCNAME[1]}" = 'source' ]+}++# used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user+docker_create_db_directories() {+	local user="$(id -u)" -# allow the container to be started with `--user`-if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then 	mkdir -p "$PGDATA"-	chown -R postgres "$PGDATA" 	chmod 700 "$PGDATA" -	mkdir -p /var/run/postgresql-	chown -R postgres /var/run/postgresql-	chmod 775 /var/run/postgresql+	# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289+	mkdir -p /var/run/postgresql || :+	chmod 775 /var/run/postgresql || : -	# Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user+	# Create the transaction log directory before initdb is run so the directory is owned by the correct user 	if [ "$POSTGRES_INITDB_WALDIR" ]; then 		mkdir -p "$POSTGRES_INITDB_WALDIR"-		chown -R postgres "$POSTGRES_INITDB_WALDIR"+		[ "$user" = '0' ] && find "$POSTGRES_INITDB_WALDIR" \! -user postgres - exec chown postgres '{}' + 		chmod 700 "$POSTGRES_INITDB_WALDIR" 	fi -	exec gosu postgres "$BASH_SOURCE" "$@"-fi--if [ "$1" = 'postgres' ]; then-	mkdir -p "$PGDATA"-	chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :-	chmod 700 "$PGDATA" 2>/dev/null || :+	# allow the container to be started with `--user`+	if [ "$user" = '0' ]; then+		find "$PGDATA" \! -user postgres -exec chown postgres '{}' ++		find /var/run/postgresql \! -user postgres -exec chown postgres '{}' ++	fi+} -	# look specifically for PG_VERSION, as it is expected in the DB dir-	if [ ! 
-s "$PGDATA/PG_VERSION" ]; then-		# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary-		# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html-		if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then-			export LD_PRELOAD='/usr/lib/libnss_wrapper.so'-			export NSS_WRAPPER_PASSWD="$(mktemp)"-			export NSS_WRAPPER_GROUP="$(mktemp)"-			echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"-			echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"-		fi+# initialize empty PGDATA directory with new database via 'initdb'+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames+# this is also where the database user is created, specified by `POSTGRES_USER` env+docker_init_database_dir() {+	# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary+	# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html+	if ! 
getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then+		export LD_PRELOAD='/usr/lib/libnss_wrapper.so'+		export NSS_WRAPPER_PASSWD="$(mktemp)"+		export NSS_WRAPPER_GROUP="$(mktemp)"+		echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"+		echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"+	fi -		file_env 'POSTGRES_USER' 'postgres'-		file_env 'POSTGRES_PASSWORD'+	if [ "$POSTGRES_INITDB_WALDIR" ]; then+		set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"+	fi -		file_env 'POSTGRES_INITDB_ARGS'-		if [ "$POSTGRES_INITDB_WALDIR" ]; then-			export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR"-		fi-		eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"+	eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' -		# unset/cleanup "nss_wrapper" bits-		if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then-			rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"-			unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP-		fi+	# unset/cleanup "nss_wrapper" bits+	if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then+		rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"+		unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP+	fi+} -		# check password first so we can output the warning before postgres-		# messes it up-		if [ -n "$POSTGRES_PASSWORD" ]; then-			authMethod=md5+# print large warning if POSTGRES_PASSWORD is empty+docker_verify_minimum_env() {+	# check password first so we can output the warning before postgres+	# messes it up+	if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then+		cat >&2 <<-'EOWARN' -			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then-				cat >&2 <<-'EOWARN'+			WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. -					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.+			  This will not work if used via PGPASSWORD with "psql". 
-					  This will not work if used via PGPASSWORD with "psql".+			  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)+			  https://github.com/docker-library/postgres/issues/507 -					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)-					  https://github.com/docker-library/postgres/issues/507+		EOWARN+	fi+	if [ -z "$POSTGRES_PASSWORD" ]; then+		# The - option suppresses leading tabs but *not* spaces. :)+		cat >&2 <<-'EOWARN'+			****************************************************+			WARNING: No password has been set for the database.+			         This will allow anyone with access to the+			         Postgres port to access your database. In+			         Docker's default configuration, this is+			         effectively any other container on the same+			         system. -				EOWARN-			fi-		else-			# The - option suppresses leading tabs but *not* spaces. :)-			cat >&2 <<-'EOWARN'-				****************************************************-				WARNING: No password has been set for the database.-				         This will allow anyone with access to the-				         Postgres port to access your database. 
In-				         Docker's default configuration, this is-				         effectively any other container on the same-				         system.--				         Use "-e POSTGRES_PASSWORD=password" to set-				         it in "docker run".-				****************************************************-			EOWARN--			authMethod=trust-		fi+			         Use "-e POSTGRES_PASSWORD=password" to set+			         it in "docker run".+			****************************************************+		EOWARN -		{-			echo-			echo "host all all all $authMethod"-		} >> "$PGDATA/pg_hba.conf"+	fi+} -		# internal start of server in order to allow set-up using psql-client-		# does not listen on external TCP/IP and waits until start finishes-		PGUSER="${PGUSER:-$POSTGRES_USER}" \-		pg_ctl -D "$PGDATA" \-			-o "-c listen_addresses=''" \-			-w start+# usage: docker_process_init_files [file [file [...]]]+#    ie: docker_process_init_files /always-initdb.d/*+# process initializer files, based on file extensions and permissions+docker_process_init_files() {+	# psql here for backwards compatiblilty "${psql[@]}"+	psql=( docker_process_sql ) -		file_env 'POSTGRES_DB' "$POSTGRES_USER"+	echo+	local f+	for f; do+		case "$f" in+			*.sh)+				# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936+				# https://github.com/docker-library/postgres/pull/452+				if [ -x "$f" ]; then+					echo "$0: running $f"+					"$f"+				else+					echo "$0: sourcing $f"+					. 
"$f"+				fi+				;;+			*.sql)    echo "$0: running $f"; docker_process_sql -f "$f"; echo ;;+			*.sql.gz) echo "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;;+			*)        echo "$0: ignoring $f" ;;+		esac+		echo+	done+} -		export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"-		psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password )+# Execute sql script, passed via stdin (or -f flag of pqsl)+# usage: docker_process_sql [psql-cli-args]+#    ie: docker_process_sql --dbname=mydb <<<'INSERT ...'+#    ie: docker_process_sql -f my-file.sql+#    ie: docker_process_sql <my-file.sql+docker_process_sql() {+	local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password )+	if [ -n "$POSTGRES_DB" ]; then+		query_runner+=( --dbname "$POSTGRES_DB" )+	fi -		if [ "$POSTGRES_DB" != 'postgres' ]; then-			"${psql[@]}" --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'-				CREATE DATABASE :"db" ;-			EOSQL-			echo-		fi-		psql+=( --dbname "$POSTGRES_DB" )+	"${query_runner[@]}" "$@"+} +# create initial database+# uses environment variables for input: POSTGRES_DB+docker_setup_db() {+	if [ "$POSTGRES_DB" != 'postgres' ]; then+		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'+			CREATE DATABASE :"db" ;+		EOSQL 		echo-		for f in /docker-entrypoint-initdb.d/*; do-			case "$f" in-				*.sh)-					# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936-					# https://github.com/docker-library/postgres/pull/452-					if [ -x "$f" ]; then-						echo "$0: running $f"-						"$f"-					else-						echo "$0: sourcing $f"-						. 
"$f"-					fi-					;;-				*.sql)    echo "$0: running $f"; "${psql[@]}" -f "$f"; echo ;;-				*.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${psql[@]}"; echo ;;-				*)        echo "$0: ignoring $f" ;;-			esac-			echo-		done+	fi+} -		PGUSER="${PGUSER:-$POSTGRES_USER}" \-		pg_ctl -D "$PGDATA" -m fast -w stop+# Loads various settings that are used elsewhere in the script+# This should be called before any other functions+docker_setup_env() {+	file_env 'POSTGRES_PASSWORD' -		unset PGPASSWORD+	file_env 'POSTGRES_USER' 'postgres'+	file_env 'POSTGRES_DB' "$POSTGRES_USER"+	file_env 'POSTGRES_INITDB_ARGS' +	declare -g DATABASE_ALREADY_EXISTS+	# look specifically for PG_VERSION, as it is expected in the DB dir+	if [ -s "$PGDATA/PG_VERSION" ]; then+		DATABASE_ALREADY_EXISTS='true'+	fi+}++# append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD+pg_setup_hba_conf() {+	local authMethod+	if [ "$POSTGRES_PASSWORD" ]; then+		authMethod='md5'+	else+		authMethod='trust'+	fi++	{ 		echo-		echo 'PostgreSQL init process complete; ready for start up.'-		echo+		echo "host all all all $authMethod"+	} >> "$PGDATA/pg_hba.conf"+}++# start socket-only postgresql server for setting up or running scripts+# all arguments will be passed along as arguments to `postgres` (via pg_ctl)+docker_temp_server_start() {+	if [ "$1" = 'postgres' ]; then+		shift 	fi-fi+	# internal start of server in order to allow setup using psql client+	# does not listen on external TCP/IP and waits until start finishes (can be overridden via args)+	PGUSER="${PGUSER:-$POSTGRES_USER}" \+	pg_ctl -D "$PGDATA" \+		-o "-c listen_addresses='' $([ "$#" -gt 0 ] && printf '%q ' "$@")" \+		-w start+}++# stop postgresql server after done setting up user and running scripts+docker_temp_server_stop() {+	PGUSER="${PGUSER:-postgres}" \+	pg_ctl -D "$PGDATA" -m fast -w stop+}++_main() {+	# if first arg looks like a flag, assume we want to run postgres server+	if [ "${1:0:1}" = '-' ]; then+		set -- postgres "$@"+	
fi++
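Review bot: In docker_create_db_directories, the POSTGRES_INITDB_WALDIR branch calls `find "$POSTGRES_INITDB_WALDIR" \! -user postgres - exec chown postgres '{}' +` with a space between `-` and `exec`, so find is not given the `-exec` action that the two later calls (for `$PGDATA` and `/var/run/postgresql`) use, and the WAL directory ownership fix cannot work as written when started as root. Remove the space. Also, docker_temp_server_stop defaults `PGUSER` to the literal `postgres` while docker_temp_server_start defaults it to `$POSTGRES_USER`; use the same default in both so the pair behaves consistently when POSTGRES_USER is customized.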

Extra empty line here?

yosifkit

comment created time in 7 hours

Pull request review comment docker-library/postgres

Functionalize the entrypoint to allow outside sourcing for extreme customizing of startup

 file_env() { 	unset "$fileVar" } -if [ "${1:0:1}" = '-' ]; then-	set -- postgres "$@"-fi+# check to see if this file is being run or sourced from another script+_is_sourced() {+	# https://unix.stackexchange.com/a/215279+	[ "${#FUNCNAME[@]}" -ge 2 ] \+		&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \+		&& [ "${FUNCNAME[1]}" = 'source' ]+}++# used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user+docker_create_db_directories() {+	local user="$(id -u)" -# allow the container to be started with `--user`-if [ "$1" = 'postgres' ] && [ "$(id -u)" = '0' ]; then 	mkdir -p "$PGDATA"-	chown -R postgres "$PGDATA" 	chmod 700 "$PGDATA" -	mkdir -p /var/run/postgresql-	chown -R postgres /var/run/postgresql-	chmod 775 /var/run/postgresql+	# ignore failure since it will be fine when using the image provided directory; see also https://github.com/docker-library/postgres/pull/289+	mkdir -p /var/run/postgresql || :+	chmod 775 /var/run/postgresql || : -	# Create the transaction log directory before initdb is run (below) so the directory is owned by the correct user+	# Create the transaction log directory before initdb is run so the directory is owned by the correct user 	if [ "$POSTGRES_INITDB_WALDIR" ]; then 		mkdir -p "$POSTGRES_INITDB_WALDIR"-		chown -R postgres "$POSTGRES_INITDB_WALDIR"+		[ "$user" = '0' ] && find "$POSTGRES_INITDB_WALDIR" \! -user postgres - exec chown postgres '{}' + 		chmod 700 "$POSTGRES_INITDB_WALDIR" 	fi -	exec gosu postgres "$BASH_SOURCE" "$@"-fi--if [ "$1" = 'postgres' ]; then-	mkdir -p "$PGDATA"-	chown -R "$(id -u)" "$PGDATA" 2>/dev/null || :-	chmod 700 "$PGDATA" 2>/dev/null || :+	# allow the container to be started with `--user`+	if [ "$user" = '0' ]; then+		find "$PGDATA" \! -user postgres -exec chown postgres '{}' ++		find /var/run/postgresql \! -user postgres -exec chown postgres '{}' ++	fi+} -	# look specifically for PG_VERSION, as it is expected in the DB dir-	if [ ! 
-s "$PGDATA/PG_VERSION" ]; then-		# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary-		# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html-		if ! getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then-			export LD_PRELOAD='/usr/lib/libnss_wrapper.so'-			export NSS_WRAPPER_PASSWD="$(mktemp)"-			export NSS_WRAPPER_GROUP="$(mktemp)"-			echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"-			echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"-		fi+# initialize empty PGDATA directory with new database via 'initdb'+# arguments to `initdb` can be passed via POSTGRES_INITDB_ARGS or as arguments to this function+# `initdb` automatically creates the "postgres", "template0", and "template1" dbnames+# this is also where the database user is created, specified by `POSTGRES_USER` env+docker_init_database_dir() {+	# "initdb" is particular about the current user existing in "/etc/passwd", so we use "nss_wrapper" to fake that if necessary+	# see https://github.com/docker-library/postgres/pull/253, https://github.com/docker-library/postgres/issues/359, https://cwrap.org/nss_wrapper.html+	if ! 
getent passwd "$(id -u)" &> /dev/null && [ -e /usr/lib/libnss_wrapper.so ]; then+		export LD_PRELOAD='/usr/lib/libnss_wrapper.so'+		export NSS_WRAPPER_PASSWD="$(mktemp)"+		export NSS_WRAPPER_GROUP="$(mktemp)"+		echo "postgres:x:$(id -u):$(id -g):PostgreSQL:$PGDATA:/bin/false" > "$NSS_WRAPPER_PASSWD"+		echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"+	fi -		file_env 'POSTGRES_USER' 'postgres'-		file_env 'POSTGRES_PASSWORD'+	if [ "$POSTGRES_INITDB_WALDIR" ]; then+		set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"+	fi -		file_env 'POSTGRES_INITDB_ARGS'-		if [ "$POSTGRES_INITDB_WALDIR" ]; then-			export POSTGRES_INITDB_ARGS="$POSTGRES_INITDB_ARGS --waldir $POSTGRES_INITDB_WALDIR"-		fi-		eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"+	eval 'initdb --username="$POSTGRES_USER" --pwfile=<(echo "$POSTGRES_PASSWORD") '"$POSTGRES_INITDB_ARGS"' "$@"' -		# unset/cleanup "nss_wrapper" bits-		if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then-			rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"-			unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP-		fi+	# unset/cleanup "nss_wrapper" bits+	if [ "${LD_PRELOAD:-}" = '/usr/lib/libnss_wrapper.so' ]; then+		rm -f "$NSS_WRAPPER_PASSWD" "$NSS_WRAPPER_GROUP"+		unset LD_PRELOAD NSS_WRAPPER_PASSWD NSS_WRAPPER_GROUP+	fi+} -		# check password first so we can output the warning before postgres-		# messes it up-		if [ -n "$POSTGRES_PASSWORD" ]; then-			authMethod=md5+# print large warning if POSTGRES_PASSWORD is empty+docker_verify_minimum_env() {+	# check password first so we can output the warning before postgres+	# messes it up+	if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then+		cat >&2 <<-'EOWARN' -			if [ "${#POSTGRES_PASSWORD}" -ge 100 ]; then-				cat >&2 <<-'EOWARN'+			WARNING: The supplied POSTGRES_PASSWORD is 100+ characters. -					WARNING: The supplied POSTGRES_PASSWORD is 100+ characters.+			  This will not work if used via PGPASSWORD with "psql". 
-					  This will not work if used via PGPASSWORD with "psql".+			  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)+			  https://github.com/docker-library/postgres/issues/507 -					  https://www.postgresql.org/message-id/flat/E1Rqxp2-0004Qt-PL%40wrigleys.postgresql.org (BUG #6412)-					  https://github.com/docker-library/postgres/issues/507+		EOWARN+	fi+	if [ -z "$POSTGRES_PASSWORD" ]; then+		# The - option suppresses leading tabs but *not* spaces. :)+		cat >&2 <<-'EOWARN'+			****************************************************+			WARNING: No password has been set for the database.+			         This will allow anyone with access to the+			         Postgres port to access your database. In+			         Docker's default configuration, this is+			         effectively any other container on the same+			         system. -				EOWARN-			fi-		else-			# The - option suppresses leading tabs but *not* spaces. :)-			cat >&2 <<-'EOWARN'-				****************************************************-				WARNING: No password has been set for the database.-				         This will allow anyone with access to the-				         Postgres port to access your database. 
In-				         Docker's default configuration, this is-				         effectively any other container on the same-				         system.--				         Use "-e POSTGRES_PASSWORD=password" to set-				         it in "docker run".-				****************************************************-			EOWARN--			authMethod=trust-		fi+			         Use "-e POSTGRES_PASSWORD=password" to set+			         it in "docker run".+			****************************************************+		EOWARN -		{-			echo-			echo "host all all all $authMethod"-		} >> "$PGDATA/pg_hba.conf"+	fi+} -		# internal start of server in order to allow set-up using psql-client-		# does not listen on external TCP/IP and waits until start finishes-		PGUSER="${PGUSER:-$POSTGRES_USER}" \-		pg_ctl -D "$PGDATA" \-			-o "-c listen_addresses=''" \-			-w start+# usage: docker_process_init_files [file [file [...]]]+#    ie: docker_process_init_files /always-initdb.d/*+# process initializer files, based on file extensions and permissions+docker_process_init_files() {+	# psql here for backwards compatiblilty "${psql[@]}"+	psql=( docker_process_sql ) -		file_env 'POSTGRES_DB' "$POSTGRES_USER"+	echo+	local f+	for f; do+		case "$f" in+			*.sh)+				# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936+				# https://github.com/docker-library/postgres/pull/452+				if [ -x "$f" ]; then+					echo "$0: running $f"+					"$f"+				else+					echo "$0: sourcing $f"+					. 
"$f"+				fi+				;;+			*.sql)    echo "$0: running $f"; docker_process_sql -f "$f"; echo ;;+			*.sql.gz) echo "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;;+			*)        echo "$0: ignoring $f" ;;+		esac+		echo+	done+} -		export PGPASSWORD="${PGPASSWORD:-$POSTGRES_PASSWORD}"-		psql=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password )+# Execute sql script, passed via stdin (or -f flag of pqsl)+# usage: docker_process_sql [psql-cli-args]+#    ie: docker_process_sql --dbname=mydb <<<'INSERT ...'+#    ie: docker_process_sql -f my-file.sql+#    ie: docker_process_sql <my-file.sql+docker_process_sql() {+	local query_runner=( psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --no-password )+	if [ -n "$POSTGRES_DB" ]; then+		query_runner+=( --dbname "$POSTGRES_DB" )+	fi -		if [ "$POSTGRES_DB" != 'postgres' ]; then-			"${psql[@]}" --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'-				CREATE DATABASE :"db" ;-			EOSQL-			echo-		fi-		psql+=( --dbname "$POSTGRES_DB" )+	"${query_runner[@]}" "$@"+} +# create initial database+# uses environment variables for input: POSTGRES_DB+docker_setup_db() {+	if [ "$POSTGRES_DB" != 'postgres' ]; then+		POSTGRES_DB= docker_process_sql --dbname postgres --set db="$POSTGRES_DB" <<-'EOSQL'+			CREATE DATABASE :"db" ;+		EOSQL 		echo-		for f in /docker-entrypoint-initdb.d/*; do-			case "$f" in-				*.sh)-					# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936-					# https://github.com/docker-library/postgres/pull/452-					if [ -x "$f" ]; then-						echo "$0: running $f"-						"$f"-					else-						echo "$0: sourcing $f"-						. 
"$f"-					fi-					;;-				*.sql)    echo "$0: running $f"; "${psql[@]}" -f "$f"; echo ;;-				*.sql.gz) echo "$0: running $f"; gunzip -c "$f" | "${psql[@]}"; echo ;;-				*)        echo "$0: ignoring $f" ;;-			esac-			echo-		done+	fi+} -		PGUSER="${PGUSER:-$POSTGRES_USER}" \-		pg_ctl -D "$PGDATA" -m fast -w stop+# Loads various settings that are used elsewhere in the script+# This should be called before any other functions+docker_setup_env() {+	file_env 'POSTGRES_PASSWORD' -		unset PGPASSWORD+	file_env 'POSTGRES_USER' 'postgres'+	file_env 'POSTGRES_DB' "$POSTGRES_USER"+	file_env 'POSTGRES_INITDB_ARGS' +	declare -g DATABASE_ALREADY_EXISTS+	# look specifically for PG_VERSION, as it is expected in the DB dir+	if [ -s "$PGDATA/PG_VERSION" ]; then+		DATABASE_ALREADY_EXISTS='true'+	fi+}++# append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD+pg_setup_hba_conf() {+	local authMethod+	if [ "$POSTGRES_PASSWORD" ]; then
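Review bot: docker_init_database_dir keeps building the initdb command with `eval`, splicing `$POSTGRES_INITDB_ARGS` in as shell source, and the function header only says arguments "can be passed via POSTGRES_INITDB_ARGS or as arguments to this function". Since this function is now meant to be called from scripts that source the entrypoint, the header should state that POSTGRES_INITDB_ARGS is shell-evaluated (quoting is honoured and any command substitution in it runs) and must come from trusted configuration only, and that the positional `"$@"` path is passed through without that evaluation of the variable's text.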
	if [ -n "$POSTGRES_PASSWORD" ]; then
yosifkit

comment created time in 7 hours

Pull request review comment docker-library/postgres

Functionalize the entrypoint to allow outside sourcing for extreme customizing of startup

 file_env() { 	unset "$fileVar" } -if [ "${1:0:1}" = '-' ]; then-	set -- postgres "$@"-fi+# check to see if this file is being run or sourced from another script+_is_sourced() {+	# https://unix.stackexchange.com/a/215279+	[ "${#FUNCNAME[@]}" -ge 2 ] \+		&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \+		&& [ "${FUNCNAME[1]}" = 'source' ]+}++# used to create initial posgres directories and if run as root, ensure ownership to the "postgres" user+docker_create_db_directories() {+	local user="$(id -u)"
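Review bot: Typo in the comment above docker_create_db_directories: "posgres" should be "postgres" (`# used to create initial posgres directories ...`).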
	local user; user="$(id -u)"
yosifkit

comment created time in 7 hours

push event tianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 758f761f1bb0349dc773318e676ff876f94f5e15

Update debian-security.json

push time in 7 hours

Pull request review comment tianon/dockerfiles

Upgrade to Python 3 Alpine

-FROM python:2+FROM python:3.8-alpine

Seems fine (https://github.com/beetbox/beets/blob/v1.4.9/setup.py#L171-L176), just think we should take the opportunity to pin better:

FROM python:3.8-alpine3.10
J0WI

comment created time in 7 hours

Pull request review comment tianon/dockerfiles

Upgrade Ruby to 2.6

-FROM ruby:2.4-alpine+FROM ruby:2.6-alpine

Given they don't seem to publish an official recommended/supported Ruby version (or unfortunately even seem to maintain this tool really), this seems fine to me; just as elsewhere, I think we should take the opportunity to pin:

FROM ruby:2.6-alpine3.10
J0WI

comment created time in 7 hours

delete branch infosiftr/mariadb

delete branch : rsync-with-mysql

delete time in 7 hours

push event docker-library/mariadb

Joe Ferguson

commit sha 02abaceb6ff67adf2c124857c1904db8669e7b0e

Resync MySQL entrypoint changes; especially for https://github.com/docker-library/mysql/pull/471

Tianon Gravi

commit sha 3b2e52a6a0a525d879053a33886f35d3a5c38603

Merge pull request #271 from infosiftr/rsync-with-mysql Sync MySQL entrypoint changes

push time in 7 hours

PR merged docker-library/mariadb

Sync MySQL entrypoint changes

especially for https://github.com/docker-library/mysql/pull/471

<details> <summary>MariaDB changes:</summary>

--- ../mysql/8.0/docker-entrypoint.sh	2019-10-31 16:13:59.806906074 -0700
+++ docker-entrypoint.sh	2019-10-31 16:53:32.767350232 -0700
@@ -68,7 +68,7 @@
 }
 
 mysql_check_config() {
-	local toRun=( "$@" --verbose --help ) errors
+	local toRun=( "$@" --verbose --help --log-bin-index="$(mktemp -u)" ) errors
 	if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then
 		mysql_error $'mysqld failed while attempting to check config\n\tcommand was: '"${toRun[*]}"$'\n\t'"$errors"
 	fi
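Review bot: The new `--log-bin-index="$(mktemp -u)"` argument in mysql_check_config has no comment explaining why a config check needs it, and `mktemp -u` only prints a name without creating the file, so a reader cannot tell whether that path is expected to exist. Add a one-line comment above `local toRun=( ... )` saying what this works around and that the throwaway path is only passed to the `--verbose --help` run.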
@@ -86,30 +86,23 @@
 
 # Do a temporary startup of the MySQL server, for init purposes
 docker_temp_server_start() {
-	if [ "${MYSQL_MAJOR}" = '5.6' ] || [ "${MYSQL_MAJOR}" = '5.7' ]; then
-		"$@" --skip-networking --socket="${SOCKET}" &
-		mysql_note "Waiting for server startup"
-		local i
-		for i in {30..0}; do
-			# only use the root password if the database has already been initializaed
-			# so that it won't try to fill in a password file when it hasn't been set yet
-			extraArgs=()
-			if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
-				extraArgs+=( '--dont-use-mysql-root-password' )
-			fi
-			if docker_process_sql "${extraArgs[@]}" --database=mysql <<<'SELECT 1' &> /dev/null; then
-				break
-			fi
-			sleep 1
-		done
-		if [ "$i" = 0 ]; then
-			mysql_error "Unable to start server."
+	"$@" --skip-networking --socket="${SOCKET}" &
+	mysql_note "Waiting for server startup"
+	local i
+	for i in {30..0}; do
+		# only use the root password if the database has already been initializaed
+		# so that it won't try to fill in a password file when it hasn't been set yet
+		extraArgs=()
+		if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
+			extraArgs+=( '--dont-use-mysql-root-password' )
 		fi
-	else
-		# For 5.7+ the server is ready for use as soon as startup command unblocks
-		if ! "$@" --daemonize --skip-networking --socket="${SOCKET}"; then
-			mysql_error "Unable to start server."
+		if docker_process_sql "${extraArgs[@]}" --database=mysql <<<'SELECT 1' &> /dev/null; then
+			break
 		fi
+		sleep 1
+	done
+	if [ "$i" = 0 ]; then
+		mysql_error "Unable to start server."
 	fi
 }
 
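Review bot: `extraArgs=()` inside the wait loop of docker_temp_server_start is assigned without `local` (only `i` is declared, via `local i`), so it leaks into the caller's scope; declare it with the loop variable, for example `local i extraArgs`. While these lines are being re-indented, "initializaed" in the comment should be "initialized".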
@@ -146,19 +139,16 @@
 # initializes the database directory
 docker_init_database_dir() {
 	mysql_note "Initializing database files"
-	if [ "$MYSQL_MAJOR" = '5.6' ]; then
-		mysql_install_db --datadir="$DATADIR" --rpm --keep-my-cnf "${@:2}"
-	else
-		"$@" --initialize-insecure
+	installArgs=( --datadir="$DATADIR" --rpm )
+	if { mysql_install_db --help || :; } | grep -q -- '--auth-root-authentication-method'; then
+		# beginning in 10.4.3, install_db uses "socket" which only allows system user root to connect, switch back to "normal" to allow mysql root without a password
+		# see https://github.com/MariaDB/server/commit/b9f3f06857ac6f9105dc65caae19782f09b47fb3
+		# (this flag doesn't exist in 10.0 and below)
+		installArgs+=( --auth-root-authentication-method=normal )
 	fi
+	# "Other options are passed to mysqld." (so we pass all "mysqld" arguments directly here)
+	mysql_install_db "${installArgs[@]}" "${@:2}"
 	mysql_note "Database files initialized"
-
-	if command -v mysql_ssl_rsa_setup > /dev/null && [ ! -e "$DATADIR/server-key.pem" ]; then
-		# https://github.com/mysql/mysql-server/blob/23032807537d8dd8ee4ec1c4d40f0633cd4e12f9/packaging/deb-in/extra/mysql-systemd-start#L81-L84
-		mysql_note "Initializing certificates"
-		mysql_ssl_rsa_setup --datadir="$DATADIR"
-		mysql_note "Certificates initialized"
-	fi
 }
 
 # Loads various settings that are used elsewhere in the script
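Review bot: In docker_init_database_dir, `--auth-root-authentication-method=normal` deliberately restores a `root` account that can connect without a password, and the comment does not say what bounds that window. Next to `installArgs+=( --auth-root-authentication-method=normal )`, state that this relies on the temporary server being started with `--skip-networking` and on the init SQL setting the root password afterwards, so a later change to either does not quietly leave a passwordless root reachable. `installArgs` is also assigned without `local`.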
@@ -227,34 +217,18 @@
 		EOSQL
 	fi
 
-	local passwordSet=
-	if [ "$MYSQL_MAJOR" = '5.6' ]; then
-		# no, we don't care if read finds a terminating character in this heredoc (see above)
-		read -r -d '' passwordSet <<-EOSQL || true
-			DELETE FROM mysql.user WHERE user NOT IN ('mysql.sys', 'mysqlxsys', 'root') OR host NOT IN ('localhost') ;
-			SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${MYSQL_ROOT_PASSWORD}') ;
-
-			-- 5.5: https://github.com/mysql/mysql-server/blob/e48d775c6f066add457fa8cfb2ebc4d5ff0c7613/scripts/mysql_secure_installation.sh#L192-L210
-			-- 5.6: https://github.com/mysql/mysql-server/blob/06bc670db0c0e45b3ea11409382a5c315961f682/scripts/mysql_secure_installation.sh#L218-L236
-			-- 5.7: https://github.com/mysql/mysql-server/blob/913071c0b16cc03e703308250d795bc381627e37/client/mysql_secure_installation.cc#L792-L818
-			-- 8.0: https://github.com/mysql/mysql-server/blob/b93c1661d689c8b7decc7563ba15f6ed140a4eb6/client/mysql_secure_installation.cc#L726-L749
-			DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%' ;
-			-- https://github.com/docker-library/mysql/pull/479#issuecomment-414561272 ("This is only needed for 5.5 and 5.6")
-		EOSQL
-	else
-		# no, we don't care if read finds a terminating character in this heredoc (see above)
-		read -r -d '' passwordSet <<-EOSQL || true
-			ALTER USER 'root'@'localhost' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}' ;
-		EOSQL
-	fi
-
 	# tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is just now being set
 	docker_process_sql --dont-use-mysql-root-password --database=mysql <<-EOSQL
 		-- What's done in this file shouldn't be replicated
 		--  or products like mysql-fabric won't work
 		SET @@SESSION.SQL_LOG_BIN=0;
 
-		${passwordSet}
+		DELETE FROM mysql.user WHERE user NOT IN ('mysql.sys', 'mysqlxsys', 'root') OR host NOT IN ('localhost') ;
+		SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${MYSQL_ROOT_PASSWORD}') ;
+		-- 10.1: https://github.com/MariaDB/server/blob/d925aec1c10cebf6c34825a7de50afe4e630aff4/scripts/mysql_secure_installation.sh#L347-L365
+		-- 10.5: https://github.com/MariaDB/server/blob/00c3a28820c67c37ebbca72691f4897b57f2eed5/scripts/mysql_secure_installation.sh#L351-L369
+		DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%' ;
+
 		GRANT ALL ON *.* TO 'root'@'localhost' WITH GRANT OPTION ;
 		FLUSH PRIVILEGES ;
 		${rootCreate}
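Review bot: `SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${MYSQL_ROOT_PASSWORD}') ;` now sits directly in the unquoted `<<-EOSQL` heredoc, so the password is expanded into the SQL text as-is, and a value containing a single quote or a backslash changes how the string literal is parsed. Escape the value before interpolating it (or avoid string-splicing it into the statement) and add a comment on which characters are supported in MYSQL_ROOT_PASSWORD.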
@@ -292,16 +266,6 @@
 	fi
 }
 
-# Mark root user as expired so the password must be changed before anything
-# else can be done (only supported for 5.6+)
-mysql_expire_root_user() {
-	if [ -n "$MYSQL_ONETIME_PASSWORD" ]; then
-		docker_process_sql --database=mysql <<-EOSQL
-			ALTER USER 'root'@'%' PASSWORD EXPIRE;
-		EOSQL
-	fi
-}
-
 # check arguments for an option that would cause mysqld to stop
 # return true if there is one
 _mysql_want_help() {
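Review bot: With mysql_expire_root_user removed, nothing in the visible hunks reads `MYSQL_ONETIME_PASSWORD` any more, so a user who sets it gets a root password that is never expired and no indication that the option was ignored. Either keep a check that prints a note (or fails) when `MYSQL_ONETIME_PASSWORD` is set, or document that this entrypoint does not support it.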
@@ -349,8 +313,6 @@
 			docker_setup_db
 			docker_process_init_files /docker-entrypoint-initdb.d/*
 
-			mysql_expire_root_user
-
 			mysql_note "Stopping temporary server"
 			docker_temp_server_stop
 			mysql_note "Temporary server stopped"

</details>

Related to https://github.com/docker-library/postgres/pull/496

+1365 -705

1 comment

5 changed files

yosifkit

pr closed time in 7 hours

Pull request review comment tianon/dockerfiles

Upgrade Python to 3.7

-FROM python:2-alpine+FROM python:3.7-alpine

Just to keep the needle threaded, this is 3.7 because https://github.com/certbot/certbot/blob/v0.36.0/setup.py#L126-L133 only claims support for 3.7 (and we're still on 0.36.0, which might be more work to actually bump); I'm +1 on this update, but as elsewhere think we should take the opportunity to pin Alpine version:

FROM python:3.7-alpine3.10
J0WI

comment created time in 7 hours

Pull request review comment tianon/dockerfiles

Upgrade ymlfmt to 0.16.5

-FROM python:3.7-alpine+FROM python:3.8-alpine

I verified that nothing in this bump affects the usage of this image in https://github.com/docker-library/docs, so seems sane, although we should take the opportunity to pin as elsewhere:

FROM python:3.8-alpine3.10
J0WI

comment created time in 7 hours

Pull request review comment tianon/dockerfiles

Upgrade to Ruby 2.6 Alpine

 # https://pages.github.com/versions/-FROM ruby:2.5-slim+FROM ruby:2.6-alpine

Given that https://pages.github.com/versions/ still lists Ruby 2.5, I'd prefer to stick to 2.5 here as well, but moving to Alpine seems sane as long as we pin it while we're here:

FROM ruby:2.5-alpine3.10
J0WI

comment created time in 7 hours

Pull request review comment tianon/dockerfiles

Switch to Alpine

-FROM python:2-slim+FROM alpine:3.10++RUN apk add --no-cache bash py2-pip

Can you explain the logic here a bit? Why apk add py2-pip instead of just using FROM python:2-alpine3.10?

J0WI

comment created time in 7 hours

push event tianon/dockerfiles

J0WI

commit sha 0cd2aa7e1444671568523b0ae65ba8fbdf2132eb

Upgrade to 5.51.0

Tianon Gravi

commit sha 5d185b3d49bacb65687cfd6c1dee8876c969ee65

Merge pull request #77 from J0WI/xen-orchestra Upgrade to 5.51.0

push time in 7 hours

PR merged tianon/dockerfiles

Upgrade to 5.51.0
+2 -2

0 comment

1 changed file

J0WI

pr closed time in 7 hours

Pull request review comment tianon/dockerfiles

Upgrade to 12.1.1 and switch to Alpine

-FROM python:2-slim--RUN set -eux; \-	apt-get update; \-	apt-get install -y --no-install-recommends \-		wget \-	; \-	rm -rf /var/lib/apt/lists/*+FROM python:2-alpine

Generally this looks good, but I think we should probably pin this more explicitly to avoid surprises:

FROM python:2-alpine3.10
J0WI

comment created time in 7 hours

push event tianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 62c641a9c2a4505735dc45130c16c73d356b0d57

Update debian-security.json

push time in 8 hours

issue comment debuerreotype/debuerreotype

Building from an ISO image

It needs some testing before it's made into a PR, but here's the approach I've got in mind for this new behavior:

diff --git a/scripts/debuerreotype-init b/scripts/debuerreotype-init
index 07066f3..73aee77 100755
--- a/scripts/debuerreotype-init
+++ b/scripts/debuerreotype-init
@@ -8,6 +8,7 @@ source "$thisDir/.constants.sh" \
 	--flags 'debootstrap-script:' \
 	--flags 'keyring:,arch:,include:,exclude:' \
 	--flags 'merged-usr,no-merged-usr' \
+	--flags 'check-gpg,no-check-gpg' \
 	-- \
 	'<target-dir> <suite> <timestamp>' \
 	'rootfs stretch 2017-05-08T00:00:00Z
@@ -27,6 +28,7 @@ arch=
 include=
 exclude=
 noMergedUsr=
+noCheckGpg=
 while true; do
 	flag="$1"; shift
 	dgetopt-case "$flag"
@@ -43,6 +45,8 @@ while true; do
 		--exclude) exclude="${exclude:+$exclude,}$1"; shift ;;
 		--merged-usr)    noMergedUsr=  ;;
 		--no-merged-usr) noMergedUsr=1 ;;
+		--check-gpg)    noCheckGpg=  ;;
+		--no-check-gpg) noCheckGpg=1 ;;
 		--) break ;;
 		*) eusage "unknown flag '$flag'" ;;
 	esac
@@ -89,9 +93,13 @@ if [ -z "$nonDebian" ]; then
 	fi
 fi
 
-debootstrapArgs=(
-	--force-check-gpg
-)
+debootstrapArgs=()
+
+if [ -z "$noCheckGpg" ]; then
+	debootstrapArgs+=( --force-check-gpg )
+else
+	debootstrapArgs+=( --no-check-gpg )
+fi
 
 minbaseSupported="$(
 	scriptFile="$(
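Review bot: In the last hunk, the `else` branch (`debootstrapArgs+=( --no-check-gpg )`) replaces the previously unconditional `--force-check-gpg` and turns off Release signature verification for the whole bootstrap without saying so. Print a warning to stderr in that branch so build logs record that the rootfs was bootstrapped without GPG verification, and describe in the usage text that `--no-check-gpg` is intended for sources that ship no Release.gpg.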
rico-chet

comment created time in 8 hours

issue comment debuerreotype/debuerreotype

Building from an ISO image

Ouch -- IMO it's weird that the ISOs don't include Release.gpg files, but I guess it's likely due to them being a partial mirror and thus not being able to include the "official" signatures verbatim and built via a completely separate process and thus not able to securely share the real archive signing key.

For that part of the problem, I'm tentatively :+1: on including a --no-check-gpg flag to debuerreotype-init (which would then get passed to debootstrap).

For the second half (sources.list generation), we only explicitly generate sources.list contents for real Debian builds (via the purpose-built debuerreotype-debian-sources-list script), so I'm still not convinced there's anything for us to do there -- that's more an exercise for the thing invoking our scripts to clean up sources.list after debootstrap does whatever it is it's going to do (because otherwise, the default sources.list is entirely generated by debootstrap, not debuerreotype).

rico-chet

comment created time in 8 hours

push eventtianon/dockerfiles

Tianon Gravi

commit sha 5c67b6fc4454a6f496aab767bde88036d121638a

Run docker-master/update.sh

view details

push time in 8 hours

push eventtianon/dockerfiles

Tianon Gravi

commit sha 711d9dd0238536b4af67146b52067b94633db64f

Update VULTR-CLI to 0.1.9

view details

push time in 9 hours

pull request comment: nodejs/docker-node

Added multiple versions of alpine

I didn't verify the architectures files, but the Dockerfiles/contexts look fine to me. :+1:

LaurentGoderre

comment created time in 9 hours

pull request comment: nodejs/docker-node

Added multiple versions of alpine

<details> <summary>A simpler diff for review (generated via git diff cli):</summary>

diff --git a/.travis.yml b/.travis.yml
index 9c78b6d..0055174 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -128,13 +128,6 @@ jobs:
         - NODE_VERSION="10"
         - VARIANT="jessie-slim"
 
-    - stage: Build
-      before_script: *auto_skip
-      name: 10 on alpine
-      env:
-        - NODE_VERSION="10"
-        - VARIANT="alpine"
-
     - stage: Build
       before_script: *auto_skip
       name: 10 on stretch
@@ -165,10 +158,17 @@ jobs:
 
     - stage: Build
       before_script: *auto_skip
-      name: 12 on alpine
+      name: 10 on alpine3.9
       env:
-        - NODE_VERSION="12"
-        - VARIANT="alpine"
+        - NODE_VERSION="10"
+        - VARIANT="alpine3.9"
+
+    - stage: Build
+      before_script: *auto_skip
+      name: 10 on alpine3.10
+      env:
+        - NODE_VERSION="10"
+        - VARIANT="alpine3.10"
 
     - stage: Build
       before_script: *auto_skip
@@ -200,10 +200,17 @@ jobs:
 
     - stage: Build
       before_script: *auto_skip
-      name: 13 on alpine
+      name: 12 on alpine3.9
       env:
-        - NODE_VERSION="13"
-        - VARIANT="alpine"
+        - NODE_VERSION="12"
+        - VARIANT="alpine3.9"
+
+    - stage: Build
+      before_script: *auto_skip
+      name: 12 on alpine3.10
+      env:
+        - NODE_VERSION="12"
+        - VARIANT="alpine3.10"
 
     - stage: Build
       before_script: *auto_skip
@@ -233,6 +240,13 @@ jobs:
         - NODE_VERSION="13"
         - VARIANT="buster-slim"
 
+    - stage: Build
+      before_script: *auto_skip
+      name: 13 on alpine3.10
+      env:
+        - NODE_VERSION="13"
+        - VARIANT="alpine3.10"
+
     - stage: Build
       before_script: *auto_skip
       name: 8 on jessie
@@ -249,45 +263,45 @@ jobs:
 
     - stage: Build
       before_script: *auto_skip
-      name: 8 on alpine
+      name: 8 on stretch
       env:
         - NODE_VERSION="8"
-        - VARIANT="alpine"
+        - VARIANT="stretch"
 
     - stage: Build
       before_script: *auto_skip
-      name: 8 on onbuild
+      name: 8 on stretch-slim
       env:
         - NODE_VERSION="8"
-        - VARIANT="onbuild"
+        - VARIANT="stretch-slim"
 
     - stage: Build
       before_script: *auto_skip
-      name: 8 on stretch
+      name: 8 on buster
       env:
         - NODE_VERSION="8"
-        - VARIANT="stretch"
+        - VARIANT="buster"
 
     - stage: Build
       before_script: *auto_skip
-      name: 8 on stretch-slim
+      name: 8 on buster-slim
       env:
         - NODE_VERSION="8"
-        - VARIANT="stretch-slim"
+        - VARIANT="buster-slim"
 
     - stage: Build
       before_script: *auto_skip
-      name: 8 on buster
+      name: 8 on alpine3.9
       env:
         - NODE_VERSION="8"
-        - VARIANT="buster"
+        - VARIANT="alpine3.9"
 
     - stage: Build
       before_script: *auto_skip
-      name: 8 on buster-slim
+      name: 8 on alpine3.10
       env:
         - NODE_VERSION="8"
-        - VARIANT="buster-slim"
+        - VARIANT="alpine3.10"
 
     - stage: Build
       before_script: *auto_skip
diff --git a/10/alpine/Dockerfile b/10/alpine3.10/Dockerfile
similarity index 98%
copy from 10/alpine/Dockerfile
copy to 10/alpine3.10/Dockerfile
index 123238e..4e088fc 100644
--- a/10/alpine/Dockerfile
+++ b/10/alpine3.10/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.9
+FROM alpine:3.10
 
 ENV NODE_VERSION 10.17.0
 
@@ -8,7 +8,7 @@ RUN addgroup -g 1000 node \
         libstdc++ \
     && apk add --no-cache --virtual .build-deps \
         curl \
-    && ARCH= && alpineArch="$(arch)" \
+    && ARCH= && alpineArch="$(apk --print-arch)" \
       && case "${alpineArch##*-}" in \
         x86_64) \
           ARCH='x64' \
diff --git a/10/alpine/docker-entrypoint.sh b/10/alpine3.10/docker-entrypoint.sh
similarity index 100%
copy from 10/alpine/docker-entrypoint.sh
copy to 10/alpine3.10/docker-entrypoint.sh
diff --git a/10/alpine/Dockerfile b/10/alpine3.9/Dockerfile
similarity index 98%
rename from 10/alpine/Dockerfile
rename to 10/alpine3.9/Dockerfile
index 123238e..7bfe8d2 100644
--- a/10/alpine/Dockerfile
+++ b/10/alpine3.9/Dockerfile
@@ -8,7 +8,7 @@ RUN addgroup -g 1000 node \
         libstdc++ \
     && apk add --no-cache --virtual .build-deps \
         curl \
-    && ARCH= && alpineArch="$(arch)" \
+    && ARCH= && alpineArch="$(apk --print-arch)" \
       && case "${alpineArch##*-}" in \
         x86_64) \
           ARCH='x64' \
diff --git a/12/alpine/docker-entrypoint.sh b/10/alpine3.9/docker-entrypoint.sh
similarity index 100%
rename from 12/alpine/docker-entrypoint.sh
rename to 10/alpine3.9/docker-entrypoint.sh
diff --git a/10/architectures b/10/architectures
index 5f77c7c..162fbcb 100644
--- a/10/architectures
+++ b/10/architectures
@@ -1,8 +1,8 @@
 bashbrew-arch   variants
-amd64    jessie,jessie-slim,alpine,stretch,stretch-slim,buster,buster-slim
-arm32v6  alpine
-arm32v7  jessie,jessie-slim,alpine,stretch,stretch-slim,buster,buster-slim
-arm64v8  alpine,stretch,stretch-slim,buster,buster-slim
-i386     alpine
-ppc64le  alpine,stretch,stretch-slim,buster,buster-slim
-s390x    alpine,stretch,stretch-slim,buster,buster-slim
+amd64    jessie,jessie-slim,stretch,stretch-slim,buster,buster-slim,alpine3.9,alpine3.10
+arm32v6  alpine3.9,alpine3.10
+arm32v7  jessie,jessie-slim,stretch,stretch-slim,buster,buster-slim,alpine3.9,alpine3.10
+arm64v8  stretch,stretch-slim,buster,buster-slim,alpine3.9,alpine3.10
+i386     alpine3.9,alpine3.10
+ppc64le  stretch,stretch-slim,buster,buster-slim,alpine3.9,alpine3.10
+s390x    stretch,stretch-slim,buster,buster-slim,alpine3.9,alpine3.10
diff --git a/12/alpine/Dockerfile b/12/alpine3.10/Dockerfile
similarity index 98%
copy from 12/alpine/Dockerfile
copy to 12/alpine3.10/Dockerfile
index ae0bce7..a23bb5b 100644
--- a/12/alpine/Dockerfile
+++ b/12/alpine3.10/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.9
+FROM alpine:3.10
 
 ENV NODE_VERSION 12.13.0
 
@@ -8,7 +8,7 @@ RUN addgroup -g 1000 node \
         libstdc++ \
     && apk add --no-cache --virtual .build-deps \
         curl \
-    && ARCH= && alpineArch="$(arch)" \
+    && ARCH= && alpineArch="$(apk --print-arch)" \
       && case "${alpineArch##*-}" in \
         x86_64) \
           ARCH='x64' \
diff --git a/13/alpine/docker-entrypoint.sh b/12/alpine3.10/docker-entrypoint.sh
similarity index 100%
rename from 13/alpine/docker-entrypoint.sh
rename to 12/alpine3.10/docker-entrypoint.sh
diff --git a/12/alpine/Dockerfile b/12/alpine3.9/Dockerfile
similarity index 98%
rename from 12/alpine/Dockerfile
rename to 12/alpine3.9/Dockerfile
index ae0bce7..90d90b6 100644
--- a/12/alpine/Dockerfile
+++ b/12/alpine3.9/Dockerfile
@@ -8,7 +8,7 @@ RUN addgroup -g 1000 node \
         libstdc++ \
     && apk add --no-cache --virtual .build-deps \
         curl \
-    && ARCH= && alpineArch="$(arch)" \
+    && ARCH= && alpineArch="$(apk --print-arch)" \
       && case "${alpineArch##*-}" in \
         x86_64) \
           ARCH='x64' \
diff --git a/8/alpine/docker-entrypoint.sh b/12/alpine3.9/docker-entrypoint.sh
similarity index 100%
rename from 8/alpine/docker-entrypoint.sh
rename to 12/alpine3.9/docker-entrypoint.sh
diff --git a/12/architectures b/12/architectures
index 7adab03..0185a0f 100644
--- a/12/architectures
+++ b/12/architectures
@@ -1,8 +1,8 @@
 bashbrew-arch   variants
-amd64    alpine,stretch,stretch-slim,buster,buster-slim
-arm32v6  alpine
-arm32v7  alpine,stretch,stretch-slim,buster,buster-slim
-arm64v8  alpine,stretch,stretch-slim,buster,buster-slim
-i386     alpine
-ppc64le  alpine,stretch,stretch-slim,buster,buster-slim
-s390x    alpine,stretch,stretch-slim,buster,buster-slim
+amd64    stretch,stretch-slim,buster,buster-slim,alpine3.9,alpine3.10
+arm32v6  alpine3.9,alpine3.10
+arm32v7  stretch,stretch-slim,buster,buster-slim,alpine3.9,alpine3.10
+arm64v8  stretch,stretch-slim,buster,buster-slim,alpine3.9,alpine3.10
+i386     alpine3.9,alpine3.10
+ppc64le  stretch,stretch-slim,buster,buster-slim,alpine3.9,alpine3.10
+s390x    stretch,stretch-slim,buster,buster-slim,alpine3.9,alpine3.10
diff --git a/13/alpine/Dockerfile b/13/alpine3.10/Dockerfile
similarity index 100%
rename from 13/alpine/Dockerfile
rename to 13/alpine3.10/Dockerfile
diff --git a/10/alpine/docker-entrypoint.sh b/13/alpine3.10/docker-entrypoint.sh
similarity index 100%
copy from 10/alpine/docker-entrypoint.sh
copy to 13/alpine3.10/docker-entrypoint.sh
diff --git a/8/alpine/Dockerfile b/8/alpine3.10/Dockerfile
similarity index 98%
copy from 8/alpine/Dockerfile
copy to 8/alpine3.10/Dockerfile
index 1822ac3..b0b7637 100644
--- a/8/alpine/Dockerfile
+++ b/8/alpine3.10/Dockerfile
@@ -1,4 +1,4 @@
-FROM alpine:3.9
+FROM alpine:3.10
 
 ENV NODE_VERSION 8.16.2
 
@@ -8,7 +8,7 @@ RUN addgroup -g 1000 node \
         libstdc++ \
     && apk add --no-cache --virtual .build-deps \
         curl \
-    && ARCH= && alpineArch="$(arch)" \
+    && ARCH= && alpineArch="$(apk --print-arch)" \
       && case "${alpineArch##*-}" in \
         x86_64) \
           ARCH='x64' \
diff --git a/10/alpine/docker-entrypoint.sh b/8/alpine3.10/docker-entrypoint.sh
similarity index 100%
copy from 10/alpine/docker-entrypoint.sh
copy to 8/alpine3.10/docker-entrypoint.sh
diff --git a/8/alpine/Dockerfile b/8/alpine3.9/Dockerfile
similarity index 98%
rename from 8/alpine/Dockerfile
rename to 8/alpine3.9/Dockerfile
index 1822ac3..f9ecccd 100644
--- a/8/alpine/Dockerfile
+++ b/8/alpine3.9/Dockerfile
@@ -8,7 +8,7 @@ RUN addgroup -g 1000 node \
         libstdc++ \
     && apk add --no-cache --virtual .build-deps \
         curl \
-    && ARCH= && alpineArch="$(arch)" \
+    && ARCH= && alpineArch="$(apk --print-arch)" \
       && case "${alpineArch##*-}" in \
         x86_64) \
           ARCH='x64' \
diff --git a/10/alpine/docker-entrypoint.sh b/8/alpine3.9/docker-entrypoint.sh
similarity index 100%
rename from 10/alpine/docker-entrypoint.sh
rename to 8/alpine3.9/docker-entrypoint.sh
diff --git a/8/architectures b/8/architectures
index 11c069b..39a08d8 100644
--- a/8/architectures
+++ b/8/architectures
@@ -1,8 +1,8 @@
 bashbrew-arch   variants
-amd64    jessie,jessie-slim,alpine,onbuild,stretch,stretch-slim,buster,buster-slim
-arm32v6  alpine
-arm32v7  jessie,jessie-slim,alpine,onbuild,stretch,stretch-slim,buster,buster-slim
-arm64v8  alpine,onbuild,stretch,stretch-slim,buster,buster-slim
-i386     jessie,jessie-slim,alpine,onbuild,stretch,stretch-slim,buster,buster-slim
-ppc64le  alpine,onbuild,stretch,stretch-slim,buster,buster-slim
-s390x    alpine,onbuild,stretch,stretch-slim,buster,buster-slim
+amd64    jessie,jessie-slim,stretch,stretch-slim,buster,buster-slim,alpine3.9,alpine3.10,onbuild
+arm32v6  alpine3.9,alpine3.10
+arm32v7  jessie,jessie-slim,stretch,stretch-slim,buster,buster-slim,alpine3.9,alpine3.10,onbuild
+arm64v8  stretch,stretch-slim,buster,buster-slim,alpine3.9,alpine3.10,onbuild
+i386     jessie,jessie-slim,alpine,stretch-slim,buster,buster-slim,alpine3.9,alpine3.10,onbuild
+ppc64le  stretch,stretch-slim,buster,buster-slim,alpine3.9,alpine3.10,onbuild
+s390x    stretch,stretch-slim,buster,buster-slim,alpine3.9,alpine3.10,onbuild
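Review bot: the new `i386` row still lists `alpine` and no longer lists `stretch` (`jessie,jessie-slim,alpine,stretch-slim,...`), while the other rows that had both drop `alpine` and keep `stretch`. This patch renames `8/alpine` to `8/alpine3.9`, so that entry names a variant directory that no longer exists; it looks like `alpine` should read `stretch` on this line.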
diff --git a/architectures b/architectures
index 64b4164..565bbb7 100644
--- a/architectures
+++ b/architectures
@@ -1,8 +1,8 @@
 bashbrew-arch   variants
-amd64    jessie,jessie-slim,alpine,onbuild,stretch,stretch-slim,buster,buster-slim
-arm32v6  jessie,jessie-slim,alpine,onbuild,stretch,stretch-slim,buster,buster-slim
-arm32v7  jessie,jessie-slim,alpine,onbuild,stretch,stretch-slim,buster,buster-slim
-arm64v8  jessie,jessie-slim,alpine,onbuild,stretch,stretch-slim,buster,buster-slim
-i386     jessie,jessie-slim,alpine,onbuild,stretch,stretch-slim,buster,buster-slim
-ppc64le  jessie,jessie-slim,alpine,onbuild,stretch,stretch-slim,buster,buster-slim
-s390x    jessie,jessie-slim,alpine,onbuild,stretch,stretch-slim,buster,buster-slim
+amd64    jessie,jessie-slim,stretch,stretch-slim,buster,buster-slim,alpine3.9,alpine3.10
+arm32v6  jessie,jessie-slim,stretch,stretch-slim,buster,buster-slim,alpine3.9,alpine3.10
+arm32v7  jessie,jessie-slim,stretch,stretch-slim,buster,buster-slim,alpine3.9,alpine3.10
+arm64v8  jessie,jessie-slim,stretch,stretch-slim,buster,buster-slim,alpine3.9,alpine3.10
+i386     jessie,jessie-slim,stretch,stretch-slim,buster,buster-slim,alpine3.9,alpine3.10
+ppc64le  jessie,jessie-slim,stretch,stretch-slim,buster,buster-slim,alpine3.9,alpine3.10
+s390x    jessie,jessie-slim,stretch,stretch-slim,buster,buster-slim,alpine3.9,alpine3.10
diff --git a/functions.sh b/functions.sh
index 203b08a..5f37f35 100755
--- a/functions.sh
+++ b/functions.sh
@@ -169,6 +169,16 @@ function get_versions() {
   fi
 }
 
+function is_alpine() {
+  local variant
+  variant=${1}
+  shift
+
+  if [ "${variant}" = "${variant#alpine}" ]; then
+    return 1
+  fi
+}
+
 function is_debian() {
   local variant
   variant=$1
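Review bot: in `is_alpine`, the `shift` after `variant=${1}` serves no purpose and returns non-zero when the function is called without an argument; drop it. The prefix test also accepts any name that merely starts with `alpine`, so if only versioned `alpineX.Y` variants are intended, match the version part explicitly, and end the function with an explicit `return 0` so the success path does not rely on the status of the skipped `if`.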
diff --git a/generate-stackbrew-library.sh b/generate-stackbrew-library.sh
index 5dbe1f1..a29e6e8 100755
--- a/generate-stackbrew-library.sh
+++ b/generate-stackbrew-library.sh
@@ -21,6 +21,8 @@ array_chakracore_10='chakracore-10 chakracore'
 
 default_variant=$(get_config "./" "default_variant")
 
+default_alpine=$(get_config "./" "alpine_version")
+
 cd "$(cd "${0%/*}" && pwd -P)"
 
 self="$(basename "${BASH_SOURCE[0]}")"
@@ -93,11 +95,12 @@ for version in "${versions[@]}"; do
     variantAliases=("${versionAliases[@]/%/-${variant//${slash}/-}}")
     if [ "${variant}" = "${default_variant}-slim" ]; then
       variantAliases+=("${versionAliases[@]/%/-slim}")
-    fi
-    variantAliases=("${variantAliases[@]//latest-/}")
-    if [ "${variant}" = "${default_variant}" ]; then
+    elif [ "${variant}" = "alpine${default_alpine}" ]; then
+      variantAliases+=("${versionAliases[@]/%/-alpine}")
+    elif [ "${variant}" = "${default_variant}" ]; then
       variantAliases+=("${versionAliases[@]}")
     fi
+    variantAliases=("${variantAliases[@]//latest-/}")
 
     # Get supported architectures for a specific version and variant.
     # See details in function.sh
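Review bot: the new `elif [ "${variant}" = "alpine${default_alpine}" ]` depends on `alpine_version` being present in the config read at the top of the script; if it comes back empty the right-hand side is just `alpine`, which matches no variant after the rename, and the `-alpine` aliases disappear without any error. Fail early when `default_alpine` is empty.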
diff --git a/update.sh b/update.sh
index 6805b96..8fd0b86 100755
--- a/update.sh
+++ b/update.sh
@@ -162,16 +162,11 @@ function update_node_version() {
       sed -Ei -e "/${pattern}/d" "${dockerfile}-tmp"
     done
 
-    if [ "${variant}" = "alpine" ]; then
-      if [ "${SKIP}" = true ]; then
-        # Get the currently used Alpine version
-        alpine_version=$(grep "FROM" "${dockerfile}" | cut -d':' -f2)
-        checksum=$(grep -o "CHECKSUM=\".*\"" "${dockerfile}" | cut -d'=' -f2)
-      else
+    if is_alpine "${variant}"; then
+      alpine_version="${variant#*alpine}"
       checksum="\"$(
         curl -sSL --compressed "https://unofficial-builds.nodejs.org/download/release/v${nodeVersion}/SHASUMS256.txt" | grep "node-v${nodeVersion}-linux-x64-musl.tar.xz" | cut -d' ' -f1
       )\""
-      fi
       sed -Ei -e "s/(alpine:)0.0/\\1${alpine_version}/" "${dockerfile}-tmp"
       sed -Ei -e "s/CHECKSUM=CHECKSUM_x64/CHECKSUM=${checksum}/" "${dockerfile}-tmp"
     elif is_debian "${variant}"; then
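Review bot: with the `SKIP` branch removed, `checksum` always comes from the `curl ... SHASUMS256.txt | grep ... | cut` pipeline, and nothing checks that it produced a value. If the download fails or the file has no `linux-x64-musl` entry, the following `sed` writes `CHECKSUM=""` into the Dockerfile; add `-f` to the curl call and stop when the result is empty. The three `checksum=` lines also keep the indentation of the deleted `else` block.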
@@ -249,6 +244,8 @@ for version in "${versions[@]}"; do
       template_file="${parentpath}/Dockerfile-debian.template"
     elif is_debian_slim "${variant}"; then
       template_file="${parentpath}/Dockerfile-slim.template"
+    elif is_alpine "${variant}"; then
+      template_file="${parentpath}/Dockerfile-alpine.template"
     fi
 
     [ "$variant" != "onbuild" ] && cp "${parentpath}/docker-entrypoint.sh" "${version}/${variant}/docker-entrypoint.sh"

</details>

LaurentGoderre

comment created time in 9 hours

pull request comment: docker-library/python

Remove idle_test directory

Thanks!

gliptak

comment created time in 9 hours

push eventdocker-library/python

Gábor Lipták

commit sha 0b1fb9529c79ea85b8c80ff3dd85a32a935b0346

Remove idle_test directory Signed-off-by: Gábor Lipták <gliptak@gmail.com>

view details

Tianon Gravi

commit sha cf68ae064414062b255c7074c58f46e81b31c92e

Merge pull request #430 from gliptak/idletest1 Remove idle_test directory

view details

push time in 9 hours

PR merged docker-library/python

Reviewers
Remove idle_test directory

Signed-off-by: Gábor Lipták gliptak@gmail.com

https://github.com/docker-library/python/issues/214

+70 -70

2 comments

35 changed files

gliptak

pr closed time in 9 hours

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 1828a90ed26844a34139be33c39af4e542246bdf

Update debian-security.json

view details

push time in 10 hours

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 2b288ff844fe09740ca750ca2a9666d7a0997c72

Update debian-security.json

view details

push time in 11 hours

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 33f7bab5903f4f82d641a0fb856f706ef1c5ce7c

Update debian-security.json

view details

push time in 13 hours

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 8048d155960a387d4b53d4ba6f46354cd6c5194b

Update debian-security.json

view details

push time in 14 hours

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 778884641b240a6d8bc3a1b591681ce3019d3d52

Update debian-security.json

view details

push time in 16 hours

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha ddd2c5129d0ccc743dd2db66ab5a2ce357542a52

Update debian-security.json

view details

push time in 17 hours

push eventtianon/docker-syncthing

Tianon Gravi

commit sha dab4f7b48155f86ad7e191df5f19e3392c571e47

Update 1-rc to 1.3.2-rc.1

view details

push time in 18 hours

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 8f36b7647562e762affec336b585cf2aff81b1ad

Update debian-security.json

view details

push time in 20 hours

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 6f443d044932c1fa93cf9ba45e64deb7d44658e7

Update debian-security.json

view details

push time in a day

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha e89b2fc3b929d15a3ee9f1a55fb04a05f8c2a005

Update debian-security.json

view details

push time in a day

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha e6db39806fa7e2bd5691561cbb79b1e9428241ae

Update debian-security.json

view details

push time in a day

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 1089fbd0dfa1b6954e2a5150c1140e905f140480

Update debian-security.json

view details

push time in a day

PR opened docker-library/official-images

Update tomcat

Changes:

  • https://github.com/docker-library/tomcat/commit/2aeb637: Merge pull request https://github.com/docker-library/tomcat/pull/177 from infosiftr/drop-12
  • https://github.com/docker-library/tomcat/commit/7945643: adoptopenjdk 12 images are no longer supported
+5 -25

0 comment

1 changed file

pr created time in a day

PR opened docker-library/official-images

Update memcached

Changes:

  • https://github.com/docker-library/memcached/commit/3939abc: Update to 1.5.20
+4 -4

0 comment

1 changed file

pr created time in a day

delete branch infosiftr/tomcat

delete branch : drop-12

delete time in a day

push eventdocker-library/tomcat

Joe Ferguson

commit sha 7945643707a880001f7e1464f3e88d5d0fb15ac7

adoptopenjdk 12 images are no longer supported

view details

Tianon Gravi

commit sha 2aeb637269a745616c2240e04d5e064c90b2d033

Merge pull request #177 from infosiftr/drop-12 Drop adoptopenjdk 12 images

view details

push time in a day

PR merged docker-library/tomcat

Drop adoptopenjdk 12 images

They are no longer supported

+0 -504

0 comment

5 changed files

yosifkit

pr closed time in a day

push eventdocker-library/busybox

Tianon Gravi

commit sha 93d36a8bc4b1accf1f6e61bbc7f409ef456fc7ed

Update Buildroot to 2019.08.2

view details

push time in 2 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 2ad98d293ef1ad9054f890fbef1792f010efef58

Update debian-security.json

view details

push time in 2 days

push eventtianon/dockerfiles

Tianon Gravi

commit sha 6e4f2d3beed0636ccd5ac92b26c39caa73ae0805

Update the new "CS_DAYS_TO_REMOVE_UNUSED" down to 1 for container deployments (since chunkserver IPs will often change on every redeploy in a container environment)

view details

push time in 2 days

push eventtianon/dockerfiles

Tianon Gravi

commit sha d56d574b705cbbb580621753c94d4039eb15dcef

Update MooseFS to 3.0.107

view details

push time in 2 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha c14fbfb910192ea7f3e3462be30da78a125e2f56

Update debian-security.json

view details

push time in 2 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 322d809c7e890abfadaf4aad3589e3671eb0c8dc

Update debian-security.json

view details

push time in 2 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 91f3c15a08e251a690b20b987c8747945bcd90a2

Update debian-security.json

view details

push time in 2 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha b9e02e5d0ddcb7210c1ce5d4db0adaf78abf2265

Update debian-security.json

view details

push time in 2 days

push eventtianon/dockerfiles

Tianon Gravi

commit sha a85e514ba3857fe878aaae715328bf4e657b4e38

Update jenkins to 2.204

view details

push time in 2 days

push eventtianon/dockerfiles

Tianon Gravi

commit sha 7be277bd1424cd9d934acbc5dac5a5a0fbe8fbb4

Add experimental "docker-chunkservers" script for running multiple chunkservers on a single host more easily

view details

push time in 2 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha bf4bd166d9fa013d9f26573b062aacf0119793fa

Update debian-security.json

view details

push time in 2 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha a7c2e1116cb0aeb4f0fa02ce74816e0b1712702d

Update debian-security.json

view details

push time in 2 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 281dbf33570678d3d22e4873b3f3831b51493e74

Update debian-security.json

view details

push time in 2 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 5cf2041ed7b8e555a26024bc94955469d3b093a6

Update debian-security.json

view details

push time in 2 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 853254ddea7a098a68e5d7a242d7cf945b5e9e5d

Update debian-security.json

view details

push time in 3 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha eaefadd885bc28c224493745884b3cf44791df9c

Update debian-security.json

view details

push time in 3 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha bb88b4948e59f4e324b8d6ed97b4feb64e285d3f

Update debian-security.json

view details

push time in 3 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 12eee86d60c51fdb11206f94ba2e2d1bef9b7a7c

Update debian-security.json

view details

push time in 3 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 0237c9858c6089eaa6fb4ef704819f9c0aa6443b

Update debian-security.json

view details

push time in 3 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha dd0d2cb9f85910a6fdf1fd94b2098cbfe5a38312

Update debian-security.json

view details

push time in 3 days

pull request comment: docker-library/official-images

updating vault to 1.2.4

Just FYI, we do have some official recommendations for communicating security releases to us to help us make sure they're prioritized: https://github.com/docker-library/official-images#security-releases

chrishoffman

comment created time in 3 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 9512b0427e5bbb8ade2d5f1ec2cd65b2ee4114fe

Update debian-security.json

view details

push time in 3 days

push eventtianon/docker-brew-ubuntu-core

Michael Hudson-Doyle

commit sha 4c7bb70cf3c9314b84dd48e73fe3edf88a0a93f0

do not let stray directories confuse generate-stackbrew-library.sh quite so much

view details

Tianon Gravi

commit sha cb6ea8e6a945b7a33dcaefb2ea7a3af6eb03d55c

Merge pull request #165 from mwhudson/versions-care do not let stray directories confuse generate-stackbrew-library.sh quite so much

view details

push time in 3 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 6a5f0b57a9dd6cc7abd26f63573870ac748a6a1c

Update debian-security.json

view details

push time in 4 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 1a32ea389df39c4da8f443dc7cb8b5046107e3f5

Update debian-security.json

view details

push time in 4 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 60bba48277ebaf96409c2d43a71500b609152a32

Update debian-security.json

view details

push time in 4 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 47979d76dd9d7491572a28932f79a3fb47101b7d

Update debian-security.json

view details

push time in 4 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 6326a5df293f8619041f5b9d3e4f4346aae2e421

Update debian-security.json

view details

push time in 4 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha bf42e24385c7529913235a3fcaa372368d96cfc7

Update debian-security.json

view details

push time in 4 days

created tagtianon/docker-tini-tags

tagdocker-19.03.5-rc1

Mapping Docker releases to tini commits (https://github.com/tianon/docker-tini-tags/tags)

created time in 4 days

created tagtianon/docker-runc-tags

tagdocker-19.03.5-rc1

Mapping Docker releases to runc commits (https://github.com/tianon/docker-runc-tags/tags)

created time in 4 days

created tagtianon/docker-libnetwork-tags

tagdocker-19.03.5-rc1

Mapping Docker releases to libnetwork commits (https://github.com/tianon/docker-libnetwork-tags/tags)

created time in 4 days

created tagtianon/docker-containerd-tags

tagdocker-19.03.5-rc1

Mapping Docker releases to containerd commits (https://github.com/tianon/docker-containerd-tags/tags)

created time in 4 days

created tagtianon/docker-tini-tags

tagdocker-19.03.5-beta2

Mapping Docker releases to tini commits (https://github.com/tianon/docker-tini-tags/tags)

created time in 4 days

created tagtianon/docker-runc-tags

tagdocker-19.03.5-beta2

Mapping Docker releases to runc commits (https://github.com/tianon/docker-runc-tags/tags)

created time in 4 days

created tagtianon/docker-libnetwork-tags

tagdocker-19.03.5-beta2

Mapping Docker releases to libnetwork commits (https://github.com/tianon/docker-libnetwork-tags/tags)

created time in 4 days

created tagtianon/docker-containerd-tags

tagdocker-19.03.5-beta2

Mapping Docker releases to containerd commits (https://github.com/tianon/docker-containerd-tags/tags)

created time in 4 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha bc6292f9a26bf71c75ae373f2f10894dc2cd07d7

Update debian-security.json

view details

push time in 4 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha bfb3e237eda9f961f7c26ba45b4d74322b0e852c

Update debian-security.json

view details

push time in 4 days

push eventtianon/dockerfiles

Tianon Gravi

commit sha b4f763299cef9cfd66ec1cd670e9629535b47799

Run docker-master/update.sh

view details

push time in 4 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 3aa903574d58f57957d2e7fc23335408dd52ffbb

Update debian-security.json

view details

push time in 4 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha de03d47e586ba9bcc4cb012f265a4b9160eef2c3

Update debian-security.json

view details

push time in 5 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 9aa6bb0b43d53633664de107092dc4525bbfe149

Update debian-security.json

view details

push time in 5 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha 77dac236f05b303483e6024c0174c2fa55925e88

Update debian-security.json

view details

push time in 5 days

push eventtianon/debian-security-tracker-mirror

Tianon Gravi

commit sha fa1d4d8f1fcb1a573e0c9141d89eb52e2ff9c8d0

Update debian-security.json

view details

push time in 5 days
