diff --git a/optional/postgresql/Dockerfile b/optional/postgresql/Dockerfile
index f0e603e9..6a78f600 100644
--- a/optional/postgresql/Dockerfile
+++ b/optional/postgresql/Dockerfile
@@ -7,7 +7,7 @@ RUN apk add --no-cache \
 RUN pip3 install jinja2
 # Image specific layers under this line
 RUN apk add --no-cache \
- postgresql postgresql-libs postgresql-contrib busybox-suid \
+ postgresql postgresql-libs postgresql-contrib busybox-suid sudo\
 && apk add --virtual .build-deps gcc musl-dev postgresql-dev python3-dev \
 && pip3 install psycopg2 anosql \
 && apk --purge del .build-deps
@@ -30,3 +30,4 @@ VOLUME /backup
 
 EXPOSE 5432
 CMD /start.py
+HEALTHCHECK CMD psql -h 127.0.0.1 -d postgres -U health -c "select 1 as ok;" || exit 1
diff --git a/optional/postgresql/conf/pg_hba.conf b/optional/postgresql/conf/pg_hba.conf
index f1333b20..af5122e8 100644
--- a/optional/postgresql/conf/pg_hba.conf
+++ b/optional/postgresql/conf/pg_hba.conf
@@ -80,7 +80,7 @@
 local all all peer map=local
 # IPv4 connections:
 host all mailu {{ SUBNET }} md5
-host postgres health 127.0.0.1/32 md5
+host postgres health 127.0.0.1/32 trust
 # IPv6 local connections:
 host all all ::1/128 reject
 # Allow replication connections from localhost, by a user with the
diff --git a/optional/postgresql/conf/pg_ident.conf b/optional/postgresql/conf/pg_ident.conf
index dcfa34f3..4538ff9c 100644
--- a/optional/postgresql/conf/pg_ident.conf
+++ b/optional/postgresql/conf/pg_ident.conf
@@ -42,4 +42,3 @@
 # MAPNAME SYSTEM-USERNAME PG-USERNAME
 local postgres postgres
 local root postgres
-local root health
diff --git a/optional/postgresql/conf/queries.sql b/optional/postgresql/conf/queries.sql
index 3a058a94..999efbb2 100644
--- a/optional/postgresql/conf/queries.sql
+++ b/optional/postgresql/conf/queries.sql
@@ -18,6 +18,12 @@ begin
 end
 $$;
+-- name: grant_health!
+-- Grant connect permission for the health user
+grant connect
+ on database postgres
+ to health;
+
 -- name: update_pw!
 alter user mailu 
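Review bot: The added package on the `+ postgresql ... busybox-suid sudo\` line has no space before the continuation backslash, unlike the line it replaces. It still parses, because the backslash-newline pair is removed and the next line's leading whitespace keeps `sudo` and `&&` apart, but it breaks the pattern every other continued line in this RUN follows; write it as `busybox-suid sudo \`.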
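Review bot: The new HEALTHCHECK only succeeds because the pg_hba.conf hunk below changes the `health` role's entry on 127.0.0.1/32 from `md5` to `trust`, so any process that can reach the container's loopback interface, including other containers attached to its network namespace, can open a session as `health` on the `postgres` database with no credential at all. What such a session can do is bounded by the role's privileges (this commit grants it CONNECT on `postgres`), but an authentication bypass should be stated next to the rule, e.g. `# trust: health role, loopback and the postgres db only -- used by the image HEALTHCHECK`. If the probe only needs to know that the server accepts connections, `pg_isready -h 127.0.0.1 -d postgres -U health` reports that without authenticating according to its documentation, and the `md5` line could stay; whether a real `select 1` round trip is required is the authors' call. The HEALTHCHECK also relies on psql's default connect timeout; an explicit `--timeout` on the instruction would keep a hung server from stalling the probe.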
diff --git a/optional/postgresql/start.py b/optional/postgresql/start.py
index 65f0a57c..1ee540d5 100755
--- a/optional/postgresql/start.py
+++ b/optional/postgresql/start.py
@@ -15,6 +15,7 @@ def setup():
 queries.update_pw(conn, pw=os.environ.get("SECRET_KEY"))
 # Healthcheck user
 queries.create_health_user(conn)
+ queries.grant_health(conn)
 conn.commit()
 # create db cannot be atomic. But this script is the only active connection, this is kinda safe.
 if not queries.check_db(conn):
@@ -30,7 +31,7 @@ def setup():
 # Bootstrap the database if postgresql is running for the first time
 if not os.path.exists('/data/pg_wal'):
 os.system("chown -R postgres:postgres /data")
- os.system("su - postgres -c 'initdb -D /data'")
+ os.system("sudo -u postgres initdb -D /data")
 
 # Create backup directory structure, if it does not yet exist
 os.system("mkdir -p /backup/wal_archive")
@@ -42,13 +43,13 @@ for pg_file in glob.glob("/conf/*.conf"):
 convert(pg_file, os.path.join("/data", os.path.basename(pg_file)))
 
 # Run postgresql locally for DB and user creation
-os.system("su - postgres -c 'pg_ctl start -D /data -o \"-h localhost\"'")
+os.system("sudo -u postgres pg_ctl start -D /data -o '-h \"''\" '")
 setup()
-os.system("su - postgres -c 'pg_ctl stop -m smart -w -D /data'")
+os.system("sudo -u postgres pg_ctl stop -m smart -w -D /data")
 
 out=open("/proc/1/fd/1", "w")
 err=open("/proc/1/fd/2", "w")
 # Run the cron deamon
-subprocess.Popen(["crond", "-f", "-d7"], stdout=out, stderr=err)
+subprocess.Popen(["crond", "-f"], stdout=out, stderr=err)
 # Run postgresql service
-os.system("su - postgres -c 'postgres -D /data -h \*'")
+os.system("sudo -u postgres postgres -D /data -h \*")
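Review bot: The replacement `os.system("sudo -u postgres initdb -D /data")` still discards the exit status, so a failed initdb (a permission problem on /data, for instance) goes unnoticed and the script carries on to `pg_ctl start` and `setup()` against a directory that was never initialised. `subprocess.run(["sudo", "-u", "postgres", "initdb", "-D", "/data"], check=True)` aborts the bootstrap on failure and drops the shell round trip; `subprocess` is already imported, as the Popen call later in the file shows. The same applies to the `pg_ctl start` and `pg_ctl stop` lines in the next hunk. Whatever encloses this `if` block begins outside the hunk.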
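Review bot: The new `pg_ctl start` line hides the purpose of its `-o` argument under three layers of quoting and carries no comment; once Python and the outer shell have each removed a layer, pg_ctl's own shell invocation seems to hand postgres the two-character value `''` rather than an empty address, which is worth confirming in the server log before relying on it. I take the intent to be "no TCP listener while setup() runs" (the old line bound to localhost only), so say so above the call, e.g. `# Bootstrap instance: empty -h means Unix socket only, so nothing can reach it over TCP during setup()`, and consider the simpler `-o \"-h ''\"` quoting, which should reach postgres as an empty string through both shells. On the last line, `"... -h \*"` keeps an unrecognised `\*` escape in a non-raw string, which Python 3.12 reports as a SyntaxWarning; use `r"..."` or quote the star as `'*'`. The enclosing `for pg_file` loop starts outside the hunk.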