
Support debian bookworm images

Open bdun1013 opened this issue 1 year ago • 7 comments

The official Postgres images now include a debian bookworm base image build: https://github.com/docker-library/postgres/tree/master/16/bookworm

bdun1013 avatar Nov 15 '23 20:11 bdun1013

Following the conversation here that we had in the community meeting.

So the issue here will be that if we keep the current tags we will overwrite the current ones with a different version of the base OS, meaning that people will switch from bullseye to bookworm without notice, and this could bring some issues if that's not alerted.

One of the proposals was to add a new description to the images that will record the distribution version where the image is based, something like postgresql-bookworm-16.2-2. The other proposal is just to switch to bookworm without caring about the switch. What do you think, @NiccoloFei and everyone interested in this discussion?

Regards

sxd avatar Feb 22 '24 09:02 sxd

people will switch from bullseye to bookworm without notice and this could bring some issues if that's not alerted.

Do we have an idea of what exactly changes? Something like a comparison at SBOM level (for example, with Dependency-Track)?

Prima facie, the leaner the use of the base image, the lower the impact.

From a principled point of view: the lower the implicit dependencies / assumptions from the base OS, the better, for reasons such as this very issue. Anything else that may be required, such as:

  • a very easy-to-spot postgres-related component such as pg_failover_slots: bake it in explicitly
  • not so easy-to-spot changes (depends on who one asks) in glibc such as https://github.com/ardentperf/glibc-unicode-sorting : probably would come as a surprise, and a leaner SBOM makes it easy to spot the impact.

nareshov avatar Feb 22 '24 13:02 nareshov
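An SBOM-level comparison of the kind suggested above, as an added example for this thread (it is not CloudNativePG project code). It diffs two CycloneDX-style SBOM documents such as `trivy image --format cyclonedx` produces, reports the base OS change, added/removed/upgraded packages, and flags packages on an operator-maintained watchlist whose upgrade changes PostgreSQL behaviour without any PostgreSQL package changing (the glibc collation case). The two embedded SBOMs are constructed by hand: the package names and versions are illustrative, not the real contents of the bullseye and bookworm images, and the WATCHLIST is an assumption, not part of any tool.

```python
"""Package-level diff of two CycloneDX-style SBOMs to see what actually changes
when a container image moves from one Debian base to another.

Added example, not CloudNativePG project code. Both SBOMs below are constructed:
names and versions are illustrative, not the real image contents.
"""
import json

# Packages whose upgrade changes PostgreSQL behaviour although no PostgreSQL
# package changed. Assumption: the operator maintains this list themselves.
WATCHLIST = {
    "libc6": "glibc collation order may change; text indexes may need REINDEX",
}

# Constructed SBOM standing in for the bullseye-based image.
BULLSEYE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "operating-system", "name": "debian", "version": "11.9"},
        {"type": "library", "name": "libc6", "version": "2.31-13+deb11u8"},
        {"type": "library", "name": "libssl1.1", "version": "1.1.1w-0+deb11u1"},
        {"type": "library", "name": "python3.9", "version": "3.9.2-1"},
        {"type": "library", "name": "postgresql-16", "version": "16.2-1.pgdg110+2"},
        {"type": "library", "name": "postgresql-16-pgaudit", "version": "1.7.0-1.pgdg110+1"},
    ],
})

# Constructed SBOM standing in for the bookworm-based image.
BOOKWORM_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "operating-system", "name": "debian", "version": "12.5"},
        {"type": "library", "name": "libc6", "version": "2.36-9+deb12u4"},
        {"type": "library", "name": "libssl3", "version": "3.0.11-1~deb12u2"},
        {"type": "library", "name": "python3.11", "version": "3.11.2-6"},
        {"type": "library", "name": "postgresql-16", "version": "16.2-1.pgdg120+2"},
        {"type": "library", "name": "postgresql-16-pgaudit", "version": "1.7.0-1.pgdg120+1"},
    ],
})


def load_components(sbom_json):
    """Return {package name: version} for every library component."""
    doc = json.loads(sbom_json)
    return {c["name"]: c["version"]
            for c in doc.get("components", []) if c.get("type") == "library"}


def base_os(sbom_json):
    """Return 'name version' of the operating-system component, or None."""
    for c in json.loads(sbom_json).get("components", []):
        if c.get("type") == "operating-system":
            return f"{c['name']} {c['version']}"
    return None


def diff_sboms(old_json, new_json):
    """Compute added, removed and version-changed packages plus watchlist hits."""
    old, new = load_components(old_json), load_components(new_json)
    common = set(old) & set(new)
    changed = {n: (old[n], new[n]) for n in sorted(common) if old[n] != new[n]}
    return {
        "base_os": (base_os(old_json), base_os(new_json)),
        "added": {n: new[n] for n in sorted(set(new) - set(old))},
        "removed": {n: old[n] for n in sorted(set(old) - set(new))},
        "changed": changed,
        # Upgrades that deserve a human look before the tag is reused.
        "warnings": [f"{n}: {changed[n][0]} -> {changed[n][1]} ({WATCHLIST[n]})"
                     for n in changed if n in WATCHLIST],
    }


def format_report(diff):
    """Render the diff in a compact +/-/~/! line format."""
    old_os, new_os = diff["base_os"]
    lines = [f"base OS: {old_os} -> {new_os}"]
    lines += [f"+ {n} {v}" for n, v in diff["added"].items()]
    lines += [f"- {n} {v}" for n, v in diff["removed"].items()]
    lines += [f"~ {n} {a} -> {b}" for n, (a, b) in diff["changed"].items()]
    lines += [f"! {w}" for w in diff["warnings"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(diff_sboms(BULLSEYE_SBOM, BOOKWORM_SBOM)))
```

With real images the two SBOM strings would come from `trivy image --format cyclonedx` (or any CycloneDX producer) for each tag; the point of the watchlist is that the `~ libc6` line is the one most likely to be missed when only PostgreSQL packages are reviewed.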

@sxd Hi, I want to make my own image based on groonga/pgroonga; this image is only available for bookworm. In the build part I have to add --break-system-packages to the pip install commands in the Dockerfile. So far that's it for changes, I think; I will report what happens in the runtime part later on.

mhkarimi1383 avatar Apr 08 '24 21:04 mhkarimi1383

IDK if we can switch to PyENV or some other alternatives for python.

I'm in for helping with upgrading images to bookworm

mhkarimi1383 avatar Apr 08 '24 21:04 mhkarimi1383

Everything is working in the production environment; I think adding --break-system-packages is OK.

mhkarimi1383 avatar Apr 16 '24 12:04 mhkarimi1383

Here is my Dockerfile (with postgres 14)

[Used in our Zulip K8s service]

# vim:set ft=dockerfile:
#
# Copyright The CloudNativePG Contributors
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# 
#    http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
FROM groonga/pgroonga:latest-debian-14

# Do not split the description, otherwise we will see a blank space in the labels
LABEL name="PostgreSQL + PGRoonga Container Images" \
    vendor="ParminCloud" \
    version="${PG_VERSION}" \
    release="1" \
    summary="PostgreSQL + PGRoonga Container Images." \
    description="This Docker image contains PostgreSQL, PGRoonga and Barman Cloud based on Postgres 14."

COPY requirements.txt /

# Install additional extensions
RUN set -xe; \
    apt-get update; \
    apt-get install -y --no-install-recommends \
    "postgresql-${PG_MAJOR}-pgaudit" \
    "postgresql-${PG_MAJOR}-pg-failover-slots" \
    "postgresql-${PG_MAJOR}-pgrouting" \
    "hunspell-en*" \
    "curl" \
    ; \
    rm -fr /tmp/* ; \
    rm -rf /var/lib/apt/lists/*;

RUN ln -sf /usr/share/hunspell/en_US.dic /usr/share/postgresql/${PG_MAJOR}/tsearch_data/en_us.dict && \
    ln -sf /usr/share/hunspell/en_US.aff /usr/share/postgresql/${PG_MAJOR}/tsearch_data/en_us.affix

RUN curl -sSL --fail https://raw.githubusercontent.com/zulip/zulip/main/puppet/zulip/files/postgresql/zulip_english.stop \
    --output /usr/share/postgresql/${PG_MAJOR}/tsearch_data/zulip_english.stop

# Install barman-cloud
RUN set -xe; \
    apt-get update; \
    apt-get install -y --no-install-recommends \
    python3-pip \
    python3-psycopg2 \
    python3-setuptools \
    ; \
    pip3 install --break-system-packages --upgrade pip; \
    # TODO: Remove --no-deps once https://github.com/pypa/pip/issues/9644 is solved
    pip3 install --break-system-packages --no-deps -r requirements.txt; \
    rm -rf /var/lib/apt/lists/*;

# Change the uid of postgres to 26
RUN usermod -u 26 postgres
USER 26

mhkarimi1383 avatar Apr 24 '24 13:04 mhkarimi1383

Here's a diff of the CVE scanning between bullseye and bookworm images (using trivy):

ghcr.io/cloudnative-pg/postgresql-testing:16.2-16-bullseye@sha256:40b5ef1783c137223709f3423b1af470a4b142c52faf8edb123395165ca70865 (debian 11.9)
================================================================================================================================================
Total: 300 (UNKNOWN: 0, LOW: 143, MEDIUM: 80, HIGH: 71, CRITICAL: 6)


ghcr.io/cloudnative-pg/postgresql-testing:16.2-1-bookworm@sha256:3c4063f3d2bb3254564eda4d00eea45010809838584e396db0a30ae5180d938c (debian 12.5)
===============================================================================================================================================
Total: 203 (UNKNOWN: 0, LOW: 108, MEDIUM: 60, HIGH: 34, CRITICAL: 1)

Bookworm testing images have been generated in the postgresql-testing registry. Leaving here an ImageCatalog in case anyone is interested in helping test them:

ClusterImageCatalog:
apiVersion: postgresql.cnpg.io/v1
kind: ClusterImageCatalog
metadata:
  name: postgresql
spec:
  images:
    - major: 11
      image: ghcr.io/cloudnative-pg/postgresql-testing:11.22-1-bookworm@sha256:f34ebdfff1653c548e528d692249faf0531dbb375e8f91355648b58713eee4f3
    - major: 12
      image: ghcr.io/cloudnative-pg/postgresql-testing:12.18-1-bookworm@sha256:503fe965194e4ff6cb597ebdcca74e5ca3b8002981309d4e4053d23eb0f6e2af
    - major: 13
      image: ghcr.io/cloudnative-pg/postgresql-testing:13.14-1-bookworm@sha256:eca23348de88004fc07ed70d9391ac34de1cd8b3a0b74009e7dff899e43721cb
    - major: 14
      image: ghcr.io/cloudnative-pg/postgresql-testing:14.11-1-bookworm@sha256:72e3a46d33f11ce141eea67934ff5261e9b2c6c2bebea089e160a7eb4b69802f
    - major: 15
      image: ghcr.io/cloudnative-pg/postgresql-testing:15.6-1-bookworm@sha256:3db563da96858340495ea630742d9c06230afa089e8a3b3d5fae9e72db5e5fe7
    - major: 16
      image: ghcr.io/cloudnative-pg/postgresql-testing:16.2-1-bookworm@sha256:3c4063f3d2bb3254564eda4d00eea45010809838584e396db0a30ae5180d938c

NiccoloFei avatar Apr 30 '24 13:04 NiccoloFei
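A small check for the catalog above, as an added example for this thread (not CloudNativePG project code): it parses each image reference, and reports entries that are not pinned by digest (so a rebuilt tag could swap the base OS unnoticed, the concern raised earlier in the thread), entries whose tag does not carry the Debian release name, and entries whose major does not match the tag. The major-16 entry is taken from the catalog on this page; the other two entries and their digest are constructed to show the failure modes, and the accepted release names are an assumption.

```python
"""Sanity checks for image references in a ClusterImageCatalog.

Added example, not CloudNativePG project code. The catalog entries below mix
one reference copied from the thread with constructed ones that fail a check.
"""
import re

# Assumption: these are the Debian release names the operator expects in tags.
DISTRO_SUFFIXES = ("bullseye", "bookworm")

# repo, optional :tag, optional @sha256 digest. The repo part is lazy so the
# first ':' after the last '/' is taken as the tag separator, and a registry
# port such as localhost:5000 still ends up inside the repo.
_REF_RE = re.compile(
    r"^(?P<repo>[^@]+?)"
    r"(?::(?P<tag>[^/:@]+))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)

# Entry copied from the page, then two constructed ones (placeholder digest).
CATALOG = [
    (16, "ghcr.io/cloudnative-pg/postgresql-testing:16.2-1-bookworm"
         "@sha256:3c4063f3d2bb3254564eda4d00eea45010809838584e396db0a30ae5180d938c"),
    (16, "ghcr.io/cloudnative-pg/postgresql-testing:16.2-1"),
    (16, "ghcr.io/cloudnative-pg/postgresql-testing:15.6-1-bookworm@sha256:" + "0" * 64),
]


def parse_image_ref(ref):
    """Split an image reference into repo, tag and digest (None when absent)."""
    m = _REF_RE.match(ref)
    if not m:
        raise ValueError(f"unparseable image reference: {ref}")
    return m.groupdict()


def check_catalog_entry(major, ref):
    """Return a list of findings for one catalog entry; empty means it passed."""
    parts = parse_image_ref(ref)
    tag = parts["tag"] or ""
    findings = []
    if not parts["digest"]:
        findings.append("not pinned by digest: a tag rebuild can change the base OS unnoticed")
    if not any(tag.endswith("-" + d) for d in DISTRO_SUFFIXES):
        findings.append(f"tag {tag!r} does not record the Debian release")
    if not tag.startswith(f"{major}."):
        findings.append(f"major {major} does not match tag {tag!r}")
    return findings


def check_catalog(entries):
    """Map each failing image reference to its findings."""
    result = {}
    for major, ref in entries:
        findings = check_catalog_entry(major, ref)
        if findings:
            result[ref] = findings
    return result


if __name__ == "__main__":
    for ref, findings in check_catalog(CATALOG).items():
        print(ref)
        for f in findings:
            print("  -", f)
```

The regex accepts the reference forms a catalog normally contains (with or without tag, with or without digest); a reference that matches none of them raises instead of being silently reported as clean.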