feat: add PostgreSQL v17 (#191)

Co-authored-by: Jonathan Gonzalez V. <[email protected]>

.github/generate-strategy.sh

@@ -11,7 +11,7 @@ set -eu
 
 # Define an optional aliases for some major versions
 declare -A aliases=(
-	[16]='latest'
+	[17]='latest'
 )
 
 # Define the current default UBI version
@@ -55,7 +55,7 @@ generator() {
 
 		# A "-beta" suffix will be appended to the beta images.
 		beta=""
-		if [ "${version}" -gt '16' ]; then
+		if [ "${version}" -gt '17' ]; then
 			beta="-beta"
 			# Split PG beta versions before the underscore
 			fullVersion=$(jq -r '.POSTGRES_VERSION | split("_") | .[0]' "${versionFile}")
@@ -170,7 +170,7 @@ generator_postgis() {
 
 		# A "-beta" suffix will be appended to the beta images.
 		beta=""
-		if [ "${version}" -gt '16' ]; then
+		if [ "${version}" -gt '17' ]; then
 			beta="-beta"
 			# Split PG beta versions before the underscore
 			fullVersion=$(jq -r '.POSTGRES_VERSION | split("_") | .[0]' "${versionFile}")

README.md

@@ -1,7 +1,7 @@
 # PostgreSQL Container Images by EnterpriseDB
 
 Maintenance scripts to generate Immutable Application Containers
-for all available PostgreSQL versions (12 to 16) based on
+for all available PostgreSQL versions (12 to 17) based on
 Red Hat Universal Base Images (UBI) 8 and 9:
 
 - Standard minimal image - amd64/arm64

UBI/17/.versions-postgis-ubi8.json

@@ -0,0 +1,7 @@
+{
+  "BARMAN_VERSION": "3.11.1",
+  "IMAGE_RELEASE_VERSION": "1",
+  "POSTGIS_VERSION": "3.5.0",
+  "POSTGRES_VERSION": "17.0",
+  "UBI_VERSION": "8.10-1088"
+}

UBI/17/.versions-postgis-ubi9.json

@@ -0,0 +1,7 @@
+{
+  "BARMAN_VERSION": "3.11.1",
+  "IMAGE_RELEASE_VERSION": "1",
+  "POSTGIS_VERSION": "3.5.0",
+  "POSTGRES_VERSION": "17.0",
+  "UBI_VERSION": "9.4-1214.1726694543"
+}

UBI/17/.versions-ubi8.json

@@ -0,0 +1,6 @@
+{
+  "BARMAN_VERSION": "3.11.1",
+  "IMAGE_RELEASE_VERSION": "1",
+  "POSTGRES_VERSION": "17.0",
+  "UBI_VERSION": "8.10-1088"
+}

UBI/17/.versions-ubi9.json

@@ -0,0 +1,6 @@
+{
+  "BARMAN_VERSION": "3.11.1",
+  "IMAGE_RELEASE_VERSION": "1",
+  "POSTGRES_VERSION": "17.0",
+  "UBI_VERSION": "9.4-1214.1726694543"
+}

UBI/17/Dockerfile.multiarch.ubi8

@@ -0,0 +1,140 @@
+# vim:set ft=dockerfile:
+FROM quay.io/enterprisedb/edb-ubi:8.10-1088
+
+# Do not split the description, otherwise we will see a blank space in the labels
+LABEL name="PostgreSQL Container Images" \
+      vendor="EnterpriseDB" \
+      url="https://www.enterprisedb.com/" \
+      version="17.0" \
+      release="1" \
+      summary="PostgreSQL Container images." \
+      description="This Docker image contains PostgreSQL and Barman Cloud based on RedHat Universal Base Images (UBI) 8."
+
+COPY root/ /
+
+ARG TARGETARCH
+RUN --mount=type=secret,id=cs_token \
+	set -xe ; \
+	ARCH="${TARGETARCH}" ; \
+	base_url="https://download.postgresql.org/pub/repos/yum/reporpms" ; \
+	pg_failover_slots_pkg="pg_failover_slots_17" ; \
+	pg_squeeze_pkg="pg_squeeze_17" ; \
+	pgvector="pgvector_17" ; \
+	pg_audit_pkg="pgaudit19_17" ; \
+	case $ARCH in \
+			amd64) \
+					yum -y install "${base_url}/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm" ; \
+					curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ; \
+					if [ "17" -gt "15" ]; then pg_audit_pkg="pgaudit_17"; fi ;; \
+			arm64) \
+					yum -y install "${base_url}/EL-8-aarch64/pgdg-redhat-repo-latest.noarch.rpm" ; \
+					curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ; \
+					if [ "17" -gt "15" ]; then pg_audit_pkg="pgaudit_17"; fi ;; \
+			ppc64le) \
+					curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ; \
+					pg_failover_slots_pkg="edb-pg17-pg-failover-slots1" ; \
+					pg_squeeze_pkg="edb-pg17-pg-squeeze1" ; \
+					pgvector="edb-pg17-pgvector0" ; \
+					pg_audit_pkg="edb-pg17-pgaudit1" ; \
+					if [ "17" -gt "15" ]; then pg_audit_pkg="edb-pg17-pgaudit17"; fi ;; \
+			s390x) \
+					curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/edb/setup.rpm.sh | bash ; \
+					pg_failover_slots_pkg="edb-pg17-pg-failover-slots1" ; \
+					pg_squeeze_pkg="edb-pg17-pg-squeeze1" ; \
+					pgvector="edb-pg17-pgvector0" ; \
+					pg_audit_pkg="edb-pg17-pgaudit1" ; \
+					if [ "17" -gt "15" ]; then pg_audit_pkg="edb-pg17-pgaudit17"; fi ;; \
+			*) \
+					exit 1 ;; \
+	esac ; \
+	yum -y upgrade glibc-common ; \
+	yum -y reinstall glibc-common ; \
+	rm -fr /etc/rpm/macros.image-language-conf ; \
+	yum -y install hostname rsync tar gettext bind-utils nss_wrapper glibc-locale-source glibc-langpack-en glibc-all-langpacks ; \
+	yum -y --setopt=tsflags=nodocs install \
+			postgresql17-17.0 \
+			postgresql17-contrib-17.0 \
+			postgresql17-server-17.0 \
+			postgresql17-libs-17.0 \
+			"$pg_audit_pkg" \
+			"$pg_squeeze_pkg" \
+			"$pg_failover_slots_pkg" \
+			"$pgvector" \
+	; \
+	rm -fr /etc/yum.repos.d/enterprisedb-*.repo ; \
+	rm -fr /tmp/* ; \
+	yum -y clean all --enablerepo='*'
+
+# Install barman-cloud
+RUN set -xe ; \
+	yum -y install python3.11-pip python3.11-psycopg2 ; \
+	pip3.11 install --upgrade pip ; \
+	pip3.11 install -r requirements.txt ; \
+	yum -y clean all --enablerepo='*'
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+	sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/pgsql-17/share/postgresql.conf.sample; \
+	grep -F "listen_addresses = '*'" /usr/pgsql-17/share/postgresql.conf.sample
+
+# prepare the environment and make sure postgres user has the correct UID
+RUN set -xeu ; \
+	localedef -f UTF-8 -i en_US en_US.UTF-8 ; \
+	test "$(id postgres)" = "uid=26(postgres) gid=26(postgres) groups=26(postgres)" ; \
+	mkdir -p /var/run/postgresql ; \
+	chown postgres:postgres /var/run/postgresql ; \
+	chmod 0755 /var/run/postgresql
+
+ENV PATH $PATH:/usr/pgsql-17/bin
+
+RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data/pgdata
+# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
+RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+# Remove example certificates in pem and enc format from /usr/share/doc folder
+RUN find /usr/share/doc -type f '(' -iname "*.pem" -o -iname "*.enc" ')' -exec rm -rf {} \; || true
+
+# DoD 2.3 - remove setuid/setgid from any binary that not strictly requires it, and before doing that list them on the stdout
+RUN find / -not -path "/proc/*" -perm /6000 -type f -exec ls -ld {} \; -exec chmod a-s {} \; || true
+
+USER 26
+
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk, which is the best compromise available to avoid data
+# corruption.
+#
+# Users who know their applications do not keep open long-lived idle connections
+# may way to use a value of SIGTERM instead, which corresponds to "Smart
+# Shutdown mode" in which any existing sessions are allowed to finish and the
+# server stops when all sessions are terminated.
+#
+# See https://www.postgresql.org/docs/12/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/12/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption).
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/12/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]

UBI/17/Dockerfile.multiarch.ubi9

@@ -0,0 +1,140 @@
+# vim:set ft=dockerfile:
+FROM quay.io/enterprisedb/edb-ubi:9.4-1214.1726694543
+
+# Do not split the description, otherwise we will see a blank space in the labels
+LABEL name="PostgreSQL Container Images" \
+      vendor="EnterpriseDB" \
+      url="https://www.enterprisedb.com/" \
+      version="17.0" \
+      release="1" \
+      summary="PostgreSQL Container images." \
+      description="This Docker image contains PostgreSQL and Barman Cloud based on RedHat Universal Base Images (UBI) 9."
+
+COPY root/ /
+
+ARG TARGETARCH
+RUN --mount=type=secret,id=cs_token \
+	set -xe ; \
+	ARCH="${TARGETARCH}" ; \
+	base_url="https://download.postgresql.org/pub/repos/yum/reporpms" ; \
+	pg_failover_slots_pkg="pg_failover_slots_17" ; \
+	pg_squeeze_pkg="pg_squeeze_17" ; \
+	pgvector="pgvector_17" ; \
+	pg_audit_pkg="pgaudit19_17" ; \
+	case $ARCH in \
+			amd64) \
+					yum -y install "${base_url}/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm" ; \
+					curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ; \
+					if [ "17" -gt "15" ]; then pg_audit_pkg="pgaudit_17"; fi ;; \
+			arm64) \
+					yum -y install "${base_url}/EL-9-aarch64/pgdg-redhat-repo-latest.noarch.rpm" ; \
+					curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ; \
+					if [ "17" -gt "15" ]; then pg_audit_pkg="pgaudit_17"; fi ;; \
+			ppc64le) \
+					curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/enterprise/setup.rpm.sh | bash ; \
+					pg_failover_slots_pkg="edb-pg17-pg-failover-slots1" ; \
+					pg_squeeze_pkg="edb-pg17-pg-squeeze1" ; \
+					pgvector="edb-pg17-pgvector0" ; \
+					pg_audit_pkg="edb-pg17-pgaudit1" ; \
+					if [ "17" -gt "15" ]; then pg_audit_pkg="edb-pg17-pgaudit17"; fi ;; \
+			s390x) \
+					curl -u token:$(cat /run/secrets/cs_token) -1sLf https://downloads.enterprisedb.com/basic/edb/setup.rpm.sh | bash ; \
+					pg_failover_slots_pkg="edb-pg17-pg-failover-slots1" ; \
+					pg_squeeze_pkg="edb-pg17-pg-squeeze1" ; \
+					pgvector="edb-pg17-pgvector0" ; \
+					pg_audit_pkg="edb-pg17-pgaudit1" ; \
+					if [ "17" -gt "15" ]; then pg_audit_pkg="edb-pg17-pgaudit17"; fi ;; \
+			*) \
+					exit 1 ;; \
+	esac ; \
+	yum -y upgrade glibc-common ; \
+	yum -y reinstall glibc-common ; \
+	rm -fr /etc/rpm/macros.image-language-conf ; \
+	yum -y install hostname rsync tar gettext bind-utils nss_wrapper glibc-locale-source glibc-langpack-en glibc-all-langpacks ; \
+	yum -y --setopt=tsflags=nodocs install \
+			postgresql17-17.0 \
+			postgresql17-contrib-17.0 \
+			postgresql17-server-17.0 \
+			postgresql17-libs-17.0 \
+			"$pg_audit_pkg" \
+			"$pg_squeeze_pkg" \
+			"$pg_failover_slots_pkg" \
+			"$pgvector" \
+	; \
+	rm -fr /etc/yum.repos.d/enterprisedb-*.repo ; \
+	rm -fr /tmp/* ; \
+	yum -y clean all --enablerepo='*'
+
+# Install barman-cloud
+RUN set -xe ; \
+	yum -y install python3.11-pip python3.11-psycopg2 ; \
+	pip3.11 install --upgrade pip ; \
+	pip3.11 install -r requirements.txt ; \
+	yum -y clean all --enablerepo='*'
+
+# make the sample config easier to munge (and "correct by default")
+RUN set -eux; \
+	sed -ri "s!^#?(listen_addresses)\s*=\s*\S+.*!\1 = '*'!" /usr/pgsql-17/share/postgresql.conf.sample; \
+	grep -F "listen_addresses = '*'" /usr/pgsql-17/share/postgresql.conf.sample
+
+# prepare the environment and make sure postgres user has the correct UID
+RUN set -xeu ; \
+	localedef -f UTF-8 -i en_US en_US.UTF-8 ; \
+	test "$(id postgres)" = "uid=26(postgres) gid=26(postgres) groups=26(postgres)" ; \
+	mkdir -p /var/run/postgresql ; \
+	chown postgres:postgres /var/run/postgresql ; \
+	chmod 0755 /var/run/postgresql
+
+ENV PATH $PATH:/usr/pgsql-17/bin
+
+RUN mkdir -p /var/run/postgresql && chown -R postgres:postgres /var/run/postgresql && chmod 2777 /var/run/postgresql
+
+ENV PGDATA /var/lib/postgresql/data/pgdata
+# this 777 will be replaced by 700 at runtime (allows semi-arbitrary "--user" values)
+RUN mkdir -p "$PGDATA" && chown -R postgres:postgres "$PGDATA" && chmod 777 "$PGDATA"
+VOLUME /var/lib/postgresql/data
+
+RUN mkdir /docker-entrypoint-initdb.d
+
+# Remove example certificates in pem and enc format from /usr/share/doc folder
+RUN find /usr/share/doc -type f '(' -iname "*.pem" -o -iname "*.enc" ')' -exec rm -rf {} \; || true
+
+# DoD 2.3 - remove setuid/setgid from any binary that not strictly requires it, and before doing that list them on the stdout
+RUN find / -not -path "/proc/*" -perm /6000 -type f -exec ls -ld {} \; -exec chmod a-s {} \; || true
+
+USER 26
+
+ENTRYPOINT ["docker-entrypoint.sh"]
+
+# We set the default STOPSIGNAL to SIGINT, which corresponds to what PostgreSQL
+# calls "Fast Shutdown mode" wherein new connections are disallowed and any
+# in-progress transactions are aborted, allowing PostgreSQL to stop cleanly and
+# flush tables to disk, which is the best compromise available to avoid data
+# corruption.
+#
+# Users who know their applications do not keep open long-lived idle connections
+# may way to use a value of SIGTERM instead, which corresponds to "Smart
+# Shutdown mode" in which any existing sessions are allowed to finish and the
+# server stops when all sessions are terminated.
+#
+# See https://www.postgresql.org/docs/12/server-shutdown.html for more details
+# about available PostgreSQL server shutdown signals.
+#
+# See also https://www.postgresql.org/docs/12/server-start.html for further
+# justification of this as the default value, namely that the example (and
+# shipped) systemd service files use the "Fast Shutdown mode" for service
+# termination.
+#
+STOPSIGNAL SIGINT
+#
+# An additional setting that is recommended for all users regardless of this
+# value is the runtime "--stop-timeout" (or your orchestrator/runtime's
+# equivalent) for controlling how long to wait between sending the defined
+# STOPSIGNAL and sending SIGKILL (which is likely to cause data corruption).
+#
+# The default in most runtimes (such as Docker) is 10 seconds, and the
+# documentation at https://www.postgresql.org/docs/12/server-start.html notes
+# that even 90 seconds may not be long enough in many instances.
+
+EXPOSE 5432
+CMD ["postgres"]