11.8.0-debian-10-r57 release

2020-07-07 21:16:37 +00:00 · 2020-07-07 21:16:37 +00:00 · 075e8480e9
parent 146faa7d39
commit 075e8480e9
4 changed files with 147 additions and 3 deletions
--- a/bitnami/postgresql/11/debian-10/Dockerfile
+++ b/bitnami/postgresql/11/debian-10/Dockerfile
@ -9,7 +9,7 @@ ENV HOME="/" \
 COPY prebuildfs /
 # Install required system packages and dependencies
 RUN install_packages acl ca-certificates curl gzip libbsd0 libc6 libedit2 libffi6 libgcc1 libgmp10 libgnutls30 libhogweed4 libicu63 libidn2-0 libldap-2.4-2 liblzma5 libnettle6 libp11-kit0 libsasl2-2 libsqlite3-0 libssl1.1 libstdc++6 libtasn1-6 libtinfo6 libunistring2 libuuid1 libxml2 libxslt1.1 locales procps tar zlib1g
-RUN . /opt/bitnami/scripts/libcomponent.sh && component_unpack "postgresql" "11.8.0-8" --checksum 3d46a33bb8dea47e5dd608e009ce4c6b5cbe63a6c77be8973d55d1660e2ad439
+RUN . /opt/bitnami/scripts/libcomponent.sh && component_unpack "postgresql" "11.8.0-9" --checksum 9900be45bb1b31254b34550e9395605ed6ac53dc05a2b1a3292d7d5157b40774
 RUN . /opt/bitnami/scripts/libcomponent.sh && component_unpack "gosu" "1.12.0-1" --checksum 51cfb1b7fd7b05b8abd1df0278c698103a9b1a4964bdacd87ca1d5c01631d59c
 RUN apt-get update && apt-get upgrade -y && \
    rm -r /var/lib/apt/lists /var/cache/apt/archives
@ -22,7 +22,7 @@ RUN echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen && locale-gen
 COPY rootfs /
 RUN /opt/bitnami/scripts/postgresql/postunpack.sh
 ENV BITNAMI_APP_NAME="postgresql" \
-    BITNAMI_IMAGE_VERSION="11.8.0-debian-10-r56" \
+    BITNAMI_IMAGE_VERSION="11.8.0-debian-10-r57" \
    LANG="en_US.UTF-8" \
    LANGUAGE="en_US:en" \
    NSS_WRAPPER_LIB="/opt/bitnami/common/lib/libnss_wrapper.so" \
--- a/bitnami/postgresql/11/debian-10/rootfs/opt/bitnami/scripts/libpostgresql.sh
+++ b/bitnami/postgresql/11/debian-10/rootfs/opt/bitnami/scripts/libpostgresql.sh
@ -116,6 +116,33 @@ postgresql_validate() {
        empty_password_error "You can not set POSTGRESQL_LDAP_URL and POSTGRESQL_LDAP_SERVER at the same time. Check your LDAP configuration."
    fi

+    if ! is_yes_no_value "$POSTGRESQL_ENABLE_TLS"; then
+        print_validation_error "The values allowed for POSTGRESQL_ENABLE_TLS are: yes or no"
+    elif is_boolean_yes "$POSTGRESQL_ENABLE_TLS"; then
+        # TLS Checks
+        if [[ -z "$POSTGRESQL_TLS_CERT_FILE" ]]; then
+            print_validation_error "You must provide a X.509 certificate in order to use TLS"
+        elif [[ ! -f "$POSTGRESQL_TLS_CERT_FILE" ]]; then
+            print_validation_error "The X.509 certificate file in the specified path ${POSTGRESQL_TLS_CERT_FILE} does not exist"
+        fi
+        if [[ -z "$POSTGRESQL_TLS_KEY_FILE" ]]; then
+            print_validation_error "You must provide a private key in order to use TLS"
+        elif [[ ! -f "$POSTGRESQL_TLS_KEY_FILE" ]]; then
+            print_validation_error "The private key file in the specified path ${POSTGRESQL_TLS_KEY_FILE} does not exist"
+        fi
+        if [[ -z "$POSTGRESQL_TLS_CA_FILE" ]]; then
+            warn "A CA X.509 certificate was not provided. Client verification will not be performed in TLS connections"
+        elif [[ ! -f "$POSTGRESQL_TLS_CA_FILE" ]]; then
+            print_validation_error "The CA X.509 certificate file in the specified path ${POSTGRESQL_TLS_CA_FILE} does not exist"
+        fi
+        if [[ -n "$POSTGRESQL_TLS_CRL_FILE" ]] && [[ ! -f "$POSTGRESQL_TLS_CRL_FILE" ]]; then
+            print_validation_error "The CRL file in the specified path ${POSTGRESQL_TLS_CRL_FILE} does not exist"
+        fi
+        if ! is_yes_no_value "$POSTGRESQL_TLS_PREFER_SERVER_CIPHERS"; then
+            print_validation_error "The values allowed for POSTGRESQL_TLS_PREFER_SERVER_CIPHERS are: yes or no"
+        fi
+    fi
+
    [[ "$error_code" -eq 0 ]] || exit "$error_code"
 }

@ -198,6 +225,28 @@ host     all             all             ::/0                    trust
 EOF
 }

+########################
+# Enforce Certificate client authentication
+# for TLS connections in pg_hba
+# Globals:
+#   POSTGRESQL_*
+# Arguments:
+#   None
+# Returns:
+#   None
+#########################
+postgresql_tls_auth_configuration() {
+    info "Enabling TLS Client authentication"
+    local previous_content
+    previous_content=$(cat "$POSTGRESQL_PGHBA_FILE")
+
+    cat << EOF > "$POSTGRESQL_PGHBA_FILE"
+hostssl     all             all             0.0.0.0/0               cert
+hostssl     all             all             ::/0                    cert
+$previous_content
+EOF
+}
+
 ########################
 # Create basic pg_hba.conf file
 # Globals:
@ -326,6 +375,27 @@ postgresql_configure_replication_parameters() {
    fi
 }

+########################
+# Change postgresql.conf by setting TLS properies
+# Globals:
+#   POSTGRESQL_*
+# Arguments:
+#   None
+# Returns:
+#   None
+#########################
+postgresql_configure_tls() {
+    info "Configuring TLS"
+    chmod 600 "$POSTGRESQL_TLS_KEY_FILE" || warn "Could not set compulsory permissions (600) on file ${POSTGRESQL_TLS_KEY_FILE}"
+    postgresql_set_property "ssl" "on"
+    # Server ciphers are prefered by default
+    ! is_boolean_yes "$POSTGRESQL_TLS_PREFER_SERVER_CIPHERS" && postgresql_set_property "ssl_prefer_server_ciphers" "off"
+    [[ -n $POSTGRESQL_TLS_CA_FILE ]] && postgresql_set_property "ssl_ca_file" "$POSTGRESQL_TLS_CA_FILE"
+    [[ -n $POSTGRESQL_TLS_CRL_FILE ]] && postgresql_set_property "ssl_crl_file" "$POSTGRESQL_TLS_CRL_FILE"
+    postgresql_set_property "ssl_cert_file" "$POSTGRESQL_TLS_CERT_FILE"
+    postgresql_set_property "ssl_key_file" "$POSTGRESQL_TLS_KEY_FILE"
+}
+
 ########################
 # Change postgresql.conf by setting fsync
 # Globals:
@ -490,6 +560,7 @@ postgresql_initialize() {
        is_boolean_yes "$create_pghba_file" && postgresql_restrict_pghba
        is_boolean_yes "$create_conf_file" && postgresql_configure_replication_parameters
        is_boolean_yes "$create_conf_file" && postgresql_configure_fsync
+        is_boolean_yes "$create_conf_file" && is_boolean_yes "$POSTGRESQL_ENABLE_TLS" && postgresql_configure_tls
        [[ "$POSTGRESQL_REPLICATION_MODE" = "master" ]] && [[ -n "$POSTGRESQL_REPLICATION_USER" ]] && is_boolean_yes "$create_pghba_file" && postgresql_add_replication_to_pghba
        [[ "$POSTGRESQL_REPLICATION_MODE" = "slave" ]] && postgresql_configure_recovery
    else
@ -509,14 +580,18 @@ postgresql_initialize() {
            [[ -n "$POSTGRESQL_REPLICATION_USER" ]] && postgresql_create_replication_user
            is_boolean_yes "$create_conf_file" && postgresql_configure_replication_parameters
            is_boolean_yes "$create_conf_file" && postgresql_configure_fsync
+            is_boolean_yes "$create_conf_file" && is_boolean_yes "$POSTGRESQL_ENABLE_TLS" && postgresql_configure_tls
            [[ -n "$POSTGRESQL_REPLICATION_USER" ]] && is_boolean_yes "$create_pghba_file" && postgresql_add_replication_to_pghba
        else
            postgresql_slave_init_db
            is_boolean_yes "$create_pghba_file" && postgresql_restrict_pghba
            is_boolean_yes "$create_conf_file" && postgresql_configure_replication_parameters
            is_boolean_yes "$create_conf_file" && postgresql_configure_fsync
+            is_boolean_yes "$create_conf_file" && is_boolean_yes "$POSTGRESQL_ENABLE_TLS" && postgresql_configure_tls
            postgresql_configure_recovery
        fi
+        # TLS Modifications on pghba need to be performed after properly configuring postgresql.conf file
+        (is_boolean_yes "$create_pghba_file" && is_boolean_yes "$POSTGRESQL_ENABLE_TLS" && [[ -n $POSTGRESQL_TLS_CA_FILE ]] && postgresql_tls_auth_configuration) || true
    fi

    # Delete conf files generated on first run
--- a/bitnami/postgresql/11/debian-10/rootfs/opt/bitnami/scripts/postgresql-env.sh
+++ b/bitnami/postgresql/11/debian-10/rootfs/opt/bitnami/scripts/postgresql-env.sh
@ -53,6 +53,12 @@ postgresql_env_vars=(
    POSTGRESQL_POSTGRES_PASSWORD
    POSTGRESQL_REPLICATION_PASSWORD
    POSTGRESQL_INITSCRIPTS_PASSWORD
+    POSTGRESQL_ENABLE_TLS
+    POSTGRESQL_TLS_CERT_FILE
+    POSTGRESQL_TLS_KEY_FILE
+    POSTGRESQL_TLS_CA_FILE
+    POSTGRESQL_TLS_CRL_FILE
+    POSTGRESQL_TLS_PREFER_SERVER_CIPHERS

 )
 for env_var in "${postgresql_env_vars[@]}"; do
@ -193,6 +199,24 @@ export POSTGRESQL_REPLICATION_PASSWORD="${POSTGRESQL_REPLICATION_PASSWORD:-}"
 export POSTGRESQL_INITSCRIPTS_PASSWORD="${POSTGRESQL_INITSCRIPTS_PASSWORD:-"${POSTGRES_INITSCRIPTS_PASSWORD:-}"}"
 export POSTGRESQL_INITSCRIPTS_PASSWORD="${POSTGRESQL_INITSCRIPTS_PASSWORD:-$POSTGRESQL_PASSWORD}"

+export POSTGRESQL_ENABLE_TLS="${POSTGRESQL_ENABLE_TLS:-"${POSTGRES_ENABLE_TLS:-}"}"
+export POSTGRESQL_ENABLE_TLS="${POSTGRESQL_ENABLE_TLS:-no}"
+
+export POSTGRESQL_TLS_CERT_FILE="${POSTGRESQL_TLS_CERT_FILE:-"${POSTGRES_TLS_CERT_FILE:-}"}"
+export POSTGRESQL_TLS_CERT_FILE="${POSTGRESQL_TLS_CERT_FILE:-}"
+
+export POSTGRESQL_TLS_KEY_FILE="${POSTGRESQL_TLS_KEY_FILE:-"${POSTGRES_TLS_KEY_FILE:-}"}"
+export POSTGRESQL_TLS_KEY_FILE="${POSTGRESQL_TLS_KEY_FILE:-}"
+
+export POSTGRESQL_TLS_CA_FILE="${POSTGRESQL_TLS_CA_FILE:-"${POSTGRES_TLS_CA_FILE:-}"}"
+export POSTGRESQL_TLS_CA_FILE="${POSTGRESQL_TLS_CA_FILE:-}"
+
+export POSTGRESQL_TLS_CRL_FILE="${POSTGRESQL_TLS_CRL_FILE:-"${POSTGRES_TLS_CRL_FILE:-}"}"
+export POSTGRESQL_TLS_CRL_FILE="${POSTGRESQL_TLS_CRL_FILE:-}"
+
+export POSTGRESQL_TLS_PREFER_SERVER_CIPHERS="${POSTGRESQL_TLS_PREFER_SERVER_CIPHERS:-"${POSTGRES_TLS_PREFER_SERVER_CIPHERS:-}"}"
+export POSTGRESQL_TLS_PREFER_SERVER_CIPHERS="${POSTGRESQL_TLS_PREFER_SERVER_CIPHERS:-yes}"
+
 # Internal
 export POSTGRESQL_FIRST_BOOT="yes"
 export NSS_WRAPPER_LIB="/opt/bitnami/common/lib/libnss_wrapper.so"
--- a/bitnami/postgresql/README.md
+++ b/bitnami/postgresql/README.md
@ -43,7 +43,7 @@ Learn more about the Bitnami tagging policy and the difference between rolling t


 * [`12-debian-10`, `12.3.0-debian-10-r52`, `12`, `12.3.0` (12/debian-10/Dockerfile)](https://github.com/bitnami/bitnami-docker-postgresql/blob/12.3.0-debian-10-r52/12/debian-10/Dockerfile)
-* [`11-debian-10`, `11.8.0-debian-10-r56`, `11`, `11.8.0`, `latest` (11/debian-10/Dockerfile)](https://github.com/bitnami/bitnami-docker-postgresql/blob/11.8.0-debian-10-r56/11/debian-10/Dockerfile)
+* [`11-debian-10`, `11.8.0-debian-10-r57`, `11`, `11.8.0`, `latest` (11/debian-10/Dockerfile)](https://github.com/bitnami/bitnami-docker-postgresql/blob/11.8.0-debian-10-r57/11/debian-10/Dockerfile)
 * [`10-debian-10`, `10.13.0-debian-10-r52`, `10`, `10.13.0` (10/debian-10/Dockerfile)](https://github.com/bitnami/bitnami-docker-postgresql/blob/10.13.0-debian-10-r52/10/debian-10/Dockerfile)
 * [`9.6-debian-10`, `9.6.18-debian-10-r55`, `9.6`, `9.6.18` (9.6/debian-10/Dockerfile)](https://github.com/bitnami/bitnami-docker-postgresql/blob/9.6.18-debian-10-r55/9.6/debian-10/Dockerfile)

@ -446,6 +446,51 @@ The LDAP related parameters are:

 For more information refer to [Postgresql LDAP auth configuration documentation](https://www.postgresql.org/docs/12/auth-ldap.html).

+## Securing PostgreSQL traffic
+
+PostgreSQL supports the encryption of connections using the SSL/TLS protocol. Should you desire to enable this optional feature, you may use the following enviroment variables to configure the application:
+
+ - `POSTGRESQL_ENABLE_TLS`: Whether to enable TLS for traffic or not. Defaults to `no`.
+ - `POSTGRESQL_TLS_CERT_FILE`: File containing the certificate file for the TLS traffic. No defaults.
+ - `POSTGRESQL_TLS_KEY_FILE`: File containing the key for certificate. No defaults.
+ - `POSTGRESQL_TLS_CA_FILE`: File containing the CA of the certificate. If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate (see [ref](https://www.postgresql.org/docs/9.6/auth-methods.html)). No defaults.
+ - `POSTGRESQL_TLS_CRL_FILE`: File containing a Certificate Revocation List. No defaults.
+ - `POSTGRESQL_TLS_PREFER_SERVER_CIPHERS`: Whether to use the server's TLS cipher preferences rather than the client's. Defaults to `yes`.
+
+When enabling TLS, PostgreSQL will support both standard and encrypted traffic by default, but prefer the latter. Below there are some examples on how to quickly set up TLS traffic:
+
+1. Using `docker run`
+
+    ```console
+    $ docker run \
+        -v /path/to/certs:/opt/bitnami/postgresql/certs \
+        -e ALLOW_EMPTY_PASSWORD=yes \
+        -e POSTGRESQL_ENABLE_TLS=yes \
+        -e POSTGRESQL_TLS_CERT_FILE=/opt/bitnami/postgresql/certs/postgres.crt \
+        -e POSTGRESQL_TLS_KEY_FILE=/opt/bitnami/postgresql/certs/postgres.key \
+        bitnami/postgresql:latest
+    ```
+
+2. Modifying the `docker-compose.yml` file present in this repository:
+
+    ```yaml
+    services:
+      postgresql:
+      ...
+        environment:
+          ...
+          - POSTGRESQL_ENABLE_TLS=yes
+          - POSTGRESQL_TLS_CERT_FILE=/opt/bitnami/postgresql/certs/postgres.crt
+          - POSTGRESQL_TLS_KEY_FILE=/opt/bitnami/postgresql/certs/postgres.key
+        ...
+        volumes:
+          ...
+          - /path/to/certs:/opt/bitnami/postgresql/certs
+      ...
+    ```
+
+Alternatively, you may also provide this configuration in your [custom](https://github.com/bitnami/bitnami-docker-postgresql#configuration-file) configuration file.
+
 ## Configuration file

 The image looks for `postgresql.conf` file in `/opt/bitnami/postgresql/conf/`. You can mount a volume at `/bitnami/postgresql/conf/` and copy/edit the `postgresql.conf` file in the `/path/to/postgresql-persistence/conf/`. The default configurations will be populated to the `conf/` directory if it's empty.