From 075e8480e9ec96cd0c227c4f9cea23ebb5cbbfeb Mon Sep 17 00:00:00 2001 From: Bitnami Bot Date: Tue, 7 Jul 2020 21:16:37 +0000 Subject: [PATCH] 11.8.0-debian-10-r57 release --- bitnami/postgresql/11/debian-10/Dockerfile | 4 +- .../opt/bitnami/scripts/libpostgresql.sh | 75 +++++++++++++++++++ .../opt/bitnami/scripts/postgresql-env.sh | 24 ++++++ bitnami/postgresql/README.md | 47 +++++++++++- 4 files changed, 147 insertions(+), 3 deletions(-) diff --git a/bitnami/postgresql/11/debian-10/Dockerfile b/bitnami/postgresql/11/debian-10/Dockerfile index 4ba17141cc27..e7f7c4fd1c8b 100644 --- a/bitnami/postgresql/11/debian-10/Dockerfile +++ b/bitnami/postgresql/11/debian-10/Dockerfile @@ -9,7 +9,7 @@ ENV HOME="/" \ COPY prebuildfs / # Install required system packages and dependencies RUN install_packages acl ca-certificates curl gzip libbsd0 libc6 libedit2 libffi6 libgcc1 libgmp10 libgnutls30 libhogweed4 libicu63 libidn2-0 libldap-2.4-2 liblzma5 libnettle6 libp11-kit0 libsasl2-2 libsqlite3-0 libssl1.1 libstdc++6 libtasn1-6 libtinfo6 libunistring2 libuuid1 libxml2 libxslt1.1 locales procps tar zlib1g -RUN . /opt/bitnami/scripts/libcomponent.sh && component_unpack "postgresql" "11.8.0-8" --checksum 3d46a33bb8dea47e5dd608e009ce4c6b5cbe63a6c77be8973d55d1660e2ad439 +RUN . /opt/bitnami/scripts/libcomponent.sh && component_unpack "postgresql" "11.8.0-9" --checksum 9900be45bb1b31254b34550e9395605ed6ac53dc05a2b1a3292d7d5157b40774 RUN . /opt/bitnami/scripts/libcomponent.sh && component_unpack "gosu" "1.12.0-1" --checksum 51cfb1b7fd7b05b8abd1df0278c698103a9b1a4964bdacd87ca1d5c01631d59c RUN apt-get update && apt-get upgrade -y && \ rm -r /var/lib/apt/lists /var/cache/apt/archives 
@@ -22,7 +22,7 @@ RUN echo 'en_US.UTF-8 UTF-8' >> /etc/locale.gen && locale-gen COPY rootfs / RUN /opt/bitnami/scripts/postgresql/postunpack.sh ENV BITNAMI_APP_NAME="postgresql" \ - BITNAMI_IMAGE_VERSION="11.8.0-debian-10-r56" \ + BITNAMI_IMAGE_VERSION="11.8.0-debian-10-r57" \ LANG="en_US.UTF-8" \ LANGUAGE="en_US:en" \ NSS_WRAPPER_LIB="/opt/bitnami/common/lib/libnss_wrapper.so" \ diff --git a/bitnami/postgresql/11/debian-10/rootfs/opt/bitnami/scripts/libpostgresql.sh b/bitnami/postgresql/11/debian-10/rootfs/opt/bitnami/scripts/libpostgresql.sh index 444b8c52dfeb..678f83695706 100644 --- a/bitnami/postgresql/11/debian-10/rootfs/opt/bitnami/scripts/libpostgresql.sh +++ b/bitnami/postgresql/11/debian-10/rootfs/opt/bitnami/scripts/libpostgresql.sh 
@@ -116,6 +116,33 @@ postgresql_validate() {
 empty_password_error "You can not set POSTGRESQL_LDAP_URL and POSTGRESQL_LDAP_SERVER at the same time. Check your LDAP configuration."
 fi
+ if ! is_yes_no_value "$POSTGRESQL_ENABLE_TLS"; then
+ print_validation_error "The values allowed for POSTGRESQL_ENABLE_TLS are: yes or no"
+ elif is_boolean_yes "$POSTGRESQL_ENABLE_TLS"; then
+ # TLS Checks
+ if [[ -z "$POSTGRESQL_TLS_CERT_FILE" ]]; then
+ print_validation_error "You must provide a X.509 certificate in order to use TLS"
+ elif [[ ! -f "$POSTGRESQL_TLS_CERT_FILE" ]]; then
+ print_validation_error "The X.509 certificate file in the specified path ${POSTGRESQL_TLS_CERT_FILE} does not exist"
+ fi
+ if [[ -z "$POSTGRESQL_TLS_KEY_FILE" ]]; then
+ print_validation_error "You must provide a private key in order to use TLS"
+ elif [[ ! -f "$POSTGRESQL_TLS_KEY_FILE" ]]; then
+ print_validation_error "The private key file in the specified path ${POSTGRESQL_TLS_KEY_FILE} does not exist"
+ fi
+ if [[ -z "$POSTGRESQL_TLS_CA_FILE" ]]; then
+ warn "A CA X.509 certificate was not provided. Client verification will not be performed in TLS connections"
+ elif [[ ! -f "$POSTGRESQL_TLS_CA_FILE" ]]; then
+ print_validation_error "The CA X.509 certificate file in the specified path ${POSTGRESQL_TLS_CA_FILE} does not exist"
+ fi
+ if [[ -n "$POSTGRESQL_TLS_CRL_FILE" ]] && [[ ! -f "$POSTGRESQL_TLS_CRL_FILE" ]]; then
+ print_validation_error "The CRL file in the specified path ${POSTGRESQL_TLS_CRL_FILE} does not exist"
+ fi
+ if ! is_yes_no_value "$POSTGRESQL_TLS_PREFER_SERVER_CIPHERS"; then
+ print_validation_error "The values allowed for POSTGRESQL_TLS_PREFER_SERVER_CIPHERS are: yes or no"
+ fi
+ fi
+
 [[ "$error_code" -eq 0 ]] || exit "$error_code"
 }
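Review bot: The CRL branch accepts `POSTGRESQL_TLS_CRL_FILE` even when `POSTGRESQL_TLS_CA_FILE` is empty, although — as far as I know — PostgreSQL only consults the CRL while verifying client certificates, which the `warn` branch just above says will not happen without a CA; the operator therefore gets no signal that the revocation list is inert. A one-line check such as `[[ -n "$POSTGRESQL_TLS_CRL_FILE" && -z "$POSTGRESQL_TLS_CA_FILE" ]] && warn "POSTGRESQL_TLS_CRL_FILE has no effect unless POSTGRESQL_TLS_CA_FILE is also set"` would make that visible. The `-f` tests also only prove the files exist; a `-r` test would catch the common case of a mounted secret the postgresql user cannot read, which otherwise surfaces only as a server start-up failure. Presumably the server resolves relative paths against the data directory rather than the script's working directory, so requiring absolute paths here would remove a possible disagreement between this check and what PostgreSQL actually opens. postgresql_validate's body begins before this hunk.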
@@ -198,6 +225,28 @@ host all all ::/0 trust
 EOF
 }
+########################
+# Enforce Certificate client authentication
+# for TLS connections in pg_hba
+# Globals:
+# POSTGRESQL_*
+# Arguments:
+# None
+# Returns:
+# None
+#########################
+postgresql_tls_auth_configuration() {
+ info "Enabling TLS Client authentication"
+ local previous_content
+ previous_content=$(cat "$POSTGRESQL_PGHBA_FILE")
+
+ cat << EOF > "$POSTGRESQL_PGHBA_FILE"
+hostssl all all 0.0.0.0/0 cert
+hostssl all all ::/0 cert
+$previous_content
+EOF
+}
+
 ########################
 # Create basic pg_hba.conf file
 # Globals:
@@ -326,6 +375,27 @@ postgresql_configure_replication_parameters() {
 fi
 }
+########################
+# Change postgresql.conf by setting TLS properies
+# Globals:
+# POSTGRESQL_*
+# Arguments:
+# None
+# Returns:
+# None
+#########################
+postgresql_configure_tls() {
+ info "Configuring TLS"
+ chmod 600 "$POSTGRESQL_TLS_KEY_FILE" || warn "Could not set compulsory permissions (600) on file ${POSTGRESQL_TLS_KEY_FILE}"
+ postgresql_set_property "ssl" "on"
+ # Server ciphers are prefered by default
+ ! is_boolean_yes "$POSTGRESQL_TLS_PREFER_SERVER_CIPHERS" && postgresql_set_property "ssl_prefer_server_ciphers" "off"
+ [[ -n $POSTGRESQL_TLS_CA_FILE ]] && postgresql_set_property "ssl_ca_file" "$POSTGRESQL_TLS_CA_FILE"
+ [[ -n $POSTGRESQL_TLS_CRL_FILE ]] && postgresql_set_property "ssl_crl_file" "$POSTGRESQL_TLS_CRL_FILE"
+ postgresql_set_property "ssl_cert_file" "$POSTGRESQL_TLS_CERT_FILE"
+ postgresql_set_property "ssl_key_file" "$POSTGRESQL_TLS_KEY_FILE"
+}
+
 ########################
 # Change postgresql.conf by setting fsync
 # Globals:
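Review bot: The two `hostssl … cert` rules are only prepended, and the pre-existing `host all all 0.0.0.0/0 trust` / `host all all ::/0 trust` rules visible in the context above survive inside `$previous_content`, so a client that simply does not negotiate TLS still matches those `host` rules and is never asked for a certificate — providing `POSTGRESQL_TLS_CA_FILE` authenticates clients that opt in to TLS but does not enforce TLS. If mandatory client-certificate auth is the intent, reject cleartext explicitly ahead of `$previous_content`, e.g. `hostnossl all all 0.0.0.0/0 reject` and `hostnossl all all ::/0 reject`; if opt-in is the intent, the header comment should say so, e.g. `# NOTE: non-TLS connections still fall through to the existing host rules`. Either way the README's "support both standard and encrypted traffic" sentence should match the chosen behaviour.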
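Review bot: `chmod 600` on the private key only warns when it fails, yet PostgreSQL refuses to load a key file owned by the database user that is group- or world-readable, so a read-only or root-owned mounted secret (the usual Docker/Kubernetes secret layout) passes validation and then fails at server start with a less obvious message. Checking the resulting mode and failing hard is more useful than the warning: `[[ "$(stat -c %a "$POSTGRESQL_TLS_KEY_FILE")" =~ ^[46]00$ ]] || { error "Private key ${POSTGRESQL_TLS_KEY_FILE} must be mode 600 (or 0640 when owned by root)"; exit 1; }` — hedged on the library exposing an `error` logger alongside the `info`/`warn` used here. The chmod also mutates a bind-mounted host file in place, which is worth stating in the function's header comment. Note too that `ssl_ciphers` is left at the server default; a one-line comment saying that is deliberate would stop the next reader from assuming it was forgotten.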
@@ -490,6 +560,7 @@ postgresql_initialize() {
 is_boolean_yes "$create_pghba_file" && postgresql_restrict_pghba
 is_boolean_yes "$create_conf_file" && postgresql_configure_replication_parameters
 is_boolean_yes "$create_conf_file" && postgresql_configure_fsync
+ is_boolean_yes "$create_conf_file" && is_boolean_yes "$POSTGRESQL_ENABLE_TLS" && postgresql_configure_tls
 [[ "$POSTGRESQL_REPLICATION_MODE" = "master" ]] && [[ -n "$POSTGRESQL_REPLICATION_USER" ]] && is_boolean_yes "$create_pghba_file" && postgresql_add_replication_to_pghba
 [[ "$POSTGRESQL_REPLICATION_MODE" = "slave" ]] && postgresql_configure_recovery
 else
@@ -509,14 +580,18 @@ postgresql_initialize() {
 [[ -n "$POSTGRESQL_REPLICATION_USER" ]] && postgresql_create_replication_user
 is_boolean_yes "$create_conf_file" && postgresql_configure_replication_parameters
 is_boolean_yes "$create_conf_file" && postgresql_configure_fsync
+ is_boolean_yes "$create_conf_file" && is_boolean_yes "$POSTGRESQL_ENABLE_TLS" && postgresql_configure_tls
 [[ -n "$POSTGRESQL_REPLICATION_USER" ]] && is_boolean_yes "$create_pghba_file" && postgresql_add_replication_to_pghba
 else
 postgresql_slave_init_db
 is_boolean_yes "$create_pghba_file" && postgresql_restrict_pghba
 is_boolean_yes "$create_conf_file" && postgresql_configure_replication_parameters
 is_boolean_yes "$create_conf_file" && postgresql_configure_fsync
+ is_boolean_yes "$create_conf_file" && is_boolean_yes "$POSTGRESQL_ENABLE_TLS" && postgresql_configure_tls
 postgresql_configure_recovery
 fi
+ # TLS Modifications on pghba need to be performed after properly configuring postgresql.conf file
+ (is_boolean_yes "$create_pghba_file" && is_boolean_yes "$POSTGRESQL_ENABLE_TLS" && [[ -n $POSTGRESQL_TLS_CA_FILE ]] && postgresql_tls_auth_configuration) || true
 fi
 # Delete conf files generated on first run
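Review bot: The trailing `|| true` on the new pg_hba line turns a failure of postgresql_tls_auth_configuration itself (for instance an unreadable or unwritable `$POSTGRESQL_PGHBA_FILE`) into silent success, so the server would come up accepting TLS clients without the certificate requirement the operator asked for; the `|| true` is presumably there only so the guard conditions do not trip `set -e`. An `if` keeps the guard without masking the call: `if is_boolean_yes "$create_pghba_file" && is_boolean_yes "$POSTGRESQL_ENABLE_TLS" && [[ -n "$POSTGRESQL_TLS_CA_FILE" ]]; then postgresql_tls_auth_configuration; fi`. Separately, all three postgresql_configure_tls calls are gated on `$create_conf_file`, so with a user-supplied postgresql.conf the TLS variables are silently ignored; a `warn` when `POSTGRESQL_ENABLE_TLS` is yes but `$create_conf_file` is not would make that explicit rather than leaving it to the README. postgresql_initialize starts and ends outside this hunk.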
diff --git a/bitnami/postgresql/11/debian-10/rootfs/opt/bitnami/scripts/postgresql-env.sh b/bitnami/postgresql/11/debian-10/rootfs/opt/bitnami/scripts/postgresql-env.sh index 877d7be5ca2f..3f2e136f168d 100644 --- a/bitnami/postgresql/11/debian-10/rootfs/opt/bitnami/scripts/postgresql-env.sh +++ b/bitnami/postgresql/11/debian-10/rootfs/opt/bitnami/scripts/postgresql-env.sh @@ -53,6 +53,12 @@ postgresql_env_vars=( POSTGRESQL_POSTGRES_PASSWORD POSTGRESQL_REPLICATION_PASSWORD POSTGRESQL_INITSCRIPTS_PASSWORD + POSTGRESQL_ENABLE_TLS + POSTGRESQL_TLS_CERT_FILE + POSTGRESQL_TLS_KEY_FILE + POSTGRESQL_TLS_CA_FILE + POSTGRESQL_TLS_CRL_FILE + POSTGRESQL_TLS_PREFER_SERVER_CIPHERS ) for env_var in "${postgresql_env_vars[@]}"; do 
@@ -193,6 +199,24 @@ export POSTGRESQL_REPLICATION_PASSWORD="${POSTGRESQL_REPLICATION_PASSWORD:-}" export POSTGRESQL_INITSCRIPTS_PASSWORD="${POSTGRESQL_INITSCRIPTS_PASSWORD:-"${POSTGRES_INITSCRIPTS_PASSWORD:-}"}" export POSTGRESQL_INITSCRIPTS_PASSWORD="${POSTGRESQL_INITSCRIPTS_PASSWORD:-$POSTGRESQL_PASSWORD}" +export POSTGRESQL_ENABLE_TLS="${POSTGRESQL_ENABLE_TLS:-"${POSTGRES_ENABLE_TLS:-}"}" +export POSTGRESQL_ENABLE_TLS="${POSTGRESQL_ENABLE_TLS:-no}" + +export POSTGRESQL_TLS_CERT_FILE="${POSTGRESQL_TLS_CERT_FILE:-"${POSTGRES_TLS_CERT_FILE:-}"}" +export POSTGRESQL_TLS_CERT_FILE="${POSTGRESQL_TLS_CERT_FILE:-}" + +export POSTGRESQL_TLS_KEY_FILE="${POSTGRESQL_TLS_KEY_FILE:-"${POSTGRES_TLS_KEY_FILE:-}"}" +export POSTGRESQL_TLS_KEY_FILE="${POSTGRESQL_TLS_KEY_FILE:-}" + +export POSTGRESQL_TLS_CA_FILE="${POSTGRESQL_TLS_CA_FILE:-"${POSTGRES_TLS_CA_FILE:-}"}" +export POSTGRESQL_TLS_CA_FILE="${POSTGRESQL_TLS_CA_FILE:-}" + +export POSTGRESQL_TLS_CRL_FILE="${POSTGRESQL_TLS_CRL_FILE:-"${POSTGRES_TLS_CRL_FILE:-}"}" +export POSTGRESQL_TLS_CRL_FILE="${POSTGRESQL_TLS_CRL_FILE:-}" + +export POSTGRESQL_TLS_PREFER_SERVER_CIPHERS="${POSTGRESQL_TLS_PREFER_SERVER_CIPHERS:-"${POSTGRES_TLS_PREFER_SERVER_CIPHERS:-}"}" +export POSTGRESQL_TLS_PREFER_SERVER_CIPHERS="${POSTGRESQL_TLS_PREFER_SERVER_CIPHERS:-yes}" + # Internal export POSTGRESQL_FIRST_BOOT="yes" export NSS_WRAPPER_LIB="/opt/bitnami/common/lib/libnss_wrapper.so" diff --git a/bitnami/postgresql/README.md b/bitnami/postgresql/README.md index d44d9a513da6..39b7802e58a1 100644 --- a/bitnami/postgresql/README.md +++ b/bitnami/postgresql/README.md 
@@ -43,7 +43,7 @@ Learn more about the Bitnami tagging policy and the difference between rolling t * [`12-debian-10`, `12.3.0-debian-10-r52`, `12`, `12.3.0` (12/debian-10/Dockerfile)](https://github.com/bitnami/bitnami-docker-postgresql/blob/12.3.0-debian-10-r52/12/debian-10/Dockerfile) -* [`11-debian-10`, `11.8.0-debian-10-r56`, `11`, `11.8.0`, `latest` (11/debian-10/Dockerfile)](https://github.com/bitnami/bitnami-docker-postgresql/blob/11.8.0-debian-10-r56/11/debian-10/Dockerfile) +* [`11-debian-10`, `11.8.0-debian-10-r57`, `11`, `11.8.0`, `latest` (11/debian-10/Dockerfile)](https://github.com/bitnami/bitnami-docker-postgresql/blob/11.8.0-debian-10-r57/11/debian-10/Dockerfile) * [`10-debian-10`, `10.13.0-debian-10-r52`, `10`, `10.13.0` (10/debian-10/Dockerfile)](https://github.com/bitnami/bitnami-docker-postgresql/blob/10.13.0-debian-10-r52/10/debian-10/Dockerfile) * [`9.6-debian-10`, `9.6.18-debian-10-r55`, `9.6`, `9.6.18` (9.6/debian-10/Dockerfile)](https://github.com/bitnami/bitnami-docker-postgresql/blob/9.6.18-debian-10-r55/9.6/debian-10/Dockerfile) 
@@ -446,6 +446,51 @@ The LDAP related parameters are: For more information refer to [Postgresql LDAP auth configuration documentation](https://www.postgresql.org/docs/12/auth-ldap.html). +## Securing PostgreSQL traffic + +PostgreSQL supports the encryption of connections using the SSL/TLS protocol. Should you desire to enable this optional feature, you may use the following enviroment variables to configure the application: + + - `POSTGRESQL_ENABLE_TLS`: Whether to enable TLS for traffic or not. Defaults to `no`. + - `POSTGRESQL_TLS_CERT_FILE`: File containing the certificate file for the TLS traffic. No defaults. + - `POSTGRESQL_TLS_KEY_FILE`: File containing the key for certificate. No defaults. + - `POSTGRESQL_TLS_CA_FILE`: File containing the CA of the certificate. If provided, PostgreSQL will authenticate TLS/SSL clients by requesting them a certificate (see [ref](https://www.postgresql.org/docs/9.6/auth-methods.html)). No defaults. + - `POSTGRESQL_TLS_CRL_FILE`: File containing a Certificate Revocation List. No defaults. + - `POSTGRESQL_TLS_PREFER_SERVER_CIPHERS`: Whether to use the server's TLS cipher preferences rather than the client's. Defaults to `yes`. + +When enabling TLS, PostgreSQL will support both standard and encrypted traffic by default, but prefer the latter. Below there are some examples on how to quickly set up TLS traffic: + +1. Using `docker run` + + ```console + $ docker run \ + -v /path/to/certs:/opt/bitnami/postgresql/certs \ + -e ALLOW_EMPTY_PASSWORD=yes \ + -e POSTGRESQL_ENABLE_TLS=yes \ + -e POSTGRESQL_TLS_CERT_FILE=/opt/bitnami/postgresql/certs/postgres.crt \ + -e POSTGRESQL_TLS_KEY_FILE=/opt/bitnami/postgresql/certs/postgres.key \ + bitnami/postgresql:latest + ``` + +2. Modifying the `docker-compose.yml` file present in this repository: + + ```yaml + services: + postgresql: + ... + environment: + ... 
+ - POSTGRESQL_ENABLE_TLS=yes + - POSTGRESQL_TLS_CERT_FILE=/opt/bitnami/postgresql/certs/postgres.crt + - POSTGRESQL_TLS_KEY_FILE=/opt/bitnami/postgresql/certs/postgres.key + ... + volumes: + ... + - /path/to/certs:/opt/bitnami/postgresql/certs + ... + ``` + +Alternatively, you may also provide this configuration in your [custom](https://github.com/bitnami/bitnami-docker-postgresql#configuration-file) configuration file. + ## Configuration file The image looks for `postgresql.conf` file in `/opt/bitnami/postgresql/conf/`. You can mount a volume at `/bitnami/postgresql/conf/` and copy/edit the `postgresql.conf` file in the `/path/to/postgresql-persistence/conf/`. The default configurations will be populated to the `conf/` directory if it's empty.