Skip to content

Error when POSTGRES_PASSWORD is unset like mysql #658

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Feb 12, 2020
Merged

Error when POSTGRES_PASSWORD is unset like mysql #658

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
42ce743
Error when POSTGRES_PASSWORD is unset like mysql
yosifkit Dec 23, 2019
46161d6
Add missing -n's to bash test
yosifkit Dec 23, 2019
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
64 changes: 41 additions & 23 deletions 10/alpine/docker-entrypoint.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ docker_create_db_directories() {
chmod 775 /var/run/postgresql || :

# Create the transaction log directory before initdb is run so the directory is owned by the correct user
if [ "$POSTGRES_INITDB_WALDIR" ]; then
if [ -n "$POSTGRES_INITDB_WALDIR" ]; then
mkdir -p "$POSTGRES_INITDB_WALDIR"
if [ "$user" = '0' ]; then
find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
Expand Down Expand Up @@ -74,7 +74,7 @@ docker_init_database_dir() {
echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
fi

if [ "$POSTGRES_INITDB_WALDIR" ]; then
if [ -n "$POSTGRES_INITDB_WALDIR" ]; then
set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
fi

Expand All @@ -87,7 +87,10 @@ docker_init_database_dir() {
fi
}

# print large warning if POSTGRES_PASSWORD is empty
# print large warning if POSTGRES_PASSWORD is long
# error if both POSTGRES_PASSWORD is unset and POSTGRES_HOST_AUTH_METHOD is not 'trust'
# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
# check password first so we can output the warning before postgres
# messes it up
Expand All @@ -103,22 +106,36 @@ docker_verify_minimum_env() {

EOWARN
fi
if [ -z "$POSTGRES_PASSWORD" ]; then
if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
cat >&2 <<-'EOE'
Error: Database is uninitialized and superuser password is not specified.
You must specify POSTGRES_PASSWORD for the superuser. Use
"-e POSTGRES_PASSWORD=password" to set it in "docker run".

You may also use POSTGRES_HOST_AUTH_METHOD=trust to allow all connections
without a password. This is *not* recommended. See PostgreSQL
documentation about "trust":
https://www.postgresql.org/docs/current/auth-trust.html
EOE
exit 1
fi
if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
cat >&2 <<-'EOWARN'
****************************************************
WARNING: No password has been set for the database.
This will allow anyone with access to the
Postgres port to access your database. In
Docker's default configuration, this is
effectively any other container on the same
system.

Use "-e POSTGRES_PASSWORD=password" to set
it in "docker run".
****************************************************
********************************************************************************
WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
anyone with access to the Postgres port to access your database without
a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
documentation about "trust":
https://www.postgresql.org/docs/current/auth-trust.html
In Docker's default configuration, this is effectively any other
container on the same system.

It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
it with "-e POSTGRES_PASSWORD=password" instead to set a password in
"docker run".
********************************************************************************
EOWARN

fi
}

Expand Down Expand Up @@ -185,6 +202,8 @@ docker_setup_env() {
file_env 'POSTGRES_USER' 'postgres'
file_env 'POSTGRES_DB' "$POSTGRES_USER"
file_env 'POSTGRES_INITDB_ARGS'
# default authentication method is md5
: "${POSTGRES_HOST_AUTH_METHOD:=md5}"

declare -g DATABASE_ALREADY_EXISTS
# look specifically for PG_VERSION, as it is expected in the DB dir
Expand All @@ -193,16 +212,15 @@ docker_setup_env() {
fi
}

# append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD
# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
pg_setup_hba_conf() {
local authMethod='md5'
if [ -z "$POSTGRES_PASSWORD" ]; then
authMethod='trust'
fi

{
echo
echo "host all all all $authMethod"
if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
echo '# warning trust is enabled for all connections'
echo '# see https://www.postgresql.org/docs/12/auth-trust.html'
fi
echo "host all all all $POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
}

Expand Down
64 changes: 41 additions & 23 deletions 10/docker-entrypoint.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ docker_create_db_directories() {
chmod 775 /var/run/postgresql || :

# Create the transaction log directory before initdb is run so the directory is owned by the correct user
if [ "$POSTGRES_INITDB_WALDIR" ]; then
if [ -n "$POSTGRES_INITDB_WALDIR" ]; then
mkdir -p "$POSTGRES_INITDB_WALDIR"
if [ "$user" = '0' ]; then
find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
Expand Down Expand Up @@ -74,7 +74,7 @@ docker_init_database_dir() {
echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
fi

if [ "$POSTGRES_INITDB_WALDIR" ]; then
if [ -n "$POSTGRES_INITDB_WALDIR" ]; then
set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
fi

Expand All @@ -87,7 +87,10 @@ docker_init_database_dir() {
fi
}

# print large warning if POSTGRES_PASSWORD is empty
# print large warning if POSTGRES_PASSWORD is long
# error if both POSTGRES_PASSWORD is unset and POSTGRES_HOST_AUTH_METHOD is not 'trust'
# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
# check password first so we can output the warning before postgres
# messes it up
Expand All @@ -103,22 +106,36 @@ docker_verify_minimum_env() {

EOWARN
fi
if [ -z "$POSTGRES_PASSWORD" ]; then
if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
cat >&2 <<-'EOE'
Error: Database is uninitialized and superuser password is not specified.
You must specify POSTGRES_PASSWORD for the superuser. Use
"-e POSTGRES_PASSWORD=password" to set it in "docker run".

You may also use POSTGRES_HOST_AUTH_METHOD=trust to allow all connections
without a password. This is *not* recommended. See PostgreSQL
documentation about "trust":
https://www.postgresql.org/docs/current/auth-trust.html
EOE
exit 1
fi
if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
cat >&2 <<-'EOWARN'
****************************************************
WARNING: No password has been set for the database.
This will allow anyone with access to the
Postgres port to access your database. In
Docker's default configuration, this is
effectively any other container on the same
system.

Use "-e POSTGRES_PASSWORD=password" to set
it in "docker run".
****************************************************
********************************************************************************
WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
anyone with access to the Postgres port to access your database without
a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
documentation about "trust":
https://www.postgresql.org/docs/current/auth-trust.html
In Docker's default configuration, this is effectively any other
container on the same system.

It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
it with "-e POSTGRES_PASSWORD=password" instead to set a password in
"docker run".
********************************************************************************
EOWARN

fi
}

Expand Down Expand Up @@ -185,6 +202,8 @@ docker_setup_env() {
file_env 'POSTGRES_USER' 'postgres'
file_env 'POSTGRES_DB' "$POSTGRES_USER"
file_env 'POSTGRES_INITDB_ARGS'
# default authentication method is md5
: "${POSTGRES_HOST_AUTH_METHOD:=md5}"

declare -g DATABASE_ALREADY_EXISTS
# look specifically for PG_VERSION, as it is expected in the DB dir
Expand All @@ -193,16 +212,15 @@ docker_setup_env() {
fi
}

# append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD
# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
pg_setup_hba_conf() {
local authMethod='md5'
if [ -z "$POSTGRES_PASSWORD" ]; then
authMethod='trust'
fi

{
echo
echo "host all all all $authMethod"
if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
echo '# warning trust is enabled for all connections'
echo '# see https://www.postgresql.org/docs/12/auth-trust.html'
fi
echo "host all all all $POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
}

Expand Down
64 changes: 41 additions & 23 deletions 11/alpine/docker-entrypoint.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ docker_create_db_directories() {
chmod 775 /var/run/postgresql || :

# Create the transaction log directory before initdb is run so the directory is owned by the correct user
if [ "$POSTGRES_INITDB_WALDIR" ]; then
if [ -n "$POSTGRES_INITDB_WALDIR" ]; then
mkdir -p "$POSTGRES_INITDB_WALDIR"
if [ "$user" = '0' ]; then
find "$POSTGRES_INITDB_WALDIR" \! -user postgres -exec chown postgres '{}' +
Expand Down Expand Up @@ -74,7 +74,7 @@ docker_init_database_dir() {
echo "postgres:x:$(id -g):" > "$NSS_WRAPPER_GROUP"
fi

if [ "$POSTGRES_INITDB_WALDIR" ]; then
if [ -n "$POSTGRES_INITDB_WALDIR" ]; then
set -- --waldir "$POSTGRES_INITDB_WALDIR" "$@"
fi

Expand All @@ -87,7 +87,10 @@ docker_init_database_dir() {
fi
}

# print large warning if POSTGRES_PASSWORD is empty
# print large warning if POSTGRES_PASSWORD is long
# error if both POSTGRES_PASSWORD is unset and POSTGRES_HOST_AUTH_METHOD is not 'trust'
# print large warning if POSTGRES_HOST_AUTH_METHOD is set to 'trust'
# assumes database is not set up, ie: [ -z "$DATABASE_ALREADY_EXISTS" ]
docker_verify_minimum_env() {
# check password first so we can output the warning before postgres
# messes it up
Expand All @@ -103,22 +106,36 @@ docker_verify_minimum_env() {

EOWARN
fi
if [ -z "$POSTGRES_PASSWORD" ]; then
if [ -z "$POSTGRES_PASSWORD" ] && [ 'trust' != "$POSTGRES_HOST_AUTH_METHOD" ]; then
# The - option suppresses leading tabs but *not* spaces. :)
cat >&2 <<-'EOE'
Error: Database is uninitialized and superuser password is not specified.
You must specify POSTGRES_PASSWORD for the superuser. Use
"-e POSTGRES_PASSWORD=password" to set it in "docker run".

You may also use POSTGRES_HOST_AUTH_METHOD=trust to allow all connections
without a password. This is *not* recommended. See PostgreSQL
documentation about "trust":
https://www.postgresql.org/docs/current/auth-trust.html
EOE
exit 1
fi
if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
cat >&2 <<-'EOWARN'
****************************************************
WARNING: No password has been set for the database.
This will allow anyone with access to the
Postgres port to access your database. In
Docker's default configuration, this is
effectively any other container on the same
system.

Use "-e POSTGRES_PASSWORD=password" to set
it in "docker run".
****************************************************
********************************************************************************
WARNING: POSTGRES_HOST_AUTH_METHOD has been set to "trust". This will allow
anyone with access to the Postgres port to access your database without
a password, even if POSTGRES_PASSWORD is set. See PostgreSQL
documentation about "trust":
https://www.postgresql.org/docs/current/auth-trust.html
In Docker's default configuration, this is effectively any other
container on the same system.

It is not recommended to use POSTGRES_HOST_AUTH_METHOD=trust. Replace
it with "-e POSTGRES_PASSWORD=password" instead to set a password in
"docker run".
********************************************************************************
EOWARN

fi
}

Expand Down Expand Up @@ -185,6 +202,8 @@ docker_setup_env() {
file_env 'POSTGRES_USER' 'postgres'
file_env 'POSTGRES_DB' "$POSTGRES_USER"
file_env 'POSTGRES_INITDB_ARGS'
# default authentication method is md5
: "${POSTGRES_HOST_AUTH_METHOD:=md5}"

declare -g DATABASE_ALREADY_EXISTS
# look specifically for PG_VERSION, as it is expected in the DB dir
Expand All @@ -193,16 +212,15 @@ docker_setup_env() {
fi
}

# append md5 or trust auth to pg_hba.conf based on existence of POSTGRES_PASSWORD
# append POSTGRES_HOST_AUTH_METHOD to pg_hba.conf for "host" connections
pg_setup_hba_conf() {
local authMethod='md5'
if [ -z "$POSTGRES_PASSWORD" ]; then
authMethod='trust'
fi

{
echo
echo "host all all all $authMethod"
if [ 'trust' = "$POSTGRES_HOST_AUTH_METHOD" ]; then
echo '# warning trust is enabled for all connections'
echo '# see https://www.postgresql.org/docs/12/auth-trust.html'
fi
echo "host all all all $POSTGRES_HOST_AUTH_METHOD"
} >> "$PGDATA/pg_hba.conf"
}

Expand Down
Loading