From c8b15861d9eefe2b438019a8ea8cfc874b5f1d25 Mon Sep 17 00:00:00 2001
From: Konstantin Demin
Date: Fri, 15 Aug 2025 17:02:15 +0300
Subject: [PATCH] major upgrade except citus - no packages for Debian 13 yet

---
 Dockerfile | 6 ++++--
 Dockerfile.base | 34 ++++++++++++++++------------------
 Dockerfile.deps | 21 ++++++++++++---------
 apt/preferences.backports | 23 -----------------------
 apt/preferences.pgdg | 2 +-
 apt/preferences.pgdg-ver.in | 2 +-
 apt/sources.citus | 2 +-
 apt/sources.debian | 4 ++--
 apt/sources.pgdg | 2 +-
 apt/sources.pgdg-ver.in | 2 +-
 build-scripts/image-base.sh | 4 ++--
 build-scripts/image-deps.sh | 4 ++--
 build-scripts/image.sh | 2 +-
 requirements.txt | 8 ++++----
 14 files changed, 48 insertions(+), 68 deletions(-)
 delete mode 100644 apt/preferences.backports

diff --git a/Dockerfile b/Dockerfile
index 799673f..aa0d479 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,6 @@
 ARG UPSTREAM_IMAGE_VERSION
 ARG DEPS_IMAGE
-FROM docker.io/library/postgres:${UPSTREAM_IMAGE_VERSION}-bookworm AS postgresql-upstream
+FROM docker.io/library/postgres:${UPSTREAM_IMAGE_VERSION}-trixie AS postgresql-upstream
 FROM ${DEPS_IMAGE} AS deps
 
 ## ---
@@ -105,7 +105,9 @@ VOLUME [ "${PGHOME}" ]
 
 ## ---
 
-FROM citus
+## TODO: disabled until citus packages are ready for Debian 13
+# FROM citus
+FROM postgresql-extras
 SHELL [ "/bin/sh", "-ec" ]
 
 COPY /Dockerfile /usr/local/share/
diff --git a/Dockerfile.base b/Dockerfile.base
index 2906453..d7f6245 100644
--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -1,11 +1,9 @@
-ARG PYTHONTAG=3.12.10-slim-bookworm
+ARG PYTHONTAG=3.12.11-slim-trixie
 FROM docker.io/python:${PYTHONTAG} AS base-upstream
 
 FROM base-upstream AS base-intermediate
 SHELL [ "/bin/sh", "-ec" ]
 
-COPY /Dockerfile.base /usr/local/share/
-
 COPY /scripts/* /usr/local/sbin/
 COPY /extra-scripts/* /usr/local/sbin/
 
@@ -20,8 +18,7 @@ ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
 PYTHONUNBUFFERED=1 \
 PYTHONDONTWRITEBYTECODE=1
 
-COPY /apt/preferences.backports /etc/apt/preferences.d/backports
-COPY /apt/sources.debian /etc/apt/sources.list.d/debian.sources
+COPY /apt/sources.debian /etc/apt/sources.list.d/debian.sources
 
 ## prevent services from auto-starting, part 1
 RUN s='/usr/sbin/policy-rc.d' ; b='/usr/bin/policy-rc.d' ; \
@@ -60,7 +57,6 @@ RUN apt-env.sh apt-get update ; \
 jq \
 less \
 libcap2-bin \
- libjemalloc2 \
 libnss-wrapper \
 logrotate \
 lsof \
@@ -70,13 +66,16 @@ RUN apt-env.sh apt-get update ; \
 openssl \
 procps \
 psmisc \
+ systemd-standalone-sysusers \
 tzdata \
 vim \
 xxd \
 xz-utils \
 zstd \
 ; \
- apt-clean.sh
+ apt-clean.sh ; \
+ ## remove broken symlinks
+ find /etc/ -xdev -follow -type l -ls -delete
 
 ## perl-base: hardlink->symlink
 RUN set +e ; \
@@ -228,12 +227,8 @@ RUN set -f ; \
 rm -fv "$p" ; \
 done ; \
 done ; \
- ## fixup
- rm -f \
- /bin/lastb \
- /bin/sg \
- /sbin/getty \
- ; :
+ ## remove broken symlinks
+ find /bin/ /sbin/ -xdev -follow -type l -ls -delete
 
 ## remove excessive privileges from binaries: setuid/setgid
 RUN find / -xdev -type f -perm /7000 \
@@ -279,14 +274,14 @@ SHELL [ "/bin/sh", "-ec" ]
 COPY /scripts/* /usr/local/sbin/
 COPY /extra-scripts/* /usr/local/sbin/
 
-## "2025.01.31"
-ENV CERTIFI_COMMIT=088f93122ea7c91cfdaeea7fa76ab2f850b8064d
+## "2025.08.03"
+ENV CERTIFI_COMMIT=a97d9ad8f87c382378dddc0b0b33b9770932404e
 
 # 'https://raw.githubusercontent.com/certifi/python-certifi'
 ARG CERTIFI_BASE_URI='https://github.com/certifi/python-certifi/raw'
 ARG CERTIFI_URI="${CERTIFI_BASE_URI}/${CERTIFI_COMMIT}/certifi/cacert.pem"
 
-ADD "${CERTIFI_URI}" /tmp/certifi.crt
+ADD "${CERTIFI_URI}" /tmp/certifi.crt
 
 RUN apt-install.sh ca-certificates ; \
 apt-clean.sh ; \
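Review bot: The new `find /bin/ /sbin/ -xdev -follow -type l -ls -delete` in the @@ -228 hunk removes only dangling symlinks, whereas the `rm -f /bin/lastb /bin/sg /sbin/getty` it replaces deleted those paths unconditionally; if any of the three survives the preceding loop as a regular file or a still-resolving link, it now stays in the image. If that is intended, a comment to that effect would help; otherwise keep a short assertion after the find, e.g. `for p in /bin/lastb /bin/sg /sbin/getty ; do [ ! -e "$p" ] ; done`, so a regression fails the build instead of shipping. The same dangling-link cleanup is introduced for /etc/ in the @@ -70 hunk, and the `-ls` output is the only record of what either step deleted. Both RUN instructions begin before their hunks.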
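Review bot: The re-touched `ADD "${CERTIFI_URI}" /tmp/certifi.crt` in the @@ -279 hunk still fetches the CA bundle with no integrity check; the commit hash in CERTIFI_URI pins which revision is requested, but nothing verifies the bytes that arrive, and the certs stage appears to feed the bundle that later stages copy in as their trust store. Since the line is being changed anyway, pin the content as well: `ADD --checksum=sha256:<sha256 of cacert.pem at CERTIFI_COMMIT> "${CERTIFI_URI}" /tmp/certifi.crt` (BuildKit syntax; recent buildah, which build-scripts use, accepts it as far as I know), or fetch in a RUN and compare against a recorded digest. The catatonit tarball ADD in Dockerfile.deps has the same gap but sits just outside that file's @@ -23 hunk.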
@@ -320,7 +315,8 @@ RUN pkg='gnupg' ; \
 apt-remove.sh ${pkg}
 
 COPY /apt/sources.pgdg /etc/apt/sources.list.d/pgdg.sources
-COPY /apt/sources.citus /etc/apt/sources.list.d/citus.sources
+## TODO: disabled until citus packages are ready for Debian 13
+# COPY /apt/sources.citus /etc/apt/sources.list.d/citus.sources
 
 ## verify sources!
 RUN apt-env.sh apt-get update ; \
@@ -329,6 +325,9 @@ RUN apt-env.sh apt-get update ; \
 ## ---
 
 FROM base-intermediate AS base
+SHELL [ "/bin/sh", "-ec" ]
+
+COPY /Dockerfile.base /usr/local/share/
 
 COPY --from=certs /etc/ssl/certs/ca-certificates.* /etc/ssl/certs/
 COPY --from=apt-gpg /etc/apt/keyrings/ /etc/apt/keyrings/
@@ -365,7 +364,6 @@ RUN apt-clean.sh
 RUN find /usr/local/sbin/ ! -type d -ls -delete ; \
 find /run/ -mindepth 1 -ls -delete || : ; \
 install -d -m 01777 /run/lock ; \
- jdupes -1LSpr /usr/local/ ; \
 jdupes -1LSpr /usr/
 
 ENTRYPOINT [ ]
diff --git a/Dockerfile.deps b/Dockerfile.deps
index c00ea1f..85ae19b 100644
--- a/Dockerfile.deps
+++ b/Dockerfile.deps
@@ -3,7 +3,7 @@ FROM ${BASE_IMAGE} AS base
 
 ## ---
 
-FROM base AS catatonit
+FROM base AS tools
 SHELL [ "/bin/sh", "-ec" ]
 
 COPY /scripts/* /usr/local/sbin/
@@ -23,6 +23,13 @@ ADD "${CATATONIT_URI}" /tmp/catatonit.tar.gz
 
 RUN pkg='build-essential debhelper musl-dev autoconf autoconf-archive' ; \
 apt-install.sh ${pkg} ; \
+ DEB_HOST_GNU_TYPE=$(dpkg-architecture -q DEB_HOST_GNU_TYPE) ; \
+ export HOSTCC="${DEB_HOST_GNU_TYPE}-gcc" ; \
+ DEB_TARGET_GNU_TYPE=$(dpkg-architecture -q DEB_TARGET_GNU_TYPE) ; \
+ DEB_TARGET_MUSL_TYPE=$(printf '%s' "${DEB_TARGET_GNU_TYPE}" | sed -E 's/-gnu$/-musl/') ; \
+ CFLAGS_LTO="-flto=2 -fuse-linker-plugin -ffat-lto-objects -flto-partition=none" ; \
+ CFLAGS_COMMON="-O2 -g -pipe -fPIE -fstack-protector-strong -fstack-clash-protection -fcf-protection" ; \
+ CPPFLAGS="-Wall -Wextra -Werror=format-security -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2" ; \
 ## build catatonit
 d=/tmp/catatonit ; \
 rm -rf "$d" ; \
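Review bot: Disabling the citus sources in the @@ -320 hunk leaves the citus signing key in play if the apt-gpg stage still fetches it: the `COPY --from=apt-gpg /etc/apt/keyrings/ /etc/apt/keyrings/` context line in the @@ -329 hunk copies the whole keyring directory into the final base image, so a key no source references would ship anyway. If that stage imports the key, comment it out alongside the COPY with the same TODO, or state in the TODO that the key is kept on purpose for re-enabling, e.g. `## TODO: citus key stays in apt-gpg so the source can be re-enabled without a base rebuild`. I cannot see the apt-gpg stage from this hunk, so this is worth a quick check rather than a certainty.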
@@ -32,13 +39,9 @@ RUN pkg='build-essential debhelper musl-dev autoconf autoconf-archive' ; \
 tar --strip-components=1 -xf /tmp/catatonit.tar.gz ; \
 commit_abbrev=$(printf '%s' "${CATATONIT_COMMIT}" | cut -c1-8) ; \
 sed -i "s/+dev/+git.${commit_abbrev}/" configure.ac ; \
- # DEB_HOST_GNU_TYPE=$(dpkg-architecture -q DEB_HOST_GNU_TYPE) ; \
- # export HOSTCC="${DEB_HOST_GNU_TYPE}-gcc" ; \
- DEB_TARGET_GNU_TYPE=$(dpkg-architecture -q DEB_TARGET_GNU_TYPE) ; \
- DEB_TARGET_MUSL_TYPE=$(printf '%s' "${DEB_TARGET_GNU_TYPE}" | sed -E 's/-gnu$/-musl/') ; \
 export CC="${DEB_TARGET_MUSL_TYPE}-gcc" ; \
- export CFLAGS='-Os -g -pipe -fpie -fstack-protector-strong -fstack-clash-protection -fcf-protection -D_FORTIFY_SOURCE=2' ; \
- export LDFLAGS='-static-pie -Wl,-z -Wl,relro' ; \
+ export CFLAGS="${CFLAGS_LTO} ${CFLAGS_COMMON} ${CPPFLAGS}" ; \
+ export LDFLAGS="-static-pie -Wl,-z,relro -Wl,-z,now" ; \
 autoreconf -fiv ; \
 ./configure ; \
 make -j1 ; \
@@ -83,7 +86,7 @@ RUN w=$(mktemp -d) ; : "${w:?}" ; \
 set -e ; \
 rm -rf "$w/" ; unset w ; \
 apt-install.sh build-essential ; \
- pip-env.sh pip install 'cython~=3.0.12' ; \
+ pip-env.sh pip install 'cython~=3.1.3' ; \
 pip-env.sh pip install \
 --no-binary 'cffi,psutil,pyyaml' \
 -r /tmp/requirements.txt \
@@ -135,7 +138,7 @@ COPY /scripts/* /usr/local/sbin/
 COPY /apt/sources.pgdg /etc/apt/sources.list.d/pgdg.sources
 COPY /apt/preferences.pgdg /etc/apt/preferences.d/pgdg
 
-COPY --from=catatonit /usr/local/bin/catatonit /usr/local/bin/
+COPY --from=tools /usr/local/bin/catatonit /usr/local/bin/
 COPY --from=patroni /usr/local/bin/ /usr/local/bin/
 COPY --from=patroni /${PYTHON_SITE_PACKAGES}/ /${PYTHON_SITE_PACKAGES}/
 
diff --git a/apt/preferences.backports b/apt/preferences.backports
deleted file mode 100644
index fe469f4..0000000
--- a/apt/preferences.backports
+++ /dev/null
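Review bot: The new `export CFLAGS="${CFLAGS_LTO} ${CFLAGS_COMMON} ${CPPFLAGS}"` pulls in `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2` and `-fcf-protection` from the variables defined in the @@ -23 hunk, but `CC` is the musl cross wrapper set on the line above; as far as I know musl's headers do not implement _FORTIFY_SOURCE, so the define is inert with Debian's musl-dev unless separate fortify headers are installed, and `-fcf-protection` is accepted only on x86 targets, so the catatonit build would fail if this stage is ever built for another architecture. Worth confirming on the toolchain in use and then either dropping the inert define or documenting it, e.g. `## _FORTIFY_SOURCE: no effect with musl, kept for parity with the glibc flag set`, and gating `-fcf-protection` on `DEB_TARGET_GNU_TYPE` if multi-arch is a goal. The real hardening gain here is full RELRO via `-Wl,-z,relro -Wl,-z,now`, which deserves a one-line comment too. This RUN instruction starts before the hunk.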
@@ -1,23 +0,0 @@
-Package: src:curl
-Pin: release n=bookworm-backports
-Pin-Priority: 600
-
-Package: src:elfutils
-Pin: release n=bookworm-backports
-Pin-Priority: 600
-
-Package: src:iproute2
-Pin: release n=bookworm-backports
-Pin-Priority: 600
-
-Package: src:libbpf
-Pin: release n=bookworm-backports
-Pin-Priority: 600
-
-Package: src:systemd
-Pin: release n=bookworm-backports
-Pin-Priority: 600
-
-Package: src:sysvinit
-Pin: release n=bookworm-backports
-Pin-Priority: 600
diff --git a/apt/preferences.pgdg b/apt/preferences.pgdg
index c111a84..f22239b 100644
--- a/apt/preferences.pgdg
+++ b/apt/preferences.pgdg
@@ -1,3 +1,3 @@
 Package: *
-Pin: release a=bookworm-pgdg
+Pin: release a=trixie-pgdg
 Pin-Priority: 600
diff --git a/apt/preferences.pgdg-ver.in b/apt/preferences.pgdg-ver.in
index 003eaeb..87bc44f 100644
--- a/apt/preferences.pgdg-ver.in
+++ b/apt/preferences.pgdg-ver.in
@@ -1,3 +1,3 @@
 Package: src:postgresql-%{PG_MAJOR}
-Pin: release a=bookworm-pgdg
+Pin: release a=trixie-pgdg
 Pin-Priority: 650
diff --git a/apt/sources.citus b/apt/sources.citus
index 31b68a4..1d1a783 100644
--- a/apt/sources.citus
+++ b/apt/sources.citus
@@ -1,5 +1,5 @@
 Types: deb
 URIs: https://packagecloud.io/citusdata/community/debian/
-Suites: bookworm
+Suites: trixie
 Components: main
 Signed-By: /etc/apt/keyrings/citus.gpg.asc
diff --git a/apt/sources.debian b/apt/sources.debian
index 75c083a..3433414 100644
--- a/apt/sources.debian
+++ b/apt/sources.debian
@@ -1,11 +1,11 @@
 Types: deb
 URIs: http://deb.debian.org/debian
-Suites: bookworm bookworm-updates bookworm-proposed-updates bookworm-backports
+Suites: trixie trixie-updates trixie-proposed-updates trixie-backports
 Components: main
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 
 Types: deb
 URIs: http://deb.debian.org/debian-security
-Suites: bookworm-security
+Suites: trixie-security
 Components: main
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
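Review bot: `Suites: trixie trixie-updates trixie-proposed-updates trixie-backports` in sources.debian keeps backports enabled while this commit deletes apt/preferences.backports, the pin file that raised selected backports packages above their default NotAutomatic priority; with no pin left, apt will not select anything from that suite, so it now only adds an index to every `apt-get update` and one more channel whose metadata is trusted. Unless a later step pulls a package from it explicitly, drop it: `Suites: trixie trixie-updates trixie-proposed-updates`; if it is kept deliberately, a one-line comment in the file saying why would spare the next reader the same question.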
diff --git a/apt/sources.pgdg b/apt/sources.pgdg
index 1bfe8f1..8b19e2f 100644
--- a/apt/sources.pgdg
+++ b/apt/sources.pgdg
@@ -1,5 +1,5 @@
 Types: deb
 URIs: http://apt.postgresql.org/pub/repos/apt/
-Suites: bookworm-pgdg
+Suites: trixie-pgdg
 Components: main
 Signed-By: /etc/apt/keyrings/pgdg.gpg.asc
diff --git a/apt/sources.pgdg-ver.in b/apt/sources.pgdg-ver.in
index e1be7ed..8e970d0 100644
--- a/apt/sources.pgdg-ver.in
+++ b/apt/sources.pgdg-ver.in
@@ -1,5 +1,5 @@
 Types: deb
 URIs: http://apt.postgresql.org/pub/repos/apt/
-Suites: bookworm-pgdg
+Suites: trixie-pgdg
 Components: %{PG_MAJOR}
 Signed-By: /etc/apt/keyrings/pgdg.gpg.asc
diff --git a/build-scripts/image-base.sh b/build-scripts/image-base.sh
index 002d740..0fd8c96 100755
--- a/build-scripts/image-base.sh
+++ b/build-scripts/image-base.sh
@@ -8,7 +8,7 @@ BUILDAH_ISOLATION="${BUILDAH_ISOLATION:-chroot}"
 BUILDAH_NETWORK="${BUILDAH_NETWORK:-host}"
 set +a
 
-PYTHONTAG="${PYTHONTAG:-3.12.10-slim-bookworm}"
+PYTHONTAG="${PYTHONTAG:-3.12.11-slim-trixie}"
 
 grab_site_packages() {
 podman run \
@@ -27,7 +27,7 @@ grab_site_packages() {
 PYTHON_SITE_PACKAGES=$(grab_site_packages "docker.io/python:${PYTHONTAG}")
 [ -n "${PYTHON_SITE_PACKAGES:?}" ]
 
-img="docker.io/rockdrilla/postgresql:base-v5"
+img="docker.io/rockdrilla/postgresql:base-v6"
 
 buildah bud \
 -f ./Dockerfile.base \
diff --git a/build-scripts/image-deps.sh b/build-scripts/image-deps.sh
index cedbce3..a2befee 100755
--- a/build-scripts/image-deps.sh
+++ b/build-scripts/image-deps.sh
@@ -8,8 +8,8 @@ BUILDAH_ISOLATION="${BUILDAH_ISOLATION:-chroot}"
 BUILDAH_NETWORK="${BUILDAH_NETWORK:-host}"
 set +a
 
-img="docker.io/rockdrilla/postgresql:deps-v5"
-base="docker.io/rockdrilla/postgresql:base-v5"
+img="docker.io/rockdrilla/postgresql:deps-v6"
+base="docker.io/rockdrilla/postgresql:base-v6"
 
 exec buildah bud \
 -f ./Dockerfile.deps \
diff --git a/build-scripts/image.sh b/build-scripts/image.sh
index b4e186d..b16dae0 100755
--- a/build-scripts/image.sh
+++ b/build-scripts/image.sh
@@ -12,7 +12,7 @@ POSTGRESQL_VERSION="${1:-16.7}"
 PG_MAJOR="${POSTGRESQL_VERSION%%.*}"
 
 img="docker.io/rockdrilla/postgresql:${POSTGRESQL_VERSION}"
-deps="docker.io/rockdrilla/postgresql:deps-v5"
+deps="docker.io/rockdrilla/postgresql:deps-v6"
 
 c=$(buildah from --pull=missing "${deps}")
 [ -n "${c:?}" ]
diff --git a/requirements.txt b/requirements.txt
index e9864fd..70bb426 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,7 +1,7 @@
 ## psycopg[c,pool]
 psycopg-c==3.2.9
 
-typing_extensions==4.13.2
+typing_extensions==4.14.1
 psycopg-pool==3.2.6
 psycopg[c,pool]==3.2.9
 
@@ -14,15 +14,15 @@ psutil==7.0.0
 six==1.17.0
 python-dateutil==2.9.0.post0
 PyYAML==6.0.2
-urllib3==2.4.0
+urllib3==2.5.0
 ydiff==1.4.2
 dnspython==2.7.0
 python-etcd==0.4.5
-patroni[etcd3,kubernetes]==4.0.5
+patroni[etcd3,kubernetes]==4.0.6
 
 ## misc
 cdiff==1.0
 pycparser==2.22
 cffi==1.17.1
-cryptography==45.0.2
+cryptography==45.0.6
 netaddr==1.3.0