krd/postgresql-citus-patroni-image
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: krd:dea7d7cd0e5b2b29bd0e632e33ca23e5c420f536
Branches Tags
krd:main
...
compare: krd:main
Branches Tags
krd:main

15 Commits
dea7d7cd0e ... main

Author SHA1 Message Date
Konstantin Demin
eb6e4efca9 refactor layout 
python extensions are built using strictly versioned libpq-dev
 2025-08-29 02:13:51 +03:00
Konstantin Demin
c8b15861d9 major upgrade 
except citus - no packages for Debian 13 yet
 2025-08-15 17:02:15 +03:00
Konstantin Demin
af04718692 update/refactor 2025-05-25 12:48:57 +03:00
Konstantin Demin
91d3a48177 update deps 2025-04-09 14:46:16 +03:00
Konstantin Demin
8b83963828 improve Python cache 2025-02-24 02:50:01 +03:00
Konstantin Demin
6f32deea79 remove remnants after f0d9f41a 2025-02-21 12:43:10 +03:00
Konstantin Demin
2bd64c4c32 adjust Citus package/version selection 2025-02-21 11:43:41 +03:00
Konstantin Demin
b259b17704 update deps 2025-02-21 11:30:25 +03:00
Konstantin Demin
f0d9f41a3d switch to Python 3.12 2025-02-21 11:30:12 +03:00
Konstantin Demin
d8c7de04a5 share pycache 2025-02-21 11:28:45 +03:00
Konstantin Demin
20182ec83f update deps 2025-02-19 11:09:16 +03:00
Konstantin Demin
6765c098f8 update deps 2025-01-14 10:55:55 +03:00
Konstantin Demin
8f0db91465 bump versions 2024-12-05 11:26:39 +03:00
Konstantin Demin
804d6b2544 bump versions 2024-12-04 21:46:38 +03:00
Konstantin Demin
c7ff1d2b5c refactor 2024-12-04 21:17:59 +03:00
21 changed files with 577 additions and 505 deletions
Expand all files Collapse all files

196
Dockerfile
View File

@@ -1,49 +1,11 @@
ARG UPSTREAM_IMAGE_VERSION
ARG DEPS_IMAGE
FROM docker.io/library/postgres:${UPSTREAM_IMAGE_VERSION}-bookworm AS postgresql-upstream
FROM ${DEPS_IMAGE} AS deps
ARG BASE_IMAGE
FROM docker.io/library/postgres:${UPSTREAM_IMAGE_VERSION}-trixie AS postgresql-upstream
FROM ${BASE_IMAGE} AS base
## ---
FROM deps AS pycache
SHELL [ "/bin/sh", "-ec" ]
COPY /scripts/* /usr/local/sbin/
ENV PYTHONDONTWRITEBYTECODE=''
## Python cache preseed
RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
find "${libpython}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
| sed -zEn \
-e '/^(collections|importlib|json|re)$/p' \
| sort -zV \
| env -C "${libpython}" xargs -0r \
python3 -m compileall -q -j 2 ; \
find "${PYTHON_SITE_PACKAGES}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
| sed -zE \
-e '/\.(dist-info|pth|txt)$/d' \
-e '/^(pip|pkg_resources|setuptools|wheel)$/d' \
| sort -zV \
| env -C "${PYTHON_SITE_PACKAGES}" xargs -0r \
python3 -m compileall -q -j 2
## Python cache warmup
RUN export PYTHONPROFILEIMPORTTIME=1 ; \
patronictl --help ; \
patroni --help ; \
ydiff --help ; \
cdiff --help
## Python cache adjustments
RUN d="@$(date '+%s')" ; \
find /usr/local/lib/ -name '*.pyc' -exec touch -m -d "$d" {} + ; \
find /usr/local/lib/ -name __pycache__ -exec touch -m -d "$d" {} +
## ---
FROM deps AS postgresql
FROM base AS postgresql
SHELL [ "/bin/sh", "-ec" ]
COPY /scripts/* /usr/local/sbin/
@@ -60,7 +22,9 @@ RUN echo "postgres:x:${PG_UID}:${PG_GID}:postgres:${PGHOME}:/bin/bash" >> /etc/p
RUN install -d -o postgres -g postgres -m 3755 /run/postgresql
VOLUME [ "/run/postgresql" ]
COPY /apt/sources.pgdg /etc/apt/sources.list.d/pgdg.sources
COPY /apt/sources.pgdg-ver.in /tmp/pgdg-ver.sources
COPY /apt/preferences.pgdg /etc/apt/preferences.d/pgdg
COPY /apt/preferences.pgdg-ver.in /tmp/pgdg-ver.prefs
RUN sed "s/%{PG_MAJOR}/${PG_MAJOR}/g" < /tmp/pgdg-ver.sources > "/etc/apt/sources.list.d/pgdg-${PG_MAJOR}.sources" ; \
sed "s/%{PG_MAJOR}/${PG_MAJOR}/g" < /tmp/pgdg-ver.prefs > "/etc/apt/preferences.d/pgdg-${PG_MAJOR}" ; \
@@ -86,7 +50,135 @@ RUN ln -sv /usr/local/sbin/dumb-run-as.sh /usr/local/bin/gosu
## ---
FROM postgresql AS postgresql-extras
FROM postgresql AS pybuild
SHELL [ "/bin/sh", "-ec" ]
COPY /scripts/* /usr/local/sbin/
COPY /requirements.txt /tmp/
ENV DEV_PACKAGES='libffi-dev libpq-dev libyaml-dev'
# psutil
ENV CIBUILDWHEEL=1
# pyyaml
ENV PYYAML_FORCE_CYTHON=1
RUN w=$(mktemp -d) ; : "${w:?}" ; \
{ apt-mark showauto ; apt-mark showmanual ; } | sort -uV > "$w/t0" ; \
printf '%s\n' ${DEV_PACKAGES} | sort -uV > "$w/t1" ; \
apt-install.sh ${DEV_PACKAGES} ; \
{ apt-mark showauto ; apt-mark showmanual ; } | sort -uV > "$w/t2" ; \
set +e ; \
grep -Fxv -f "$w/t0" "$w/t2" > "$w/t3" ; \
grep -Fxv -f "$w/t1" "$w/t3" > "$w/t4" ; \
grep -Ev -e '-(dev|doc)$' "$w/t4" > "${PYTHON_SITE_PACKAGES}/apt-deps.txt" ; \
set -e ; \
rm -rf "$w/" ; unset w ; \
apt-install.sh build-essential ; \
pip-env.sh pip install 'cython~=3.1.3' ; \
pip-env.sh pip install \
--no-binary 'cffi,psutil,pyyaml' \
-r /tmp/requirements.txt \
; \
pip-env.sh pip uninstall -y 'cython' ; \
python-rm-cache.sh /usr/local ; \
rm -rf \
/usr/local/bin/patroni_aws \
/usr/local/bin/patroni_raft_controller \
"${PYTHON_SITE_PACKAGES}/etcd/tests" \
"${PYTHON_SITE_PACKAGES}/netaddr/tests" \
"${PYTHON_SITE_PACKAGES}/psutil/tests" \
; \
truncate -s 0 \
"${PYTHON_SITE_PACKAGES}/netaddr/eui/iab.idx" \
"${PYTHON_SITE_PACKAGES}/netaddr/eui/iab.txt" \
"${PYTHON_SITE_PACKAGES}/netaddr/eui/oui.txt" \
"${PYTHON_SITE_PACKAGES}/netaddr/eui/oui.idx" \
; \
find "${PYTHON_SITE_PACKAGES}/" -type f -name '*.so*' -exec ls -l {} + ; \
echo ; \
find "${PYTHON_SITE_PACKAGES}/" -type f -name '*.so*' -printf '%p\0' \
| sed -zE '/rust/d' \
| xargs -0r strip --strip-debug --strip-unneeded ; \
echo ; \
find "${PYTHON_SITE_PACKAGES}/" -type f -name '*.so*' -exec ls -l {} + ; \
apt-remove.sh build-essential ; \
apt-clean.sh
## avoid changing already present packages
RUN rm -rfv \
/usr/local/bin/pip \
/usr/local/bin/pip3* \
; \
find "${PYTHON_SITE_PACKAGES}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
| sed -zEn \
-e '/^pip(|-.+\.dist-info)$/p' \
| env -C "${PYTHON_SITE_PACKAGES}" xargs -0r rm -rf
## ---
FROM pybuild AS pycache
SHELL [ "/bin/sh", "-ec" ]
COPY /scripts/* /usr/local/sbin/
ENV PYTHONDONTWRITEBYTECODE=''
## Python cache preseed
RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
find "${libpython}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
| sed -zEn \
-e '/^(asyncio|collections|concurrent|ctypes|email|encodings|html|http|importlib|json|logging|multiprocessing|re|urllib|zipfile|zoneinfo)$/p' \
| sort -zV \
| env -C "${libpython}" xargs -0r \
python3 -m compileall -q -j 2 ; \
find "${PYTHON_SITE_PACKAGES}/" -mindepth 1 -maxdepth 1 -printf '%P\0' \
| sed -zE \
-e '/\.(dist-info|pth|so|txt)$/d' \
-e '/^pip$/d' \
| sort -zV \
| env -C "${PYTHON_SITE_PACKAGES}" xargs -0r \
python3 -m compileall -q -j 2
## Python cache warmup
RUN export PYTHONPROFILEIMPORTTIME=1 ; \
patroni --help ; \
patronictl --help ; \
patroni_barman --help ; \
patroni_wale_restore --help ; \
cdiff --help ; \
netaddr --help ; \
ydiff --help
## Python cache adjustments
RUN d="@$(date '+%s')" ; \
find /usr/local/lib/ -name '*.pyc' -exec touch -m -d "$d" {} + ; \
find /usr/local/lib/ -name __pycache__ -exec touch -m -d "$d" {} +
WORKDIR /pycache
RUN find /usr/local/ -type f -name '*.py[co]' -printf '%P\0' \
| sort -zV \
| tar -C /usr/local --null -T - -cf - \
| tar -xf -
## ---
FROM postgresql AS postgresql-patroni
COPY --from=pybuild /usr/local/bin/ /usr/local/bin/
COPY --from=pybuild /${PYTHON_SITE_PACKAGES}/ /${PYTHON_SITE_PACKAGES}/
COPY --from=pycache /pycache/ /usr/local/
## install missing dependencies for Python site-packages
RUN f="${PYTHON_SITE_PACKAGES}/apt-deps.txt" ; \
[ -s "$f" ] || exit 0 ; \
xargs -a "$f" apt-install.sh ; \
apt-clean.sh
## ---
FROM postgresql-patroni AS postgresql-extras
SHELL [ "/bin/sh", "-ec" ]
RUN apt-install.sh \
@@ -131,8 +223,11 @@ SHELL [ "/bin/sh", "-ec" ]
COPY /apt/sources.citus /etc/apt/sources.list.d/citus.sources
RUN apt-install.sh \
"postgresql-${PG_MAJOR}-citus-12.1" \
RUN apt-env.sh apt-get update ; \
citus_pkg=$(apt-cache search "^postgresql-${PG_MAJOR}-citus-[0-9.]+\$" | awk '{print $1}' | sort -rV | head -n1) ; \
: "${citus_pkg:?}" ; \
apt-install.sh \
"${citus_pkg}" \
"postgresql-${PG_MAJOR}-topn" \
; apt-clean.sh
@@ -140,15 +235,13 @@ VOLUME [ "${PGHOME}" ]
## ---
FROM citus
## TODO: disabled until citus packages are ready for Debian 13
# FROM citus
FROM postgresql-extras
SHELL [ "/bin/sh", "-ec" ]
COPY /Dockerfile /usr/local/share/
## RFC: Python cache
## TODO: reduce load by selecting only __pycache__ directories in either way
COPY --from=pycache /usr/local/lib/ /usr/local/lib/
COPY /ep.sh /usr/local/sbin/
COPY /postgres-shim.sh /usr/local/sbin/
## quirk
@@ -160,8 +253,7 @@ WORKDIR "${PGHOME}"
## NB: override to SIGTERM in order to switch to "Smart Shutdown mode"
STOPSIGNAL SIGINT
ENV DUMB_INIT_SETSID=0 \
MALLOC_ARENA_MAX=4 \
ENV MALLOC_ARENA_MAX=4 \
GOMAXPROCS=4
ENTRYPOINT [ "ep.sh" ]

304
Dockerfile.base
View File

@@ -1,11 +1,9 @@
ARG PYTHONTAG=3.11.9-slim-bookworm
ARG PYTHONTAG=3.12.11-slim-trixie
FROM docker.io/python:${PYTHONTAG} AS base-upstream
FROM base-upstream AS base
FROM base-upstream AS base-intermediate
SHELL [ "/bin/sh", "-ec" ]
COPY /Dockerfile.base /usr/local/share/
COPY /scripts/* /usr/local/sbin/
COPY /extra-scripts/* /usr/local/sbin/
@@ -20,11 +18,6 @@ ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin \
PYTHONUNBUFFERED=1 \
PYTHONDONTWRITEBYTECODE=1
## local development
# ENV PIP_INDEX="http://127.0.0.1:8081/repository/proxy_pypi/pypi/" \
# PIP_INDEX_URL="http://127.0.0.1:8081/repository/proxy_pypi/simple/" \
# PIP_TRUSTED_HOST="localhost"
COPY /apt/sources.debian /etc/apt/sources.list.d/debian.sources
## prevent services from auto-starting, part 1
@@ -45,13 +38,60 @@ RUN divert_true() { divert-rm.sh "$1" ; ln -sv /bin/true "$1" ; } ; \
divert_true /usr/bin/deb-systemd-invoke
RUN apt-env.sh apt-get update ; \
apt-remove.sh \
ca-certificates \
e2fsprogs \
; \
apt-env.sh apt-get upgrade -y ; \
apt-clean.sh
apt-install.sh \
apt-utils \
brotli \
cron \
curl \
file \
gettext-base \
gnupg \
iproute2 \
iputils-ping \
jdupes \
jq \
less \
libcap2-bin \
libnss-wrapper \
logrotate \
lsof \
ncurses-base \
netbase \
netcat-openbsd \
openssl \
procps \
psmisc \
systemd-standalone-sysusers \
tzdata \
vim \
xxd \
xz-utils \
zstd \
; \
apt-clean.sh ; \
## remove broken symlinks
find /etc/ -xdev -follow -type l -ls -delete
## perl-base: hardlink->symlink
RUN d=/usr/bin ; \
find "$d/" -wholename "$d/perl5*" -exec ln -fsv perl {} ';' ; \
ls -li "$d/perl"*
RUN set +e ; \
d=/usr/bin ; \
ls -li "$d/perl" ; \
find "$d/" -xdev -samefile "$d/perl" 2>/dev/null \
| grep -Fxv -e "$d/perl" \
| while read -r p ; do \
[ -n "$p" ] || continue ; \
[ -e "$p" ] || continue ; \
ls -li "$p" ; \
rm -fv "$p" ; \
ln -fsv perl "$p" ; \
ls -li "$p" ; \
echo ; \
done
## remove unwanted binaries
RUN set -f ; \
@@ -74,6 +114,7 @@ RUN set -f ; \
chsh \
cpgr \
cppw \
crontab \
ctrlaltdel \
debugfs \
delpart \
@@ -160,81 +201,234 @@ RUN set -f ; \
'write.*' \
zramctl \
; do \
for d in /usr/sbin /usr/bin /sbin /bin ; do \
find "$d/" ! -type d -wholename "$d/$i" \
## try dpkg-divert first
for d in /usr/sbin /usr/bin ; do \
find "$d/" ! -type d -wholename "$d/$i" ; \
done \
| while read -r p ; do \
[ -n "$p" ] || continue ; \
[ -e "$p" ] || continue ; \
dpkg -S "$p" >/dev/null 2>&1 || continue ; \
divert-rm.sh "$p" ; \
dpkg-search.sh "$p" || continue ; \
done \
| sed -E '/^diversion by/d' \
| sort -uV \
| while read -r pkg path ; do \
[ -n "${pkg}" ] || continue ; \
[ -e "${path}" ] || continue ; \
divert-rm.sh "${path}" ; \
done ; \
done ; \
for d in /usr/sbin /usr/bin /sbin /bin ; do \
find "$d/" ! -type d -wholename "$d/$i" \
## remove if still exists
for d in /usr/sbin /usr/bin ; do \
find "$d/" ! -type d -wholename "$d/$i" ; \
done \
| while read -r p ; do \
[ -n "$p" ] || continue ; \
[ -e "$p" ] || continue ; \
rm -fv "$p" ; \
done ; \
done ; \
done ; \
## fixup
rm -f \
/bin/lastb \
/bin/sg \
/sbin/getty \
; :
## remove broken symlinks
find /bin/ /sbin/ -xdev -follow -type l -ls -delete
## remove excessive privileges from binaries
RUN set -f ; \
for i in \
passwd \
su \
; do \
for d in /usr/sbin /usr/bin /sbin /bin ; do \
find "$d/" ! -type d -wholename "$d/$i" \
## remove excessive privileges from binaries: setuid/setgid
RUN find / -xdev -type f -perm /7000 \
| sort -V \
| while read -r p ; do \
[ -n "$p" ] || continue ; \
[ -e "$p" ] || continue ; \
dpkg -S "$p" >/dev/null 2>&1 || continue ; \
o=$(env stat -c '%U' "$p") ; \
g=$(env stat -c '%G' "$p") ; \
## clear setuid/setgid bit
m=$(env stat -c '0%a' "$p") ; \
m=$(printf '0%o\n' $((m & 00777)) ) ; \
## try to lookup in dpkg database
n=$(set +e ; dpkg-search.sh "$p" | sed -E '/^diversion by/d' | cut -d ' ' -f2-) ; \
ls -l "$p" ; \
dpkg-statoverride --update --add "$o" "$g" 0755 "$p" ; \
if [ "$p" = "$n" ] ; then \
o=$(env stat -c '%U' "$n") ; \
g=$(env stat -c '%G' "$n") ; \
dpkg-statoverride --force --update --add "$o" "$g" "$m" "$n" ; \
else \
env printf 'unable to find in dpkg database: %q\n' "$n" ; \
chmod "$m" "$p" ; \
fi ; \
ls -l "$p" ; \
done ; \
done ; \
done
RUN apt-remove.sh \
ca-certificates \
e2fsprogs \
; \
apt-clean.sh
## remove excessive privileges from binaries: setcap
RUN find / -xdev -type f -executable -exec getcap {} + \
| sort -V \
| while read -r path caps ; do \
[ -n "${path}" ] || continue ; \
if [ "${path}" = /usr/bin/ping ] ; then continue ; fi ; \
getcap -v "${path}" ; \
setcap -r "${path}" "${caps}" 2>/dev/null || : ; \
getcap -v "${path}" ; \
done
## "docker.io/python"-specific cleanup
RUN rm -f /root/.wget-hsts
RUN env -C /root rm -f .bash_history .python_history .wget-hsts
RUN python-rm-cache.sh /usr/local ; \
pip-env.sh pip list --format freeze \
## ---
FROM base-intermediate AS certs
SHELL [ "/bin/sh", "-ec" ]
## "2025.08.03"
ENV CERTIFI_COMMIT=a97d9ad8f87c382378dddc0b0b33b9770932404e
# 'https://raw.githubusercontent.com/certifi/python-certifi'
ARG CERTIFI_BASE_URI='https://github.com/certifi/python-certifi/raw'
ARG CERTIFI_URI="${CERTIFI_BASE_URI}/${CERTIFI_COMMIT}/certifi/cacert.pem"
ADD "${CERTIFI_URI}" /tmp/certifi.crt
RUN apt-install.sh ca-certificates ; \
apt-clean.sh ; \
ca_file='/etc/ssl/certs/ca-certificates.crt' ; \
ls -l "${ca_file}" ; \
## process certifi
certifi-extras.sh /tmp/certifi.crt ; \
openssl-cert-auto-pem.sh "${ca_file}" "${ca_file}.new" "${ca_file}.fp" ; \
mv -f "${ca_file}.new" "${ca_file}" ; \
chmod 0444 "${ca_file}" "${ca_file}.fp" ; \
ls -l "${ca_file}" "${ca_file}.fp"
## ---
FROM base-intermediate AS apt-gpg
SHELL [ "/bin/sh", "-ec" ]
COPY --from=certs /etc/ssl/certs/ca-certificates.* /etc/ssl/certs/
ADD https://apt.postgresql.org/pub/repos/apt/ACCC4CF8.asc /tmp/pgdg.gpg.bin
ADD https://packagecloud.io/citusdata/community/gpgkey /tmp/citus.gpg.bin
## process GPG keyrings
RUN pkg='gnupg' ; \
apt-install.sh ${pkg} ; \
gpg-export.sh /tmp/pgdg.gpg.bin /etc/apt/keyrings/pgdg.gpg.asc ; \
gpg-export.sh /tmp/citus.gpg.bin /etc/apt/keyrings/citus.gpg.asc ; \
apt-remove.sh ${pkg}
COPY /apt/sources.pgdg /etc/apt/sources.list.d/pgdg.sources
## TODO: disabled until citus packages are ready for Debian 13
# COPY /apt/sources.citus /etc/apt/sources.list.d/citus.sources
## verify sources!
RUN apt-env.sh apt-get update ; \
apt-clean.sh
## ---
FROM base-intermediate AS tools
SHELL [ "/bin/sh", "-ec" ]
## current HEAD: "main: don't use secure_getenv", December 14, 2024
ENV CATATONIT_COMMIT=56579adbb42c0c7ad94fc12d844b38fc5b37b3ce
# ARG CATATONIT_BASE_URI='https://codeload.github.com/openSUSE/catatonit/tar.gz'
# ARG CATATONIT_URI="${CATATONIT_BASE_URI}/${CATATONIT_COMMIT}"
ARG CATATONIT_BASE_URI='https://github.com/openSUSE/catatonit/archive'
ARG CATATONIT_URI="${CATATONIT_BASE_URI}/${CATATONIT_COMMIT}.tar.gz"
# hadolint ignore=DL3020
ADD "${CATATONIT_URI}" /tmp/catatonit.tar.gz
RUN pkg='build-essential debhelper musl-dev autoconf autoconf-archive' ; \
apt-install.sh ${pkg} ; \
DEB_HOST_GNU_TYPE=$(dpkg-architecture -q DEB_HOST_GNU_TYPE) ; \
export HOSTCC="${DEB_HOST_GNU_TYPE}-gcc" ; \
DEB_TARGET_GNU_TYPE=$(dpkg-architecture -q DEB_TARGET_GNU_TYPE) ; \
DEB_TARGET_MUSL_TYPE=$(printf '%s' "${DEB_TARGET_GNU_TYPE}" | sed -E 's/-gnu$/-musl/') ; \
CFLAGS_LTO="-flto=2 -fuse-linker-plugin -ffat-lto-objects -flto-partition=none" ; \
CFLAGS_COMMON="-O2 -g -pipe -fPIE -fstack-protector-strong -fstack-clash-protection -fcf-protection" ; \
CPPFLAGS="-Wall -Wextra -Werror=format-security -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2" ; \
## build catatonit
d=/tmp/catatonit ; \
rm -rf "$d" ; \
mkdir -p "$d" ; \
( \
cd "$d" ; \
tar --strip-components=1 -xf /tmp/catatonit.tar.gz ; \
commit_abbrev=$(printf '%s' "${CATATONIT_COMMIT}" | cut -c1-8) ; \
sed -i "s/+dev/+git.${commit_abbrev}/" configure.ac ; \
export CC="${DEB_TARGET_MUSL_TYPE}-gcc" ; \
export CFLAGS="${CFLAGS_LTO} ${CFLAGS_COMMON} ${CPPFLAGS}" ; \
export LDFLAGS="-static-pie -Wl,-z,relro -Wl,-z,now" ; \
autoreconf -fiv ; \
./configure ; \
make -j1 ; \
ls -l catatonit ; \
# "${DEB_TARGET_GNU_TYPE}-strip" --strip-debug --strip-unneeded catatonit ; \
strip --strip-debug --strip-unneeded catatonit ; \
ls -l catatonit ; \
cp catatonit /usr/local/bin/ ; \
) ; \
## cleanup
rm -rf "$d" ; \
apt-remove.sh ${pkg} ; \
apt-clean.sh
## ---
FROM base-intermediate AS base
SHELL [ "/bin/sh", "-ec" ]
COPY /Dockerfile.base /usr/local/share/
COPY --from=certs /etc/ssl/certs/ca-certificates.* /etc/ssl/certs/
COPY --from=apt-gpg /etc/apt/keyrings/ /etc/apt/keyrings/
COPY --from=tools /usr/local/bin/catatonit /usr/local/bin/
RUN python-rm-cache.sh /usr/local
RUN pip-env.sh pip list --format freeze \
| grep -F '==' | awk -F= '{print $1}' \
| xargs -r pip-env.sh pip install -U ; \
python-rm-cache.sh "${PYTHON_SITE_PACKAGES}"
python-rm-cache.sh /usr/local
RUN python-rm-cache.sh /usr/local ; \
libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
RUN libpython="${PYTHON_SITE_PACKAGES%/*}" ; \
rm -rfv \
/usr/local/bin/idle* \
/usr/local/bin/pydoc* \
"${libpython}/ensurepip/_bundled" \
"${libpython}/idlelib" \
"${libpython}/pydoc.py" \
"${libpython}/pydoc_data" \
"${libpython}/tkinter" \
"${libpython}/turtle.py" \
"${libpython}/turtledemo" \
; :
; \
find "${PYTHON_SITE_PACKAGES}/" -iname '*.exe' -ls -delete
## adjust pip/certifi
RUN certifi_pem="${PYTHON_SITE_PACKAGES}/pip/_vendor/certifi/cacert.pem" ; \
[ -d "${certifi_pem%/*}" ] || exit 0 ; \
rm -f "${certifi_pem}" ; \
ln -sv /etc/ssl/certs/ca-certificates.crt "${certifi_pem}"
## set up locales!
RUN _lang=en_US.UTF8 ; \
{ \
echo "locales locales/default_environment_locale select ${LANG}" ; \
echo "locales locales/locales_to_be_generated multiselect ${LANG} UTF-8" ; \
} | debconf-set-selections ; \
f=/etc/dpkg/dpkg.cfg.d/docker ; \
if [ -f "$f" ] ; then \
sed -Ei '/\/usr\/share\/locale/d' "$f" ; \
fi ; \
echo "LANG=${_lang}" > /etc/default/locale ; \
apt-install.sh locales ; apt-clean.sh ; \
grep -Fixq "${_lang} UTF-8" /etc/locale.gen || { \
echo "${_lang} UTF-8" >> /etc/locale.gen ; \
locale-gen ; \
} ; \
locale -a | grep -Fixq "${_lang}"
ENV LANG=en_US.UTF8
RUN find /usr/local/sbin/ ! -type d -ls -delete ; \
find /run/ -mindepth 1 -ls -delete || : ; \
install -d -m 01777 /run/lock
install -d -m 01777 /run/lock ; \
jdupes -1LSpr /usr/
ENTRYPOINT [ ]
CMD [ "bash" ]

177
Dockerfile.deps
View File

@@ -1,177 +0,0 @@
FROM docker.io/rockdrilla/postgresql:base-v1 AS base
## ---
FROM base AS certs
SHELL [ "/bin/sh", "-ec" ]
COPY /scripts/* /usr/local/sbin/
COPY /extra-scripts/* /usr/local/sbin/
## consult https://github.com/certifi/python-certifi/
ENV CERTIFI_COMMIT=bd8153872e9c6fc98f4023df9c2deaffea2fa463
RUN apt-install.sh ca-certificates curl ; \
apt-clean.sh ; \
## process certifi
ca_file='/etc/ssl/certs/ca-certificates.crt' ; \
ls -l "${ca_file}" ; \
certifi-extras.sh ; \
openssl-cert-fingerprint.sh "${ca_file}" | sort -uV > "${ca_file}.fp" ; \
chmod 0444 "${ca_file}" "${ca_file}.fp" ; \
ls -l "${ca_file}" "${ca_file}.fp"
## ---
FROM base AS apt-gpg
SHELL [ "/bin/sh", "-ec" ]
COPY /scripts/* /usr/local/sbin/
COPY /extra-scripts/* /usr/local/sbin/
COPY --from=certs /etc/ssl/certs/ca-certificates.* /etc/ssl/certs/
ADD https://apt.postgresql.org/pub/repos/apt/ACCC4CF8.asc /tmp/pgdg.gpg.bin
ADD https://packagecloud.io/citusdata/community/gpgkey /tmp/citus.gpg.bin
## process GPG keyrings
RUN pkg='gnupg' ; \
apt-install.sh ${pkg} ; \
gpg-export.sh /tmp/pgdg.gpg.bin /etc/apt/keyrings/pgdg.gpg.asc ; \
gpg-export.sh /tmp/citus.gpg.bin /etc/apt/keyrings/citus.gpg.asc ; \
apt-remove.sh ${pkg}
COPY /apt/sources.pgdg /etc/apt/sources.list.d/pgdg.sources
COPY /apt/sources.citus /etc/apt/sources.list.d/citus.sources
## verify sources!
RUN apt-env.sh apt-get update ; \
apt-clean.sh
## ---
FROM base AS patroni
SHELL [ "/bin/sh", "-ec" ]
COPY /scripts/* /usr/local/sbin/
COPY --from=certs /etc/ssl/certs/ca-certificates.* /etc/ssl/certs/
COPY --from=apt-gpg /etc/apt/keyrings/ /etc/apt/keyrings/
COPY /apt/sources.pgdg /etc/apt/sources.list.d/pgdg.sources
COPY /apt/preferences.pgdg /etc/apt/preferences.d/pgdg
ENV DEV_PACKAGES='libffi-dev libpq-dev libyaml-dev'
# psutil
ENV CIBUILDWHEEL=1
# pyyaml
ENV PYYAML_FORCE_CYTHON=1
COPY /requirements.txt /tmp/
RUN w=$(mktemp -d) ; : "${w:?}" ; \
{ apt-mark showauto ; apt-mark showmanual ; } | sort -uV > "$w/t0" ; \
printf '%s\n' ${DEV_PACKAGES} | sort -uV > "$w/t1" ; \
apt-install.sh ${DEV_PACKAGES} ; \
{ apt-mark showauto ; apt-mark showmanual ; } | sort -uV > "$w/t2" ; \
set +e ; \
grep -Fxv -f "$w/t0" "$w/t2" > "$w/t3" ; \
grep -Fxv -f "$w/t1" "$w/t3" > "$w/t4" ; \
grep -Ev -e '-(dev|doc)$' "$w/t4" > "${PYTHON_SITE_PACKAGES}/apt-deps.txt" ; \
set -e ; \
rm -rf "$w/" ; unset w ; \
apt-install.sh build-essential ; \
pip-env.sh pip install 'cython' ; \
pip-env.sh pip install \
--no-binary 'cffi,psutil,pyyaml' \
-r /tmp/requirements.txt \
; \
pip-env.sh pip uninstall -y 'cython' ; \
python-rm-cache.sh "${PYTHON_SITE_PACKAGES}" ; \
rm -rf \
"${PYTHON_SITE_PACKAGES}/etcd/tests" \
"${PYTHON_SITE_PACKAGES}/psutil/tests" \
; \
find "${PYTHON_SITE_PACKAGES}/" -type f -name '*.so*' -exec ls -l {} + ; \
echo ; \
find "${PYTHON_SITE_PACKAGES}/" -type f -name '*.so*' -printf '%p\0' \
| sed -zE '/rust/d' \
| xargs -0r strip --verbose --strip-debug ; \
echo ; \
find "${PYTHON_SITE_PACKAGES}/" -type f -name '*.so*' -exec ls -l {} + ; \
apt-remove.sh build-essential ; \
apt-clean.sh
## ---
FROM base
SHELL [ "/bin/sh", "-ec" ]
COPY /Dockerfile.deps /usr/local/share/
COPY /scripts/* /usr/local/sbin/
COPY --from=certs /etc/ssl/certs/ca-certificates.* /etc/ssl/certs/
COPY --from=apt-gpg /etc/apt/keyrings/ /etc/apt/keyrings/
COPY /apt/sources.pgdg /etc/apt/sources.list.d/pgdg.sources
COPY /apt/preferences.pgdg /etc/apt/preferences.d/pgdg
COPY --from=patroni /usr/local/bin/ /usr/local/bin/
COPY --from=patroni /${PYTHON_SITE_PACKAGES}/ /${PYTHON_SITE_PACKAGES}/
## install missing dependencies for Python site-packages
RUN f="${PYTHON_SITE_PACKAGES}/apt-deps.txt" ; \
[ -s "$f" ] || exit 0 ; \
xargs -a "$f" apt-install.sh ; \
apt-clean.sh
RUN apt-install.sh \
brotli \
curl \
dumb-init \
file \
gettext-base \
gnupg \
iproute2 \
iputils-ping \
jq \
less \
libnss-wrapper \
lsof \
ncurses-base \
netbase \
netcat-openbsd \
openssl \
procps \
psmisc \
tzdata \
vim \
xxd \
xz-utils \
zstd \
; \
apt-clean.sh
## set up locales!
RUN _lang=en_US.UTF8 ; \
{ \
echo "locales locales/default_environment_locale select ${LANG}" ; \
echo "locales locales/locales_to_be_generated multiselect ${LANG} UTF-8" ; \
} | debconf-set-selections ; \
f=/etc/dpkg/dpkg.cfg.d/docker ; \
if [ -f "$f" ] ; then \
sed -Ei '/\/usr\/share\/locale/d' "$f" ; \
fi ; \
echo "LANG=${_lang}" > /etc/default/locale ; \
apt-install.sh locales ; apt-clean.sh ; \
grep -Fixq "${_lang} UTF-8" /etc/locale.gen || { \
echo "${_lang} UTF-8" >> /etc/locale.gen ; \
locale-gen ; \
} ; \
locale -a | grep -Fixq "${_lang}"
ENV LANG=en_US.UTF8
RUN find /usr/local/sbin/ ! -type d -ls -delete

2
apt/preferences.pgdg
View File

@@ -1,3 +1,3 @@
Package: *
Pin: release a=bookworm-pgdg
Pin: release a=trixie-pgdg
Pin-Priority: 600

2
apt/preferences.pgdg-ver.in
View File

@@ -1,3 +1,3 @@
Package: src:postgresql-%{PG_MAJOR}
Pin: release a=bookworm-pgdg
Pin: release a=trixie-pgdg
Pin-Priority: 650

2
apt/sources.citus
View File

@@ -1,5 +1,5 @@
Types: deb
URIs: https://packagecloud.io/citusdata/community/debian/
Suites: bookworm
Suites: trixie
Components: main
Signed-By: /etc/apt/keyrings/citus.gpg.asc

8
apt/sources.debian
View File

@@ -1,11 +1,11 @@
Types: deb
URIs: http://deb.debian.org/debian
Suites: bookworm bookworm-updates bookworm-proposed-updates
Components: main contrib non-free
Suites: trixie trixie-updates trixie-proposed-updates trixie-backports
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
Types: deb
URIs: http://deb.debian.org/debian-security
Suites: bookworm-security
Components: main contrib non-free
Suites: trixie-security
Components: main
Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg

2
apt/sources.pgdg
View File

@@ -1,5 +1,5 @@
Types: deb
URIs: http://apt.postgresql.org/pub/repos/apt/
Suites: bookworm-pgdg
Suites: trixie-pgdg
Components: main
Signed-By: /etc/apt/keyrings/pgdg.gpg.asc

2
apt/sources.pgdg-ver.in
View File

@@ -1,5 +1,5 @@
Types: deb
URIs: http://apt.postgresql.org/pub/repos/apt/
Suites: bookworm-pgdg
Suites: trixie-pgdg
Components: %{PG_MAJOR}
Signed-By: /etc/apt/keyrings/pgdg.gpg.asc

8
build-scripts/image-base.sh
View File

@@ -8,7 +8,7 @@ BUILDAH_ISOLATION="${BUILDAH_ISOLATION:-chroot}"
BUILDAH_NETWORK="${BUILDAH_NETWORK:-host}"
set +a
PYTHONTAG="${PYTHONTAG:-3.11.9-slim-bookworm}"
PYTHONTAG="${PYTHONTAG:-3.12.11-slim-trixie}"
grab_site_packages() {
podman run \
@@ -27,7 +27,7 @@ grab_site_packages() {
PYTHON_SITE_PACKAGES=$(grab_site_packages "docker.io/python:${PYTHONTAG}")
[ -n "${PYTHON_SITE_PACKAGES:?}" ]
img="docker.io/rockdrilla/postgresql:base-v1"
img="docker.io/rockdrilla/postgresql:base-v7"
buildah bud \
-f ./Dockerfile.base \
@@ -36,10 +36,6 @@ buildah bud \
--build-arg "PYTHONTAG=${PYTHONTAG}" \
--env "PYTHON_SITE_PACKAGES=${PYTHON_SITE_PACKAGES}" \
--unsetenv GPG_KEY \
--unsetenv PYTHON_PIP_VERSION \
--unsetenv PYTHON_SETUPTOOLS_VERSION \
--unsetenv PYTHON_GET_PIP_SHA256 \
--unsetenv PYTHON_GET_PIP_URL \
c=$(buildah from --pull=never "${img}") || true

16
build-scripts/image-deps.sh
View File

@@ -1,16 +0,0 @@
#!/bin/sh
set -ef
cd "$(dirname "$0")/.."
set -a
BUILDAH_FORMAT="${BUILDAH_FORMAT:-docker}"
BUILDAH_ISOLATION="${BUILDAH_ISOLATION:-chroot}"
BUILDAH_NETWORK="${BUILDAH_NETWORK:-host}"
set +a
img="docker.io/rockdrilla/postgresql:deps-v1"
exec buildah bud \
-f ./Dockerfile.deps \
-t "${img}" \
--pull=missing --no-cache

15
build-scripts/image.sh
View File

@@ -8,24 +8,25 @@ BUILDAH_ISOLATION="${BUILDAH_ISOLATION:-chroot}"
BUILDAH_NETWORK="${BUILDAH_NETWORK:-host}"
set +a
POSTGRESQL_VERSION="${1:-16.4}"
POSTGRESQL_VERSION="${1:-17.6}"
PG_MAJOR="${POSTGRESQL_VERSION%%.*}"
img="docker.io/rockdrilla/postgresql:${POSTGRESQL_VERSION}"
deps="docker.io/rockdrilla/postgresql:deps-v1"
img="docker.io/rockdrilla/postgresql:${POSTGRESQL_VERSION}$2"
orig_base="docker.io/rockdrilla/postgresql:base-v7"
base="${orig_base}-${POSTGRESQL_VERSION}-env"
c=$(buildah from --pull=missing "${deps}")
c=$(buildah from --pull=missing "${orig_base}")
[ -n "${c:?}" ]
buildah config --env "POSTGRESQL_VERSION=${POSTGRESQL_VERSION}" "$c"
buildah config --env "PG_MAJOR=${PG_MAJOR}" "$c"
buildah commit --rm "$c" "${img}-env"
buildah commit --rm "$c" "${base}"
unset c
buildah bud \
-f ./Dockerfile \
-t "${img}" \
--pull=missing --no-cache \
--build-arg "DEPS_IMAGE=${img}-env" \
--build-arg "BASE_IMAGE=${base}" \
--build-arg "UPSTREAM_IMAGE_VERSION=${POSTGRESQL_VERSION}" \
podman image rm "${img}-env"
podman image rm "${base}"

6
ep.sh
View File

@@ -47,11 +47,11 @@ chown -h postgres:postgres "${PGDATA}"
set -e
if [ "$c" = postgres ] ; then
exec dumb-init docker-entrypoint.sh "$@"
exec catatonit -- docker-entrypoint.sh "$@"
fi
if [ "$(id -u)" != 0 ] ; then
exec dumb-init "$@"
exec catatonit -- "$@"
fi
exec dumb-run-as.sh postgres dumb-init "$@"
exec dumb-run-as.sh postgres catatonit -- "$@"

70
extra-scripts/certifi-extras.sh
View File

@@ -1,89 +1,41 @@
#!/bin/sh
set -ef
certifi_uri="https://raw.githubusercontent.com/certifi/python-certifi/${CERTIFI_COMMIT:?}/certifi/cacert.pem"
dst_dir=/usr/local/share/ca-certificates
w=$(mktemp -d) ; : "${w:?}"
w_cleanup() {
[ -z "$w" ] || ls -lA "$w/"
[ -z "$w" ] || ls -lA "$w/" >&2
[ -z "$w" ] || rm -rf "$w"
unset w
exit "${1:-0}"
}
curl -sSL "${certifi_uri}" > "$w/certifi.crt"
def_bundle='/etc/ssl/certs/ca-certificates.crt'
openssl-cert-auto-pem.sh "${def_bundle}" > "$w/cacert.pem"
openssl-cert-auto-pem.sh "$w/certifi.crt" > "$w/certifi.pem"
openssl-cert-auto-pem.sh "${def_bundle}" "$w/cacert.pem" "$w/cacert.fp"
[ -s "$w/cacert.pem" ] || w_cleanup 1
[ -s "$w/cacert.fp" ] || w_cleanup 1
openssl-cert-auto-pem.sh "$1" "$w/certifi.pem" "$w/certifi.fp" "$w/certifi.off"
[ -s "$w/certifi.pem" ] || w_cleanup 1
bundle_offsets() {
awk '
BEGIN {
OFS = ","
m_begin="-----BEGIN CERTIFICATE-----"
m_end="-----END CERTIFICATE-----"
i_begin = 0
}
$0 == m_begin { i_begin = NR ; }
$0 == m_end {
if (i_begin > 0) {
print i_begin,NR
i_begin = 0
}
}
' "$1"
}
bundle_offsets "$w/cacert.pem" > "$w/cacert.off"
bundle_offsets "$w/certifi.pem" > "$w/certifi.off"
[ -s "$w/cacert.off" ] || w_cleanup 1
[ -s "$w/certifi.fp" ] || w_cleanup 1
[ -s "$w/certifi.off" ] || w_cleanup 1
bundle_fingerprints() {
local a
while read -r a ; do
[ -n "$a" ] || continue
{
sed -ne "${a}p" "$1" | openssl x509 -noout -fingerprint -sha256 \
|| \
sed -ne "${a}p" "$1" | openssl x509 -noout -fingerprint
} | tr '[:upper:]' '[:lower:]'
done < "$2"
}
bundle_fingerprints "$w/cacert.pem" "$w/cacert.off" | sort -uV > "$w/cacert.fp"
bundle_fingerprints "$w/certifi.pem" "$w/certifi.off" | sort -uV > "$w/certifi.fp"
[ -s "$w/cacert.fp" ] || w_cleanup 1
[ -s "$w/certifi.fp" ] || w_cleanup 1
set +e
grep -Fxv -f "$w/cacert.fp" "$w/certifi.fp" > "$w/diff.fp"
grep -Fxnv -f "$w/cacert.fp" "$w/certifi.fp" | cut -d : -f 1 > "$w/diff.ln"
set -e
if [ -s "$w/diff.fp" ] ; then
set +e
grep -Fxn -f "$w/diff.fp" "$w/certifi.fp" | cut -d : -f 1 > "$w/records.diff"
set -e
terse_fingerprint() {
cut -d = -f 2- | tr -cd '[:alnum:]'
}
mkdir "$w/extras"
if [ -s "$w/diff.ln" ] ; then
terse_fingerprint() { cut -d = -f 2- | tr -cd '[:alnum:]' ; }
while read -r n ; do
[ -n "$n" ] || continue
fp=$(sed -ne "${n}p" "$w/certifi.fp" | terse_fingerprint)
off=$(sed -ne "${n}p" "$w/certifi.off")
sed -ne "${off}p" "$w/certifi.pem" | openssl x509 > "${dst_dir}/certifi-${fp}.crt"
done < "$w/records.diff"
sed -ne "${off}p" "$w/certifi.pem" > "${dst_dir}/certifi-${fp}.crt"
done < "$w/diff.ln"
fi
rm -rf "$w" ; unset w

29
requirements.txt
View File

@@ -1,27 +1,28 @@
## psycopg[c,pool]
psycopg-c==3.2.1
typing_extensions==4.12.2
psycopg-pool==3.2.2
psycopg[c,pool]==3.2.1
psycopg-c==3.2.9
typing_extensions==4.15.0
psycopg-pool==3.2.6
psycopg[c,pool]==3.2.9
## patroni[etcd3,kubernetes]
click==8.1.7
click==8.2.1
wcwidth==0.2.13
prettytable==3.11.0
psutil==6.0.0
six==1.16.0
prettytable==3.16.0
psutil==7.0.0
six==1.17.0
python-dateutil==2.9.0.post0
PyYAML==6.0.2
urllib3==2.2.2
ydiff==1.3
dnspython==2.6.1
urllib3==2.5.0
ydiff==1.4.2
dnspython==2.7.0
python-etcd==0.4.5
patroni[etcd3,kubernetes]==3.3.2
patroni[etcd3,kubernetes]==4.0.6
## misc
cdiff==1.0
pycparser==2.22
cffi==1.17.0
cryptography==43.0.0
cffi==1.17.1
cryptography==45.0.6
netaddr==1.3.0

12
scripts/apt-clean.sh
View File

@@ -23,11 +23,15 @@ find /var/cache/debconf/ ! -type d -wholename '/var/cache/debconf/*-old' -delete
__t=$(mktemp) ; : "${__t:?}"
debconf_trim_i18n() {
mawk 'BEGIN { m = 0 }
$0 == "" { print }
mawk 'BEGIN { m = 0; }
$0 == "" { print; }
/^[^[:space:]]/ {
if ($1 ~ "\.[Uu][Tt][Ff]-?8:") { m = 1; next; }
m = 0; print $0;
if ($1 ~ "\.[Uu][Tt][Ff]-?8:") {
m = 1;
next;
}
m = 0;
print $0;
}
/^[[:space:]]/ {
if (m == 1) next;

5
scripts/apt-install.sh
View File

@@ -22,8 +22,9 @@ _apt_update() {
}
_dpkg_avail_hack() {
: "${DPKG_ADMINDIR:=/var/lib/dpkg}"
VERSION_CODENAME=$(. /etc/os-release ; printf '%s' "${VERSION_CODENAME}") || :
f="${DPKG_ADMINDIR:-/var/lib/dpkg}/available"
f="${DPKG_ADMINDIR}/available"
# if ${VERSION_CODENAME} is empty then we're on Debian sid or so :)
case "${VERSION_CODENAME}" in
stretch | buster | bionic | focal )
@@ -31,7 +32,7 @@ _dpkg_avail_hack() {
if [ -s "$f" ] ; then
return
fi
/usr/lib/dpkg/methods/apt/update "${DPKG_ADMINDIR:-/var/lib/dpkg}" apt apt
/usr/lib/dpkg/methods/apt/update "${DPKG_ADMINDIR}" apt apt
;;
* )
touch "$f"

24
scripts/dpkg-search.sh Executable file
View File

@@ -0,0 +1,24 @@
#!/bin/sh
set -ef
: "${1:?}"
if dpkg-query --search "$1" ; then
exit 0
fi
case "$1" in
*\** | *\?* )
env printf '%s does not support globs: %q\n' "${0##*/}" "$1" >&2
exit 1
;;
esac
while read -r f ; do
[ -n "$f" ] || continue
dpkg-query --search "$f" || continue
exit 0
done <<EOF
$(set +e ; find / -xdev -follow -samefile "$1" 2>/dev/null | grep -Fxv -e "$1")
EOF
exit 1

92
scripts/openssl-cert-auto-pem.sh
View File

@@ -13,38 +13,88 @@ me=${0##*/}
w=$(mktemp -d) || exit 1
w_cleanup() {
[ -z "$w" ] || ls -lA "$w/"
[ -z "$w" ] || ls -lA "$w/" >&2
[ -z "$w" ] || rm -rf "$w"
unset w
exit "${1:-0}"
}
bundle_offsets() {
mawk 'BEGIN { OFS = ","; i_begin = 0; }
$0 == "-----BEGIN CERTIFICATE-----" {
i_begin = NR;
}
$0 == "-----END CERTIFICATE-----" {
if (i_begin > 0) {
print i_begin, NR;
i_begin = 0;
}
}' "$1"
}
bundle_fingerprints() {
local x f
while read -r x ; do
[ -n "$x" ] || continue
f=$(sed -ne "${x}p" "$1" | openssl x509 -noout -fingerprint -sha256)
[ -n "$f" ] || f=$(sed -ne "${x}p" "$1" | openssl x509 -noout -fingerprint)
[ -n "$f" ] || continue
printf '%s\n' "$f" | tr '[:upper:]' '[:lower:]'
done < "$2"
}
openssl storeutl -certs "$1" > "$w/cert.pem" || w_cleanup 1
[ -s "$w/cert.pem" ] || w_cleanup 1
tr -s '\r\n' '\n' < "$w/cert.pem" > "$w/cert.txt"
[ -s "$w/cert.txt" ] || w_cleanup 1
rm -f "$w/cert.pem"
awk '
BEGIN {
OFS = ","
m_begin="-----BEGIN CERTIFICATE-----"
m_end="-----END CERTIFICATE-----"
i_begin = 0
}
$0 == m_begin { i_begin = NR ; }
$0 == m_end {
if (i_begin > 0) {
print i_begin,NR
i_begin = 0
}
}
' "$w/cert.txt" > "$w/cert.offsets"
[ -s "$w/cert.offsets" ] || w_cleanup 1
bundle_offsets "$w/cert.txt" > "$w/cert.off"
[ -s "$w/cert.off" ] || w_cleanup 1
while read -r a ; do
[ -n "$a" ] || continue
bundle_fingerprints "$w/cert.txt" "$w/cert.off" > "$w/cert.fp.all"
[ -s "$w/cert.fp.all" ] || w_cleanup 1
sed -ne "${a}p" "$w/cert.txt"
done < "$w/cert.offsets"
sort -uV < "$w/cert.fp.all" > "$w/cert.fp"
while read -r fp ; do
[ -n "${fp}" ] || continue
n=$(grep -m1 -Fxn -e "${fp}" "$w/cert.fp.all" | cut -d : -f 1)
[ -n "$n" ] || continue
off=$(sed -ne "${n}p" "$w/cert.off")
[ -n "${off}" ] || continue
sed -ne "${off}p" "$w/cert.txt"
done < "$w/cert.fp" > "$w/cert.pem"
[ -s "$w/cert.pem" ] || w_cleanup 1
rm -f "$w/cert.txt" "$w/cert.off" "$w/cert.fp.all"
if [ -n "$2" ] ; then
while : ; do
if [ -e "$2" ] ; then
[ -f "$2" ] || break
fi
cat > "$2"
break ; done
else
cat
fi < "$w/cert.pem"
while [ -n "$3" ] ; do
if [ -e "$3" ] ; then
[ -f "$3" ] || break
fi
cat "$w/cert.fp" > "$3"
break ; done
while [ -n "$4" ] ; do
if [ -e "$4" ] ; then
[ -f "$4" ] || break
fi
bundle_offsets "$w/cert.pem" > "$4"
break ; done
rm -rf "$w" ; unset w

52
scripts/openssl-cert-fingerprint.sh
View File

@@ -1,52 +0,0 @@
#!/bin/sh
set -f
[ $# -gt 0 ] || exit 0
me=${0##*/}
[ -n "$1" ] || exit 1
[ -f "$1" ] || {
env printf '%s: not a file or does not exist: %q\n' "${me}" "$1" >&2
exit 1
}
[ -s "$1" ] || exit 0
w=$(mktemp -d) || exit 1
w_cleanup() {
[ -z "$w" ] || ls -lA "$w/"
[ -z "$w" ] || rm -rf "$w"
unset w
exit "${1:-0}"
}
openssl-cert-auto-pem.sh "$1" > "$w/cert.pem" || w_cleanup 1
[ -s "$w/cert.pem" ] || w_cleanup 1
awk '
BEGIN {
OFS = ","
m_begin="-----BEGIN CERTIFICATE-----"
m_end="-----END CERTIFICATE-----"
i_begin = 0
}
$0 == m_begin { i_begin = NR ; }
$0 == m_end {
if (i_begin > 0) {
print i_begin,NR
i_begin = 0
}
}
' "$w/cert.pem" > "$w/cert.off"
[ -s "$w/cert.off" ] || w_cleanup 1
while read -r a ; do
[ -n "$a" ] || continue
{
sed -ne "${a}p" "$w/cert.pem" | openssl x509 -noout -fingerprint -sha256 \
|| \
sed -ne "${a}p" "$w/cert.pem" | openssl x509 -noout -fingerprint
} | tr '[:upper:]' '[:lower:]'
done < "$w/cert.off"
w_cleanup 0

2
scripts/python-rm-cache.sh
View File

@@ -1,6 +1,8 @@
#!/bin/sh
set -f
for i ; do
[ -n "$i" ] || continue
[ -d "$i" ] || continue
find "$i/" -name __pycache__ -exec rm -rf {} +
find "$i/" ! -type d -name '*.py[co]' -exec rm -f {} +
done