From c349443dc4e5e370171856ce6e73e911df65f898 Mon Sep 17 00:00:00 2001 From: titanz Date: Fri, 7 Feb 2025 09:28:07 +0100 Subject: [PATCH] Initial commit --- .gitea/workflows/build-13.yml | 109 ++++++++++++++++++ .gitea/workflows/build-14.yml | 109 ++++++++++++++++++ .gitea/workflows/build-15.yml | 109 ++++++++++++++++++ .gitea/workflows/build-16.yml | 109 ++++++++++++++++++ .gitea/workflows/build-17.yml | 110 +++++++++++++++++++ 13/Dockerfile | 26 +++++ 14/Dockerfile | 26 +++++ 15/Dockerfile | 26 +++++ 16/Dockerfile | 26 +++++ 17/Dockerfile | 26 +++++ LICENSE | 201 ++++++++++++++++++++++++++++++++++ README.md | 43 ++++++++ 12 files changed, 920 insertions(+) create mode 100644 .gitea/workflows/build-13.yml create mode 100644 .gitea/workflows/build-14.yml create mode 100644 .gitea/workflows/build-15.yml create mode 100644 .gitea/workflows/build-16.yml create mode 100644 .gitea/workflows/build-17.yml create mode 100644 13/Dockerfile create mode 100644 14/Dockerfile create mode 100644 15/Dockerfile create mode 100644 16/Dockerfile create mode 100644 17/Dockerfile create mode 100644 LICENSE create mode 100644 README.md diff --git a/.gitea/workflows/build-13.yml b/.gitea/workflows/build-13.yml new file mode 100644 index 0000000..4edbca2 --- /dev/null +++ b/.gitea/workflows/build-13.yml @@ -0,0 +1,109 @@ +name: Build 13 + +on: + workflow_dispatch: + push: + branches: + - development + paths: + - '.github/workflows/build-13.yml' + - '13/**' + schedule: + # Build the image daily + - cron: '15 0 * * *' + +env: + REGISTRY: git.conorz.at + IMAGE_NAME: titanz-containers/postgres + TAG: 13 + +jobs: + build: + name: Build & push new image + permissions: + contents: read + packages: write + timeout-minutes: 10 + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + # Add support for more platforms with QEMU + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to registry + if: github.event_name != 'pull_request' + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.repository_owner }} + password: ${{ secrets.ACTIONS_TOKEN }} + + - name: Set Docker metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + ${{ env.TAG }} + + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@v6 + with: + context: ${{ env.TAG }} + platforms: linux/amd64,linux/arm64 + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + +# trivy: +# name: Scan current image with Trivy +# needs: build +# permissions: +# security-events: write +# timeout-minutes: 10 +# runs-on: ubuntu-24.04 +# steps: +# - name: Run Trivy vulnerability scanner +# uses: aquasecurity/trivy-action@master +# with: +# image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }} +# format: template +# template: '@/contrib/sarif.tpl' +# output: trivy-results.sarif +# severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL +# vuln-type: os,library + +# - name: Upload Trivy scan results to GitHub Security tab +# uses: github/codeql-action/upload-sarif@v3 +# with: +# sarif_file: trivy-results.sarif +# category: trivy-${{ env.TAG }} + +# grype: +# name: Scan current image with Grype +# needs: build +# permissions: +# security-events: write +# timeout-minutes: 10 +# runs-on: ubuntu-24.04 +# steps: +# - name: Run Grype vulnerability scanner +# uses: anchore/scan-action@v6 +# id: grype +# with: +# image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }} +# fail-build: false + +# - name: Upload Grype scan results to GitHub Security tab +# uses: github/codeql-action/upload-sarif@v3 +# with: +# sarif_file: ${{ steps.grype.outputs.sarif }} +# category: grype-${{ env.TAG }} diff --git a/.gitea/workflows/build-14.yml b/.gitea/workflows/build-14.yml new file mode 100644 index 0000000..bd61820 --- /dev/null +++ b/.gitea/workflows/build-14.yml @@ -0,0 +1,109 @@ +name: Build 14 + +on: + workflow_dispatch: + push: + branches: + - development + paths: + - '.github/workflows/build-14.yml' + - '14/**' + schedule: + # Build the image daily + - cron: '15 0 * * *' + +env: + REGISTRY: git.conorz.at + IMAGE_NAME: titanz-containers/postgres + TAG: 14 + +jobs: + build: + name: Build & push new image + permissions: + contents: read + packages: write + timeout-minutes: 10 + runs-on: ubuntu-24.04 + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + # Add support for more platforms with QEMU + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to registry + if: github.event_name != 'pull_request' + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.repository_owner }} + password: ${{ secrets.ACTIONS_TOKEN }} + + - name: Set Docker metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + ${{ env.TAG }} + + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@v6 + with: + context: ${{ env.TAG }} + platforms: linux/amd64,linux/arm64 + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + +# trivy: +# name: Scan current image with Trivy +# needs: build +# permissions: +# security-events: write +# timeout-minutes: 10 +# runs-on: ubuntu-24.04 +# steps: +# - name: Run Trivy vulnerability scanner +# uses: aquasecurity/trivy-action@master +# with: +# image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }} +# format: template +# template: '@/contrib/sarif.tpl' +# output: trivy-results.sarif +# severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL +# vuln-type: os,library + +# - name: Upload Trivy scan results to GitHub Security tab +# uses: github/codeql-action/upload-sarif@v3 +# with: +# sarif_file: trivy-results.sarif +# category: trivy-${{ env.TAG }} + +# grype: +# name: Scan current image with Grype +# needs: build +# permissions: +# security-events: write +# timeout-minutes: 10 +# runs-on: ubuntu-24.04 +# steps: +# - name: Run Grype vulnerability scanner +# uses: anchore/scan-action@v6 +# id: grype +# with: +# image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }} +# fail-build: false + +# - name: Upload Grype scan results to GitHub Security tab +# uses: github/codeql-action/upload-sarif@v3 +# with: +# sarif_file: ${{ steps.grype.outputs.sarif }} +# category: grype-${{ env.TAG }} diff --git a/.gitea/workflows/build-15.yml b/.gitea/workflows/build-15.yml new file mode 100644 index 0000000..177e4ba --- /dev/null +++ b/.gitea/workflows/build-15.yml @@ -0,0 +1,109 @@ +name: Build 15 + +on: + workflow_dispatch: + push: + branches: + - development + paths: + - '.github/workflows/build-15.yml' + - '15/**' + schedule: + # Build the image daily + - cron: '15 0 * * *' + +env: + REGISTRY: git.conorz.at + IMAGE_NAME: titanz-containers/postgres + TAG: 15 + +jobs: + build: + name: Build & push new image + permissions: + contents: read + packages: write + timeout-minutes: 10 + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + # Add support for more platforms with QEMU + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to registry + if: github.event_name != 'pull_request' + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.repository_owner }} + password: ${{ secrets.ACTIONS_TOKEN }} + + - name: Set Docker metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + ${{ env.TAG }} + + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@v6 + with: + context: ${{ env.TAG }} + platforms: linux/amd64,linux/arm64 + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + +# trivy: +# name: Scan current image with Trivy +# needs: build +# permissions: +# security-events: write +# timeout-minutes: 10 +# runs-on: ubuntu-24.04 +# steps: +# - name: Run Trivy vulnerability scanner +# uses: aquasecurity/trivy-action@master +# with: +# image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }} +# format: template +# template: '@/contrib/sarif.tpl' +# output: trivy-results.sarif +# severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL +# vuln-type: os,library + +# - name: Upload Trivy scan results to GitHub Security tab +# uses: github/codeql-action/upload-sarif@v3 +# with: +# sarif_file: trivy-results.sarif +# category: trivy-${{ env.TAG }} + +# grype: +# name: Scan current image with Grype +# needs: build +# permissions: +# security-events: write +# timeout-minutes: 10 +# runs-on: ubuntu-24.04 +# steps: +# - name: Run Grype vulnerability scanner +# uses: anchore/scan-action@v6 +# id: grype +# with: +# image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }} +# fail-build: false + +# - name: Upload Grype scan results to GitHub Security tab +# uses: github/codeql-action/upload-sarif@v3 +# with: +# sarif_file: ${{ steps.grype.outputs.sarif }} +# category: grype-${{ env.TAG }} diff --git a/.gitea/workflows/build-16.yml b/.gitea/workflows/build-16.yml new file mode 100644 index 0000000..5542913 --- /dev/null +++ b/.gitea/workflows/build-16.yml @@ -0,0 +1,109 @@ +name: Build 16 + +on: + workflow_dispatch: + push: + branches: + - development + paths: + - '.github/workflows/build-16.yml' + - '16/**' + schedule: + # Build the image daily + - cron: '15 0 * * *' + +env: + REGISTRY: git.conorz.at + IMAGE_NAME: titanz-containers/postgres + TAG: 16 + +jobs: + build: + name: Build & push new image + permissions: + contents: read + packages: write + timeout-minutes: 10 + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + # Add support for more platforms with QEMU + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to registry + if: github.event_name != 'pull_request' + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.repository_owner }} + password: ${{ secrets.ACTIONS_TOKEN }} + + - name: Set Docker metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + ${{ env.TAG }} + + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@v6 + with: + context: ${{ env.TAG }} + platforms: linux/amd64,linux/arm64 + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + +# trivy: +# name: Scan current image with Trivy +# needs: build +# permissions: +# security-events: write +# timeout-minutes: 10 +# runs-on: ubuntu-24.04 +# steps: +# - name: Run Trivy vulnerability scanner +# uses: aquasecurity/trivy-action@master +# with: +# image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }} +# format: template +# template: '@/contrib/sarif.tpl' +# output: trivy-results.sarif +# severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL +# vuln-type: os,library + +# - name: Upload Trivy scan results to GitHub Security tab +# uses: github/codeql-action/upload-sarif@v3 +# with: +# sarif_file: trivy-results.sarif +# category: trivy-${{ env.TAG }} + +# grype: +# name: Scan current image with Grype +# needs: build +# permissions: +# security-events: write +# timeout-minutes: 10 +# runs-on: ubuntu-24.04 +# steps: +# - name: Run Grype vulnerability scanner +# uses: anchore/scan-action@v6 +# id: grype +# with: +# image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }} +# fail-build: false + +# - name: Upload Grype scan results to GitHub Security tab +# uses: github/codeql-action/upload-sarif@v3 +# with: +# sarif_file: ${{ steps.grype.outputs.sarif }} +# category: grype-${{ env.TAG }} diff --git a/.gitea/workflows/build-17.yml b/.gitea/workflows/build-17.yml new file mode 100644 index 0000000..c460fe6 --- /dev/null +++ b/.gitea/workflows/build-17.yml @@ -0,0 +1,110 @@ +name: Build 17 + +on: + workflow_dispatch: + push: + branches: + - development + paths: + - '.github/workflows/build-17.yml' + - '17/**' + schedule: + # Build the image daily + - cron: '15 0 * * *' + +env: + REGISTRY: git.conorz.at + IMAGE_NAME: titanz-containers/postgres + TAG: 17 + +jobs: + build: + name: Build & push new image + permissions: + contents: read + packages: write + timeout-minutes: 10 + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + # Add support for more platforms with QEMU + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to registry + if: github.event_name != 'pull_request' + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ github.repository_owner }} + password: ${{ secrets.ACTIONS_TOKEN }} + + - name: Set Docker metadata + id: meta + uses: docker/metadata-action@v5 + with: + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + ${{ env.TAG }} + latest + + - name: Build and push Docker image + id: build-and-push + uses: docker/build-push-action@v6 + with: + context: ${{ env.TAG }} + platforms: linux/amd64,linux/arm64 + push: ${{ github.event_name != 'pull_request' }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + +# trivy: +# name: Scan current image with Trivy +# needs: build +# permissions: +# security-events: write +# timeout-minutes: 10 +# runs-on: ubuntu-24.04 +# steps: +# - name: Run Trivy vulnerability scanner +# uses: aquasecurity/trivy-action@master +# with: +# image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }} +# format: template +# template: '@/contrib/sarif.tpl' +# output: trivy-results.sarif +# severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL +# vuln-type: os,library + +# - name: Upload Trivy scan results to GitHub Security tab +# uses: github/codeql-action/upload-sarif@v3 +# with: +# sarif_file: trivy-results.sarif +# category: trivy-${{ env.TAG }} + +# grype: +# name: Scan current image with Grype +# needs: build +# permissions: +# security-events: write +# timeout-minutes: 10 +# runs-on: ubuntu-24.04 +# steps: +# - name: Run Grype vulnerability scanner +# uses: anchore/scan-action@v6 +# id: grype +# with: +# image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }} +# fail-build: false + +# - name: Upload Grype scan results to GitHub Security tab +# uses: github/codeql-action/upload-sarif@v3 +# with: +# sarif_file: ${{ steps.grype.outputs.sarif }} +# category: grype-${{ env.TAG }} diff --git a/13/Dockerfile b/13/Dockerfile new file mode 100644 index 0000000..843f8ab --- /dev/null +++ b/13/Dockerfile @@ -0,0 +1,26 @@ +ARG VERSION=13 +ARG UID=200012 +ARG GID=200012 + +FROM postgres:${VERSION}-alpine +ARG UID +ARG GID + +LABEL maintainer="Lukas Raub titanz@pm.me" + +RUN apk -U upgrade \ + && apk add libstdc++ shadow \ + && rm /usr/local/bin/gosu /usr/local/bin/su-exec + +RUN --network=none \ + usermod -u ${UID} postgres \ + && groupmod -g ${GID} postgres \ + && find / -user 70 -exec chown -h postgres {} \; \ + && find / -group 70 -exec chgrp -h postgres {} \; \ + && apk del shadow \ + && rm -rf /var/cache/apk/* + +COPY --from=git.conorz.at/titanz-containers/hardened_malloc:latest /install /usr/local/lib/ +ENV LD_PRELOAD="/usr/local/lib/libhardened_malloc.so" + +USER postgres diff --git a/14/Dockerfile b/14/Dockerfile new file mode 100644 index 0000000..1dc4268 --- /dev/null +++ b/14/Dockerfile @@ -0,0 +1,26 @@ +ARG VERSION=14 +ARG UID=200012 +ARG GID=200012 + +FROM postgres:${VERSION}-alpine +ARG UID +ARG GID + +LABEL maintainer="Lukas Raub titanz@pm.me" + +RUN apk -U upgrade \ + && apk add libstdc++ shadow \ + && rm /usr/local/bin/gosu /usr/local/bin/su-exec + +RUN --network=none \ + usermod -u ${UID} postgres \ + && groupmod -g ${GID} postgres \ + && find / -user 70 -exec chown -h postgres {} \; \ + && find / -group 70 -exec chgrp -h postgres {} \; \ + && apk del shadow \ + && rm -rf /var/cache/apk/* + +COPY --from=git.conorz.at/titanz-containers/hardened_malloc:latest /install /usr/local/lib/ +ENV LD_PRELOAD="/usr/local/lib/libhardened_malloc.so" + +USER postgres diff --git a/15/Dockerfile b/15/Dockerfile new file mode 100644 index 0000000..a397a02 --- /dev/null +++ b/15/Dockerfile @@ -0,0 +1,26 @@ +ARG VERSION=15 +ARG UID=200012 +ARG GID=200012 + +FROM postgres:${VERSION}-alpine +ARG UID +ARG GID + +LABEL maintainer="Lukas Raub titanz@pm.me" + +RUN apk -U upgrade \ + && apk add libstdc++ shadow \ + && rm /usr/local/bin/gosu /usr/local/bin/su-exec + +RUN --network=none \ + usermod -u ${UID} postgres \ + && groupmod -g ${GID} postgres \ + && find / -user 70 -exec chown -h postgres {} \; \ + && find / -group 70 -exec chgrp -h postgres {} \; \ + && apk del shadow \ + && rm -rf /var/cache/apk/* + +COPY --from=git.conorz.at/titanz-containers/hardened_malloc:latest /install /usr/local/lib/ +ENV LD_PRELOAD="/usr/local/lib/libhardened_malloc.so" + +USER postgres diff --git a/16/Dockerfile b/16/Dockerfile new file mode 100644 index 0000000..96e9857 --- /dev/null +++ b/16/Dockerfile @@ -0,0 +1,26 @@ +ARG VERSION=16 +ARG UID=200012 +ARG GID=200012 + +FROM postgres:${VERSION}-alpine +ARG UID +ARG GID + +LABEL maintainer="Lukas Raub titanz@pm.me" + +RUN apk -U upgrade \ + && apk add libstdc++ shadow \ + && rm /usr/local/bin/gosu /usr/local/bin/su-exec + +RUN --network=none \ + usermod -u ${UID} postgres \ + && groupmod -g ${GID} postgres \ + && find / -user 70 -exec chown -h postgres {} \; \ + && find / -group 70 -exec chgrp -h postgres {} \; \ + && apk del shadow \ + && rm -rf /var/cache/apk/* + +COPY --from=git.conorz.at/titanz-containers/hardened_malloc:latest /install /usr/local/lib/ +ENV LD_PRELOAD="/usr/local/lib/libhardened_malloc.so" + +USER postgres diff --git a/17/Dockerfile b/17/Dockerfile new file mode 100644 index 0000000..9e9babd --- /dev/null +++ b/17/Dockerfile @@ -0,0 +1,26 @@ +ARG VERSION=17 +ARG UID=200012 +ARG GID=200012 + +FROM postgres:${VERSION}-alpine +ARG UID +ARG GID + +LABEL maintainer="Lukas Raub titanz@pm.me" + +RUN apk -U upgrade \ + && apk add libstdc++ shadow \ + && rm /usr/local/bin/gosu + +RUN --network=none \ + usermod -u ${UID} postgres \ + && groupmod -g ${GID} postgres \ + && find / -user 70 -exec chown -h postgres {} \; \ + && find / -group 70 -exec chgrp -h postgres {} \; \ + && apk del shadow \ + && rm -rf /var/cache/apk/* + +COPY --from=git.conorz.at/titanz-containers/hardened_malloc:latest /install /usr/local/lib/ +ENV LD_PRELOAD="/usr/local/lib/libhardened_malloc.so" + +USER postgres diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..261eeb9 --- /dev/null +++ b/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.md b/README.md new file mode 100644 index 0000000..c8fdfe8 --- /dev/null +++ b/README.md @@ -0,0 +1,43 @@ +# Postgres + +![Build, scan & push](https://git.conorz.at/titanz-containers/postgres/actions/workflows/build-17.yml/badge.svg) +![Build, scan & push](https://git.conorz.at/titanz-containers/postgres/actions/workflows/build-16.yml/badge.svg) +![Build, scan & push](https://git.conorz.at/titanz-containers/postgres/actions/workflows/build-15.yml/badge.svg) +![Build, scan & push](https://git.conorz.at/titanz-containers/postgres/actions/workflows/build-14.yml/badge.svg) +![Build, scan & push](https://git.conorz.at/titanz-containers/postgres/actions/workflows/build-13.yml/badge.svg) + +### Features & usage +- Built on the [Docker Community's Alpine-based image](https://github.com/docker-library/postgres), to be used as a drop-in replacement. +- Unprivileged image: you should check your volumes' permissions (eg `/var/lib/postgresql/data`), default UID/GID is 70. +- Removes unnecessary gosu SUID binary. + +### Sample Docker Compose config + +``` + postgres: + container_name: postgres + image: git.conorz.at/titanz-containers/postgres:17 + restart: unless-stopped + volumes: + - ./postgres:/var/lib/postgresql/data:Z + environment: + - POSTGRES_USER=${POSTGRES_USER} + - POSTGRES_PASSWORD=${POSTGRES_PASSWORD} + healthcheck: + test: ["CMD", "pg_isready", "-U", "postgres_user"] + interval: 15s + timeout: 5s + user: "200012:200012" + read_only: true + tmpfs: + - /var/run/postgresql:size=50M,mode=0770,uid=200012,gid=200012,noexec,nosuid,nodev + security_opt: + - "no-new-privileges=true" + cap_drop: + - ALL +``` + +### Licensing +- The code in this repository is licensed under the Apache license. 😇 +- The image is built on `docker.io/postgres`, which is under the MIT license. Copyright to the base image belongs to Docker PostgreSQL Authors. +- Any image built by titanz containers is provided under the combination of license terms resulting from the use of individual packages.