From 4ce53d30d05f9df9e2afb05632f6fb25191b2d24 Mon Sep 17 00:00:00 2001 From: daynewlee Date: Tue, 26 Aug 2025 10:36:16 -0500 Subject: [PATCH 1/7] test --- image/db/rhel/Dockerfile | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/image/db/rhel/Dockerfile b/image/db/rhel/Dockerfile index 6e6439705..8908d8336 100644 --- a/image/db/rhel/Dockerfile +++ b/image/db/rhel/Dockerfile @@ -61,20 +61,23 @@ RUN microdnf upgrade -y --nobest && \ if [[ $(awk -F'=' '/VERSION_ID/{ gsub(/"/,""); print substr($2,1,1)}' /etc/os-release) -gt 8 ]]; then \ microdnf install -y uuid; \ fi && \ - rpm -i /tmp/postgres-libs.rpm /tmp/postgres-server.rpm /tmp/postgres.rpm /tmp/postgres-contrib.rpm && \ - # The removal of /usr/share/zoneinfo from UBI minimal images is intentional. - # After building the image, the image is reduced in size as much as possible, - # and the /usr/share/zoneinfo directory is purged as it saves space - # in the final distribution of the image. - # https://access.redhat.com/solutions/5616681 + # Side-load EL9 (OpenSSL 3.0) RPMs in dependency-safe order + rpm -i /tmp/postgresql16-libs-*.el9.*.rpm \ + /tmp/postgresql16-*.el9.*.rpm \ + /tmp/postgresql16-server-*.el9.*.rpm \ + /tmp/postgresql16-contrib-*.el9.*.rpm && \ + # Timezone note unchanged microdnf reinstall -y tzdata && \ microdnf clean all && \ - # (Optional) Remove line below to keep package management utilities - rpm -e --nodeps $(rpm -qa shadow-utils curl '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \ - rm -rf /var/cache/dnf /var/cache/yum /tmp/postgres-libs.rpm /tmp/postgres-server.rpm /tmp/postgres.rpm /tmp/postgres-contrib.rpm && \ + rm -rf /var/cache/dnf /var/cache/yum \ + /tmp/postgresql16-libs-*.rpm \ + /tmp/postgresql16-*.rpm \ + /tmp/postgresql16-server-*.rpm \ + /tmp/postgresql16-contrib-*.rpm && \ localedef -f UTF-8 -i en_US en_US.UTF-8 && \ mkdir /docker-entrypoint-initdb.d + # This is equivalent to postgres:postgres. USER 70:70 
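Review bot: The new side of this hunk no longer runs `rpm -e --nodeps $(rpm -qa shadow-utils curl '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*')`, so curl, shadow-utils and the package-management tooling stay in the final database image. The commit message ("test") does not explain the removal, so if it was only a debugging aid the line should come back before merge. The glob `/tmp/postgresql16-*.el9.*.rpm` also matches the `-libs-`, `-server-` and `-contrib-` files, so the same packages are named to `rpm -i` more than once, and the "dependency-safe order" comment promises an ordering the argument list does not control. The replacement comment `# Timezone note unchanged` drops the explanation and the Red Hat link for why tzdata is reinstalled; keep the original comment text. The RUN instruction starts before this hunk.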
From 2a625e2f2a9b65b06a12b66f0f57231e85a09afb Mon Sep 17 00:00:00 2001 From: daynewlee Date: Tue, 26 Aug 2025 11:18:52 -0500 Subject: [PATCH 2/7] another test --- image/db/rhel/Dockerfile | 39 ++++++++++++++++++++++++++------------- 1 file changed, 26 insertions(+), 13 deletions(-) diff --git a/image/db/rhel/Dockerfile b/image/db/rhel/Dockerfile index 8908d8336..02fda9825 100644 --- a/image/db/rhel/Dockerfile +++ b/image/db/rhel/Dockerfile @@ -41,6 +41,9 @@ COPY scripts/docker-entrypoint.sh /usr/local/bin/ COPY --from=extracted_bundle /bundle/etc/postgresql.conf /bundle/etc/pg_hba.conf /etc/ COPY --from=postgres_rpms /rpms/postgres.rpm /rpms/postgres-libs.rpm /rpms/postgres-server.rpm /rpms/postgres-contrib.rpm /tmp/ +# set once; bump to 17 later without touching the logic +ARG PG_MAJOR=16 + RUN microdnf upgrade -y --nobest && \ microdnf install -y shadow-utils && \ groupadd -g 70 postgres && \ 
@@ -56,27 +59,37 @@ RUN microdnf upgrade -y --nobest && \ perl-libs \ python3 \ systemd-sysv \ - zstd \ - && \ + zstd && \ if [[ $(awk -F'=' '/VERSION_ID/{ gsub(/"/,""); print substr($2,1,1)}' /etc/os-release) -gt 8 ]]; then \ microdnf install -y uuid; \ fi && \ - # Side-load EL9 (OpenSSL 3.0) RPMs in dependency-safe order - rpm -i /tmp/postgresql16-libs-*.el9.*.rpm \ - /tmp/postgresql16-*.el9.*.rpm \ - /tmp/postgresql16-server-*.el9.*.rpm \ - /tmp/postgresql16-contrib-*.el9.*.rpm && \ + # detect OS major & arch, then install side-loaded RPMs + RHEL_MAJOR="$(. /etc/os-release; echo ${VERSION_ID%%.*})" && \ + ARCH="$(arch)" && \ + if ls /tmp/postgresql${PG_MAJOR}-libs-*.el${RHEL_MAJOR}.*.${ARCH}.rpm >/dev/null 2>&1; then \ + rpm -i \ + /tmp/postgresql${PG_MAJOR}-libs-*.el${RHEL_MAJOR}.*.${ARCH}.rpm \ + /tmp/postgresql${PG_MAJOR}-*.el${RHEL_MAJOR}.*.${ARCH}.rpm \ + /tmp/postgresql${PG_MAJOR}-server-*.el${RHEL_MAJOR}.*.${ARCH}.rpm \ + /tmp/postgresql${PG_MAJOR}-contrib-*.el${RHEL_MAJOR}.*.${ARCH}.rpm; \ + else \ + # fallback to your original filenames + rpm -i /tmp/postgres-libs.rpm \ + /tmp/postgres.rpm \ + /tmp/postgres-server.rpm \ + /tmp/postgres-contrib.rpm; \ + fi && \ # Timezone note unchanged microdnf reinstall -y tzdata && \ microdnf clean all && \ rm -rf /var/cache/dnf /var/cache/yum \ - /tmp/postgresql16-libs-*.rpm \ - /tmp/postgresql16-*.rpm \ - /tmp/postgresql16-server-*.rpm \ - /tmp/postgresql16-contrib-*.rpm && \ + /tmp/postgresql${PG_MAJOR}-libs-*.rpm \ + /tmp/postgresql${PG_MAJOR}-*.rpm \ + /tmp/postgresql${PG_MAJOR}-server-*.rpm \ + /tmp/postgresql${PG_MAJOR}-contrib-*.rpm \ + /tmp/postgres-*.rpm && \ localedef -f UTF-8 -i en_US en_US.UTF-8 && \ - mkdir /docker-entrypoint-initdb.d - + mkdir -p /docker-entrypoint-initdb.d # This is equivalent to postgres:postgres. USER 70:70 From e9a2e9e64e468efcd6a504af2c2386c0af7f606f Mon Sep 17 00:00:00 2001 
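Review bot: The `else` branch installs `/tmp/postgres-libs.rpm`, `/tmp/postgres.rpm`, `/tmp/postgres-server.rpm` and `/tmp/postgres-contrib.rpm` with no check at all. The `COPY --from=postgres_rpms` line visible in the previous hunk still writes exactly those fixed names to `/tmp/`, so as far as the visible lines show, the EL- and arch-qualified branch is never taken. If the versioned names are the intended contract, fail closed by replacing the fallback body with `echo "ERROR: no postgresql${PG_MAJOR} RPMs for el${RHEL_MAJOR}/${ARCH} in /tmp" >&2; exit 1;`. As in the first patch, `/tmp/postgresql${PG_MAJOR}-*.el${RHEL_MAJOR}.*.${ARCH}.rpm` also matches the libs, server and contrib files. The RUN instruction starts before this hunk.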
From: daynewlee Date: Tue, 26 Aug 2025 11:48:33 -0500 Subject: [PATCH 3/7] test --- image/db/rhel/Dockerfile | 48 ++++++++++++++++++---------------------- 1 file changed, 22 insertions(+), 26 deletions(-) diff --git a/image/db/rhel/Dockerfile b/image/db/rhel/Dockerfile index 02fda9825..c3e6e5d9c 100644 --- a/image/db/rhel/Dockerfile +++ b/image/db/rhel/Dockerfile @@ -41,14 +41,11 @@ COPY scripts/docker-entrypoint.sh /usr/local/bin/ COPY --from=extracted_bundle /bundle/etc/postgresql.conf /bundle/etc/pg_hba.conf /etc/ COPY --from=postgres_rpms /rpms/postgres.rpm /rpms/postgres-libs.rpm /rpms/postgres-server.rpm /rpms/postgres-contrib.rpm /tmp/ -# set once; bump to 17 later without touching the logic -ARG PG_MAJOR=16 - RUN microdnf upgrade -y --nobest && \ microdnf install -y shadow-utils && \ groupadd -g 70 postgres && \ adduser postgres -u 70 -g 70 -d /var/lib/postgresql -s /bin/sh && \ - rpm --import PGDG-RPM-GPG-KEY-RHEL && \ + rpm --import PGDG-RPM-GPG-KEY-RHEL || true && \ microdnf install -y \ ca-certificates \ glibc-langpack-en \ 
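Review bot: In `rpm --import PGDG-RPM-GPG-KEY-RHEL || true && \`, the shell gives `&&` and `||` equal precedence and evaluates them left to right, so the `|| true` covers the whole chain before it: a failed `microdnf upgrade`, `groupadd` or `adduser` is now ignored as well, not only a failed key import. If a missing key really has to be tolerated, scope it as `{ rpm --import PGDG-RPM-GPG-KEY-RHEL || true; } && \`. It is safer to leave the import fatal, because without the key the later `rpm -i` of the side-loaded packages has nothing to check their signatures against. The RUN instruction continues past this hunk.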
@@ -63,33 +60,32 @@ RUN microdnf upgrade -y --nobest && \ if [[ $(awk -F'=' '/VERSION_ID/{ gsub(/"/,""); print substr($2,1,1)}' /etc/os-release) -gt 8 ]]; then \ microdnf install -y uuid; \ fi && \ - # detect OS major & arch, then install side-loaded RPMs + \ + # ---- minimal guard: ensure the four RPMs match the base OS/arch and don't need OPENSSL_3.4 ---- RHEL_MAJOR="$(. /etc/os-release; echo ${VERSION_ID%%.*})" && \ ARCH="$(arch)" && \ - if ls /tmp/postgresql${PG_MAJOR}-libs-*.el${RHEL_MAJOR}.*.${ARCH}.rpm >/dev/null 2>&1; then \ - rpm -i \ - /tmp/postgresql${PG_MAJOR}-libs-*.el${RHEL_MAJOR}.*.${ARCH}.rpm \ - /tmp/postgresql${PG_MAJOR}-*.el${RHEL_MAJOR}.*.${ARCH}.rpm \ - /tmp/postgresql${PG_MAJOR}-server-*.el${RHEL_MAJOR}.*.${ARCH}.rpm \ - /tmp/postgresql${PG_MAJOR}-contrib-*.el${RHEL_MAJOR}.*.${ARCH}.rpm; \ - else \ - # fallback to your original filenames - rpm -i /tmp/postgres-libs.rpm \ - /tmp/postgres.rpm \ - /tmp/postgres-server.rpm \ - /tmp/postgres-contrib.rpm; \ - fi && \ - # Timezone note unchanged + for p in /tmp/postgres-libs.rpm /tmp/postgres-server.rpm /tmp/postgres.rpm /tmp/postgres-contrib.rpm; do \ + echo "Verifying $p"; \ + test -f "$p" || { echo "ERROR: missing $p"; exit 1; }; \ + rpm -qp --qf '%{NAME} %{VERSION} %{RELEASE} %{ARCH} %{DIST}\n' "$p"; \ + rpm -qp --qf '%{ARCH}\n' "$p" | grep -qx "$ARCH" || { echo "ERROR: $p arch mismatch (want $ARCH)"; exit 1; }; \ + rpm -qp --qf '%{DIST}\n' "$p" | grep -Eq "(\.el${RHEL_MAJOR}|rhel${RHEL_MAJOR})" || { echo "ERROR: $p not built for EL${RHEL_MAJOR}"; exit 1; }; \ + rpm -qpR "$p" | grep -q 'OPENSSL_3\.4' && { echo "ERROR: $p requires OPENSSL_3.4 (EL10/Fedora). Use EL${RHEL_MAJOR} build."; exit 1; }; \ + done && \ + # ----------------------------------------------------------------------------------------------- \ + \ + rpm -i /tmp/postgres-libs.rpm /tmp/postgres-server.rpm /tmp/postgres.rpm /tmp/postgres-contrib.rpm && \ + # The removal of /usr/share/zoneinfo from UBI minimal images is intentional. 
+ # After building the image, the image is reduced in size as much as possible, + # and the /usr/share/zoneinfo directory is purged as it saves space + # in the final distribution of the image. + # https://access.redhat.com/solutions/5616681 microdnf reinstall -y tzdata && \ microdnf clean all && \ - rm -rf /var/cache/dnf /var/cache/yum \ - /tmp/postgresql${PG_MAJOR}-libs-*.rpm \ - /tmp/postgresql${PG_MAJOR}-*.rpm \ - /tmp/postgresql${PG_MAJOR}-server-*.rpm \ - /tmp/postgresql${PG_MAJOR}-contrib-*.rpm \ - /tmp/postgres-*.rpm && \ + rpm -e --nodeps $(rpm -qa shadow-utils curl '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \ + rm -rf /var/cache/dnf /var/cache/yum /tmp/postgres-libs.rpm /tmp/postgres-server.rpm /tmp/postgres.rpm /tmp/postgres-contrib.rpm && \ localedef -f UTF-8 -i en_US en_US.UTF-8 && \ - mkdir -p /docker-entrypoint-initdb.d + mkdir /docker-entrypoint-initdb.d # This is equivalent to postgres:postgres. USER 70:70 From 06a8e9bacde0e5af3b8410a04d05b03fed355c81 Mon Sep 17 00:00:00 2001 From: daynewlee Date: Tue, 26 Aug 2025 12:49:20 -0500 Subject: [PATCH 4/7] test --- image/db/rhel/Dockerfile | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/image/db/rhel/Dockerfile b/image/db/rhel/Dockerfile index c3e6e5d9c..27ce9cb34 100644 --- a/image/db/rhel/Dockerfile +++ b/image/db/rhel/Dockerfile 
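Review bot: The last command in the loop body, `rpm -qpR "$p" | grep -q 'OPENSSL_3\.4' && { ...; exit 1; };`, returns non-zero exactly when the package is acceptable, because grep finds nothing. After the final iteration `done && \` therefore sees a failure, `rpm -i` is skipped, and the RUN step fails for a compatible package set. Write the test as `if rpm -qpR "$p" | grep -q 'OPENSSL_3\.4'; then echo "ERROR: $p requires OPENSSL_3.4" >&2; exit 1; fi; \` so that the loop's status reflects only real errors. The same line is carried unchanged as context in the `@@ -67,13 +67,11 @@` hunk of patch 4/7. The loop sits inside a RUN instruction that starts before this hunk.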
@@ -67,13 +67,11 @@ RUN microdnf upgrade -y --nobest && \ for p in /tmp/postgres-libs.rpm /tmp/postgres-server.rpm /tmp/postgres.rpm /tmp/postgres-contrib.rpm; do \ echo "Verifying $p"; \ test -f "$p" || { echo "ERROR: missing $p"; exit 1; }; \ - rpm -qp --qf '%{NAME} %{VERSION} %{RELEASE} %{ARCH} %{DIST}\n' "$p"; \ + rpm -qp --qf '%{NAME} %{VERSION} %{RELEASE} %{ARCH}\n' "$p"; \ rpm -qp --qf '%{ARCH}\n' "$p" | grep -qx "$ARCH" || { echo "ERROR: $p arch mismatch (want $ARCH)"; exit 1; }; \ - rpm -qp --qf '%{DIST}\n' "$p" | grep -Eq "(\.el${RHEL_MAJOR}|rhel${RHEL_MAJOR})" || { echo "ERROR: $p not built for EL${RHEL_MAJOR}"; exit 1; }; \ + rpm -qp --qf '%{RELEASE}\n' "$p" | grep -Eq "(\.el${RHEL_MAJOR}|rhel${RHEL_MAJOR})" || { echo "ERROR: $p not built for EL${RHEL_MAJOR}"; exit 1; }; \ rpm -qpR "$p" | grep -q 'OPENSSL_3\.4' && { echo "ERROR: $p requires OPENSSL_3.4 (EL10/Fedora). Use EL${RHEL_MAJOR} build."; exit 1; }; \ done && \ - # ----------------------------------------------------------------------------------------------- \ - \ rpm -i /tmp/postgres-libs.rpm /tmp/postgres-server.rpm /tmp/postgres.rpm /tmp/postgres-contrib.rpm && \ # The removal of /usr/share/zoneinfo from UBI minimal images is intentional. # After building the image, the image is reduced in size as much as possible, From 7e82be7f161f28751674468d7f5b2131c516cf07 Mon Sep 17 00:00:00 2001 From: daynewlee Date: Tue, 26 Aug 2025 13:30:35 -0500 Subject: [PATCH 5/7] test --- image/db/rhel/Dockerfile | 1 - 1 file changed, 1 deletion(-) diff --git a/image/db/rhel/Dockerfile b/image/db/rhel/Dockerfile index 27ce9cb34..d335132c6 100644 --- a/image/db/rhel/Dockerfile +++ b/image/db/rhel/Dockerfile @@ -45,7 +45,6 @@ RUN microdnf upgrade -y --nobest && \ microdnf install -y shadow-utils && \ groupadd -g 70 postgres && \ adduser postgres -u 70 -g 70 -d /var/lib/postgresql -s /bin/sh && \ - rpm --import PGDG-RPM-GPG-KEY-RHEL || true && \ microdnf install -y \ ca-certificates \ glibc-langpack-en \ 
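Review bot: In the first hunk on this line (`@@ -67,13 +67,11 @@`), the `%{RELEASE}` test builds an unanchored pattern from `RHEL_MAJOR`, which is set outside the hunk. If that variable is ever empty, the expression degrades to `(\.el|rhel)` and accepts a build for any EL release. Guard the variable before the loop with `: "${RHEL_MAJOR:?cannot determine EL major}"` and bound the match, for example `grep -Eq "(\.el|rhel)${RHEL_MAJOR}([._]|$)"`. The loop body begins and ends outside this hunk.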
From ba1c942acb2983aa5343e4844da0cdb71cf2dd21 Mon Sep 17 00:00:00 2001 From: daynewlee Date: Tue, 26 Aug 2025 14:16:13 -0500 Subject: [PATCH 6/7] test --- image/db/rhel/Dockerfile | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/image/db/rhel/Dockerfile b/image/db/rhel/Dockerfile index d335132c6..ecf4bbe56 100644 --- a/image/db/rhel/Dockerfile +++ b/image/db/rhel/Dockerfile @@ -45,6 +45,7 @@ RUN microdnf upgrade -y --nobest && \ microdnf install -y shadow-utils && \ groupadd -g 70 postgres && \ adduser postgres -u 70 -g 70 -d /var/lib/postgresql -s /bin/sh && \ + rpm --import PGDG-RPM-GPG-KEY-RHEL && \ microdnf install -y \ ca-certificates \ glibc-langpack-en \ 
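Review bot: `rpm --import PGDG-RPM-GPG-KEY-RHEL` names the key by a relative path, and none of the COPY lines visible on this page places such a file in the image. Whether it resolves therefore depends on the working directory and on lines outside the hunk; an absolute path to a key that the build copies in explicitly would make the trust anchor auditable. Importing a key does not by itself make the later `rpm -i /tmp/postgres-libs.rpm ...` refuse an unsigned package, since rpm typically only warns in that case. Add `rpm -K "$p"` to the precheck loop and fail the build unless its output reports a good signature, because an unsigned package can pass on digests alone. The RUN instruction continues past this hunk.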
@@ -59,24 +60,25 @@ RUN microdnf upgrade -y --nobest && \ if [[ $(awk -F'=' '/VERSION_ID/{ gsub(/"/,""); print substr($2,1,1)}' /etc/os-release) -gt 8 ]]; then \ microdnf install -y uuid; \ fi && \ - \ - # ---- minimal guard: ensure the four RPMs match the base OS/arch and don't need OPENSSL_3.4 ---- + # ---- tiny prechecks: verify /tmp RPMs match OS + don’t require OPENSSL_3.4 ---- RHEL_MAJOR="$(. /etc/os-release; echo ${VERSION_ID%%.*})" && \ ARCH="$(arch)" && \ - for p in /tmp/postgres-libs.rpm /tmp/postgres-server.rpm /tmp/postgres.rpm /tmp/postgres-contrib.rpm; do \ - echo "Verifying $p"; \ - test -f "$p" || { echo "ERROR: missing $p"; exit 1; }; \ - rpm -qp --qf '%{NAME} %{VERSION} %{RELEASE} %{ARCH}\n' "$p"; \ - rpm -qp --qf '%{ARCH}\n' "$p" | grep -qx "$ARCH" || { echo "ERROR: $p arch mismatch (want $ARCH)"; exit 1; }; \ - rpm -qp --qf '%{RELEASE}\n' "$p" | grep -Eq "(\.el${RHEL_MAJOR}|rhel${RHEL_MAJOR})" || { echo "ERROR: $p not built for EL${RHEL_MAJOR}"; exit 1; }; \ - rpm -qpR "$p" | grep -q 'OPENSSL_3\.4' && { echo "ERROR: $p requires OPENSSL_3.4 (EL10/Fedora). Use EL${RHEL_MAJOR} build."; exit 1; }; \ + for p in /tmp/postgres-libs.rpm /tmp/postgres.rpm /tmp/postgres-server.rpm /tmp/postgres-contrib.rpm; do \ + test -e "$p" || { echo "ERROR: Missing $p"; exit 1; }; \ + # dist tag must be .el${RHEL_MAJOR} (or rhel${RHEL_MAJOR}); arch must match + if ! rpm -qp --qf '%{DIST}\n' "$p" | grep -Eq '(\.el'"${RHEL_MAJOR}"'|rhel'"${RHEL_MAJOR}"')'; then \ + echo "ERROR: $p is not an EL${RHEL_MAJOR} build."; exit 1; \ + fi; \ + if ! 
rpm -qp --qf '%{ARCH}\n' "$p" | grep -qx "${ARCH}"; then \ + echo "ERROR: $p arch does not match ${ARCH}."; exit 1; \ + fi; \ + # must NOT require OPENSSL_3.4 on EL8/EL9 + if [ "${RHEL_MAJOR}" -lt 10 ] && rpm -qpR "$p" | grep -q 'OPENSSL_3\.4'; then \ + echo "ERROR: $p requires OPENSSL_3.4, incompatible with EL${RHEL_MAJOR} (OpenSSL 3.0)."; exit 1; \ + fi; \ done && \ + # ------------------------------------------------------------------------------- \ rpm -i /tmp/postgres-libs.rpm /tmp/postgres-server.rpm /tmp/postgres.rpm /tmp/postgres-contrib.rpm && \ - # The removal of /usr/share/zoneinfo from UBI minimal images is intentional. - # After building the image, the image is reduced in size as much as possible, - # and the /usr/share/zoneinfo directory is purged as it saves space - # in the final distribution of the image. - # https://access.redhat.com/solutions/5616681 microdnf reinstall -y tzdata && \ microdnf clean all && \ rpm -e --nodeps $(rpm -qa shadow-utils curl '*rpm*' '*dnf*' '*libsolv*' '*hawkey*' 'yum*') && \ @@ -84,6 +86,7 @@ RUN microdnf upgrade -y --nobest && \ localedef -f UTF-8 -i en_US en_US.UTF-8 && \ mkdir /docker-entrypoint-initdb.d + # This is equivalent to postgres:postgres. USER 70:70 From d3cf65e3168f1417b844cbcc212a8cf06326388d Mon Sep 17 00:00:00 2001 From: daynewlee Date: Tue, 26 Aug 2025 15:00:15 -0500 Subject: [PATCH 7/7] test --- image/db/rhel/Dockerfile | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/image/db/rhel/Dockerfile b/image/db/rhel/Dockerfile index ecf4bbe56..b5a1b7c01 100644 --- a/image/db/rhel/Dockerfile +++ b/image/db/rhel/Dockerfile 
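Review bot: The new guard `if [ "${RHEL_MAJOR}" -lt 10 ] && rpm -qpR "$p" | grep -q 'OPENSSL_3\.4'; then` fails open: when `RHEL_MAJOR` is empty or not a number, `[` reports an error, the condition is false, and the OpenSSL check is skipped without stopping the build. Validate the value once before the loop, for example `case "$RHEL_MAJOR" in ''|*[!0-9]*) echo "ERROR: cannot parse VERSION_ID" >&2; exit 1;; esac && \`. This hunk also returns to `%{DIST}` for the dist-tag test although patch 4/7 on this page had switched that query to `%{RELEASE}`, which suggests (not confirmed from here) that `%{DIST}` is not populated for these packages. It also deletes the comment and Red Hat link explaining why tzdata is reinstalled, which is worth keeping. The RUN instruction starts before this hunk.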
@@ -65,13 +65,9 @@ RUN microdnf upgrade -y --nobest && \ ARCH="$(arch)" && \ for p in /tmp/postgres-libs.rpm /tmp/postgres.rpm /tmp/postgres-server.rpm /tmp/postgres-contrib.rpm; do \ test -e "$p" || { echo "ERROR: Missing $p"; exit 1; }; \ - # dist tag must be .el${RHEL_MAJOR} (or rhel${RHEL_MAJOR}); arch must match - if ! rpm -qp --qf '%{DIST}\n' "$p" | grep -Eq '(\.el'"${RHEL_MAJOR}"'|rhel'"${RHEL_MAJOR}"')'; then \ + if ! rpm -qp --qf '%{RELEASE}\n' "$p" | grep -Eq '(\.el'"${RHEL_MAJOR}"'|rhel'"${RHEL_MAJOR}"')'; then \ echo "ERROR: $p is not an EL${RHEL_MAJOR} build."; exit 1; \ fi; \ - if ! rpm -qp --qf '%{ARCH}\n' "$p" | grep -qx "${ARCH}"; then \ - echo "ERROR: $p arch does not match ${ARCH}."; exit 1; \ - fi; \ # must NOT require OPENSSL_3.4 on EL8/EL9 if [ "${RHEL_MAJOR}" -lt 10 ] && rpm -qpR "$p" | grep -q 'OPENSSL_3\.4'; then \ echo "ERROR: $p requires OPENSSL_3.4, incompatible with EL${RHEL_MAJOR} (OpenSSL 3.0)."; exit 1; \
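Review bot: With the `%{ARCH}` comparison removed, `ARCH="$(arch)"` (the first context line of this hunk) is assigned but no longer used anywhere in the visible loop. The precheck also stops reporting an architecture mismatch itself and leaves that to whatever `rpm -i` does later. Either drop the assignment or keep the check in a form that tolerates noarch packages, `if ! rpm -qp --qf '%{ARCH}\n' "$p" | grep -Eqx "${ARCH}|noarch"; then echo "ERROR: $p arch does not match ${ARCH}." >&2; exit 1; fi; \`. The commit message ("test") gives no reason for the removal, so a one-line comment such as `# arch is enforced by rpm -i; precheck covers dist tag and OpenSSL only` would record the intent if that is the reasoning. The loop and the RUN instruction continue outside this hunk.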