Updated for pg_stat extension and 18-trixie

djthorpe · djthorpe · commit 92a7c20f9d52 · 2025-12-15T20:50:21.000+01:00
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
@@ -1,21 +1,21 @@
 name: Build Containers
 on:
   release:
-    types: [ created, edited ]
+    types: [created, edited]
   workflow_dispatch:
     inputs:
       tag:
-        description: 'tag'
+        description: "tag"
         required: true
-        default: 'latest'
+        default: "latest"
         type: string
 jobs:
   build:
     name: Build
     strategy:
       matrix:
-        arch: [ amd64, arm64 ]
-        version: [ 17-bookworm ]
+        arch: [amd64, arm64]
+        version: [17-bookworm, 18-trixie]
     runs-on:
       - ${{ matrix.arch == 'amd64' && 'ubuntu-latest' || matrix.arch }}
     env:
@@ -28,7 +28,7 @@ jobs:
         run: |
           sudo apt -y update
           sudo apt -y install build-essential git
-          git config --global advice.detachedHead false    
+          git config --global advice.detachedHead false
       - name: Checkout
         uses: actions/checkout@v4
         with:
@@ -40,15 +40,15 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build and Push
-        id: build      
+        id: build
         run: |
           make docker && make docker-push
   manifest:
     name: Manifest
     needs: build
     strategy:
       matrix:
-        version: [ 17-bookworm ]
+        version: [17-bookworm, 18-trixie]
     runs-on: ubuntu-latest
     steps:
       - name: Login
diff --git a/Dockerfile b/Dockerfile
@@ -4,22 +4,24 @@ ARG VERSION=17-bookworm
 FROM postgres:${VERSION}
 ARG VERSION
 LABEL org.opencontainers.image.description="PostgreSQL image with primary/replica support" \
-      org.opencontainers.image.version="$VERSION"
+  org.opencontainers.image.version="$VERSION"
 
 # Install packages postgis and pgvector
 ENV POSTGIS_MAJOR=3
 RUN apt-get update && apt-get upgrade -y && apt-get install -y \
-    ca-certificates \
-    postgresql-$PG_MAJOR-postgis-$POSTGIS_MAJOR \
-    postgresql-$PG_MAJOR-postgis-$POSTGIS_MAJOR-scripts \
-    postgresql-$PG_MAJOR-pgvector \
+  ca-certificates \
+  postgresql-$PG_MAJOR-postgis-$POSTGIS_MAJOR \
+  postgresql-$PG_MAJOR-postgis-$POSTGIS_MAJOR-scripts \
+  postgresql-$PG_MAJOR-pgvector \
   && rm -rf /var/lib/apt/lists/*    
 
 # Copy scripts
 RUN mkdir -p /docker-entrypoint-initdb.d
 COPY --chmod=755 ./scripts/10_primary.sh /docker-entrypoint-initdb.d
 COPY --chmod=755 ./scripts/20_replica.sh /docker-entrypoint-initdb.d
+COPY --chmod=755 ./scripts/30_ssl.sh /docker-entrypoint-initdb.d
+COPY --chmod=755 ./scripts/40_databases.sh /docker-entrypoint-initdb.d
 
 # Set the environment
-ENV POSTGRES_REPLICATION_USER=replication \
-    POSTGRES_REPLICATION_SLOT=replica1
+ENV POSTGRES_REPLICATION_USER=replicator \
+  POSTGRES_REPLICATION_SLOT=replica1
diff --git a/README.md b/README.md
@@ -18,20 +18,21 @@ docker command line:
   to connect to the primary, in the form `host=<hostname> port=5432`. When not set,
   the instance role is a primary.
 * `POSTGRES_REPLICATION_PASSWORD`: **Required**: The password for the `POSTGRES_REPLICATION_USER`.
-* `POSTGRES_REPLICATION_USER`: **Default is `replicator`**: The user that the primary will use to connect
-  to the replica.  
-* `POSTGRES_REPLICATION_SLOT`: **Default is `replica1`** The replication slot for each replica.
+* `POSTGRES_REPLICATION_USER`: **Default is `replicator`**: The user that the replica will use to connect to the primary.
+* `POSTGRES_REPLICATION_SLOT`: **Default is `replica1`**: The replication slot for each replica.
   On the primary, this is a comma-separated list of replication slots. On a replica, this is the name
-  of the replication slot used for syncronization.
+  of the replication slot used for synchronization.
 * `POSTGRES_DATABASES`: **Optional**: A comma-separated list of databases (and associated owner role,
   which has the same name as the database), in addition to the main database.
 * `POSTGRES_PASSWORD_<role>`: **Optional**: For any database which is created, you can enable
   login and set the password for the database owner role by setting this environment variable. Without
   this environment variable, the role will not be able to login.
 * `POSTGRES_SSL_CERT`: **Optional**: The SSL certificate file location for the server, within the container.
+  Requires `POSTGRES_SSL_KEY` to also be set.
 * `POSTGRES_SSL_KEY`: **Optional**: The SSL private key file location for the server, within the container.
-* `POSTGRES_SSL_CA`: **Optional**: The SSL authority certificate file location for the server, within the 
-  container.
+  Requires `POSTGRES_SSL_CERT` to also be set.
+* `POSTGRES_SSL_CA`: **Optional**: The SSL CA certificate file location for client certificate verification.
+  Only used when `POSTGRES_SSL_CERT` and `POSTGRES_SSL_KEY` are set.
 
 ## Running a Primary server
 
@@ -79,12 +80,17 @@ the replica.
 
 ## Extensions
 
-The docker images also contain [PostGIS](https://postgis.net/) and
-[pgvector](https://github.com/pgvector/pgvector) extensions.
+The docker images include the following extensions:
+
+* [pg_stat_statements](https://www.postgresql.org/docs/current/pgstatstatements.html) - Pre-loaded for query
+  performance monitoring. Create the extension with `CREATE EXTENSION pg_stat_statements;` to start collecting
+  statistics.
+* [PostGIS](https://postgis.net/) - Spatial database extender.
+* [pgvector](https://github.com/pgvector/pgvector) - Vector similarity search.
 
 ## Bugs, feature requests and contributions
 
-You can raise issues and feature requests using 
+You can raise issues and feature requests using
 the [GitHub issue tracker](https://github.com/mutablelogic/docker-postgres/issues)
 or send pull requests. The image is built from
 the [Official Docker image](https://hub.docker.com/_/postgres).
diff --git a/scripts/10_primary.sh b/scripts/10_primary.sh
@@ -9,33 +9,54 @@ if [ ! -z "${POSTGRES_REPLICATION_PRIMARY}" ]; then
     exit 0
 fi
 
-# If there is no replication password, then quit
+# Validate required environment variables
 if [ -z "${POSTGRES_REPLICATION_PASSWORD}" ]; then
     echo "POSTGRES_REPLICATION_PASSWORD needs to be set."
     exit 1
 fi
 
+if [ -z "${POSTGRES_REPLICATION_USER}" ]; then
+    echo "POSTGRES_REPLICATION_USER needs to be set."
+    exit 1
+fi
+
+if [ -z "${POSTGRES_REPLICATION_SLOT}" ]; then
+    echo "POSTGRES_REPLICATION_SLOT needs to be set."
+    exit 1
+fi
+
 # Make the data directory
 install -d "${PGDATA}" -o postgres -g postgres -m 700
 
-# Create the replication user
+# Create the replication user (idempotent)
 psql -v ON_ERROR_STOP=1 --username "${POSTGRES_USER}" --dbname "${POSTGRES_DB}" <<-EOSQL
-    CREATE USER ${POSTGRES_REPLICATION_USER} WITH REPLICATION ENCRYPTED PASSWORD '${POSTGRES_REPLICATION_PASSWORD}';
+    DO \$\$
+    BEGIN
+        IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${POSTGRES_REPLICATION_USER}') THEN
+            CREATE USER ${POSTGRES_REPLICATION_USER} WITH REPLICATION ENCRYPTED PASSWORD '${POSTGRES_REPLICATION_PASSWORD}';
+        END IF;
+    END
+    \$\$;
 EOSQL
 
-# Create the replication slots
+# Create the replication slots (idempotent)
 IFS=',' read -r -a array <<< "${POSTGRES_REPLICATION_SLOT}"
 for SLOT in "${array[@]}"; do
     psql -v ON_ERROR_STOP=1 --username "${POSTGRES_USER}" --dbname "${POSTGRES_DB}" <<-EOSQL
-        SELECT pg_create_physical_replication_slot('${SLOT}');
+        SELECT pg_create_physical_replication_slot('${SLOT}')
+        WHERE NOT EXISTS (SELECT 1 FROM pg_replication_slots WHERE slot_name = '${SLOT}');
 EOSQL
 done
 
 # Set configuration for replication
 CONF="${PGDATA}/postgresql.conf"
-sed -i -e"s/^#wal_level.*$/wal_level=replica/" ${CONF}
-sed -i -e"s/^#max_wal_senders.*$/max_wal_senders=10/" ${CONF}
-sed -i -e"s/^#max_replication_slots.*$/max_replication_slots=10/" ${CONF}
+sed -i -e"s/^#wal_level.*$/wal_level = replica/" ${CONF}
+sed -i -e"s/^#max_wal_senders.*$/max_wal_senders = 10/" ${CONF}
+sed -i -e"s/^#max_replication_slots.*$/max_replication_slots = 10/" ${CONF}
+
+# Enable pg_stat_statements extension
+sed -i -e"s/^#shared_preload_libraries.*$/shared_preload_libraries = 'pg_stat_statements'/" ${CONF}
+echo "pg_stat_statements.max = 1000" >> ${CONF}
 
 # Add a replication user to pg_hba.conf
 echo "host replication ${POSTGRES_REPLICATION_USER} all scram-sha-256" >> "${PGDATA}/pg_hba.conf"
diff --git a/scripts/20_replica.sh b/scripts/20_replica.sh
@@ -3,27 +3,41 @@
 # The primary instance should be running before starting the replica
 set -e
 
-# Script should only run on the primary node
+# Script should only run on a replica node
 if [ -z "${POSTGRES_REPLICATION_PRIMARY}" ]; then
     echo "Skipping replica initialisation on a primary."
     exit 0
 fi
 
-# If there is no replication password, then quit
+# Validate required environment variables
 if [ -z "${POSTGRES_REPLICATION_PASSWORD}" ]; then
     echo "POSTGRES_REPLICATION_PASSWORD needs to be set."
     exit 1
 fi
 
+if [ -z "${POSTGRES_REPLICATION_USER}" ]; then
+    echo "POSTGRES_REPLICATION_USER needs to be set."
+    exit 1
+fi
+
+if [ -z "${POSTGRES_REPLICATION_SLOT}" ]; then
+    echo "POSTGRES_REPLICATION_SLOT needs to be set."
+    exit 1
+fi
+
 # Make the data directory
 install -d "${PGDATA}" -o postgres -g postgres -m 700
 
-# Set password for replication user
-echo "*:*:*:${POSTGRES_REPLICATION_USER}:${POSTGRES_REPLICATION_PASSWORD}" >> /var/lib/postgresql/.pgpass
-chmod 600 /var/lib/postgresql/.pgpass
+# Set password for replication user (idempotent)
+PGPASS_FILE="/var/lib/postgresql/.pgpass"
+PGPASS_ENTRY="*:*:*:${POSTGRES_REPLICATION_USER}:${POSTGRES_REPLICATION_PASSWORD}"
+if [ ! -f "${PGPASS_FILE}" ] || ! grep -qF "${PGPASS_ENTRY}" "${PGPASS_FILE}"; then
+    echo "${PGPASS_ENTRY}" >> "${PGPASS_FILE}"
+    chmod 600 "${PGPASS_FILE}"
+fi
 
-# Stop the server
-pg_ctl -D "${PGDATA}" stop -m fast
+# Stop the server if running
+pg_ctl -D "${PGDATA}" stop -m fast 2>/dev/null || true
 
 # Perform the backup
 rm -fr ${PGDATA}/*
@@ -33,13 +47,12 @@ pg_basebackup -v --pgdata="${PGDATA}" \
   --dbname="${POSTGRES_REPLICATION_PRIMARY}" --username="${POSTGRES_REPLICATION_USER}" --no-password
 
 # Set configuration for replication
+# Note: pg_basebackup --write-recovery-conf already sets primary_conninfo and primary_slot_name
 CONF="${PGDATA}/postgresql.conf"
-sed -i -e"s/^#max_wal_senders.*$/max_wal_senders=10/" ${CONF}
-sed -i -e"s/^#max_replication_slots.*$/max_replication_slots=10/" ${CONF}
-sed -i -e"s/^#primary_conninfo.*$/primary_conninfo='user=${POSTGRES_REPLICATION_USER} ${POSTGRES_REPLICATION_PRIMARY}'/" ${CONF}
-sed -i -e"s/^#primary_slot_name.*$/primary_slot_name='${POSTGRES_REPLICATION_SLOT}'/" ${CONF}
-sed -i -e"s/^#hot_standby.*$/hot_standby=on/" ${CONF}
-sed -i -e"s/^#hot_standby_feedback.*$/hot_standby_feedback=on/" ${CONF}
+sed -i -e"s/^#*max_wal_senders.*$/max_wal_senders = 10/" ${CONF}
+sed -i -e"s/^#*max_replication_slots.*$/max_replication_slots = 10/" ${CONF}
+sed -i -e"s/^#*hot_standby.*$/hot_standby = on/" ${CONF}
+sed -i -e"s/^#*hot_standby_feedback.*$/hot_standby_feedback = on/" ${CONF}
 
 # Start the server
 pg_ctl -D "${PGDATA}" start
diff --git a/scripts/30_ssl.sh b/scripts/30_ssl.sh
@@ -3,29 +3,42 @@
 # https://www.postgresql.org/docs/current/ssl-tcp.html#SSL-OPENSSL-CONFIG
 set -e
 
-# Set configuration for replication
-CONF="${PGDATA}/postgresql.conf"
+# Skip if no SSL cert configured
+if [ -z "${POSTGRES_SSL_CERT}" ]; then
+    echo "No SSL certificate configured, skipping SSL setup."
+    exit 0
+fi
 
-if [ ! -z "${POSTGRES_SSL_CERT}" ]; then
-    if [ ! -f "${POSTGRES_SSL_CERT}" ]; then
-        echo "POSTGRES_SSL_CERT file not found."
-        exit 1
-    fi
-    sed -i -e"s/^#ssl_cert_file.*$/ssl_cert_file=${POSTGRES_SSL_CERT}/" ${CONF}
+# Both cert and key are required
+if [ -z "${POSTGRES_SSL_KEY}" ]; then
+    echo "POSTGRES_SSL_KEY must be set when POSTGRES_SSL_CERT is set."
+    exit 1
 fi
 
-if [ ! -z "${POSTGRES_SSL_KEY}" ]; then
-    if [ ! -f "${POSTGRES_SSL_KEY}" ]; then
-        echo "POSTGRES_SSL_KEY file not found."
-        exit 1
-    fi
-    sed -i -e"s/^#ssl_key_file.*$/ssl_key_file=${POSTGRES_SSL_KEY}/" ${CONF}
+if [ ! -f "${POSTGRES_SSL_CERT}" ]; then
+    echo "POSTGRES_SSL_CERT file not found: ${POSTGRES_SSL_CERT}"
+    exit 1
 fi
 
+if [ ! -f "${POSTGRES_SSL_KEY}" ]; then
+    echo "POSTGRES_SSL_KEY file not found: ${POSTGRES_SSL_KEY}"
+    exit 1
+fi
+
+# Set configuration for SSL
+CONF="${PGDATA}/postgresql.conf"
+
+sed -i -e"s|^#ssl = .*$|ssl = on|" ${CONF}
+sed -i -e"s|^#ssl_cert_file.*$|ssl_cert_file = '${POSTGRES_SSL_CERT}'|" ${CONF}
+sed -i -e"s|^#ssl_key_file.*$|ssl_key_file = '${POSTGRES_SSL_KEY}'|" ${CONF}
+
+# Optional CA file for client certificate verification
 if [ ! -z "${POSTGRES_SSL_CA}" ]; then
     if [ ! -f "${POSTGRES_SSL_CA}" ]; then
-        echo "POSTGRES_SSL_CA file not found."
+        echo "POSTGRES_SSL_CA file not found: ${POSTGRES_SSL_CA}"
         exit 1
     fi
-    sed -i -e"s/^#ssl_ca_file.*$/ssl_ca_file=${POSTGRES_SSL_CA}/" ${CONF}
+    sed -i -e"s|^#ssl_ca_file.*$|ssl_ca_file = '${POSTGRES_SSL_CA}'|" ${CONF}
 fi
+
+echo "SSL configured successfully."
diff --git a/scripts/40_databases.sh b/scripts/40_databases.sh
@@ -8,31 +8,48 @@ if [ ! -z "${POSTGRES_REPLICATION_PRIMARY}" ]; then
     exit 0
 fi
 
+# Skip if no databases configured
+if [ -z "${POSTGRES_DATABASES}" ]; then
+    echo "No additional databases configured, skipping."
+    exit 0
+fi
+
 # Create the databases
 IFS=',' read -r -a array <<< "${POSTGRES_DATABASES}"
 for NAME in "${array[@]}"; do
-    # if there is an environment variable called POSTGRES_PASSWORD_<NAME>, then use that password
-    if [ ! -z "${!POSTGRES_PASSWORD_${NAME}}" ]; then
-        ALTER_ROLE="ALTER ROLE ${NAME} WITH PASSWORD ${!POSTGRES_PASSWORD_${NAME}}"
-    else
-        ALTER_ROLE="ALTER ROLE ${NAME} WITH NOLOGIN"
-    fi
-    # Execute SQL to create the database and role
+    # Build the password variable name and get its value
+    PASSWORD_VAR="POSTGRES_PASSWORD_${NAME}"
+    PASSWORD="${!PASSWORD_VAR}"
+
+    echo "Creating database and role: ${NAME}"
+
+    # Create role if it doesn't exist
     psql -v ON_ERROR_STOP=1 --username "${POSTGRES_USER}" --dbname "${POSTGRES_DB}" <<-EOSQL
-        DO $$ BEGIN
-            -- Create database
-            CREATE EXTENSION IF NOT EXISTS dblink;
-            IF NOT EXISTS (
-                SELECT 1 FROM pg_database WHERE datname = '${NAME}'
-            ) THEN
-                PERFORM dblink_exec('dbname=${POSTGRES_DB}', 'CREATE DATABASE ${NAME}');
+        DO \$\$
+        BEGIN
+            IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${NAME}') THEN
+                CREATE ROLE ${NAME};
             END IF;
+        END
+        \$\$;
+EOSQL
 
-            -- Create role
-            CREATE ROLE ${NAME};
-            ${ALTER_ROLE};
-            ALTER DATABASE ${NAME} OWNER TO ${NAME};
-            EXCEPTION WHEN duplicate_object THEN RAISE NOTICE '%, skipping', SQLERRM USING ERRCODE = SQLSTATE;
-        END $$;
+    # Set password or NOLOGIN
+    if [ ! -z "${PASSWORD}" ]; then
+        psql -v ON_ERROR_STOP=1 --username "${POSTGRES_USER}" --dbname "${POSTGRES_DB}" <<-EOSQL
+            ALTER ROLE ${NAME} WITH LOGIN PASSWORD '${PASSWORD}';
 EOSQL
+    else
+        psql -v ON_ERROR_STOP=1 --username "${POSTGRES_USER}" --dbname "${POSTGRES_DB}" <<-EOSQL
+            ALTER ROLE ${NAME} WITH NOLOGIN;
+EOSQL
+    fi
+
+    # Create database if it doesn't exist
+    psql -v ON_ERROR_STOP=1 --username "${POSTGRES_USER}" --dbname "${POSTGRES_DB}" <<-EOSQL
+        SELECT 'CREATE DATABASE ${NAME} OWNER ${NAME}'
+        WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname = '${NAME}')\gexec
+EOSQL
+
+    echo "Created database and role: ${NAME}"
 done
