diff --git a/Makefile.common b/Makefile.common
index 54b73e6..a4405cf 100644
--- a/Makefile.common
+++ b/Makefile.common
@@ -1,5 +1,5 @@
 .PHONY: all install install-etc install-var uninstall pre-requisites clean dryrun
-.PHONY: tail-logs butane help fcos-vm clean-vm console
+.PHONY: tail-logs butane help fcos-vm clean-vm console units units-pre
 .PHONY: clean-pre clean-post install-pre install-post uninstall-pre uninstall-post
 all: help
@@ -40,6 +40,8 @@ TARGET_SYSCTLD_FILES = $(patsubst sysctl.d/%, $(TARGET_CHROOT)/etc/sysctl.d/%, $
 DEPENDENCIES ?=
 I_KNOW_WHAT_I_AM_DOING ?=
 DEPENDENCIES_IGNITION_FILES = $(shell for dep in $(DEPENDENCIES); do echo $(TOP_LEVEL_DIR)/$$dep/$$dep.ign; done)
+PROJECT_UID ?= 0
+PROJECT_GID ?= 0
 pre-requisites:
 @if [ -z "$(TOP_LEVEL_DIR)" ]; then \
@@ -61,7 +63,7 @@ $(TARGET_CHROOT)/etc/systemd/system:
 install -D -d -m 0755 -o root -g root $@
 $(TARGET_CHROOT)/etc/quadlets/$(PROJECT_NAME):
- install -D -d -m 0755 -o root -g root $@
+ install -D -d -m 0755 -o $(PROJECT_UID) -g $(PROJECT_GID) $@
 $(TARGET_CHROOT)/etc/tmpfiles.d:
 install -D -d -m 0755 -o root -g root $@
@@ -78,13 +80,13 @@ $(TARGET_CHROOT)/etc/systemd/system/%: % $(TARGET_CHROOT)/etc/systemd/system
 $(TARGET_CHROOT)/etc/quadlets/$(PROJECT_NAME)/%: config/% $(TARGET_CHROOT)/etc/quadlets/$(PROJECT_NAME)
 @run() { echo $$*; "$$@"; }; \
 if [ -x $< ]; then \
- run install -D -m 0755 -o root -g root $< $@; \
+ run install -D -m 0755 -o $(PROJECT_UID) -g $(PROJECT_GID) $< $@; \
 else \
- run install -D -m 0644 -o root -g root $< $@; \
+ run install -D -m 0644 -o $(PROJECT_UID) -g $(PROJECT_GID) $< $@; \
 fi
 $(TARGET_CHROOT)/var/lib/quadlets/$(PROJECT_NAME):
- install -d -m 0755 -o root -g root $@
+ install -d -m 0755 -o $(PROJECT_UID) -g $(PROJECT_GID) $@
 $(TARGET_CHROOT)/etc/tmpfiles.d/%: tmpfiles.d/% $(TARGET_CHROOT)/etc/tmpfiles.d
 install -D -m 0644 -o root -g root $< $@
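Review bot: In the `$(TARGET_CHROOT)/etc/quadlets/$(PROJECT_NAME)/%` rule (fourth hunk) the installed configuration files become owned by the service's own host UID/GID, and the non-executable branch keeps `-m 0644`, so a `config.env` that carries credentials (the redis unit reads `REDIS_HOST_PASSWORD`, presumably from that file) is world-readable and, more importantly, owned by the very identity the containers run as; a compromised container that has one of these files mounted read-write (for example `www.conf`, mounted with `:Z` and no `ro`) could rewrite its own configuration. Keeping root as the owner and granting read access through the project group preserves the "service reads, root writes" boundary: `run install -D -m 0640 -o root -g $(PROJECT_GID) $< $@; \` for the non-executable branch and `-m 0750 -o root -g $(PROJECT_GID)` for the executable one, with the `/etc/quadlets/$(PROJECT_NAME)` directory rule in the third hunk treated the same way; the `-o $(PROJECT_UID)` form is appropriate for the state directory under `/var/lib`. `PROJECT_UID ?= 0` / `PROJECT_GID ?= 0` silently fall back to root ownership when a project forgets to set them — a one-line comment saying so, or a `$(warning ...)` when they are still 0 at `install` time, would make the fallback visible.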
@@ -137,7 +139,7 @@ uninstall: pre-requisites uninstall-pre
 tail-logs: pre-requisites
 @run() { echo $$*; "$$@"; }; \
 declare -a journalctl_args=( -f ); \
- for unit in $(SYSTEMD_UNIT_NAMES) $(QUADLET_UNIT_NAMES); do \
+ for unit in $$($(MAKE) -s units 2>/dev/null | sort -u); do \
 journalctl_args+=( -u "$$unit" ); \
 done; \
 run journalctl "$${journalctl_args[@]}"
@@ -212,12 +214,20 @@ clean-vm: pre-requisites
 console: pre-requisites
 @while sleep 2; do virsh console fcos-$(PROJECT_NAME); echo -e "Disconnected. Reconnecting in 2 seconds...\nPress Ctrl-C to abort.\n"; done
+units-pre::
+ @for dep in $(DEPENDENCIES); do \
+ $(MAKE) -s -C $(TOP_LEVEL_DIR)/$$dep units 2>/dev/null; \
+ done
+units: units-pre
+ @for unit in $(SYSTEMD_UNIT_NAMES) $(QUADLET_UNIT_NAMES); do echo "$$unit"; done
+
 clean-pre::
 @run() { echo $$*; "$$@"; }; \
 for dep in $(DEPENDENCIES); do \
 run $(MAKE) -C $(TOP_LEVEL_DIR)/$$dep clean; \
 done
+
 clean-post::
 clean: clean-pre pre-requisites
 rm -f *.butane
diff --git a/nextcloud/Makefile b/nextcloud/Makefile
index a06d381..a33125a 100644
--- a/nextcloud/Makefile
+++ b/nextcloud/Makefile
@@ -1,6 +1,14 @@
-# Also depends on virtiofs for data storage but is a transitive dependency via postgresql
+##
+## Makefile for PostgreSQL quadlet
+##
+
+# Project dependencies: Nextcloud also depends on virtiofs for data storage but is a transitive dependency via postgresql
 DEPENDENCIES = postgresql
+# Nextcloud quadlet is mapped to the 10008 user (nextcloud) and 10000 group (itix-svc)
+PROJECT_UID = 10008
+PROJECT_GID = 10000
+
 TOP_LEVEL_DIR := ..
 include $(TOP_LEVEL_DIR)/Makefile.common
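Review bot: In the `tail-logs` hunk, `$$($(MAKE) -s units 2>/dev/null | sort -u)` discards every error from the recursive `units` run, and `units-pre::` in the second hunk hides its own failures with another `2>/dev/null`; a typo in `DEPENDENCIES` or a missing dependency directory therefore yields an empty list, and `journalctl -f` is then run with no `-u` filter, silently tailing the whole journal instead of the project's units. Drop the redirections, or at least refuse an empty result: `units=$$($(MAKE) -s units | sort -u); [ -n "$$units" ] || { echo "no units found" >&2; exit 1; }; \` before the loop, iterating over `$$units`. Because the stdout of `units` is parsed by `tail-logs`, a comment on the `units:` rule such as `# stdout is consumed by tail-logs: one unit name per line, nothing else` would keep a future `echo` in that recipe from turning into a bogus unit name.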
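Review bot: The new header in nextcloud/Makefile reads `## Makefile for PostgreSQL quadlet`, a copy of the postgresql/Makefile header; it should be `## Makefile for Nextcloud quadlet`. The dependency comment on the following added line is hard to parse — `# Project dependencies: virtiofs is also needed (data storage) but is pulled in transitively via postgresql` says the same thing more clearly. Note that this project's `fcos.bu` now merges `virtiofs.ign` directly while `DEPENDENCIES` still lists only `postgresql`; if Makefile.common only produces the ignition files of direct dependencies (`DEPENDENCIES_IGNITION_FILES`), that merge source may not exist at build time — worth confirming against the butane rule, which is outside this diff.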
@@ -12,17 +20,17 @@ test-set-nextcloud-major:
 sed -i 's/^NEXTCLOUD_MAJOR=.*/NEXTCLOUD_MAJOR=$(NEXTCLOUD_MAJOR_START)/' config/config.env
 $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/redis:
- install -m 0700 -o 0 -g 0 -d $@
+ install -m 0700 -o 10008 -g 10000 -d $@
 $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/data $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/config:
- install -m 0700 -o 82 -g 82 -d $@
+ install -m 0700 -o 10008 -g 10000 -d $@
 $(TARGET_CHROOT)/etc/quadlets/nextcloud/www.conf: config/www.conf
- install -m 0755 -o 82 -g 82 -D $< $@
+ install -m 0755 -o 10008 -g 10000 -D $< $@
 install-var: $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/redis $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/data $(TARGET_CHROOT)/var/lib/quadlets/nextcloud/config
-test: uninstall clean test-set-nextcloud-major install
+test:
 @run() { echo $$*; "$$@"; }; \
 echo "Running Nextcloud upgrade test..."; \
 set -Eeuo pipefail; \
@@ -39,10 +47,12 @@ test: uninstall clean test-set-nextcloud-major install
 run curl -X GET -sSf -u "$${NEXTCLOUD_ADMIN_USER}:$${NEXTCLOUD_ADMIN_PASSWORD}" "$${OVERWRITECLIURL}/remote.php/webdav/witness.txt" -o /tmp/witness.txt; \
 if run cmp -s tests/witness.txt /tmp/witness.txt ; then \
 echo "File upload verified successfully!"; \
+ rm -f /tmp/witness.txt; \
 else \
 echo "File upload verification failed!"; \
 exit 1; \
 fi; \
+ exit 1; \
 sleep 2; \
 for (( ver=$(NEXTCLOUD_MAJOR_START); ver<$(NEXTCLOUD_MAJOR_LAST); ver++ )); do \
 nextver=$$(($$ver + 1)); \
@@ -61,6 +71,7 @@ test: uninstall clean test-set-nextcloud-major install
 run curl -X GET -sSf -u "$${NEXTCLOUD_ADMIN_USER}:$${NEXTCLOUD_ADMIN_PASSWORD}" "$${OVERWRITECLIURL}/remote.php/webdav/witness.txt" -o /tmp/witness.txt; \
 if run cmp -s tests/witness.txt /tmp/witness.txt ; then \
 echo "File upload verified successfully after upgrade!"; \
+ rm -f /tmp/witness.txt; \
 else \
 echo "File upload verification failed after upgrade!"; \
 exit 1; \
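Review bot: The `+ exit 1; \` added after the first `fi; \` in the second hunk is unconditional, so the `test` target now always fails before the `for (( ver=... ))` upgrade loop runs; it reads like a debugging leftover and should be removed, and the prerequisites dropped in the first hunk (`test: uninstall clean test-set-nextcloud-major install`) restored unless the test is now meant to run against an already-installed system. In the first hunk the three `install` lines hard-code `-o 10008 -g 10000` although this same commit defines `PROJECT_UID`/`PROJECT_GID` at the top of the file; `install -m 0700 -o $(PROJECT_UID) -g $(PROJECT_GID) -d $@` keeps a single source of truth. Both `curl ... -o /tmp/witness.txt` lines write to a fixed, predictable path in a shared directory from a recipe that runs with root rights; `witness=$$(mktemp); trap 'rm -f "$$witness"' EXIT; \` at the top of the recipe would make the added `rm -f` lines unnecessary and remove the shared-path concern. Note also that `run` echoes its full argument list, so the admin password passed to `curl -u` is printed to the build log. The `test` recipe continues past the end of these hunks.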
diff --git a/nextcloud/config/config.env b/nextcloud/config/config.env
index c6770d5..a7774d3 100644
--- a/nextcloud/config/config.env
+++ b/nextcloud/config/config.env
@@ -2,8 +2,10 @@
 ## Nextcloud Configuration Environment Variables
 ##
-# Nextcloud version
+# Major versions of all components
 NEXTCLOUD_MAJOR=31
+REDIS_MAJOR=8
+NGINX_MAJOR=1.20
 # Nextcloud domain configuration
 NEXTCLOUD_TRUSTED_DOMAINS=localhost
diff --git a/nextcloud/config/nginx.conf b/nextcloud/config/nginx.conf
index 4034c3f..54fb0eb 100644
--- a/nextcloud/config/nginx.conf
+++ b/nextcloud/config/nginx.conf
@@ -41,7 +41,7 @@ http {
 }
 server {
- listen 80;
+ listen 8080;
 # set max upload size
 client_max_body_size 10G;
diff --git a/nextcloud/fcos.bu b/nextcloud/fcos.bu
index 3cfaabb..62fafa6 100644
--- a/nextcloud/fcos.bu
+++ b/nextcloud/fcos.bu
@@ -3,6 +3,7 @@ version: 1.4.0
 ignition:
 config:
 merge:
+ - local: virtiofs.ign
 - local: nextcloud.ign
 - local: postgresql.ign
 - local: local.ign
diff --git a/nextcloud/nextcloud-app.container b/nextcloud/nextcloud-app.container
index c09423c..97ef6c2 100644
--- a/nextcloud/nextcloud-app.container
+++ b/nextcloud/nextcloud-app.container
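Review bot: `NGINX_MAJOR=1.20` pins the reverse proxy to an nginx release branch that upstream no longer maintains (its last release dates from 2021; the stable branch moved on to 1.22 in 2022), so `nginx-unprivileged:${NGINX_MAJOR}-alpine` will not receive security fixes; now that the version is a single knob in config.env, moving it to a currently maintained branch is the natural follow-up. The new comment `# Major versions of all components` is also slightly off for `1.20`, which is a major.minor branch — `# Image tags (major version or release branch) of all components, resolved at container start` would be accurate and would tell the reader that these values select the pulled image.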
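Review bot: With `listen 8080;` nothing in the nginx container binds a privileged port any more, so `AddCapability=CAP_NET_BIND_SERVICE` in nextcloud-nginx.container (kept as a context line in that file's second hunk) is now an unneeded capability grant and should be dropped for least privilege; the same directive survives in nextcloud-app.container. Because the unit uses `Network=host`, this also moves the service from port 80 to 8080 on the host itself, so whatever fronts it — firewall rules, the `OVERWRITECLIURL` the test target uses, the local ignition config — needs the matching change, which this diff does not show. A short comment above the directive, `# 8080: the container runs as the unprivileged nginx user`, would record why the non-default port is used.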
@@ -1,13 +1,13 @@
 [Unit]
 Description=Nextcloud PHP-FPM Application
 Documentation=https://hub.docker.com/_/nextcloud/
-After=network.target nextcloud-redis.service postgresql-server.service nextcloud-upgrade.service
-Requires=nextcloud-redis.service postgresql-server.service nextcloud-upgrade.service
+After=network.target nextcloud-redis.service postgresql-server.service nextcloud-init.service nextcloud-upgrade.service var-lib-virtiofs-data.mount
+Requires=nextcloud-redis.service postgresql-server.service nextcloud-init.service nextcloud-upgrade.service var-lib-virtiofs-data.mount
 # Only start if Nextcloud has been configured
 ConditionPathExists=/etc/quadlets/nextcloud/config.env
 # and initialized (config.php exists)
-ConditionPathExists=/var/lib/quadlets/nextcloud/data/config/config.php
+ConditionPathExists=/var/lib/virtiofs/data/nextcloud/config/config.php
 # Start/stop this unit when the target is started/stopped
 PartOf=nextcloud.target
@@ -16,8 +16,17 @@ PartOf=nextcloud.target
 ContainerName=nextcloud-app
 Image=docker.io/library/nextcloud:${NEXTCLOUD_MAJOR}-fpm-alpine
-# Fix the UID/GID of the PHP-FPM daemon
-User=82:82
+# No need for root privileges
+User=www-data
+Group=www-data
+
+# UID/GID mapping to map the www-data (82) user inside the container to arbitrary user 10008 / group 10000 on the host
+UIDMap=0:1000000:82
+UIDMap=82:10008:1
+UIDMap=83:1000083:65453
+GIDMap=0:1000000:82
+GIDMap=82:10000:1
+GIDMap=83:1000083:65453
 # Network configuration
 Network=host
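Review bot: The `UIDMap`/`GIDMap` block in the second hunk maps the container's service user onto host 10008/10000, and the same host identity is reused — with different in-container IDs — by nextcloud-cron, nextcloud-init, nextcloud-upgrade, nextcloud-nginx (101) and nextcloud-redis (999), so php-fpm, the reverse proxy and the session store all run as one host user. Every host file reachable by one of them (the webroot on the virtiofs share, `/run/quadlets/nextcloud`, `redis-session.ini`) is therefore writable by any other that mounts it, which gives away much of the isolation the mapping was introduced for; only the PHP containers need to share 10008, nginx can get a read-only mount and its own UID, and redis shares no files with the others at all. Each triple also hard-codes the image's in-container UID (82 here), which silently breaks if a future `NEXTCLOUD_MAJOR` image changes it — a comment such as `# 82 = www-data in the nextcloud:*-fpm-alpine image; re-check after bumping NEXTCLOUD_MAJOR` would flag that. Mapping container root to host 1000000 instead of host root is the right choice; documenting the 1000000–1065535 range as reserved (so no real account is ever created inside it) would protect that property.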
@@ -27,8 +36,7 @@ AddCapability=CAP_NET_BIND_SERVICE
 EnvironmentFile=/etc/quadlets/nextcloud/config.env
 # Volume mounts
-Volume=/var/lib/quadlets/nextcloud/data:/var/www/html:z
-Volume=/var/lib/virtiofs/data/nextcloud:/var/www/html/data:z
+Volume=/var/lib/virtiofs/data/nextcloud:/var/www/html:z
 Volume=/etc/quadlets/nextcloud/www.conf:/usr/local/etc/php-fpm.d/www.conf:Z
 Volume=/run/quadlets/nextcloud/redis-session.ini:/usr/local/etc/php/conf.d/redis-session.ini:Z
 Volume=/etc/quadlets/nextcloud/custom-noinit.sh:/docker-entrypoint-hooks.d/pre-installation/custom.sh:z,ro
diff --git a/nextcloud/nextcloud-cron.container b/nextcloud/nextcloud-cron.container
index f40fdb6..fc79503 100644
--- a/nextcloud/nextcloud-cron.container
+++ b/nextcloud/nextcloud-cron.container
@@ -1,20 +1,29 @@
 [Unit]
 Description=Nextcloud Application - Cron Job
 Documentation=https://hub.docker.com/_/nextcloud/
-After=nextcloud-redis.service postgresql-server.service
-Requires=nextcloud-redis.service postgresql-server.service
+After=nextcloud-redis.service postgresql-server.service var-lib-virtiofs-data.mount
+Requires=nextcloud-redis.service postgresql-server.service var-lib-virtiofs-data.mount
 # Only start if Nextcloud has been configured
 ConditionPathExists=/etc/quadlets/nextcloud/config.env
 # and initialized (config.php exists)
-ConditionPathExists=/var/lib/quadlets/nextcloud/data/config/config.php
+ConditionPathExists=/var/lib/virtiofs/data/nextcloud/config/config.php
 [Container]
 ContainerName=nextcloud-cron-job
 Image=docker.io/library/nextcloud:${NEXTCLOUD_MAJOR}-fpm-alpine
-# Fix the UID/GID of the PHP-FPM daemon
-User=82:82
+# No need for root privileges
+User=www-data
+Group=www-data
+
+# UID/GID mapping to map the www-data (82) user inside the container to arbitrary user 10008 / group 10000 on the host
+UIDMap=0:1000000:82
+UIDMap=82:10008:1
+UIDMap=83:1000083:65453
+GIDMap=0:1000000:82
+GIDMap=82:10000:1
+GIDMap=83:1000083:65453
 # Network configuration
 Network=host
@@ -27,7 +36,7 @@ Entrypoint=php
 Exec=-f /var/www/html/cron.php
 # Volume mounts
-Volume=/var/lib/quadlets/nextcloud/data:/var/www/html:z
+Volume=/var/lib/virtiofs/data/nextcloud:/var/www/html:z
 Volume=/etc/quadlets/nextcloud/www.conf:/usr/local/etc/php-fpm.d/www.conf:Z
 Volume=/run/quadlets/nextcloud/redis-session.ini:/usr/local/etc/php/conf.d/redis-session.ini:Z
diff --git a/nextcloud/nextcloud-init.container b/nextcloud/nextcloud-init.container
index 013ddec..94e40d8 100644
--- a/nextcloud/nextcloud-init.container
+++ b/nextcloud/nextcloud-init.container
@@ -1,24 +1,33 @@
 [Unit]
 Description=Nextcloud Application - Initialization
 Documentation=https://hub.docker.com/_/nextcloud/
-After=network.target nextcloud-redis.service postgresql-server.service
+After=network.target nextcloud-redis.service postgresql-server.service var-lib-virtiofs-data.mount
 Before=nextcloud-app.service
-Requires=nextcloud-redis.service postgresql-server.service
+Requires=nextcloud-redis.service postgresql-server.service var-lib-virtiofs-data.mount
 # Only start if Nextcloud has been configured
 ConditionPathExists=/etc/quadlets/nextcloud/config.env
 # and NOT initialized (config.php does NOT exist)
-ConditionPathExists=!/var/lib/quadlets/nextcloud/data/config/config.php
+ConditionPathExists=!/var/lib/virtiofs/data/nextcloud/config/config.php
 # Start/stop this unit when the target is started/stopped
-#PartOf=nextcloud.target
+PartOf=nextcloud.target
 [Container]
 ContainerName=nextcloud-init-job
 Image=docker.io/library/nextcloud:${NEXTCLOUD_MAJOR}-fpm-alpine
-# Fix the UID/GID of the PHP-FPM daemon
-User=82:82
+# No need for root privileges
+User=www-data
+Group=www-data
+
+# UID/GID mapping to map the www-data (82) user inside the container to arbitrary user 10008 / group 10000 on the host
+UIDMap=0:1000000:82
+UIDMap=82:10008:1
+UIDMap=83:1000083:65453
+GIDMap=0:1000000:82
+GIDMap=82:10000:1
+GIDMap=83:1000083:65453
 # Network configuration
 Network=host
@@ -31,7 +40,7 @@ Environment=NEXTCLOUD_UPDATE=1
 Exec=/bin/true
 # Volume mounts
-Volume=/var/lib/quadlets/nextcloud/data:/var/www/html:z
+Volume=/var/lib/virtiofs/data/nextcloud:/var/www/html:z
 Volume=/etc/quadlets/nextcloud/www.conf:/usr/local/etc/php-fpm.d/www.conf:Z
 Volume=/run/quadlets/nextcloud/redis-session.ini:/usr/local/etc/php/conf.d/redis-session.ini:Z
diff --git a/nextcloud/nextcloud-nginx.container b/nextcloud/nextcloud-nginx.container
index f45c4c2..ca5e936 100644
--- a/nextcloud/nextcloud-nginx.container
+++ b/nextcloud/nextcloud-nginx.container
@@ -1,8 +1,8 @@
 [Unit]
 Description=Nextcloud Nginx Reverse Proxy
 Documentation=https://hub.docker.com/r/nginxinc/nginx-unprivileged/
-After=network.target nextcloud-app.service
-Requires=nextcloud-app.service
+After=network.target nextcloud-app.service var-lib-virtiofs-data.mount
+Requires=nextcloud-app.service var-lib-virtiofs-data.mount
 # Only start if Nextcloud has been configured
 ConditionPathExists=/etc/quadlets/nextcloud/config.env
@@ -12,17 +12,26 @@ PartOf=nextcloud.target
 [Container]
 ContainerName=nextcloud-nginx
-Image=docker.io/nginxinc/nginx-unprivileged:1.20-alpine
+Image=docker.io/nginxinc/nginx-unprivileged:${NGINX_MAJOR}-alpine
 # Network configuration
 Network=host
 AddCapability=CAP_NET_BIND_SERVICE
-# Run with the same UID/GID as PHP-FPM
-User=82:82
+# No need for root privileges
+User=nginx
+Group=nginx
+
+# UID/GID mapping to map the nginx (101) user inside the container to arbitrary user 10008 / group 10000 on the host
+UIDMap=0:1000000:101
+UIDMap=101:10008:1
+UIDMap=102:1000102:65434
+GIDMap=0:1000000:101
+GIDMap=101:10000:1
+GIDMap=102:1000102:65434
 # Volume mounts
-Volume=/var/lib/quadlets/nextcloud/data:/var/www/html:z
+Volume=/var/lib/virtiofs/data/nextcloud:/var/www/html:z
 Volume=/etc/quadlets/nextcloud/nginx.conf:/etc/nginx/nginx.conf:ro
 # Health check (equivalent to readiness probe)
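Review bot: In the second nextcloud-nginx hunk the webroot is mounted read-write (`Volume=/var/lib/virtiofs/data/nextcloud:/var/www/html:z`) although nginx only needs to read static files from it; since the container now runs as host UID 10008 — the same UID that owns the PHP code and the user data — a compromised reverse proxy could modify both. Mount it read-only, `Volume=/var/lib/virtiofs/data/nextcloud:/var/www/html:z,ro`, consistent with the `:ro` already used for `nginx.conf`; once that holds, `UIDMap=101:10008:1` can later become a dedicated UID that merely has read access. `AddCapability=CAP_NET_BIND_SERVICE` (a context line in the same hunk) is no longer needed now that nginx.conf listens on 8080.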
@@ -38,5 +47,8 @@ RestartSec=5
 TimeoutStartSec=300
 TimeoutStopSec=30
+# These environment variables are sourced to be used by systemd in the Exec* commands
+EnvironmentFile=/etc/quadlets/nextcloud/config.env
+
 [Install]
 WantedBy=nextcloud.target
diff --git a/nextcloud/nextcloud-redis.container b/nextcloud/nextcloud-redis.container
index ce40344..5555166 100644
--- a/nextcloud/nextcloud-redis.container
+++ b/nextcloud/nextcloud-redis.container
@@ -11,7 +11,7 @@ PartOf=nextcloud.target
 [Container]
 ContainerName=nextcloud-redis
-Image=docker.io/library/redis:8-alpine
+Image=docker.io/library/redis:${REDIS_MAJOR}-alpine
 # Network configuration
 Network=host
@@ -19,6 +19,18 @@ Network=host
 # Redis configuration with authentication
 Exec=redis-server /usr/local/etc/redis/redis.conf
+# No need for root privileges
+User=redis
+Group=redis
+
+# UID/GID mapping to map the redis (999) user / redis (1000) group inside the container to arbitrary user 10008 / group 10000 on the host
+UIDMap=0:1000000:999
+UIDMap=999:10008:1
+UIDMap=1000:1001000:64536
+GIDMap=0:1000000:1000
+GIDMap=1000:10000:1
+GIDMap=1001:1001001:64535
+
 # Environment variables
 Environment=REDISCLI_AUTH=${REDIS_HOST_PASSWORD}
diff --git a/nextcloud/nextcloud-upgrade.container b/nextcloud/nextcloud-upgrade.container
index deb2fe6..b12d35b 100644
--- a/nextcloud/nextcloud-upgrade.container
+++ b/nextcloud/nextcloud-upgrade.container
@@ -8,7 +8,7 @@ Requires=nextcloud-redis.service postgresql-server.service
 # Only start if Nextcloud has been configured
 ConditionPathExists=/etc/quadlets/nextcloud/config.env
 # and initialized (config.php exists)
-ConditionPathExists=/var/lib/quadlets/nextcloud/data/config/config.php
+ConditionPathExists=/var/lib/virtiofs/data/nextcloud/config/config.php
 # Start/stop this unit when the target is started/stopped
 PartOf=nextcloud.target
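Review bot: The nextcloud-upgrade hunk moves `ConditionPathExists` to `/var/lib/virtiofs/data/nextcloud/config/config.php` (and the next file section moves its `Volume=` to the same share), but unlike app, cron, init and nginx this unit's ordering — visible in the hunk header as `Requires=nextcloud-redis.service postgresql-server.service` — does not gain `var-lib-virtiofs-data.mount`. If the upgrade job is started before the share is mounted, systemd evaluates the condition against the empty underlying directory and skips the upgrade, and podman bind-mounts that empty directory into the container; add `var-lib-virtiofs-data.mount` to both `After=` and `Requires=` as the sibling units do. The `[Unit]` header of this file lies outside the hunk, so please check whether the dependency is already present there.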
@@ -17,8 +17,17 @@ PartOf=nextcloud.target
 ContainerName=nextcloud-upgrade-to-${NEXTCLOUD_MAJOR}-job
 Image=docker.io/library/nextcloud:${NEXTCLOUD_MAJOR}-fpm-alpine
-# Fix the UID/GID of the PHP-FPM daemon
-User=82:82
+# No need for root privileges
+User=www-data
+Group=www-data
+
+# UID/GID mapping to map the www-data (82) user inside the container to arbitrary user 10008 / group 10000 on the host
+UIDMap=0:1000000:82
+UIDMap=82:10008:1
+UIDMap=83:1000083:65453
+GIDMap=0:1000000:82
+GIDMap=82:10000:1
+GIDMap=83:1000083:65453
 # Network configuration
 Network=host
@@ -33,7 +42,7 @@ Volume=/etc/quadlets/nextcloud/custom-pre.sh:/docker-entrypoint-hooks.d/pre-upgr
 Volume=/etc/quadlets/nextcloud/custom-post.sh:/docker-entrypoint-hooks.d/post-upgrade/custom.sh:z,ro
 # Volume mounts
-Volume=/var/lib/quadlets/nextcloud/data:/var/www/html:z
+Volume=/var/lib/virtiofs/data/nextcloud:/var/www/html:z
 Volume=/etc/quadlets/nextcloud/www.conf:/usr/local/etc/php-fpm.d/www.conf:Z
 Volume=/run/quadlets/nextcloud/redis-session.ini:/usr/local/etc/php/conf.d/redis-session.ini:Z
diff --git a/nextcloud/nextcloud.target b/nextcloud/nextcloud.target
index d1bc80b..1e16e8c 100644
--- a/nextcloud/nextcloud.target
+++ b/nextcloud/nextcloud.target
@@ -1,8 +1,8 @@
 [Unit]
 Description=Nextcloud Service Target
 Documentation=man:systemd.target(5)
-Requires=postgresql.target nextcloud-redis.service nextcloud-nginx.service nextcloud-app.service nextcloud-upgrade.service nextcloud-cron.timer
-After=postgresql.target nextcloud-redis.service nextcloud-nginx.service nextcloud-app.service nextcloud-upgrade.service
+Requires=postgresql.target nextcloud-redis.service nextcloud-nginx.service nextcloud-app.service nextcloud-init.service nextcloud-upgrade.service nextcloud-cron.timer
+After=postgresql.target nextcloud-redis.service nextcloud-nginx.service nextcloud-app.service nextcloud-init.service nextcloud-upgrade.service
 Before=nextcloud-cron.timer
 # Allow isolation - can stop/start this target independently
diff --git a/nextcloud/tmpfiles.d/nextcloud.conf b/nextcloud/tmpfiles.d/nextcloud.conf
index 18fff00..de3ed4e 100644
--- a/nextcloud/tmpfiles.d/nextcloud.conf
+++ b/nextcloud/tmpfiles.d/nextcloud.conf
@@ -1,2 +1,3 @@
-d$ /run/quadlets/nextcloud 0700 82 82 -
-f+$ /run/quadlets/nextcloud/redis-session.ini 0600 82 82 -
+d$ /run/quadlets/nextcloud 0700 10008 10000 -
+f+$ /run/quadlets/nextcloud/redis-session.ini 0600 10008 10000 -
+d$ /var/lib/virtiofs/data/nextcloud 0700 10008 10000 -
diff --git a/postgresql/Makefile b/postgresql/Makefile
index f806f34..d5839af 100644
--- a/postgresql/Makefile
+++ b/postgresql/Makefile
@@ -1,5 +1,15 @@
+##
+## Makefile for PostgreSQL quadlet
+##
+
+# Project dependencies
 DEPENDENCIES = virtiofs
+# PostgreSQL quadlet is mapped to the 10004 user (postgres) and 10000 group (itix-svc)
+PROJECT_UID = 10004
+PROJECT_GID = 10000
+
+# Include common Makefile
 TOP_LEVEL_DIR := ..
 include $(TOP_LEVEL_DIR)/Makefile.common
@@ -10,19 +20,15 @@ PG_MAJOR_LAST ?= 18
 test-set-pgmajor:
 sed -i 's/^PG_MAJOR=.*/PG_MAJOR=$(PG_MAJOR_START)/' config/config.env
-$(TARGET_CHROOT)/var/lib/quadlets/postgresql:
- install -m 0700 -o 70 -g 70 -d $@
-
-install-var: $(TARGET_CHROOT)/var/lib/quadlets/postgresql
-
+# Integration tests for PostgreSQL quadlet: backup, restore + major version upgrade (14 to 18)
 test: uninstall clean test-set-pgmajor install
 @echo "Running PostgreSQL integration tests..."; \
 set -Eeuo pipefail; \
 sleep 2; \
 echo "Creating a test database and a witness table..."; \
- podman exec postgresql-server su postgres -c "createdb test"; \
- podman exec postgresql-server su postgres -c "psql -U postgres -d test -c \"CREATE TABLE witness (id SERIAL PRIMARY KEY, version VARCHAR); INSERT INTO witness (version) SELECT version();\""; \
- podman exec postgresql-server su postgres -c "psql -U postgres -d test -c \"SELECT * FROM witness;\""; \
+ podman exec postgresql-server createdb test; \
+ podman exec postgresql-server psql -U postgres -d test -c "CREATE TABLE witness (id SERIAL PRIMARY KEY, version VARCHAR); INSERT INTO witness (version) SELECT version();"; \
+ podman exec postgresql-server psql -U postgres -d test -c "SELECT * FROM witness;"; \
 for (( ver=$(PG_MAJOR_START); ver<$(PG_MAJOR_LAST); ver++ )); do \
 echo "Running a backup..."; \
 nextver=$$(($$ver + 1)); \
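Review bot: Removing the `$(TARGET_CHROOT)/var/lib/quadlets/postgresql` rule hands the directory to the generic `$(TARGET_CHROOT)/var/lib/quadlets/$(PROJECT_NAME)` rule in Makefile.common, which uses `install -d -m 0755`, so the PostgreSQL state directory goes from `0700` to `0755`: every local account can now list it and traverse into any sub-directory that is not itself locked down (the `rm -rf /var/lib/quadlets/postgresql/{...,data,latest,.initialized}` line in the next hunk shows what lives there). Either keep a project-local rule, `install -m 0700 -o $(PROJECT_UID) -g $(PROJECT_GID) -d $@`, or give the common rule a mode variable (`PROJECT_VAR_MODE ?= 0755`) that this file sets to `0700`. The `test` recipe continues past the end of the hunk.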
@@ -32,15 +38,15 @@ test: uninstall clean test-set-pgmajor install
 rm -rf /var/lib/quadlets/postgresql/{$$ver,$$nextver,data,latest,.initialized}; \
 echo "Restoring the backup to PostgreSQL $$ver..."; \
 systemctl start postgresql.target; \
- sleep 2; \
- podman exec postgresql-server su postgres -c "psql -U postgres -d test -c \"SELECT * FROM witness;\""; \
+ sleep 5; \
+ podman exec postgresql-server psql -U postgres -d test -c "SELECT * FROM witness;"; \
 echo "Testing upgrade from PostgreSQL $$ver to $$nextver..."; \
 systemctl stop postgresql.target; \
 sed -i "s/^PG_MAJOR=.*/PG_MAJOR=$$nextver/" /etc/quadlets/postgresql/config.env; \
 systemctl start postgresql.target; \
- sleep 2; \
+ sleep 5; \
 echo "Inserting line into the witness table..."; \
- podman exec postgresql-server su postgres -c "psql -U postgres -d test -c \"INSERT INTO witness (version) SELECT version();\""; \
+ podman exec postgresql-server psql -U postgres -d test -c "INSERT INTO witness (version) SELECT version();"; \
 done; \
- podman exec postgresql-server su postgres -c "psql -U postgres -d test -c \"SELECT * FROM witness;\""; \
+ podman exec postgresql-server psql -U postgres -d test -c "SELECT * FROM witness;"; \
 echo "PostgreSQL upgrade tests completed."
diff --git a/postgresql/config/config.env b/postgresql/config/config.env
index 9b7f360..e90fe35 100644
--- a/postgresql/config/config.env
+++ b/postgresql/config/config.env
@@ -5,5 +5,5 @@ POSTGRES_HOST_AUTH_METHOD=scram-sha-256
 POSTGRES_INITDB_ARGS=--auth-host=scram-sha-256
 POSTGRES_ARGS=-h 127.0.0.1
 PGPORT=5432
-PG_MAJOR=17
+PG_MAJOR=14
 POSTGRES_BACKUP_RETENTION=7
diff --git a/postgresql/fcos.bu b/postgresql/fcos.bu
index 49b81ab..9f8bc5a 100644
--- a/postgresql/fcos.bu
+++ b/postgresql/fcos.bu
@@ -3,5 +3,6 @@ version: 1.4.0
 ignition:
 config:
 merge:
+ - local: virtiofs.ign
 - local: postgresql.ign
 - local: local.ign
diff --git a/postgresql/postgresql-backup.container b/postgresql/postgresql-backup.container
index 6e2f565..7e183ad 100644
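Review bot: Bumping `sleep 2` to `sleep 5` after each `systemctl start postgresql.target` keeps the test timing-dependent — on a slow host the first `psql` still races the server start and fails spuriously, on a fast one it just wastes time. The server unit already defines `HealthCmd=pg_isready ...`, so poll for readiness instead, e.g. `for i in $$(seq 30); do podman exec postgresql-server pg_isready -U postgres >/dev/null 2>&1 && break; sleep 1; done; \` in place of each `sleep 5; \` (with `set -e` in effect, a final `pg_isready` outside the loop makes a timeout fail the test). The `test` recipe starts before this hunk.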
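Review bot: `PG_MAJOR=14` in the shipped `config/config.env` looks like the side effect of the `test-set-pgmajor` recipe (`sed -i 's/^PG_MAJOR=.*/PG_MAJOR=$(PG_MAJOR_START)/' config/config.env`) having been committed rather than an intentional downgrade from 17: a fresh install would now initialise on PostgreSQL 14, the oldest major the upgrade test starts from, and then depend on the upgrade path to reach a current release. If the downgrade is unintended, restore the previous default and make the test operate on a scratch copy of the file (or have the recipe reset it afterwards), so that running `make test` can never change the tracked default.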
--- a/postgresql/postgresql-backup.container
+++ b/postgresql/postgresql-backup.container
@@ -1,8 +1,8 @@
 [Unit]
 Description=PostgreSQL Database Server - Backup
 Documentation=https://hub.docker.com/_/postgres/
-After=network.target postgresql-server.service
-Requires=postgresql-server.service
+After=network.target postgresql-server.service var-lib-virtiofs-data.mount
+Requires=postgresql-server.service var-lib-virtiofs-data.mount
 # Start/stop this unit when the target is started/stopped
 PartOf=postgresql.target
@@ -22,6 +22,18 @@ Entrypoint=/usr/local/bin/backup.sh
 # No need for root privileges
 User=postgres
+Group=postgres
+
+# UID/GID mapping to map the postgres (70) user inside the container to arbitrary user 10004 / group 10000 on the host
+UIDMap=0:1000000:70
+UIDMap=70:10004:1
+UIDMap=71:1000071:65465
+GIDMap=0:1000000:70
+GIDMap=70:10000:1
+GIDMap=71:1000071:65465
+
+# Avoid issues with built-in volumes being created by root
+PodmanArgs=--image-volume=ignore
 # Volume mounts
 Volume=/var/lib/quadlets/postgresql:/var/lib/postgresql:z
diff --git a/postgresql/postgresql-init.container b/postgresql/postgresql-init.container
index 9126b5c..1636881 100644
--- a/postgresql/postgresql-init.container
+++ b/postgresql/postgresql-init.container
@@ -34,9 +34,22 @@ Exec=${POSTGRES_ARGS}
 # No need for root privileges
 User=postgres
+Group=postgres
+
+# UID/GID mapping to map the postgres (70) user inside the container to arbitrary user 10004 / group 10000 on the host
+UIDMap=0:1000000:70
+UIDMap=70:10004:1
+UIDMap=71:1000071:65465
+GIDMap=0:1000000:70
+GIDMap=70:10000:1
+GIDMap=71:1000071:65465
+
+# Avoid issues with built-in volumes being created by root
+PodmanArgs=--image-volume=ignore
 # Volume mounts
 Volume=/var/lib/quadlets/postgresql:/var/lib/postgresql:z
+Volume=/var/lib/virtiofs/data/postgresql/backup:/var/lib/postgresql/backup:z
 Volume=/etc/quadlets/postgresql/init.sh:/usr/local/bin/init.sh:z,ro
 Volume=/etc/quadlets/postgresql/init.sql:/docker-entrypoint-initdb.d/init.sql:z,ro
diff --git a/postgresql/postgresql-server.container b/postgresql/postgresql-server.container
index e3bd68f..d8f5408 100644
--- a/postgresql/postgresql-server.container
+++ b/postgresql/postgresql-server.container
@@ -39,6 +39,18 @@ Exec=${POSTGRES_ARGS}
 # No need for root privileges
 User=postgres
+Group=postgres
+
+# UID/GID mapping to map the postgres (70) user inside the container to arbitrary user 10004 / group 10000 on the host
+UIDMap=0:1000000:70
+UIDMap=70:10004:1
+UIDMap=71:1000071:65465
+GIDMap=0:1000000:70
+GIDMap=70:10000:1
+GIDMap=71:1000071:65465
+
+# Avoid issues with built-in volumes being created by root
+PodmanArgs=--image-volume=ignore
 # Health check
 HealthCmd=pg_isready -U $POSTGRES_USER -d $POSTGRES_DB -p $PGPORT
diff --git a/postgresql/postgresql-upgrade.container b/postgresql/postgresql-upgrade.container
index 70e4295..753c784 100644
--- a/postgresql/postgresql-upgrade.container
+++ b/postgresql/postgresql-upgrade.container
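Review bot: The new `Volume=/var/lib/virtiofs/data/postgresql/backup:/var/lib/postgresql/backup:z` in postgresql-init.container bind-mounts a path on the virtiofs share, but in this diff `var-lib-virtiofs-data.mount` is added to `After=`/`Requires=` only in postgresql-backup.container; postgresql-init's `[Unit]` section is outside the hunk, so unless it already carries that dependency the job can start before the share is mounted and see an empty `backup` directory. Please confirm and, if missing, add the same ordering as in postgresql-backup. A one-line comment on the new `Volume=` explaining why the init job needs the backup directory (restoring a backup on first start, judging by the test target) would also help readers of the unit.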
@@ -30,6 +30,18 @@ Entrypoint=/usr/local/bin/upgrade.sh
 # No need for root privileges
 User=postgres
+Group=postgres
+
+# UID/GID mapping to map the postgres (70) user inside the container to arbitrary user 10004 / group 10000 on the host
+UIDMap=0:1000000:70
+UIDMap=70:10004:1
+UIDMap=71:1000071:65465
+GIDMap=0:1000000:70
+GIDMap=70:10000:1
+GIDMap=71:1000071:65465
+
+# Avoid issues with built-in volumes being created by root
+PodmanArgs=--image-volume=ignore
 # Set PostgreSQL command line arguments
 Exec=${POSTGRES_ARGS}
diff --git a/postgresql/tmpfiles.d/postgresql.conf b/postgresql/tmpfiles.d/postgresql.conf
index 344ba16..e47684d 100644
--- a/postgresql/tmpfiles.d/postgresql.conf
+++ b/postgresql/tmpfiles.d/postgresql.conf
@@ -1,3 +1,3 @@
-d$ /run/quadlets/postgresql 0700 70 70 -
-d$ /var/lib/virtiofs/data/postgresql 0700 70 70 -
-d$ /var/lib/virtiofs/data/postgresql/backup 0700 70 70 -
+d$ /run/quadlets/postgresql 0700 10004 10000 -
+d$ /var/lib/virtiofs/data/postgresql 0700 10004 10000 -
+d$ /var/lib/virtiofs/data/postgresql/backup 0700 10004 10000 -
diff --git a/virtiofs/fcos.bu b/virtiofs/fcos.bu
new file mode 100644
index 0000000..c3c9691
--- /dev/null
+++ b/virtiofs/fcos.bu
@@ -0,0 +1,14 @@
+variant: fcos
+version: 1.4.0
+ignition:
+ config:
+ merge:
+ - local: virtiofs.ign
+ - local: local.ign
+storage:
+ files:
+ - path: "/var/lib/virtiofs/data/witness.txt"
+ mode: 0644
+ contents:
+ inline: |
+ Hello, World!
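Review bot: The new virtiofs/fcos.bu has Ignition write `/var/lib/virtiofs/data/witness.txt`, yet the rest of this change treats `/var/lib/virtiofs/data` as the mount point of the virtiofs share (`var-lib-virtiofs-data.mount`), so once the share is mounted the file is hidden underneath it. If its purpose is to make a missing mount detectable (a visible `witness.txt` means the share is not mounted), a comment on the `storage:` entry saying so — e.g. `# canary: only visible when the virtiofs share failed to mount over this directory` — would keep the next reader from deleting it as leftover test data; if it is instead meant to be seen through the share, it has to be created on the host side rather than by Ignition. This is the whole new file, so nothing lies outside the hunk.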