diff --git a/Dockerfile b/Dockerfile index 7db0263..20c9001 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,62 +1,80 @@ -FROM golang:1.24-alpine AS builder +# ----------------------------- +# Builder stage +# ----------------------------- +FROM golang:1.22-alpine AS builder ENV WALG_VERSION=v1.1 +ENV GOPATH=/go -ENV _build_deps="wget cmake git build-base bash" - -RUN set -ex \ - && apk add --no-cache $_build_deps \ - && git clone https://github.com/wal-g/wal-g/ $GOPATH/src/wal-g \ - && cd $GOPATH/src/wal-g/ \ - && git checkout $WALG_VERSION \ - # Resolves vulnerability CVE-2021-38561 - Out-of-bounds Read - && go get golang.org/x/text@v0.3.7 \ - # Resolves vulnerabilities CVE-2023-44487, CVE-2021-44716, CVE-2022-41723 & CVE-2022-27664 - Denial of Service (DoS) - # Resolves vulnerability CVE-2023-45288 & CVE-2023-39325- Allocation of Resources Without Limits or Throttling - && go get golang.org/x/net/http2@v0.34.0 \ - # Resolves vulnerability CVE-2023-44487 - Denial of Service (DoS) - && go get google.golang.org/grpc@v1.71.1 \ - # Resolves vulnerability CVE-2025-22868 - Allocation of Resources Without Limits or Throttling - && go get golang.org/x/oauth2@v0.28.0 \ - # Resolves vulnerability CVE-2024-27304 - SQL Injection \ - && go get github.com/dgrijalva/jwt-go/v4@v4.0.0-preview1 \ - # Resolves vulnerability CVE-2024-45337 - Incorrect Implementation of Authentication Algorithm - # Resolves vulnerability CVE-2025-22869 - Allocation of Resources Without Limits or Throttling - # Resolves vulnerability CVE-2020-29652 - NULL Pointer Dereference - # Resolves vulnerability CVE-2021-43565 - Denial of Service (DoS) - && go get -u golang.org/x/crypto@v0.35.0 \ - # Update all dependencies safely - && go mod tidy \ - && go mod download \ - && make install \ - && make deps \ - && make pg_build \ - && install main/pg/wal-g / \ - && /wal-g --help - -FROM postgres:14.19-alpine3.21 - -# Upgrade vulnerable packages libxml2, libxslt, icu-data-full and icu-libs -RUN apk upgrade --no-cache libxml2 libxslt icu-data-full icu-libs - -RUN apk add --update iputils htop curl busybox-suid jq \ - && curl -sOL https://cronitor.io/dl/linux_amd64.tar.gz \ - && tar xvf linux_amd64.tar.gz -C /usr/bin/ \ - && rm linux_amd64.tar.gz - -# Copy compiled wal-g binary from builder -COPY --from=builder /wal-g /usr/local/bin +RUN set -eux; \ + apk add --no-cache \ + git \ + make \ + bash \ + build-base \ + cmake +# Fetch WAL-G source +RUN git clone https://github.com/wal-g/wal-g.git $GOPATH/src/wal-g + +WORKDIR $GOPATH/src/wal-g + +RUN set -eux; \ + git checkout $WALG_VERSION; \ + \ + # Deterministic dependency resolution (modern Go approach) + go mod download; \ + go mod tidy; \ + \ + # Build WAL-G + make install; \ + make deps; \ + make pg_build; \ + \ + install main/pg/wal-g /wal-g; \ + /wal-g --help + + +# ----------------------------- +# Runtime stage (Postgres) +# ----------------------------- +FROM postgres:14.22-alpine3.23 + +# Security: apply OS-level fixes only (not Go-level hacks) +RUN apk upgrade --no-cache + +# Minimal runtime tools (keep attack surface small) +RUN apk add --no-cache \ + iputils \ + curl \ + jq \ + busybox-suid \ + htop + +# Install cronitor (pinned external binary source) +RUN curl -sSL https://cronitor.io/dl/linux_amd64.tar.gz -o /tmp/cronitor.tar.gz \ + && tar xvf /tmp/cronitor.tar.gz -C /usr/bin/ \ + && rm -f /tmp/cronitor.tar.gz + +# WAL-G binary +COPY --from=builder /wal-g /usr/local/bin/wal-g + +# ----------------------------- +# Scripts +# ----------------------------- # Add replication and WAL-G backup scripts RUN mkdir -p /usr/local/scripts + COPY scripts/setup-master.sh /docker-entrypoint-initdb.d/ COPY scripts/setup-slave.sh /docker-entrypoint-initdb.d/ + RUN chown -R root:postgres /docker-entrypoint-initdb.d/ \ && chmod -R 775 /docker-entrypoint-initdb.d # Add WAL-G backup script COPY scripts/walg_caller.sh /usr/local/scripts/ COPY scripts/base_backup.sh /usr/local/scripts/ + RUN chown -R root:postgres /usr/local/scripts \ && chmod -R 775 /usr/local/scripts @@ -64,11 +82,11 @@ RUN chown -R root:postgres /usr/local/scripts \ COPY scripts/entrypoint.sh / RUN chmod +x /entrypoint.sh -# Add cron permissions to postgres user +# Cron permissions RUN chown -R root:postgres /etc/crontabs/root \ && chmod g+rw /etc/crontabs/root ENTRYPOINT ["/bin/bash", "/entrypoint.sh"] CMD ["postgres"] -VOLUME ["/var/run/postgresql", "/usr/share/postgresql/", "/var/lib/postgresql/data", "/tmp"] +VOLUME ["/var/run/postgresql", "/usr/share/postgresql/", "/var/lib/postgresql/data", "/tmp"] \ No newline at end of file