From b00bc91a07b48375ba48c421d44a197b59d2c3eb Mon Sep 17 00:00:00 2001
From: Tim Sutton
Date: Tue, 5 Aug 2014 10:45:28 +0200
Subject: [PATCH] Woohoo simple setup of container (less suing to postgres) and run container as user postgres and support for ssl now works out the box

---
 Dockerfile | 4 +--
 setup.sh | 28 +++++++++++++++++++++
 start-postgis.sh | 63 ++++++++++++++----------------------------------
 3 files changed, 48 insertions(+), 47 deletions(-)
 mode change 100644 => 100755 setup.sh

diff --git a/Dockerfile b/Dockerfile
index dda535d..14004c2 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -25,9 +25,8 @@ RUN service postgresql start && /bin/su postgres -c "createuser -d -s -r -l dock
 # Start with supervisor
 ADD postgres.conf /etc/supervisor/conf.d/postgres.conf
 
-# Open port 5432 and 22 so linked containers can see them
+# Open port 5432 so linked containers can see them
 EXPOSE 5432
-EXPOSE 22
 
 # Run any additional tasks here that are too tedious to put in
 # this dockerfile directly.
@@ -39,4 +38,5 @@ RUN /setup.sh
 ADD start-postgis.sh /start-postgis.sh
 RUN chmod 0755 /start-postgis.sh
 
+USER postgres
 CMD /start-postgis.sh
diff --git a/setup.sh b/setup.sh
old mode 100644
new mode 100755
index 58932f6..aa3554a
--- a/setup.sh
+++ b/setup.sh
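Review bot: With `USER postgres` now in effect, `CMD /start-postgis.sh` is still written in shell form, so `/bin/sh -c` becomes PID 1 and does not pass SIGTERM on to the script; the `trap … SIGTERM` that start-postgis.sh relies on to stop postgres cleanly will therefore not fire on `docker stop`, which then falls through to SIGKILL after the grace period. Switching to the exec form, `CMD ["/start-postgis.sh"]`, makes the script itself PID 1 and lets the trap receive the signal. Dropping `EXPOSE 22` is a welcome reduction of the advertised surface, though `EXPOSE` is metadata only and restricts nothing by itself.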
@@ -1 +1,29 @@
 # Add any additional setup tasks here
+
+# These tasks are run as root
+CONF="/etc/postgresql/9.3/main/postgresql.conf"
+
+# /etc/ssl/private can't be accessed from within container for some reason
+# (@andrewgodwin says it's something AUFS related) - taken from https://github.com/orchardup/docker-postgresql/blob/master/Dockerfile
+mkdir -p /etc/ssl/private-copy
+mv /etc/ssl/private/* /etc/ssl/private-copy/
+rm -r /etc/ssl/private
+mv /etc/ssl/private-copy /etc/ssl/private
+chmod -R 0700 /etc/ssl/private
+chown -R postgres /etc/ssl/private
+
+# Restrict subnet to docker private network
+echo "host all all 172.17.0.0/16 md5" >> /etc/postgresql/9.3/main/pg_hba.conf
+# Listen on all ip addresses
+echo "listen_addresses = '*'" >> /etc/postgresql/9.3/main/postgresql.conf
+echo "port = 5432" >> /etc/postgresql/9.3/main/postgresql.conf
+
+# Enable ssl
+
+echo "ssl = true" >> $CONF
+#echo "ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH' " >> $CONF
+#echo "ssl_renegotiation_limit = 512MB " >> $CONF
+echo "ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'" >> $CONF
+echo "ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'" >> $CONF
+#echo "ssl_ca_file = '' # (change requires restart)" >> $CONF
+#echo "ssl_crl_file = ''" >> $CONF
diff --git a/start-postgis.sh b/start-postgis.sh
index a714639..2000b96 100644
--- a/start-postgis.sh
+++ b/start-postgis.sh
@@ -1,5 +1,7 @@
 #!/bin/bash
+# This script will run as the postgres user due to the Dockerfile USER directive
+
 
 DATADIR="/var/lib/postgresql/9.3/main"
 CONF="/etc/postgresql/9.3/main/postgresql.conf"
 POSTGRES="/usr/lib/postgresql/9.3/bin/postgres"
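Review bot: setup.sh is now marked executable, but its first line is still `# Add any additional setup tasks here` rather than a shebang, so it only runs because the shell falls back to interpreting an ENOEXEC file as a script, and none of its commands are error-checked. Starting the file with `#!/bin/bash` and `set -euo pipefail` would make a failed `mv` of /etc/ssl/private abort the build instead of leaving `ssl_key_file` pointing at a key that was never moved. The pg_hba.conf rule uses `host`, which accepts cleartext as well as TLS connections even though `ssl = true` is being enabled; `hostssl all all 172.17.0.0/16 md5` would make the new SSL support mandatory on the docker network. The snakeoil certificate is self-signed, so clients get link encryption but cannot verify the server identity unless a CA-signed pair is mounted in its place.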
@@ -25,37 +27,10 @@ fi
 if [ ! "$(ls -A $DATADIR)" ]; then
 # No content yet - first time pg is being run!
 
-
-
-# /etc/ssl/private can't be accessed from within container for some reason
-# (@andrewgodwin says it's something AUFS related) - taken from https://github.com/orchardup/docker-postgresql/blob/master/Dockerfile
-mkdir /etc/ssl/private-copy
-mv /etc/ssl/private/* /etc/ssl/private-copy/
-rm -r /etc/ssl/private
-mv /etc/ssl/private-copy /etc/ssl/private
-chmod -R 0700 /etc/ssl/private
-chown -R postgres /etc/ssl/private
-
-echo "host all all 172.17.0.0/16 md5" >> /etc/postgresql/9.3/main/pg_hba.conf
-# Listen on all ip addresses
-echo "listen_addresses = '*'" >> /etc/postgresql/9.3/main/postgresql.conf
-echo "port = 5432" >> /etc/postgresql/9.3/main/postgresql.conf
-
-# Enable ssl
-
-echo "ssl = true" >> $CONF
-#echo "ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH' " >> $CONF
-#echo "ssl_renegotiation_limit = 512MB " >> $CONF
-echo "ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'" >> $CONF
-echo "ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'" >> $CONF
-#echo "ssl_ca_file = '' # (change requires restart)" >> $CONF
-#echo "ssl_crl_file = ''" >> $CONF
-
 # Initialise db
-echo "Initializing Postgres Database at $DATADIR"
-chown -R postgres $DATADIR
-su postgres sh -c "$INITDB $DATADIR"
+#chown -R postgres $DATADIR
+$INITDB $DATADIR
 
 fi
 
 # Make sure we have a user set up
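Review bot: `$INITDB $DATADIR` now runs as the unprivileged postgres user with the `chown -R postgres $DATADIR` commented out, so the data directory has to be writable by postgres before the script starts; if DATADIR is a fresh volume or bind mount owned by root, initdb may fail with a permission error and the script then carries on to start postgres against an empty directory. A guard such as `[ -w "$DATADIR" ] || { echo "$DATADIR is not writable by $(id -un)" >&2; exit 1; }` before the initdb call, together with `$INITDB "$DATADIR" || exit 1`, would make that failure explicit rather than silent. Quoting `"$DATADIR"` in the `ls -A` test is advisable for the same reason, even though the value is a fixed constant here.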
@@ -69,19 +44,19 @@ fi
 # redirect user/pass into a file so we can echo it into
 # docker logs when container starts
 # so that we can tell user their password
-echo "postgresql user: $USERNAME" > /PGPASSWORD.txt
-echo "postgresql password: $PASS" >> /PGPASSWORD.txt
-su postgres sh -c "$POSTGRES --single -D $DATADIR -c config_file=$CONF" <<< "CREATE USER $USERNAME WITH SUPERUSER ENCRYPTED PASSWORD '$PASS';"
+echo "postgresql user: $USERNAME" > /tmp/PGPASSWORD.txt
+echo "postgresql password: $PASS" >> /tmp/PGPASSWORD.txt
+$POSTGRES --single -D $DATADIR -c config_file=$CONF" <<< "CREATE USER $USERNAME WITH SUPERUSER ENCRYPTED PASSWORD '$PASS';
 
 trap "echo \"Sending SIGTERM to postgres\"; killall -s SIGTERM postgres" SIGTERM
-su postgres sh -c "$POSTGRES -D $DATADIR -c config_file=$CONF" &
+$POSTGRES -D $DATADIR -c config_file=$CONF &
 
 # Wait for the db to start up before trying to use it....
 sleep 10
 
-RESULT=`su postgres sh -c "psql -l" | grep postgis | wc -l`
+RESULT=`psql -l | grep postgis | wc -l`
 if [[ $RESULT == '1' ]]
 then
 echo 'Postgis Already There'
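Review bot: The rewritten single-user line keeps a stray double quote from the removed `su postgres sh -c "…"` wrapper: in `config_file=$CONF" <<< "CREATE USER …` the `" <<< "` segment is parsed as a quoted literal glued to the config_file argument, so no here-string reaches postgres and the user is never created. The line should read `$POSTGRES --single -D "$DATADIR" -c config_file="$CONF" <<< "CREATE USER $USERNAME WITH SUPERUSER ENCRYPTED PASSWORD '$PASS';"`. Separately, /tmp/PGPASSWORD.txt is created under the default umask, so the password is readable by every user in the container; `umask 077` before the two redirects (or `chmod 600 /tmp/PGPASSWORD.txt` after them) limits that to the postgres user. A single quote in `$PASS` would also end the SQL string early; doubling it with `${PASS//\'/\'\'}` keeps the statement well-formed.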
@@ -90,27 +65,25 @@ else
 # Note the dockerfile must have put the postgis.sql and spatialrefsys.sql scripts into /root/
 # We use template0 since we want t different encoding to template1
 echo "Creating template postgis"
-su postgres sh -c "createdb template_postgis -E UTF8 -T template0"
-set -x
+createdb template_postgis -E UTF8 -T template0
 echo "Enabling template_postgis as a template"
-su postgres sh -c "psql template0 -c 'UPDATE pg_database SET datistemplate = TRUE WHERE datname = \'template_postgis\';'"
+psql template1 -c "UPDATE pg_database SET datistemplate = TRUE WHERE datname = 'template_postgis';"
 echo "Loading postgis.sql"
-su postgres sh -c "psql template_postgis -f $SQLDIR/postgis.sql"
-set +x
+psql template_postgis -f $SQLDIR/postgis.sql
 echo "Loading spatial_ref_sys.sql"
-su postgres sh -c "psql template_postgis -f $SQLDIR/spatial_ref_sys.sql"
+psql template_postgis -f $SQLDIR/spatial_ref_sys.sql
 # Needed when importing old dumps using e.g ndims for constraints
 echo "Loading legacy sql"
-su postgres sh -c "psql template_postgis -f $SQLDIR/legacy_minimal.sql"
+psql template_postgis -f $SQLDIR/legacy_minimal.sql
 echo "Granting on geometry columns"
-su postgres sh -c "psql template_postgis -c 'GRANT ALL ON geometry_columns TO PUBLIC;'"
+psql template_postgis -c 'GRANT ALL ON geometry_columns TO PUBLIC;'
 echo "Granting on geography columns"
-su postgres sh -c "psql template_postgis -c 'GRANT ALL ON geography_columns TO PUBLIC;'"
+psql template_postgis -c 'GRANT ALL ON geography_columns TO PUBLIC;'
 echo "Granting on spatial ref sys"
-su postgres sh -c "psql template_postgis -c 'GRANT ALL ON spatial_ref_sys TO PUBLIC;'"
+psql template_postgis -c 'GRANT ALL ON spatial_ref_sys TO PUBLIC;'
 # This should show up in docker logs afterwards
 fi
-su postgres sh -c "psql -l"
+psql -l
 wait $!
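Review bot: None of the createdb/psql steps check their exit status, and `datistemplate = TRUE` is set on template_postgis before postgis.sql and the other files are loaded, so a failed load leaves an empty database already flagged as the spatial template. Passing `-v ON_ERROR_STOP=1` to each `psql -f` call makes psql exit non-zero on the first SQL error, and moving the `psql template1 -c "UPDATE pg_database SET datistemplate = TRUE …"` line after the last GRANT means the flag is only set once the template is complete. The unquoted `$SQLDIR/postgis.sql` arguments work only because SQLDIR contains no whitespace; `"$SQLDIR/postgis.sql"` is the safer form and applies to the three `-f` lines alike.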