In progress ssl support

71-apt-cacher-ng

@@ -3,5 +3,5 @@
 # use apt-cacher in your image build out (and the 
 # Subsequent running container.
 
-#Acquire::http { Proxy "http://192.168.2.9:3142"; };
+Acquire::http { Proxy "http://192.168.2.9:3142"; };
 #Acquire::http { Proxy "http://192.168.1.13:3142"; };

Dockerfile

@@ -20,11 +20,7 @@ RUN apt-get -y install ca-certificates rpl pwgen
 
 # Next line a workaround for https://github.com/dotcloud/docker/issues/963
 RUN apt-get install -y postgresql-9.3-postgis-2.1
-RUN echo "host    all             all             172.17.0.0/16               md5" >> /etc/postgresql/9.3/main/pg_hba.conf
 RUN service postgresql start && /bin/su postgres -c "createuser -d -s -r -l docker" && /bin/su postgres -c "psql postgres -c \"ALTER USER docker WITH ENCRYPTED PASSWORD 'docker'\"" && service postgresql stop
-# Listen on all ip addresses
-RUN echo "listen_addresses = '*'" >> /etc/postgresql/9.3/main/postgresql.conf
-RUN echo "port = 5432" >> /etc/postgresql/9.3/main/postgresql.conf
 
 # Start with supervisor
 ADD postgres.conf /etc/supervisor/conf.d/postgres.conf

start-postgis.sh

@@ -23,6 +23,36 @@ fi
 
 # test if DATADIR has content
 if [ ! "$(ls -A $DATADIR)" ]; then
+
+  # No content yet - first time pg is being run!
+
+
+  # /etc/ssl/private can't be accessed from within container for some reason
+  # (@andrewgodwin says it's something AUFS related)  - taken from https://github.com/orchardup/docker-postgresql/blob/master/Dockerfile
+  mkdir /etc/ssl/private-copy
+  mv /etc/ssl/private/* /etc/ssl/private-copy/
+  rm -r /etc/ssl/private
+  mv /etc/ssl/private-copy /etc/ssl/private
+  chmod -R 0700 /etc/ssl/private 
+  chown -R postgres /etc/ssl/private
+ 
+  echo "host    all             all             172.17.0.0/16               md5" >> /etc/postgresql/9.3/main/pg_hba.conf
+  # Listen on all ip addresses
+  echo "listen_addresses = '*'" >> /etc/postgresql/9.3/main/postgresql.conf
+  echo "port = 5432" >> /etc/postgresql/9.3/main/postgresql.conf
+
+  # Enable ssl
+
+  echo "ssl = true" >> $CONF
+  #echo "ssl_ciphers = 'DEFAULT:!LOW:!EXP:!MD5:@STRENGTH' " >> $CONF
+  #echo "ssl_renegotiation_limit = 512MB "  >> $CONF 
+  echo "ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem'" >> $CONF 
+  echo "ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key'" >> $CONF 
+  #echo "ssl_ca_file = ''                       # (change requires restart)" >> $CONF 
+  #echo "ssl_crl_file = ''" >> $CONF 
+
+  # Initialise db
+
   echo "Initializing Postgres Database at $DATADIR"
   chown -R postgres $DATADIR
   su postgres sh -c "$INITDB $DATADIR"
@@ -59,14 +89,25 @@ else
     echo "Postgis is missing, installing now"
     # Note the dockerfile must have put the postgis.sql and spatialrefsys.sql scripts into /root/
     # We use template0 since we want t different encoding to template1
+    echo "Creating template postgis"
     su postgres sh -c "createdb template_postgis -E UTF8 -T template0"
+    set -x
+    echo "Enabling template_postgis as a template"
     su postgres sh -c "psql template0 -c 'UPDATE pg_database SET datistemplate = TRUE WHERE datname = \'template_postgis\';'"
+    echo "Loading postgis.sql"
     su postgres sh -c "psql template_postgis -f $SQLDIR/postgis.sql"
+    set +x
+    echo "Loading spatial_ref_sys.sql"
     su postgres sh -c "psql template_postgis -f $SQLDIR/spatial_ref_sys.sql"
+
     # Needed when importing old dumps using e.g ndims for constraints
+    echo "Loading legacy sql"
     su postgres sh -c "psql template_postgis -f $SQLDIR/legacy_minimal.sql"
+    echo "Granting on geometry columns"
     su postgres sh -c "psql template_postgis -c 'GRANT ALL ON geometry_columns TO PUBLIC;'"
+    echo "Granting on geography columns"
     su postgres sh -c "psql template_postgis -c 'GRANT ALL ON geography_columns TO PUBLIC;'"
+    echo "Granting on spatial ref sys"
     su postgres sh -c "psql template_postgis -c 'GRANT ALL ON spatial_ref_sys TO PUBLIC;'"
     # This should show up in docker logs afterwards
 fi