From bb7244439e90ff5511f587efaa93eb5bedb6441a Mon Sep 17 00:00:00 2001 From: Adam Brightwell Date: Thu, 12 Mar 2026 13:04:03 -0400 Subject: [PATCH] Fix some `devcontainer` issues. While working on #2510 I encountered some issues with devcontainer that were introduced by `9b5e030e`: * Unsupported client encoding for CRDB. * SSL command-line flags cause the temp server to fail before initdb has copied the certs. * `:whoami` user creation, when the user already exists. * Postgres instances sharing `/var/run/postgresql` race on the default socket port. These changes should resolve each.
---
 .devcontainer/docker-compose.yml | 21 ++++++++++++++++-----
 testsetup/pg_ssl_init.sh | 11 +++++++++--
 testsetup/postgresql_setup.sql | 9 +++++++--
 3 files changed, 32 insertions(+), 9 deletions(-)
diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml
index 8b0778ea4..a9b4b75dd 100644
--- a/.devcontainer/docker-compose.yml
+++ b/.devcontainer/docker-compose.yml
@@ -21,6 +21,8 @@ services:
 PGPASSWORD: postgres
 PGDATABASE: pgx_test
 PGHOST: localhost
+ PGCLIENTENCODING: utf8
+
 # PGX test env vars target PG18 (port 5432) by default.
 # test.sh overrides these per-target.
 PGX_TEST_DATABASE: "host=localhost port=5432 user=postgres password=postgres dbname=pgx_test"
@@ -45,6 +47,7 @@ services:
 - ../testsetup/pg_ssl_init.sh:/docker-entrypoint-initdb.d/02-ssl-init.sh:ro
 - ../testsetup/pg_hba_devcontainer.conf:/etc/postgresql/pg_hba.conf:ro
 - ../testsetup/certs:/etc/postgresql/ssl:ro
+ - ../testsetup/postgresql_ssl.conf:/etc/postgresql/postgresql_ssl.conf:ro
 - pg-sockets:/var/run/postgresql
 network_mode: service:app
 environment:
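Review bot: The new bind mount `../testsetup/postgresql_ssl.conf` in the postgres-14 hunk (`@@ -45,6 +47,7 @@`), repeated in the postgres-15 to postgres-18 mount hunks, points at a file this patch does not add: the diffstat lists only docker-compose.yml, pg_ssl_init.sh and postgresql_setup.sql. If the file is not already tracked, Docker will typically create an empty directory at the missing host path, and the `cat /etc/postgresql/postgresql_ssl.conf` step in pg_ssl_init.sh then fails instead of enabling SSL. Please confirm the file exists in the repository, or include it in this commit so its `ssl`, `ssl_cert_file`, `ssl_key_file` and `ssl_ca_file` settings can be reviewed against the flags removed from `command:`.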
@@ -52,7 +55,8 @@ services:
 POSTGRES_PASSWORD: postgres
 POSTGRES_DB: pgx_test
 POSTGRES_HOSTNAME: localhost
- command: postgres -c port=5414 -c hba_file=/etc/postgresql/pg_hba.conf -c ssl=on -c ssl_cert_file=server.crt -c ssl_key_file=server.key -c ssl_ca_file=root.crt -c unix_socket_directories=/var/run/postgresql
+ PGPORT: 5414
+ command: postgres -c port=5414 -c hba_file=/etc/postgresql/pg_hba.conf -c unix_socket_directories=/var/run/postgresql
 postgres-15:
 image: postgres:15
@@ -63,6 +67,7 @@ services:
 - ../testsetup/pg_ssl_init.sh:/docker-entrypoint-initdb.d/02-ssl-init.sh:ro
 - ../testsetup/pg_hba_devcontainer.conf:/etc/postgresql/pg_hba.conf:ro
 - ../testsetup/certs:/etc/postgresql/ssl:ro
+ - ../testsetup/postgresql_ssl.conf:/etc/postgresql/postgresql_ssl.conf:ro
 - pg-sockets:/var/run/postgresql
 network_mode: service:app
 environment:
@@ -70,7 +75,8 @@ services:
 POSTGRES_PASSWORD: postgres
 POSTGRES_DB: pgx_test
 POSTGRES_HOSTNAME: localhost
- command: postgres -c port=5415 -c hba_file=/etc/postgresql/pg_hba.conf -c ssl=on -c ssl_cert_file=server.crt -c ssl_key_file=server.key -c ssl_ca_file=root.crt -c unix_socket_directories=/var/run/postgresql
+ PGPORT: 5415
+ command: postgres -c port=5415 -c hba_file=/etc/postgresql/pg_hba.conf -c unix_socket_directories=/var/run/postgresql
 postgres-16:
 image: postgres:16
@@ -81,6 +87,7 @@ services:
 - ../testsetup/pg_ssl_init.sh:/docker-entrypoint-initdb.d/02-ssl-init.sh:ro
 - ../testsetup/pg_hba_devcontainer.conf:/etc/postgresql/pg_hba.conf:ro
 - ../testsetup/certs:/etc/postgresql/ssl:ro
+ - ../testsetup/postgresql_ssl.conf:/etc/postgresql/postgresql_ssl.conf:ro
 - pg-sockets:/var/run/postgresql
 network_mode: service:app
 environment:
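Review bot: With `-c ssl=on` and the certificate flags dropped from `command:` in the postgres-14 hunk (`@@ -52,7 +55,8 @@`; the same change is made for postgres-15 to postgres-18), TLS is on only if 02-ssl-init.sh appended the settings to postgresql.conf, and the image runs initdb scripts only when the data directory is empty. A data directory initialised some other way would presumably start with SSL off and no startup error, where the old flags made a missing certificate fail loudly. I would record that next to the command, for example `# SSL is enabled by 02-ssl-init.sh at initdb time; recreate the data volume if that script or postgresql_ssl.conf changes`. Whether pg_hba_devcontainer.conf uses `hostssl` rules that would refuse a plaintext connection is not visible from this hunk.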
@@ -88,7 +95,8 @@ services:
 POSTGRES_PASSWORD: postgres
 POSTGRES_DB: pgx_test
 POSTGRES_HOSTNAME: localhost
- command: postgres -c port=5416 -c hba_file=/etc/postgresql/pg_hba.conf -c ssl=on -c ssl_cert_file=server.crt -c ssl_key_file=server.key -c ssl_ca_file=root.crt -c unix_socket_directories=/var/run/postgresql
+ PGPORT: 5416
+ command: postgres -c port=5416 -c hba_file=/etc/postgresql/pg_hba.conf -c unix_socket_directories=/var/run/postgresql
 postgres-17:
 image: postgres:17
@@ -99,6 +107,7 @@ services:
 - ../testsetup/pg_ssl_init.sh:/docker-entrypoint-initdb.d/02-ssl-init.sh:ro
 - ../testsetup/pg_hba_devcontainer.conf:/etc/postgresql/pg_hba.conf:ro
 - ../testsetup/certs:/etc/postgresql/ssl:ro
+ - ../testsetup/postgresql_ssl.conf:/etc/postgresql/postgresql_ssl.conf:ro
 - pg-sockets:/var/run/postgresql
 network_mode: service:app
 environment:
@@ -106,7 +115,8 @@ services:
 POSTGRES_PASSWORD: postgres
 POSTGRES_DB: pgx_test
 POSTGRES_HOSTNAME: localhost
- command: postgres -c port=5417 -c hba_file=/etc/postgresql/pg_hba.conf -c ssl=on -c ssl_cert_file=server.crt -c ssl_key_file=server.key -c ssl_ca_file=root.crt -c unix_socket_directories=/var/run/postgresql
+ PGPORT: 5417
+ command: postgres -c port=5417 -c hba_file=/etc/postgresql/pg_hba.conf -c unix_socket_directories=/var/run/postgresql
 postgres-18:
 image: postgres:18
@@ -117,6 +127,7 @@ services:
 - ../testsetup/pg_ssl_init.sh:/docker-entrypoint-initdb.d/02-ssl-init.sh:ro
 - ../testsetup/pg_hba_devcontainer.conf:/etc/postgresql/pg_hba.conf:ro
 - ../testsetup/certs:/etc/postgresql/ssl:ro
+ - ../testsetup/postgresql_ssl.conf:/etc/postgresql/postgresql_ssl.conf:ro
 - pg-sockets:/var/run/postgresql
 network_mode: service:app
 environment:
@@ -124,7 +135,7 @@ services:
 POSTGRES_PASSWORD: postgres
 POSTGRES_DB: pgx_test
 POSTGRES_HOSTNAME: localhost
- command: postgres -c hba_file=/etc/postgresql/pg_hba.conf -c ssl=on -c ssl_cert_file=server.crt -c ssl_key_file=server.key -c ssl_ca_file=root.crt -c unix_socket_directories=/var/run/postgresql
+ command: postgres -c hba_file=/etc/postgresql/pg_hba.conf -c unix_socket_directories=/var/run/postgresql
 cockroachdb:
 image: cockroachdb/cockroach:v25.4.4
diff --git a/testsetup/pg_ssl_init.sh b/testsetup/pg_ssl_init.sh
index 0701d8dcb..1b3ba6be2 100755
--- a/testsetup/pg_ssl_init.sh
+++ b/testsetup/pg_ssl_init.sh
@@ -1,7 +1,14 @@
 #!/bin/bash
-# Docker initdb script: copies SSL certificates to PGDATA with correct permissions.
-# Runs as the postgres user during container initialization.
+# Docker initdb script: copies SSL certificates to PGDATA with correct
+# permissions and enables SSL. Runs as the postgres user during container
+# initialization.
 base64 -d /etc/postgresql/ssl/localhost.crt.b64 > "$PGDATA/server.crt"
 base64 -d /etc/postgresql/ssl/localhost.key.b64 > "$PGDATA/server.key"
 base64 -d /etc/postgresql/ssl/ca.pem.b64 > "$PGDATA/root.crt"
 chmod 600 "$PGDATA/server.key"
+
+# Append SSL config to postgresql.conf rather than using command-line flags,
+# because the docker entrypoint passes command-line args to the temporary server
+# it starts before initdb scripts run. That temp server would fail with ssl=on
+# since the cert files don't exist yet.
+cat /etc/postgresql/postgresql_ssl.conf >> "$PGDATA/postgresql.conf"
diff --git a/testsetup/postgresql_setup.sql b/testsetup/postgresql_setup.sql
index b71909ecb..77186efd1 100644
--- a/testsetup/postgresql_setup.sql
+++ b/testsetup/postgresql_setup.sql
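Review bot: In testsetup/pg_ssl_init.sh the appended `cat /etc/postgresql/postgresql_ssl.conf >> "$PGDATA/postgresql.conf"` runs even when one of the `base64 -d` steps above it failed, because the script sets no error handling and, when run as an executable, its exit status is that of the last command. A missing or corrupt `.b64` file would then leave an empty `server.crt` or `server.key` with SSL switched on, and the problem surfaces later as a server start error rather than at the copy step. Adding `set -e` directly under the shebang stops the init at the first failed copy.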
@@ -12,9 +12,14 @@ set password_encryption = 'scram-sha-256';
 create user pgx_pw with superuser PASSWORD 'secret';
 create user pgx_scram with superuser PASSWORD 'secret';
 create user pgx_oauth with superuser;
-\set whoami `whoami`
-create user :whoami with superuser; -- unix domain socket user
+-- When running in devcontainers, `whoami` will be `postgres`. Since the
+-- `postgres` user already exists, attempting to recreate it will fail.
+-- Therefore, we'll guard against that by no-op'ing if/when the user already
+-- exists and thereby not aborting the remaining setup.
+\set whoami `whoami`
+select format('create user %I with superuser', :'whoami')
+where not exists (select from pg_roles where rolname = :'whoami') \gexec
 -- The tricky test user, below, has to actually exist so that it can be used in a test
 -- of aclitem formatting. It turns out aclitems cannot contain non-existing users/roles.
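Review bot: The `where not exists (select from pg_roles where rolname = :'whoami')` guard checks only that a role with that name exists, not that it is a superuser, so where the OS user already has an ordinary role the statement is skipped and the role keeps its current privileges. The old `create user` raised an error in that case; the new form is silent, which may show up later as permission failures if the unix-socket tests rely on superuser rights. I would say so in the added comment, for example `-- An existing role is left unchanged; it is assumed to already be a superuser.` The rest of the setup file lies outside this hunk.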