pgadmin4/pkg/docker/entrypoint.sh

#!/bin/sh

# Fixup the passwd file, in case we're on OpenShift
if ! whoami > /dev/null 2>&1; then
  if [ "$(id -u)" -ne 5050 ]; then
    if [ -w /etc/passwd ]; then
      echo "${USER_NAME:-pgadminr}:x:$(id -u):0:${USER_NAME:-pgadminr} user:${HOME}:/sbin/nologin" >> /etc/passwd
    fi
  fi
fi

# Populate config_distro.py. This has some default config, as well as anything
# provided by the user through the PGADMIN_CONFIG_* environment variables.
# Only update the file on first launch. The empty file is created during the
# container build so it can have the required ownership.
if [ "$(wc -m /pgadmin4/config_distro.py | awk '{ print $1 }')" = "0" ]; then
    cat << EOF > /pgadmin4/config_distro.py
CA_FILE = '/etc/ssl/certs/ca-certificates.crt'
LOG_FILE = '/dev/null'
HELP_PATH = '../../docs'
DEFAULT_BINARY_PATHS = {
        'pg': '/usr/local/pgsql-16',
        'pg-16': '/usr/local/pgsql-16',
        'pg-15': '/usr/local/pgsql-15',
        'pg-14': '/usr/local/pgsql-14',
        'pg-13': '/usr/local/pgsql-13',
        'pg-12': '/usr/local/pgsql-12'
}
EOF

    # This is a bit kludgy, but necessary as the container uses BusyBox/ash as
    # it's shell and not bash which would allow a much cleaner implementation
    for var in $(env | grep "^PGADMIN_CONFIG_" | cut -d "=" -f 1); do
        # shellcheck disable=SC2086
        # shellcheck disable=SC2046
        echo ${var#PGADMIN_CONFIG_} = $(eval "echo \$$var") >> /pgadmin4/config_distro.py
    done
fi

if [ ! -f /var/lib/pgadmin/pgadmin4.db ]; then
    if [ -z "${PGADMIN_DEFAULT_EMAIL}" ] || { [ -z "${PGADMIN_DEFAULT_PASSWORD}" ] && [ -z "${PGADMIN_DEFAULT_PASSWORD_FILE}" ]; }; then
        echo 'You need to define the PGADMIN_DEFAULT_EMAIL and PGADMIN_DEFAULT_PASSWORD or PGADMIN_DEFAULT_PASSWORD_FILE environment variables.'
        exit 1
    fi

    if ! echo "${PGADMIN_DEFAULT_EMAIL}" | grep -E "^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$" > /dev/null; then
        echo "'${PGADMIN_DEFAULT_EMAIL}' does not appear to be a valid email address. Please reset the PGADMIN_DEFAULT_EMAIL environment variable and try again."
        exit 1
    fi

    # Read secret contents
    if [ -n "${PGADMIN_DEFAULT_PASSWORD_FILE}" ]; then
        PGADMIN_DEFAULT_PASSWORD=$(cat "${PGADMIN_DEFAULT_PASSWORD_FILE}")
        export PGADMIN_DEFAULT_PASSWORD
    fi

    # Set the default username and password in a
    # backwards compatible way
    export PGADMIN_SETUP_EMAIL="${PGADMIN_DEFAULT_EMAIL}"
    export PGADMIN_SETUP_PASSWORD="${PGADMIN_DEFAULT_PASSWORD}"

    # Initialize DB before starting Gunicorn
    # Importing pgadmin4 (from this script) is enough
    /venv/bin/python3 run_pgadmin.py

    export PGADMIN_SERVER_JSON_FILE="${PGADMIN_SERVER_JSON_FILE:-/pgadmin4/servers.json}"

    # Pre-load any required servers
    if [ -f "${PGADMIN_SERVER_JSON_FILE}" ]; then
        # When running in Desktop mode, no user is created
        # so we have to import servers anonymously
        if [ "${PGADMIN_CONFIG_SERVER_MODE}" = "False" ]; then
            /venv/bin/python3 /pgadmin4/setup.py load-servers "${PGADMIN_SERVER_JSON_FILE}"
        else
            /venv/bin/python3 /pgadmin4/setup.py load-servers "${PGADMIN_SERVER_JSON_FILE}" --user "${PGADMIN_DEFAULT_EMAIL}"
        fi
    fi
fi

# Start Postfix to handle password resets etc.
if [ -z "${PGADMIN_DISABLE_POSTFIX}" ]; then
    sudo /usr/sbin/postfix start
fi

# Get the session timeout from the pgAdmin config. We'll use this (in seconds)
# to define the Gunicorn worker timeout
TIMEOUT=$(cd /pgadmin4 && /venv/bin/python3 -c 'import config; print(config.SESSION_EXPIRATION_TIME * 60 * 60 * 24)')

# NOTE: currently pgadmin can run only with 1 worker due to sessions implementation
# Using --threads to have multi-threaded single-process worker

if [ -n "${PGADMIN_ENABLE_TLS}" ]; then
    exec /venv/bin/gunicorn --limit-request-line "${GUNICORN_LIMIT_REQUEST_LINE:-8190}" --timeout "${TIMEOUT}" --bind "${PGADMIN_LISTEN_ADDRESS:-[::]}:${PGADMIN_LISTEN_PORT:-443}" -w 1 --threads "${GUNICORN_THREADS:-25}" --access-logfile "${GUNICORN_ACCESS_LOGFILE:--}" --keyfile /certs/server.key --certfile /certs/server.cert -c gunicorn_config.py run_pgadmin:app
else
    exec /venv/bin/gunicorn --limit-request-line "${GUNICORN_LIMIT_REQUEST_LINE:-8190}" --timeout "${TIMEOUT}" --bind "${PGADMIN_LISTEN_ADDRESS:-[::]}:${PGADMIN_LISTEN_PORT:-80}" -w 1 --threads "${GUNICORN_THREADS:-25}" --access-logfile "${GUNICORN_ACCESS_LOGFILE:--}" -c gunicorn_config.py run_pgadmin:app
fi
Update container build to use Alpine Linux and Gunicorn instead of CentOS and Apache. Fixes #3246 This results in a much more slim-line container, requiring fewer resources to run. In addition, the majority of the build is now done using the Docker infrastructure, allowing for quicker rebuilds and better use of layers. 2018-04-04 16:18:17 +01:00			`#!/bin/sh`

Support running the container under OpenShift with alternate UIDs. Fixes #7257 2022-03-21 11:19:33 +00:00			`# Fixup the passwd file, in case we're on OpenShift`
Sonarqube fixes for Docker. 2022-08-11 09:30:36 +01:00			`if ! whoami > /dev/null 2>&1; then`
			`if [ "$(id -u)" -ne 5050 ]; then`
Support running the container under OpenShift with alternate UIDs. Fixes #7257 2022-03-21 11:19:33 +00:00			`if [ -w /etc/passwd ]; then`
			`echo "${USER_NAME:-pgadminr}:x:$(id -u):0:${USER_NAME:-pgadminr} user:${HOME}:/sbin/nologin" >> /etc/passwd`
			`fi`
			`fi`
			`fi`

Run pgAdmin in the container as a non-root user (pgadmin, UID: 5050). Fixes #4939. 2019-12-09 11:09:46 +05:30			`# Populate config_distro.py. This has some default config, as well as anything`
Allow configuration options to be set from the environment in the container distribution. Fixes #4651 2019-08-22 15:24:04 +01:00			`# provided by the user through the PGADMIN_CONFIG_* environment variables.`
Run pgAdmin in the container as a non-root user (pgadmin, UID: 5050). Fixes #4939. 2019-12-09 11:09:46 +05:30			`# Only update the file on first launch. The empty file is created during the`
			`# container build so it can have the required ownership.`
Sonarqube fixes for Docker. 2022-08-11 09:30:36 +01:00			`if [ "$(wc -m /pgadmin4/config_distro.py \| awk '{ print $1 }')" = "0" ]; then`
Allow configuration options to be set from the environment in the container distribution. Fixes #4651 2019-08-22 15:24:04 +01:00			`cat << EOF > /pgadmin4/config_distro.py`
Make sure pgAdmin can find the root certificates for upgrade checks. 2021-02-01 17:26:39 +00:00			`CA_FILE = '/etc/ssl/certs/ca-certificates.crt'`
Instead of rotating logs, don't write them to the container in the first place. This is inline with container best practices (logs go to the container console). Fixes #6170 2021-02-02 13:45:49 +00:00			`LOG_FILE = '/dev/null'`
Allow configuration options to be set from the environment in the container distribution. Fixes #4651 2019-08-22 15:24:04 +01:00			`HELP_PATH = '../../docs'`
			`DEFAULT_BINARY_PATHS = {`
1) Fixed an issue where PG 16 binaries not getting copied into the docker container. 2) Remove support for PostgreSQL 11. 2023-09-26 13:45:08 +05:30			`'pg': '/usr/local/pgsql-16',`
			`'pg-16': '/usr/local/pgsql-16',`
Support PostgreSQL 15. 2022-10-17 10:02:45 +01:00			`'pg-15': '/usr/local/pgsql-15',`
Updated PostgreSQL version from 13 to 14, to get the latest utility files. 2021-10-04 16:12:45 +05:30			`'pg-14': '/usr/local/pgsql-14',`
Fix dict definition. 2021-06-15 14:19:31 +01:00			`'pg-13': '/usr/local/pgsql-13',`
1) Fixed an issue where PG 16 binaries not getting copied into the docker container. 2) Remove support for PostgreSQL 11. 2023-09-26 13:45:08 +05:30			`'pg-12': '/usr/local/pgsql-12'`
Allow configuration options to be set from the environment in the container distribution. Fixes #4651 2019-08-22 15:24:04 +01:00			`}`
			`EOF`

			`# This is a bit kludgy, but necessary as the container uses BusyBox/ash as`
			`# it's shell and not bash which would allow a much cleaner implementation`
Change grep regex in the docker's entrypoint to find env variables starting with PGADMIN_CONFIG_ only. 2023-09-04 09:36:15 +02:00			`for var in $(env \| grep "^PGADMIN_CONFIG_" \| cut -d "=" -f 1); do`
Sonarqube fixes for Docker. 2022-08-11 09:30:36 +01:00			`# shellcheck disable=SC2086`
			`# shellcheck disable=SC2046`
Allow configuration options to be set from the environment in the container distribution. Fixes #4651 2019-08-22 15:24:04 +01:00			`echo ${var#PGADMIN_CONFIG_} = $(eval "echo \$$var") >> /pgadmin4/config_distro.py`
			`done`
			`fi`

Update container build to use Alpine Linux and Gunicorn instead of CentOS and Apache. Fixes #3246 This results in a much more slim-line container, requiring fewer resources to run. In addition, the majority of the build is now done using the Docker infrastructure, allowing for quicker rebuilds and better use of layers. 2018-04-04 16:18:17 +01:00			`if [ ! -f /var/lib/pgadmin/pgadmin4.db ]; then`
Sonarqube fixes for Docker. 2022-08-11 09:30:36 +01:00			`if [ -z "${PGADMIN_DEFAULT_EMAIL}" ] \|\| { [ -z "${PGADMIN_DEFAULT_PASSWORD}" ] && [ -z "${PGADMIN_DEFAULT_PASSWORD_FILE}" ]; }; then`
Added support for passing password using Docker Secret to Docker images. Fixes #7332 2022-06-15 11:07:56 +05:30			`echo 'You need to define the PGADMIN_DEFAULT_EMAIL and PGADMIN_DEFAULT_PASSWORD or PGADMIN_DEFAULT_PASSWORD_FILE environment variables.'`
Ensure PGADMIN_DEFAULT_EMAIL looks sane when initialising a container deployment. Fixes #6227 2021-02-26 16:57:03 +00:00			`exit 1`
			`fi`

Sonarqube fixes for Docker. 2022-08-11 09:30:36 +01:00			`if ! echo "${PGADMIN_DEFAULT_EMAIL}" \| grep -E "^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$" > /dev/null; then`
Ensure PGADMIN_DEFAULT_EMAIL looks sane when initialising a container deployment. Fixes #6227 2021-02-26 16:57:03 +00:00			`echo "'${PGADMIN_DEFAULT_EMAIL}' does not appear to be a valid email address. Please reset the PGADMIN_DEFAULT_EMAIL environment variable and try again."`
Update container build to use Alpine Linux and Gunicorn instead of CentOS and Apache. Fixes #3246 This results in a much more slim-line container, requiring fewer resources to run. In addition, the majority of the build is now done using the Docker infrastructure, allowing for quicker rebuilds and better use of layers. 2018-04-04 16:18:17 +01:00			`exit 1`
			`fi`

Added support for passing password using Docker Secret to Docker images. Fixes #7332 2022-06-15 11:07:56 +05:30			`# Read secret contents`
			`if [ -n "${PGADMIN_DEFAULT_PASSWORD_FILE}" ]; then`
Sonarqube fixes for Docker. 2022-08-11 09:30:36 +01:00			`PGADMIN_DEFAULT_PASSWORD=$(cat "${PGADMIN_DEFAULT_PASSWORD_FILE}")`
			`export PGADMIN_DEFAULT_PASSWORD`
Added support for passing password using Docker Secret to Docker images. Fixes #7332 2022-06-15 11:07:56 +05:30			`fi`

Update container build to use Alpine Linux and Gunicorn instead of CentOS and Apache. Fixes #3246 This results in a much more slim-line container, requiring fewer resources to run. In addition, the majority of the build is now done using the Docker infrastructure, allowing for quicker rebuilds and better use of layers. 2018-04-04 16:18:17 +01:00			`# Set the default username and password in a`
			`# backwards compatible way`
Sonarqube fixes for Docker. 2022-08-11 09:30:36 +01:00			`export PGADMIN_SETUP_EMAIL="${PGADMIN_DEFAULT_EMAIL}"`
			`export PGADMIN_SETUP_PASSWORD="${PGADMIN_DEFAULT_PASSWORD}"`
Update container build to use Alpine Linux and Gunicorn instead of CentOS and Apache. Fixes #3246 This results in a much more slim-line container, requiring fewer resources to run. In addition, the majority of the build is now done using the Docker infrastructure, allowing for quicker rebuilds and better use of layers. 2018-04-04 16:18:17 +01:00
			`# Initialize DB before starting Gunicorn`
			`# Importing pgadmin4 (from this script) is enough`
A bunch of size optimisation for the container. The new Rust requirement for the Cryptography module bloated it significantly. 2021-02-09 13:12:19 +00:00			`/venv/bin/python3 run_pgadmin.py`
Allow servers to be pre-loaded into container deployments. Fixes #3801 2018-12-05 17:16:46 +00:00
Sonarqube fixes for Docker. 2022-08-11 09:30:36 +01:00			`export PGADMIN_SERVER_JSON_FILE="${PGADMIN_SERVER_JSON_FILE:-/pgadmin4/servers.json}"`

Allow servers to be pre-loaded into container deployments. Fixes #3801 2018-12-05 17:16:46 +00:00			`# Pre-load any required servers`
Allow the path to /pgadmin4/servers.json to be overridden in the container distribution. Fixes #4400 2019-06-27 10:56:37 -04:00			`if [ -f "${PGADMIN_SERVER_JSON_FILE}" ]; then`
Fix an issue where servers.json import fails when running in desktop mode. 2019-12-17 13:15:04 +05:30			`# When running in Desktop mode, no user is created`
			`# so we have to import servers anonymously`
			`if [ "${PGADMIN_CONFIG_SERVER_MODE}" = "False" ]; then`
Administer pgAdmin Users and Preferences Using the Command Line Interface (CLI). #2483 2023-12-21 12:07:26 +05:30			`/venv/bin/python3 /pgadmin4/setup.py load-servers "${PGADMIN_SERVER_JSON_FILE}"`
Fix an issue where servers.json import fails when running in desktop mode. 2019-12-17 13:15:04 +05:30			`else`
Administer pgAdmin Users and Preferences Using the Command Line Interface (CLI). #2483 2023-12-21 12:07:26 +05:30			`/venv/bin/python3 /pgadmin4/setup.py load-servers "${PGADMIN_SERVER_JSON_FILE}" --user "${PGADMIN_DEFAULT_EMAIL}"`
Fix an issue where servers.json import fails when running in desktop mode. 2019-12-17 13:15:04 +05:30			`fi`
Allow servers to be pre-loaded into container deployments. Fixes #3801 2018-12-05 17:16:46 +00:00			`fi`
Update container build to use Alpine Linux and Gunicorn instead of CentOS and Apache. Fixes #3246 This results in a much more slim-line container, requiring fewer resources to run. In addition, the majority of the build is now done using the Docker infrastructure, allowing for quicker rebuilds and better use of layers. 2018-04-04 16:18:17 +01:00			`fi`

Run Postfix in the container build so passwords can be reset etc. Fixes #3599 2018-12-05 14:44:23 +00:00			`# Start Postfix to handle password resets etc.`
Sonarqube fixes for Docker. 2022-08-11 09:30:36 +01:00			`if [ -z "${PGADMIN_DISABLE_POSTFIX}" ]; then`
Add a container option (PGADMIN_DISABLE_POSTFIX) to disable the Postfix server. 2021-01-20 11:50:05 +00:00			`sudo /usr/sbin/postfix start`
			`fi`
Run Postfix in the container build so passwords can be reset etc. Fixes #3599 2018-12-05 14:44:23 +00:00
Set the Gunicorn worker timeout to match the configured session expiry. Partially fixes #3656 2019-03-01 11:55:17 +00:00			`# Get the session timeout from the pgAdmin config. We'll use this (in seconds)`
			`# to define the Gunicorn worker timeout`
A bunch of size optimisation for the container. The new Rust requirement for the Cryptography module bloated it significantly. 2021-02-09 13:12:19 +00:00			`TIMEOUT=$(cd /pgadmin4 && /venv/bin/python3 -c 'import config; print(config.SESSION_EXPIRATION_TIME * 60 * 60 * 24)')`
Set the Gunicorn worker timeout to match the configured session expiry. Partially fixes #3656 2019-03-01 11:55:17 +00:00
Update container build to use Alpine Linux and Gunicorn instead of CentOS and Apache. Fixes #3246 This results in a much more slim-line container, requiring fewer resources to run. In addition, the majority of the build is now done using the Docker infrastructure, allowing for quicker rebuilds and better use of layers. 2018-04-04 16:18:17 +01:00			`# NOTE: currently pgadmin can run only with 1 worker due to sessions implementation`
			`# Using --threads to have multi-threaded single-process worker`

Sonarqube fixes for Docker. 2022-08-11 09:30:36 +01:00			`if [ -n "${PGADMIN_ENABLE_TLS}" ]; then`
Expose the Gunicorn limit_request_line parameter in the container, with the default set to the maximum 8190. See #5390. 2022-10-03 14:09:25 +01:00			`exec /venv/bin/gunicorn --limit-request-line "${GUNICORN_LIMIT_REQUEST_LINE:-8190}" --timeout "${TIMEOUT}" --bind "${PGADMIN_LISTEN_ADDRESS:-[::]}:${PGADMIN_LISTEN_PORT:-443}" -w 1 --threads "${GUNICORN_THREADS:-25}" --access-logfile "${GUNICORN_ACCESS_LOGFILE:--}" --keyfile /certs/server.key --certfile /certs/server.cert -c gunicorn_config.py run_pgadmin:app`
Update container build to use Alpine Linux and Gunicorn instead of CentOS and Apache. Fixes #3246 This results in a much more slim-line container, requiring fewer resources to run. In addition, the majority of the build is now done using the Docker infrastructure, allowing for quicker rebuilds and better use of layers. 2018-04-04 16:18:17 +01:00			`else`
Expose the Gunicorn limit_request_line parameter in the container, with the default set to the maximum 8190. See #5390. 2022-10-03 14:09:25 +01:00			`exec /venv/bin/gunicorn --limit-request-line "${GUNICORN_LIMIT_REQUEST_LINE:-8190}" --timeout "${TIMEOUT}" --bind "${PGADMIN_LISTEN_ADDRESS:-[::]}:${PGADMIN_LISTEN_PORT:-80}" -w 1 --threads "${GUNICORN_THREADS:-25}" --access-logfile "${GUNICORN_ACCESS_LOGFILE:--}" -c gunicorn_config.py run_pgadmin:app`
Update container build to use Alpine Linux and Gunicorn instead of CentOS and Apache. Fixes #3246 This results in a much more slim-line container, requiring fewer resources to run. In addition, the majority of the build is now done using the Docker infrastructure, allowing for quicker rebuilds and better use of layers. 2018-04-04 16:18:17 +01:00			`fi`