diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml new file mode 100644 index 00000000..8109eea6 --- /dev/null +++ b/.github/workflows/bake.yml @@ -0,0 +1,53 @@ +name: Bake Images + +on: + schedule: + # Build images once a week, on Mondays + - cron: 0 8 * * 1 + workflow_dispatch: + inputs: + environment: + type: choice + options: + - testing + - production + default: testing + description: "Choose the environment to bake the target for" + +permissions: {} + +jobs: + get_versions: + name: Get PostgreSQL versions + runs-on: ubuntu-24.04 + permissions: + contents: read + outputs: + versions: ${{ steps.get_versions.outputs.versions }} + steps: + - name: Checkout Code + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + + - name: Get supported PostgreSQL versions + id: get_versions + run: | + VERSIONS="$(sed -n '/postgreSQLVersions = \[/,/\]/ s/.*"\(.*\)\..*".*/\"\1\"/p' docker-bake.hcl | xargs echo | tr ' ' ',')" + echo "PostgreSQL versions: [$VERSIONS]" + echo "versions=[$VERSIONS]" >> "$GITHUB_OUTPUT" + + Bake: + name: Bake + needs: get_versions + permissions: + packages: write + contents: read + id-token: write + security-events: write + strategy: + fail-fast: false + matrix: + version: ${{ fromJson(needs.get_versions.outputs.versions) }} + uses: ./.github/workflows/bake_targets.yml + with: + environment: ${{ github.event.inputs.environment }} + postgresql_version: ${{ matrix.version }} diff --git a/.github/workflows/bake.yaml b/.github/workflows/bake_targets.yml similarity index 79% rename from .github/workflows/bake.yaml rename to .github/workflows/bake_targets.yml index 9791421d..cdadfdff 100644 --- a/.github/workflows/bake.yaml +++ b/.github/workflows/bake_targets.yml 
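Review bot: The `environment: ${{ github.event.inputs.environment }}` line under `with:` evaluates to an empty string on the `schedule` trigger, because `github.event.inputs` is only populated by `workflow_dispatch`; the callee's `default: "testing"` most likely does not apply to an explicitly passed empty value, so the weekly bake would run with no environment. Writing it as `environment: ${{ inputs.environment || 'testing' }}` keeps the intended default on both triggers (`inputs.*` also resolves dispatch inputs). The `Bake` job grants `packages: write`, `id-token: write` and `security-events: write` to the whole reusable run; that matches what `bake_targets.yml` asks for, but a short comment naming which callee job needs each scope would help the next permissions audit. Also quote the cron expression, `- cron: "0 8 * * 1"`, so YAML linters do not flag the bare `*` characters.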
@@ -1,33 +1,28 @@ -name: Bake images +name: Build target images on: - schedule: - - cron: 0 8 * * 1 - workflow_dispatch: + workflow_call: inputs: environment: - type: choice - options: - - testing - - production - default: testing - description: "Choose the environment to bake the images for" - target: + description: "The environment to build for" + required: true + type: string + default: "testing" + postgresql_version: + description: "The PostgreSQL major version to bake" + required: true type: string - default: "" - description: "A comma separated list of targets to build. If empty, all targets will be built." -permissions: read-all +permissions: {} jobs: - # Start by building images for testing. We want to run security checks before pushing those to production. testbuild: - name: Build for testing - runs-on: ubuntu-latest + # Start by building images for testing. We want to run security checks before pushing those to production. + name: PostgreSQL ${{ inputs.postgresql_version }} + runs-on: ubuntu-24.04 permissions: contents: read packages: write - security-events: write # Required by the cosign step id-token: write outputs: @@ -37,6 +32,19 @@ jobs: - name: Checkout Code uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 + - name: List targets + id: targets + uses: docker/bake-action/subaction/matrix@v6 + with: + target: "default" + + - name: Filter by versions + id: extract_targets + run: | + target=$(echo '${{ steps.targets.outputs.matrix }}' | jq -r '.[] | .[] | select(match("${{ inputs.postgresql_version }}"))' | xargs echo | sed 's/ /,/g') + echo "Targets for PostgreSQL ${{ inputs.postgresql_version }}: $target" + echo "filtered_targets=$target" >> "$GITHUB_OUTPUT" + - name: Log in to the GitHub Container registry uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3 with: 
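Review bot: The `environment` input declares both `required: true` and `default: "testing"`; with `required` set, a caller that omits the input fails before the default could apply, so one of the two lines is dead and the intent should be made explicit. If a safe default is intended, drop `required: true`; if the value must always be supplied, drop the `default:` so a missing value fails at call time instead of silently building for testing. The move to `permissions: {}` at workflow level with per-job grants, and the removal of `security-events: write` from `testbuild`, are consistent with the scanning happening in the separate `security` job.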
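Review bot: The `Filter by versions` step interpolates `${{ steps.targets.outputs.matrix }}` and `${{ inputs.postgresql_version }}` directly into the shell script and into a jq regex; even though the version originates from the repository's own `docker-bake.hcl`, expression-to-script interpolation is the pattern GitHub advises against, and a quote character in either value would break or alter the command. Pass both through `env:` and hand the version to jq with `--arg`. Separately, `match("17")` is an unanchored regex, and when nothing matches `filtered_targets` is empty, which the later `targets:` line passes to bake — per the removed `target` input's description, an empty value means all targets are built; a guard that fails the step on an empty result makes that visible. Finally, `docker/bake-action/subaction/matrix@v6` is the only action in this file pinned to a mutable tag rather than a commit SHA, unlike the `actions/checkout` and `docker/login-action` steps around it; the anchored pattern below relies on the `postgresql-VERSION-TYPE-BASE` target naming shown in BUILD.md, so confirm it against the real matrix output.
```yaml
      - name: Filter by versions
        id: extract_targets
        env:
          MATRIX: ${{ steps.targets.outputs.matrix }}
          PG_VERSION: ${{ inputs.postgresql_version }}
        run: |
          target=$(jq -r --arg v "$PG_VERSION" '.[] | .[] | select(test("postgresql-\($v)-"))' <<<"$MATRIX" | xargs echo | sed 's/ /,/g')
          [ -n "$target" ] || { echo "No targets found for PostgreSQL $PG_VERSION" >&2; exit 1; }
          echo "Targets for PostgreSQL $PG_VERSION: $target"
          echo "filtered_targets=$target" >> "$GITHUB_OUTPUT"
```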
@@ -63,7 +71,7 @@ jobs: revision: ${{ github.sha }} with: push: true - targets: ${{ github.event.inputs.target }} + targets: ${{ steps.extract_targets.outputs.filtered_targets }} # Get a list of the images that were built and pushed. We only care about a single tag for each image. - name: Generated images @@ -86,6 +94,10 @@ jobs: security: name: Security checks runs-on: ubuntu-latest + permissions: + contents: read + packages: read + security-events: write needs: - testbuild strategy: @@ -107,6 +119,9 @@ jobs: with: image: ${{ matrix.image }} exit-code: '1' + failure-threshold: WARN + accept-keywords: key + accept-filenames: usr/share/postgresql-common/pgdg/apt.postgresql.org.asc,etc/ssl/private/ssl-cert-snakeoil.key,usr/local/lib/python3.9/dist-packages/azure/core/settings.py,usr/local/lib/python3.11/dist-packages/azure/core/settings.py,usr/local/lib/python3.13/dist-packages/azure/core/settings.py - name: Snyk uses: snyk/actions/docker@master diff --git a/BUILD.md b/BUILD.md index 722c82a0..d83e6e04 100644 --- a/BUILD.md +++ b/BUILD.md @@ -73,10 +73,10 @@ docker buildx bake --push If you want to limit the build to a specific combination, you can specify the target in the `VERSION-TYPE-BASE` format. For example, to build an image for -PostgreSQL 17 with the `minimal` format on the `bookworm` base image: +PostgreSQL 17 with the `minimal` format on the `trixie` base image: ```bash -docker buildx bake --push postgresql-17-minimal-bookworm +docker buildx bake --push postgresql-17-minimal-trixie ``` You can also limit the build to a single platform, for example AMD64, with: @@ -90,7 +90,7 @@ The two can be mixed as well: ```bash docker buildx bake --push \ --set "*.platform=linux/amd64" \ - postgresql-17-minimal-bookworm + postgresql-17-minimal-trixie ``` ## The Distribution Registry diff --git a/Dockerfile b/Dockerfile index a2ef41f5..2a9c90a2 100644 --- a/Dockerfile +++ b/Dockerfile 
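Review bot: In the `security` job hunk, `runs-on: ubuntu-latest` is kept as context while `testbuild` and the new caller workflow both pin `ubuntu-24.04`; pinning the scanner job the same way, `runs-on: ubuntu-24.04`, keeps the runner image consistent across the file and avoids the two jobs drifting apart on a future `ubuntu-latest` rollover. The new per-job `permissions:` block with `packages: read` and `security-events: write` is the right shape for a job that only pulls images and uploads scan results.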
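Review bot: The new `accept-filenames` line silences findings for `etc/ssl/private/ssl-cert-snakeoil.key` and three Python-version-specific `azure/core/settings.py` paths, but nothing records why each is acceptable; the snakeoil key in particular is a private key that ships inside the image (typically generated by the Debian `ssl-cert` package), so accepting the finding should come with a comment stating whether it is needed at runtime or could instead be removed in the Dockerfile. Add one comment per entry above the line, in the shape `# accepted: <path> — <why it is safe, who decided, when>`, rather than a bare list. The `usr/local/lib/python3.9/...`, `python3.11` and `python3.13` paths are coupled to the Python version of each Debian base, so a future base bump will silently re-trigger the finding until a fourth entry is added; a comment noting that coupling prevents a surprise failure. `accept-keywords: key` is a substring rule and may also suppress unrelated findings whose text contains that word, which is worth stating next to it. The scanner step's `uses:` line is outside this hunk, so the action and its version cannot be confirmed here.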
@@ -29,3 +29,25 @@ RUN apt-get update && \
 rm -rf /var/lib/apt/lists/* /var/cache/* /var/log/*
 
 USER 26
+
+FROM standard AS system
+ARG BARMAN_VERSION
+
+# We need to break the system packages to install barman-cloud in bookworm and later
+ENV PIP_BREAK_SYSTEM_PACKAGES=1
+
+USER root
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends \
+ # We require build-essential and python3-dev to build lz4 on arm64 since there isn't a pre-compiled wheel available
+ build-essential python3-dev \
+ python3-pip \
+ python3-psycopg2 \
+ python3-setuptools \
+ && \
+ pip3 install --no-cache-dir barman[cloud,azure,snappy,google,zstandard,lz4]==${BARMAN_VERSION} && \
+ apt-get remove -y --purge --autoremove build-essential python3-dev && \
+ apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false && \
+ rm -rf /var/lib/apt/lists/* /var/cache/* /var/log/*
+
+USER 26
diff --git a/README.md b/README.md
index 92a278fd..653da7ae 100644
--- a/README.md
+++ b/README.md
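Review bot: `ENV PIP_BREAK_SYSTEM_PACKAGES=1` persists into the final `system` image rather than applying only to the build-time `pip3 install`, so anyone running pip inside the container later inherits it and can overwrite Debian-managed Python packages without the usual guard. Scope it to the install instead — `pip3 install --no-cache-dir --break-system-packages barman[cloud,azure,snappy,google,zstandard,lz4]==${BARMAN_VERSION}` if the base's pip supports the flag, or prefix the `RUN` command with the variable — and drop the `ENV` line. The stage also leaves `python3-pip` and `python3-setuptools` installed at runtime after removing only `build-essential` and `python3-dev`; if barman does not need pip once installed, adding `python3-pip` to the `apt-get remove` list shrinks the shipped image's attack surface (setuptools may still be required for `pkg_resources`, so confirm before touching it). `ARG BARMAN_VERSION` has no default, so a build that omits it produces `barman[...]==` and fails at the pip step, which is acceptable, but a one-line comment saying the value is supplied from `docker-bake.hcl` would help.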
@@ -1,13 +1,12 @@
 [![CloudNativePG](./logo/cloudnativepg.png)](https://cloudnative-pg.io/)
 
-> **IMPORTANT:** As of January 2025, we have transitioned to a new image build
-> process (see issue [#132](https://github.com/cloudnative-pg/postgres-containers/issues/132)
-> for details). Previously, the images were based on the
-> [Official Postgres image](https://hub.docker.com/_/postgres), maintained by the
-> [PostgreSQL Docker Community](https://github.com/docker-library/postgres),
-> and included Barman Cloud built from source.
-> This legacy approach, referred to as `system` images, will remain available
-> for backward compatibility but is planned for a future deprecation.
+> **IMPORTANT:** Starting in August 2025, the [Official Postgres Image](https://hub.docker.com/_/postgres),
+> maintained by the [PostgreSQL Docker Community](https://github.com/docker-library/postgres),
+> has discontinued support for Debian `bullseye`.
+> In response, the CloudNativePG project has completed the transition to the
+> new `bake`-based build process for all `system` images. We now build directly
+> on top of the official Debian slim images, fully detaching from the official
+> Postgres image. Additional changes are planned as part of epic #287.
 
 ---
 
@@ -23,31 +22,52 @@ within Kubernetes environments.
 
 ## Key Features
 
-The CNPG PostgreSQL Container Images:
+CloudNativePG PostgreSQL container images:
 
-- Are based on Debian Linux `stable` and `oldstable`
-- Support **multi-architecture builds**, including `linux/amd64` and
+- Are built on top of **Debian Linux** (`stable` and `oldstable`).
+- Provide **multi-architecture support**, including `linux/amd64` and
 `linux/arm64`.
-- Include **build attestations**, such as Software Bills of Materials (SBOMs)
+- Ship with **build attestations**, such as Software Bills of Materials (SBOMs)
 and provenance metadata.
-- Are published on the
- [CloudNativePG GitHub Container Registry](https://github.com/cloudnative-pg/postgres-containers/pkgs/container/postgresql).
-- Are **automatically rebuilt weekly** (every Monday) to ensure they remain
- up-to-date.
+- Are published in the [CloudNativePG GitHub Container Registry](https://github.com/cloudnative-pg/postgres-containers/pkgs/container/postgresql).
+- Are **automatically rebuilt every week** (on Mondays) to remain up to date
+ with the latest upstream security and bug fixes.
+
+## Debian Releases
+
+CloudNativePG PostgreSQL container images are based on the official `stable`
+and `oldstable` Debian releases, maintained and supported by the
+[Debian Project](https://www.debian.org/releases/).
+
+The table below summarises the support lifecycle of relevant Debian versions,
+including End-of-Life (EOL) and Long-Term Support (LTS) dates.
+
+| Name | Version | Release Date | EOL | LTS | Status |
+| ------------------------- | :-----: | :----------: | :--------: | :--------: | :--------- |
+| Trixie (`stable`) | 13 | 2025-08-09 | 2028-08-09 | 2030-06-30 | Supported |
+| Bookworm (`oldstable`) | 12 | 2023-06-10 | 2026-06-10 | 2028-06-30 | Supported |
+| Bullseye (`oldoldstable`) | 11 | 2021-08-14 | 2024-08-14 | 2026-08-31 | Deprecated |
+
+> **IMPORTANT:** The CloudNativePG project provides full support for
+> Debian-based images until each release reaches its official End-of-Life
+> (EOL). After EOL and until the start of Long-Term Support (LTS), images for the
+> deprecated releases, such as `oldoldstable`, are maintained on a
+> **best-effort basis**. If discontinuation becomes necessary before the LTS
+> date, a minimum **three-month advance notice** will be posted on this page.
 
 ## Image Types
 
-We currently build and support two primary types of PostgreSQL images:
+We currently provide and maintain three main types of PostgreSQL images:
 
-- [`minimal`](#minimal-images)
-- [`standard`](#standard-images)
+* [`minimal`](#minimal-images)
+* [`standard`](#standard-images)
+* [`system`](#system-images) (*deprecated*)
 
-Both `minimal` and `standard` images are intended to be used with backup
-plugins, such as [Barman Cloud](https://github.com/cloudnative-pg/plugin-barman-cloud).
+Both `minimal` and `standard` images are designed to work with backup plugins
+such as [Barman Cloud](https://github.com/cloudnative-pg/plugin-barman-cloud).
 
-> **Note:** for backward compatibility, we also maintain the
-> [`system`](#system-images) image type. Switching from `system` images to
-> `minimal` or `standard` images on an existing cluster is not supported.
+The `system` images, built on top of the `standard` ones, also include the
+Barman Cloud binaries.
 
 ### Minimal Images
 
@@ -57,7 +77,7 @@ They use the [APT PostgreSQL packages](https://wiki.postgresql.org/wiki/Apt)
 maintained by the PostgreSQL Global Development Group (PGDG).
 
 These images are identified by the inclusion of `minimal` in their tag names,
-for example: `17.2-minimal-bookworm`.
+for example: `17.6-minimal-trixie`.
 
 ### Standard Images
 
@@ -70,33 +90,23 @@ following additional features:
 - All Locales
 
 Standard images are identifiable by the `standard` tag in their names, such as:
-`17.2-standard-bookworm`.
+`17.6-standard-trixie`.
 
 > **Note:** Standard images are designed to offer functionality equivalent to
 > the legacy `system` images when used with CloudNativePG. To achieve parity,
 > you must use the [Barman Cloud Plugin](https://github.com/cloudnative-pg/plugin-barman-cloud)
 > as a replacement for the native Barman Cloud support in `system` images.
 
-### System Images
+### System Images (deprecated)
 
-System images are based on the [Official Postgres image](https://hub.docker.com/_/postgres),
-maintained by the
-[PostgreSQL Docker Community](https://github.com/docker-library/postgres).
-These images include additional software to extend PostgreSQL functionality:
+Starting from September 2025, system images are based on the `standard` image
+and include Barman Cloud binaries.
 
-- Barman Cloud
-- PGAudit
-- Postgres Failover Slots
-- pgvector
-
-The [`Debian`](Debian) folder contains image catalogs, which can be used as:
-- [`ClusterImageCatalog`](https://cloudnative-pg.io/documentation/current/image_catalog/)
-- [`ImageCatalog`](https://cloudnative-pg.io/documentation/current/image_catalog/)
-
-> **Deprecation Notice:** System images and the associated Debian-based image
-> catalogs will be deprecated in future releases of CloudNativePG and
-> eventually removed. Users are encouraged to migrate to `minimal` or
-> `standard` images for new clusters as soon as feasible.
+> **IMPORTANT:** The `system` images are deprecated and will be removed once
+> in-core support for Barman Cloud in CloudNativePG is phased out. While you
+> can still use them as long as in-core Barman Cloud remains available, you
+> should plan to migrate to either a `minimal` or `standard` image together
+> with the Barman Cloud plugin—or adopt another supported backup solution.
 
 ## Build Attestations
 
diff --git a/docker-bake.hcl b/docker-bake.hcl
index fdcfd024..4ed5790e 100644
--- a/docker-bake.hcl
+++ b/docker-bake.hcl
@@ -29,6 +29,10 @@ postgreSQLVersions = [
 "17.6"
 ]
 
+// Barman version to build
+# renovate: datasource=github-releases depName=EnterpriseDB/barman versioning=loose
+barmanVersion = "3.14.0"
+
 extensions = [
 "pgaudit",
 "pgvector",
@@ -39,7 +43,8 @@ target "default" {
 matrix = {
 tgt = [
 "minimal",
-"standard"
+"standard",
+"system"
 ]
 pgVersion = postgreSQLVersions
 base = [
@@ -69,6 +74,7 @@ target "default" {
 PG_MAJOR = "${getMajor(pgVersion)}"
 BASE = "${base}"
 EXTENSIONS = "${getExtensionsString(pgVersion, extensions)}"
+ BARMAN_VERSION = "${barmanVersion}"
 }
 attest = [
 "type=provenance,mode=max",
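Review bot: The `postgreSQLVersions` list whose closing `]` opens the first hunk is now parsed with `sed` by the new `.github/workflows/bake.yml` (`/postgreSQLVersions = \[/,/\]/` with a `"MAJOR.MINOR"` capture), so its shape has become part of the CI contract: one quoted `"MAJOR.MINOR"` string per line, the `]` on its own line, and no other quoted dotted strings inside the block. A comment above the list such as `// Parsed by .github/workflows/bake.yml to build the version matrix — keep one "MAJOR.MINOR" entry per line` makes that coupling visible to the next editor; the list's opening line is outside this hunk. The new `barmanVersion` block mixes `//` and `#` comment styles on adjacent lines; the `# renovate:` marker presumably has to stay exactly as written for Renovate's regex manager, so align the first line with whichever style the rest of the file uses. Passing `BARMAN_VERSION` to every target, including `minimal` and `standard` that do not declare the `ARG`, appears harmless from the Dockerfile hunk, but a short comment noting it is consumed only by the `system` stage would save a reader the cross-file lookup.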