- Created logs/ structure (sessions, operations, incidents) - Added session-start/log/end scripts - Installed Git hooks for auto-logging commits/pushes - Added shell integration for zsh - Created CHANGELOG.md - Documented today's session (2026-01-10)
Clean PostgreSQL Image
Purpose: Build PostgreSQL from official Debian repositories to avoid compromised Docker Hub images.
Why This Exists
Multiple PostgreSQL images from Docker Hub were found to be compromised with cryptocurrency miners:
- postgres:15-alpine - Incident #3
- postgres:16-alpine - Incident #4
- postgres:14 - Incident #5
This image is built from scratch using only official PostgreSQL APT repositories.
Build
cd docker/postgres-clean
docker build -t daarion-postgres:16-clean .
Verify Build
# Check for executable files in /tmp (expect no output)
docker run --rm daarion-postgres:16-clean find /tmp -type f -executable
# Check process tree during startup
docker run -d --name test-pg -e POSTGRES_PASSWORD=test daarion-postgres:16-clean
sleep 10
docker exec test-pg ps aux
docker stop test-pg && docker rm test-pg
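The process-tree check above can be scripted instead of read by eye. The following is an added example, not part of this repository: the function name unexpected_procs, the allowlist patterns and the sample ps output are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: flag processes in `ps aux` output that are not on an allowlist.
# The allowlist is an assumption; adjust it to what your entrypoint really starts.
# Name matching is a first-pass check only, since a process can set its own title.

# Reads `ps aux` output on stdin and prints "USER PID COMMAND" for every
# process that is neither PostgreSQL nor the ps call itself.
unexpected_procs() {
  awk 'NR > 1 {
    # ps aux has 10 fixed columns; the command line starts at column 11.
    cmd = $11
    for (i = 12; i <= NF; i++) cmd = cmd " " $i
    if (cmd ~ /^postgres(:| |$)/) next     # postmaster and its worker titles
    if (cmd ~ /^\/usr\/lib\/postgresql\/[0-9]+\/bin\/postgres( |$)/) next
    if (cmd ~ /^ps aux$/) next             # the check itself
    print $1, $2, cmd
  }'
}

# Constructed sample output (not captured from a real container).
SAMPLE_PS='USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
postgres       1  0.3  0.7 215000 28000 ?        Ss   10:00   0:00 postgres
postgres      62  0.0  0.1 215100  5000 ?        Ss   10:00   0:00 postgres: checkpointer
postgres      63  0.0  0.1 215100  5000 ?        Ss   10:00   0:00 postgres: background writer
postgres      70 98.0  1.2 400000 50000 ?        Sl   10:00   0:09 /tmp/example-unexpected
root          81  0.0  0.0   8000  3000 ?        Rs   10:00   0:00 ps aux'

# Stand-alone run against the sample; reports the one process outside the allowlist.
printf '%s\n' "$SAMPLE_PS" | unexpected_procs

# Against the test container from the steps above:
#   docker exec test-pg ps aux | unexpected_procs
```

Any output means a process outside the allowlist was running and the image should not be deployed until it is explained.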
Usage
Replace in docker-compose.db.yml:
db:
  # image: postgres:16-alpine # COMPROMISED
  image: daarion-postgres:16-clean
  # ... rest of config
Security Notes
- Built from Debian official repositories only
- Minimal dependencies
- Simplified entrypoint script (no suspicious code)
- No hidden binaries or scripts
- All code is readable and auditable
Maintenance
To update PostgreSQL version:
- Edit Dockerfile: Update PG_VERSION
- Rebuild image
- Test thoroughly before deploying