- Created logs/ structure (sessions, operations, incidents)
- Added session-start/log/end scripts
- Installed Git hooks for auto-logging commits/pushes
- Added shell integration for zsh
- Created CHANGELOG.md
- Documented today's session (2026-01-10)
# Clean PostgreSQL Image

**Purpose**: Build PostgreSQL from official Debian repositories to avoid compromised Docker Hub images.

## Why This Exists

Multiple PostgreSQL images from Docker Hub were found to be compromised with cryptocurrency miners:

- `postgres:15-alpine` - Incident #3
- `postgres:16-alpine` - Incident #4
- `postgres:14` - Incident #5

This image is built from scratch using only official PostgreSQL APT repositories.

## Build

```bash
cd docker/postgres-clean
docker build -t daarion-postgres:16-clean .
```

## Verify Build

```bash
# Check for executables dropped in /tmp (expected output: nothing)
docker run --rm daarion-postgres:16-clean find /tmp -type f -executable

# Check the process tree during startup: only postgres processes should appear
docker run -d --name test-pg -e POSTGRES_PASSWORD=test daarion-postgres:16-clean
sleep 10
docker exec test-pg ps aux
docker stop test-pg && docker rm test-pg
```
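To make the process-tree check repeatable rather than a visual inspection, here is an added example (not part of this repository): a POSIX shell function that reads a `ps aux` listing, such as the output of `docker exec test-pg ps aux`, and flags every process whose command name is outside an allowlist. The allowlist and both sample listings are constructed assumptions, not output captured from the compromised images.

```shell
#!/bin/sh
# Added example, not part of the postgres-clean project: compare a `ps aux`
# listing from a freshly started container against an allowlist of the
# commands a stock PostgreSQL server is expected to run.

# Assumed allowlist: the postmaster and its workers (all named "postgres"),
# the entrypoint shell, and the `ps` we run for the check itself.
EXPECTED_PROCS="postgres docker-entrypoint.sh sh bash ps"

# check_ps_listing: read `ps aux` output on stdin, print every process whose
# command name is not allowlisted, and return 1 if any were found.
check_ps_listing() {
    unexpected=0
    # ps aux columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    while read -r user pid _cpu _mem _vsz _rss _tty _stat _start _time cmd rest; do
        [ -z "$pid" ] && continue          # blank line
        [ "$user" = "USER" ] && continue   # header line
        # Worker titles look like "postgres: checkpointer"; strip the title
        # and any leading path so only the executable name remains.
        name=$(basename "${cmd%%:*}")
        case " $EXPECTED_PROCS " in
            *" $name "*) ;;
            *) echo "UNEXPECTED pid=$pid user=$user cmd=$cmd $rest"
               unexpected=1 ;;
        esac
    done
    return "$unexpected"
}

# Constructed sample: what a clean start of the image should look like.
SAMPLE_CLEAN='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
postgres 1 0.0 0.5 215000 27000 ? Ss 10:00 0:00 /usr/lib/postgresql/16/bin/postgres
postgres 30 0.0 0.1 215000 5000 ? Ss 10:00 0:00 postgres: checkpointer
postgres 31 0.0 0.1 215000 5000 ? Ss 10:00 0:00 postgres: background writer
root 60 0.0 0.0 8000 3000 ? Rs 10:01 0:00 ps aux'

# Constructed sample: the same tree plus an extra binary running from a hidden
# directory under /tmp, the kind of file the `find /tmp` check also targets.
SAMPLE_MINER="$SAMPLE_CLEAN
postgres 45 98.0 1.2 900000 210000 ? Sl 10:00 0:31 /tmp/.x/worker --quiet"

# Usage: docker exec test-pg ps aux | check_ps_listing
# Exit status 0 means every process was expected; 1 means inspect the image.
```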

## Usage

Replace in `docker-compose.db.yml`:

```yaml
db:
  # image: postgres:16-alpine   # COMPROMISED
  image: daarion-postgres:16-clean
  # ... rest of config
```

## Security Notes

- Built from Debian official repositories only
- Minimal dependencies
- Simplified entrypoint script (no suspicious code)
- No hidden binaries or scripts
- All code is readable and auditable

## Maintenance

To update the PostgreSQL version:

1. Edit `Dockerfile`: update `PG_VERSION`
2. Rebuild the image
3. Test thoroughly before deploying