postgres-hardened
Postgres-Hardened Overview
Secure your stack with a Postgres-Hardened image freshly built by Minimus. Minimus images always include the most up-to-date package version for all packages and dependencies.
Use this Postgres image to set up a database server to store and retrieve data securely whenever an extensible, object-relational database is needed. Deploy Postgres with TLS enabled using our guide.
About Minimus Hardened Images
Minimus Hardened images provide secure-by-default configurations that comply with CIS Benchmarks. The CIS Benchmark for PostgreSQL 17 is a consensus-based security hardening guide, aligned with industry standards, that defines recommended configuration settings, access controls, and operational practices to reduce the attack surface. Review the compliance report for the detailed audit findings.
Notes:
- The image’s default configuration file enforces many CIS PostgreSQL hardening controls. Exercise caution when overriding this file, as custom configurations may inadvertently weaken or negate CIS compliance.
- Full CIS benchmark compliance requires additional post-deployment runtime validations that are out of scope for Minimus.
Try It Out
Take the Minimus Postgres image for a test run. The following command will set the superuser password to Minimus! but you can set any password you want:
docker run --rm -d --name my-minimus-postgres \
-e POSTGRES_PASSWORD=Minimus! \
reg.mini.dev/postgres-hardened

The environment variable POSTGRES_PASSWORD is required, as it sets the superuser password. Note that this test container does not persist data: as soon as the container stops, the data is lost.
Ready to mount a persistent data volume?
From your host's project directory, mount a data directory onto the container's default data directory, /var/lib/postgresql/data. To do this, run the following command:
docker run -d --name my-minimus-postgres \
-e POSTGRES_PASSWORD=Minimus! \
-v $(pwd)/data:/var/lib/postgresql/data \
reg.mini.dev/postgres-hardened

Note: the data directory on the host will consequently be owned by UID 10001.
Postgres will now automatically store its data in the target directory on your host so it won't be lost when you restart the container.
Open an interactive shell in your running container.
docker exec -it my-minimus-postgres sh

Switch from the root user to the postgres user and start psql:
su postgres
psql

Ready to interact with your Postgres database?
For our example, we will pass a command to create a database:
CREATE DATABASE minimus_test;

Next, we will list all databases:
\l

Postgres will print database metadata. For example:
postgres=# \l
List of databases
Name | Owner | Encoding | Locale Provider | Collate | Ctype | Locale | ICU Rules | Access privileges
--------------+----------+----------+-----------------+-------------+-------------+--------+-----------+-----------------------
minimus_test | postgres | UTF8 | libc | en_US.UTF-8 | en_US.UTF-8 | | |
postgres | postgres | UTF8 | libc | en_US.UTF-8 | en_US.UTF-8 | | |
template0 | postgres | UTF8 | libc | en_US.UTF-8 | en_US.UTF-8 | | | =c/postgres +
| | | | | | | | postgres=CTc/postgres
template1 | postgres | UTF8 | libc | en_US.UTF-8 | en_US.UTF-8 | | | =c/postgres +
| | | | | | | | postgres=CTc/postgres
(4 rows)

Next, connect to the database you just created:
\c minimus_test

Once connected, create a table:
CREATE TABLE users (
id SERIAL PRIMARY KEY,
name VARCHAR(100),
email VARCHAR(100)
);

Insert rows to create new users:
INSERT INTO users (name, email) VALUES ('John Doe', 'john@example.com');
INSERT INTO users (name, email) VALUES ('Jane Smith', 'jane@example.com');

Review the users just created:
SELECT * FROM users;

You should see a table such as:
minimus_test=# select * from users;
id | name | email
----+------------+------------------
1 | John Doe | john@example.com
2 | Jane Smith | jane@example.com
(2 rows)

Technical Considerations
The Postgres-Hardened image provided by Minimus is a slim, security-hardened alternative to the public image from Docker Hub. The images are largely interchangeable, with a few differences as noted below.
Postgres-Hardened built by Minimus:
- The Postgres server process runs as the non-root user 10001 (postgres). The entrypoint script, however, runs as root so that it has the permissions needed to set up the environment, which is why the compliance report shows the image as running as root.
- The entrypoint script is located at /usr/bin/docker-entrypoint.sh. The public image's entrypoint script is directly under the root directory.
- The image does not have a default volume. The public image defaults to /var/lib/postgresql/data.
- The default working directory is /home/postgres. The public image's working directory defaults to the root directory.
- Drill down on the version specification tab to see the default user, listening ports, entrypoint, volumes, environment variables, etc.
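The tutorial above created the minimus_test database and its users table while connected as the postgres superuser. The image applies least privilege at the OS level by running the server as a non-root user; the following psql script, an added example that is not part of the Minimus image or its documentation, applies the same idea inside the database by giving an application its own minimal role. It assumes the minimus_test database and users table from the tutorial; app_user and its password are placeholders.

```sql
-- Added example, not from the Minimus page. Run in psql as the postgres
-- superuser, as in the tutorial. app_user / 'CHANGE_ME' are placeholders.
\c minimus_test

-- Nobody but the owner should create objects in the public schema.
-- PostgreSQL 15+ already revokes this by default; repeating it is harmless.
REVOKE CREATE ON SCHEMA public FROM PUBLIC;

-- Connecting to the database becomes an explicit grant, not an implicit right.
REVOKE CONNECT ON DATABASE minimus_test FROM PUBLIC;

-- A login role with no elevated attributes, for the application to use
-- instead of the postgres superuser.
CREATE ROLE app_user LOGIN PASSWORD 'CHANGE_ME'
  NOSUPERUSER NOCREATEDB NOCREATEROLE NOINHERIT;

GRANT CONNECT ON DATABASE minimus_test TO app_user;
GRANT USAGE ON SCHEMA public TO app_user;

-- Only the operations the application needs: no DELETE, TRUNCATE or DDL.
GRANT SELECT, INSERT, UPDATE ON users TO app_user;
-- INSERT into the SERIAL column also needs the sequence that backs it.
GRANT USAGE ON SEQUENCE users_id_seq TO app_user;

-- Verify from the application role's point of view
-- (a superuser may SET ROLE to any role).
SET ROLE app_user;
SELECT current_user,
       has_table_privilege('users', 'INSERT') AS can_insert,
       has_table_privilege('users', 'DELETE') AS can_delete;
RESET ROLE;

-- Show the resulting ACL on the table.
\dp users
```

The application should then connect as app_user rather than postgres, so that a compromised application credential cannot drop tables, create roles, or read other databases.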
The Payoff
A hardened, minimal image that will remain more secure for the long run and accrue vulnerabilities at a slower rate.
- See the risk reduction dashboard for a detailed CVE comparison over the past 30 days.
- Review the compliance report to see the default hardening and security configurations for the image.
Terms & Info
Trademark
This catalog is published by Minimus. All product names, logos, and marks, other than those belonging to Minimus, shown are owned by their respective rights holders and appear here only to identify the open source software each image contains. Minimus claims no ownership of those marks and implies no affiliation with, endorsement by, certification by, or sponsorship by any rights holder.
Disclaimer
Images are provided "as-is" without warranty of any kind. "Hardened" refers to the security configuration applied at the time of build and does not constitute a guarantee of ongoing security or absence of vulnerabilities. The free tier is provided without support, SLA, or guaranteed patching timelines. Security updates may be applied to paid subscriptions before or instead of free tier images. By pulling or using any image you agree to our Terms of Use.