Postgres Overview
Secure your stack with a hardened Postgres image freshly-built by Minimus. Minimus images always include the most up-to-date package version for all packages and dependencies.
Use this Postgres image to set up a database server to store and retrieve data securely whenever an extensible, object-relational database is needed. Deploy Postgres with TLS enabled using our guide.
Try It Out
Take the Minimus Postgres image for a test run. The following command sets the superuser password to Minimus!, but you can set any password you want:
docker run --rm -d --name my-minimus-postgres \
-e POSTGRES_PASSWORD=Minimus! \
reg.mini.dev/postgres
The environment variable POSTGRES_PASSWORD is required, as it sets the superuser password. Note that this test container does not persist its data: it was started with --rm and without a volume, so the data is lost as soon as the container stops.
Ready to mount a persistent data volume?
In your host's project directory, mount a new data directory to the default data directory in the container /var/lib/postgresql/data. To do this run the following command:
docker run -d --name my-minimus-postgres \
-e POSTGRES_PASSWORD=Minimus! \
-v $(pwd)/data:/var/lib/postgresql/data \
reg.mini.dev/postgres
Note: the data directory will consequently be owned by UID 10001.
Postgres will now automatically store its data in the target directory on your host so it won't be lost when you restart the container.
Open an interactive shell in your running container:
docker exec -it my-minimus-postgres sh
Switch from the root user to the postgres user and start the psql shell:
su postgres
psql
Ready to interact with your Postgres database?
For our example, we will pass a command to create a database:
CREATE DATABASE minimus_test;
Next, we will list all databases:
\l
Postgres will print database metadata. For example:
postgres=# \l
                                                      List of databases
     Name     |  Owner   | Encoding | Locale Provider |   Collate   |    Ctype    | Locale | ICU Rules |   Access privileges
--------------+----------+----------+-----------------+-------------+-------------+--------+-----------+-----------------------
 minimus_test | postgres | UTF8     | libc            | en_US.UTF-8 | en_US.UTF-8 |        |           |
 postgres     | postgres | UTF8     | libc            | en_US.UTF-8 | en_US.UTF-8 |        |           |
 template0    | postgres | UTF8     | libc            | en_US.UTF-8 | en_US.UTF-8 |        |           | =c/postgres          +
              |          |          |                 |             |             |        |           | postgres=CTc/postgres
 template1    | postgres | UTF8     | libc            | en_US.UTF-8 | en_US.UTF-8 |        |           | =c/postgres          +
              |          |          |                 |             |             |        |           | postgres=CTc/postgres
(4 rows)
Next, connect to the database you just created:
\c minimus_test
Once connected, create a table:
CREATE TABLE users (
id SERIAL PRIMARY KEY,
name VARCHAR(100),
email VARCHAR(100)
);
Now insert rows to create new users:
INSERT INTO users (name, email) VALUES ('John Doe', 'john@example.com');
INSERT INTO users (name, email) VALUES ('Jane Smith', 'jane@example.com');
Review the users just created:
SELECT * FROM users;
You should see a table such as:
minimus_test=# select * from users;
 id |    name    |      email
----+------------+------------------
  1 | John Doe   | john@example.com
  2 | Jane Smith | jane@example.com
(2 rows)
Technical Considerations
The Postgres image provided by Minimus is a slim, security-hardened alternative to the public image from Docker Hub. The images are largely interchangeable, with a few differences as noted below.
Postgres built by Minimus:
- The Postgres server process runs as a non-root user, UID 10001 (postgres). The entrypoint script, however, runs as root so it has the permissions needed to set up the environment; this is why the compliance report shows the image as running as root.
- Listens by default on port 5432/TCP without exposing it. The public image listens on and exposes port 5432/TCP by default.
- The entrypoint script is located at /usr/bin/docker-entrypoint.sh. The public image's entrypoint script is directly under the root directory.
- The image does not declare a default volume. The public image defaults to /var/lib/postgresql/data.
- The default working directory is /home/postgres. The public image's working directory defaults to the root directory.
- Drill down on the version specification tab to see the default user, listening ports, entrypoint, volumes, environment variables, etc.
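The image applies least privilege at the process level by running the server as UID 10001; the same principle applies inside the database. The walkthrough above creates and queries the users table as the postgres superuser, which is fine for a test run but not for an application. The following is an added example, not part of the Minimus page or the image: run it in psql as the superuser while connected to minimus_test (after \c minimus_test and the CREATE TABLE above). The role name app_rw, the placeholder password and the constraint name are hypothetical; the database, table and sequence names (users_id_seq is what SERIAL creates for users.id) come from the walkthrough.

```sql
-- Added example (not from the Minimus page). Run as the postgres superuser,
-- connected to minimus_test, after the users table from the walkthrough exists.
-- app_rw, the placeholder password and users_email_key are hypothetical names.

-- 1. A login role for the application with no superuser, database- or
--    role-creation rights (these are the CREATE ROLE defaults, stated explicitly).
CREATE ROLE app_rw LOGIN PASSWORD 'CHANGE-ME-load-from-a-secret-manager'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- 2. Tighten the walkthrough's table: its columns currently allow NULLs and
--    duplicate e-mail addresses.
ALTER TABLE users
    ALTER COLUMN name  SET NOT NULL,
    ALTER COLUMN email SET NOT NULL,
    ADD CONSTRAINT users_email_key UNIQUE (email);

-- 3. Close the defaults that let every role connect to the database and
--    create objects in the public schema (PostgreSQL 15+ already revokes
--    CREATE on public from PUBLIC; there the first statement is a no-op).
REVOKE CREATE ON SCHEMA public FROM PUBLIC;
REVOKE ALL ON DATABASE minimus_test FROM PUBLIC;

-- 4. Grant only what the application needs: connect, use the schema,
--    read and write rows, and advance the id sequence that SERIAL created.
GRANT CONNECT ON DATABASE minimus_test TO app_rw;
GRANT USAGE ON SCHEMA public TO app_rw;
GRANT SELECT, INSERT, UPDATE ON users TO app_rw;
GRANT USAGE, SELECT ON SEQUENCE users_id_seq TO app_rw;

-- 5. Verify the result from the superuser session, without logging in as app_rw.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb
  FROM pg_roles
 WHERE rolname = 'app_rw';                       -- all three flags false

SELECT has_table_privilege('app_rw', 'users', 'SELECT')   AS can_select,   -- true
       has_table_privilege('app_rw', 'users', 'DELETE')   AS can_delete,   -- false
       has_schema_privilege('app_rw', 'public', 'CREATE') AS can_create;   -- false
```

From the host, the application then connects as the restricted role (for example psql -h localhost -U app_rw -d minimus_test) and can run the SELECT and INSERT statements from the walkthrough, but cannot delete rows, create tables or reach other databases; DELETE and DDL stay with the owner role.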
The Payoff
A hardened, minimal image that will remain more secure over the long run and accrue vulnerabilities at a slower rate.
- See the risk reduction dashboard for a detailed CVE comparison over the past 30 days.
- Review the compliance report to see the default hardening and security configurations for the image.