docker-library / postgres

Docker Official Image packaging for Postgres
http://www.postgresql.org
MIT License

"/var/lib/postgresql/data/postgresql.conf" contains errors after apt-get update && apt-get upgrade #1073

Closed nwoodr94 closed 1 year ago

nwoodr94 commented 1 year ago

I'm creating a dockerized application and noticed that beginning today, the postgres:latest image cannot start.

Dockerfile:

FROM postgres:latest

RUN apt-get update && apt-get -y upgrade

Version:

docker --version
Docker version 20.10.14, build a224086

Build and run the container.

Output:

db_1  | The files belonging to this database system will be owned by user "postgres".
db_1  | This user must also own the server process.
db_1  |
db_1  | initdb: error: invalid locale settings; check LANG and LC_* environment variables

If I remove the command RUN apt-get update && apt-get -y upgrade from the Dockerfile, the container starts as expected.

agroebe commented 1 year ago

Getting the same thing; it also just started happening to me today.

tianon commented 1 year ago

The images we publish are designed to run as-is and to be upgraded by replacing the image with a new image in a new deployment, not by updating packages within the image.

nwoodr94 commented 11 months ago

The images we publish are designed to run as-is and to be upgraded by replacing the image with a new image in a new deployment, not by updating packages within the image.

The latest Postgres image still frequently contains vulnerabilities in the underlying OS binaries. This has really thrown a wrench into our deployments, as we now have to programmatically shell into our production containers and run apt-get -y upgrade in order to pass cybersecurity scans.

Please reconsider reversing this code change: https://github.com/inmanta/postgresql/pull/252

yosifkit commented 11 months ago

The postgres images are rebuilt fairly often.

Background:

Tags in the [official-images] library file[s] are only built through an update to that library file or as a result of its base image being updated (i.e., an image FROM debian:bookworm would be rebuilt when debian:bookworm is built).

- https://github.com/docker-library/official-images/tree/2f086314307c04e1de77f0a515f20671e60d40bb#library-definition-files

Official Images FAQ:

Though not every CVE is removed from the images, we take CVEs seriously and try to ensure that images contain the most up-to-date packages available within a reasonable time frame

- https://github.com/docker-library/faq/tree/0ad5fd60288109c875a54a37f6581b2deaa836db#why-does-my-security-scanner-show-that-an-image-has-cves

To ensure that we don't push contentless image changes, we rely on periodic base image updates.

We strive to publish updated images at least monthly for Debian. We also rebuild earlier if there is a critical security need. Many Official Images are maintained by the community or their respective upstream projects, like Ubuntu, Alpine, and Oracle Linux, and are subject to their own maintenance schedule.

- from the same FAQ link

nwoodr94 commented 11 months ago

Right now postgres:latest has 4 High vulnerabilities.

They are resolved by a simple apt-get update && apt-get -y upgrade, as expected. However, adding this simple, and very much standard code block in our Dockerfile, breaks the Postgres installation.

Importantly, this was not always the case.

Expected behavior, based on all other Dockerfiles, is that the out-of-date packages should be updated. Actual behavior is that Postgres fails to start.

We are eagerly awaiting your resolution on the current CVEs! Thanks

yosifkit commented 11 months ago

Like I mentioned, they are rebuilt often and thus get CVE updates. The postgres images were rebuilt yesterday and currently have no package updates available:

$ docker pull postgres
Using default tag: latest
latest: Pulling from library/postgres
Digest: sha256:2fae04c445a6301d9bd5681c289ee26f62db66824a0e057e609c049a07331e4d
Status: Downloaded newer image for postgres:latest
docker.io/library/postgres:latest
$ docker run -it --rm postgres bash
root@63b8a72421bd:/# apt update
Get:1 http://deb.debian.org/debian bookworm InRelease [151 kB]
Get:2 http://deb.debian.org/debian bookworm-updates InRelease [52.1 kB]
Get:3 http://deb.debian.org/debian-security bookworm-security InRelease [48.0 kB]
Get:4 http://deb.debian.org/debian bookworm/main amd64 Packages [8,780 kB]
Get:5 http://deb.debian.org/debian bookworm-updates/main amd64 Packages [6,408 B]
Get:6 http://deb.debian.org/debian-security bookworm-security/main amd64 Packages [79.7 kB]
Get:7 http://apt.postgresql.org/pub/repos/apt bookworm-pgdg InRelease [123 kB]
Get:8 http://apt.postgresql.org/pub/repos/apt bookworm-pgdg/main amd64 Packages [296 kB]
Fetched 9,536 kB in 1s (6,723 kB/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
root@63b8a72421bd:/# apt list --upgradeable
Listing... Done
root@63b8a72421bd:/#

If you are confused as to why the image says 4 weeks old, that is because we set SOURCE_DATE_EPOCH when building to the timestamp of the commit of its source, the Dockerfile and script, and those haven't changed since then.

$ docker images postgres
REPOSITORY   TAG       IMAGE ID       CREATED       SIZE
postgres     16        f7d9a0d4223b   4 weeks ago   417MB
postgres     latest    f7d9a0d4223b   4 weeks ago   417MB
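The check yosifkit runs by hand above (pull the image, run apt inside it, confirm nothing is upgradable) can be scripted as a deployment gate that replaces the image instead of upgrading packages in place, which is the approach tianon describes. The script below is an added example, not code from the docker-library/postgres project or any commenter. It also checks that the locale named by the image's LANG exists, since a missing locale is exactly what initdb complains about in the original report. The apt and locale parsers work on text read from stdin so they can be exercised on constructed sample output; the docker wrapper at the bottom only runs when an image name is passed as the first argument. The package names and versions in the comments and tests are constructed samples, and the assumption that the image sets LANG in its environment is the only thing taken for granted about the image.

```shell
#!/bin/sh
# Added example (not from docker-library/postgres): gate a deployment on a
# freshly pulled image having no pending Debian package updates and having
# the locale that initdb needs, instead of running "apt-get upgrade" inside
# the image.

# Count upgradable packages from "apt list --upgradeable" output on stdin.
# A real line looks like (constructed sample):
#   libc6/bookworm-security 2.36-9+deb12u7 amd64 [upgradable from: 2.36-9+deb12u4]
# grep -c prints 0 and exits 1 when nothing matches, hence "|| true".
upgradeable_count() {
    grep -c '\[upgradable from:' || true
}

# Normalise a locale name for comparison: lower-case and drop hyphens, so
# "en_US.UTF-8" (what people set) and "en_US.utf8" (what "locale -a" prints)
# compare equal.
norm_locale() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -d '-'
}

# Return 0 if the locale named in $1 (e.g. the image's LANG) appears in the
# "locale -a" listing read from stdin, else 1.
locale_present() {
    want=$(norm_locale "$1")
    while IFS= read -r have; do
        [ "$(norm_locale "$have")" = "$want" ] && return 0
    done
    return 1
}

# Run both checks against a pulled image. Assumes (hypothetically, for this
# example) that the image sets LANG in its environment and ships apt.
# Nothing inside the image is modified: "apt-get update" only refreshes the
# package index in a throwaway container, and no upgrade is performed.
check_image() {
    image=$1
    docker pull --quiet "$image" >/dev/null
    n=$(docker run --rm "$image" sh -c \
        'apt-get update -qq >/dev/null 2>&1; apt list --upgradeable 2>/dev/null' \
        | upgradeable_count)
    lang=$(docker run --rm "$image" sh -c 'printf %s "$LANG"')
    if ! docker run --rm "$image" locale -a | locale_present "$lang"; then
        echo "FAIL: locale '$lang' is missing in $image; initdb would fail" >&2
        return 1
    fi
    if [ "$n" -gt 0 ]; then
        echo "FAIL: $n package update(s) pending in $image; wait for a rebuild" >&2
        return 1
    fi
    echo "OK: $image has no pending package updates and locale '$lang' is present"
}

# Usage: ./check_image.sh postgres:16
if [ -n "${1-}" ]; then
    check_image "$1"
fi
```

Run it against the tag you deploy; a non-zero exit means either the image is behind the Debian security archive (so a rebuild or a newer digest is the fix, not an in-place upgrade) or the locale initdb will be asked for does not exist in the image.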