
Chainguard Image now available for Postgres

Dan Lorenc, CEO

Today we’re excited to announce that Postgres is available as a Chainguard Image, because you should need a database for your data, not your vulnerabilities. Postgres is one of the most popular, versatile, and scalable open source databases available today, and now you can run it as a hardened container image built on Wolfi.

The full documentation is available here, or you can follow these steps to get started. You will need to specify a database password as an environment variable.


% docker run -e POSTGRES_PASSWORD=wolfirocks cgr.dev/chainguard/postgres
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale "C".
The default database encoding has accordingly been set to "SQL_ASCII".
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /var/lib/postgresql/data ... ok
creating subdirectories ... ok
selecting dynamic shared memory implementation ... posix
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting default time zone ... UTC
creating configuration files ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... sh: locale: not found
2023-02-27 21:05:02.518 UTC [31] WARNING:  no usable system locales were found
ok
syncing data to disk ... ok

Success. You can now start the database server using:

    pg_ctl -D /var/lib/postgresql/data -l logfile start

initdb: warning: enabling "trust" authentication for local connections
initdb: hint: You can change this by editing pg_hba.conf or using the option -A, or --auth-local and --auth-host, the next time you run initdb.
waiting for server to start....2023-02-27 21:05:03.284 UTC [37] LOG:  starting PostgreSQL 15.2 on aarch64-unknown-linux-gnu, compiled by gcc (GCC) 12.2.0, 64-bit
2023-02-27 21:05:03.285 UTC [37] LOG:  listening on Unix socket "/tmp/.s.PGSQL.5432"
2023-02-27 21:05:03.287 UTC [40] LOG:  database system was shut down at 2023-02-27 21:05:02 UTC
2023-02-27 21:05:03.290 UTC [37] LOG:  database system is ready to accept connections
 done
server started

/var/lib/postgres/initdb/postgresql-entrypoint.sh: running /var/lib/postgres/initdb/postgresql-entrypoint.sh

For hardening, the Postgres Chainguard Image runs as a non-root user (named postgres) by default. Because we build Postgres from source, you also benefit from our compiler hardening and memory safety features.

Our Postgres Image build comes in at just 43MB, up to 90% smaller than comparable images. Our Postgres Image also comes with fewer CVEs (aiming for zero known CVEs), which helps you save time triaging noise. Other available images can contain up to 100 CVEs on a regular basis.


Figure: bar chart comparing the size and number of CVEs for different Postgres container images, including RapidFort, Bitnami, and Chainguard.

As always, the binaries in our Chainguard Images are built from source and come with comprehensive SBOMs from the start. These SBOMs contain the package metadata for everything in the Image and can be used for vulnerability scanning or license compliance. You can download the SBOMs for these containers with cosign:


$ cosign download sbom --platform=linux/amd64 cgr.dev/chainguard/postgres

Found SBOM of media type: text/spdx+json
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "sbom-sha256:1015c29a289cbaf4864d2bf942a216046403f89d8f73ac594449edb7a13ce809",
  "spdxVersion": "SPDX-2.3",
  "creationInfo": {
    "created": "2023-02-27T00:12:11Z",
    "creators": [
      "Tool: apko (v0.7.1-4-ge6dcd4b)",
      "Organization: Chainguard, Inc"
    ],
    "licenseListVersion": "3.16"
  },
  "dataLicense": "CC0-1.0",
  "documentNamespace": "https://spdx.org/spdxdocs/apko/",
  "documentDescribes": [
    "SPDXRef-Package-sha256-06ce3979eda716cf7869d352c97891f172473dc8472a40b558e10fb03e725559"
  ],
  "packages": [
    {
      "SPDXID": "SPDXRef-Package-sha256-06ce3979eda716cf7869d352c97891f172473dc8472a40b558e10fb03e725559",
      "name": "sha256:06ce3979eda716cf7869d352c97891f172473dc8472a40b558e10fb03e725559",
      "filesAnalyzed": false,
      "description": "apko container image",
      "downloadLocation": "NOASSERTION",
      "primaryPackagePurpose": "CONTAINER",
      "checksums": [
        {
          "algorithm": "SHA256",
          "checksumValue": "06ce3979eda716cf7869d352c97891f172473dc8472a40b558e10fb03e725559"
        }
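
As an added example (not Chainguard's code and not part of the original post), this Python script turns the SPDX JSON that cosign prints above into a package inventory and flags entries that would block vulnerability matching or a license review. The sample SBOM, its package names and the license allow-list are constructed for illustration; `versionInfo`, `licenseDeclared` and `externalRefs` are standard SPDX 2.3 JSON keys.

```python
import json

# Constructed sample in the SPDX 2.3 JSON shape shown above; package names,
# versions and licenses are made up. The first line mimics cosign's status line.
SAMPLE_SBOM = "Found SBOM of media type: text/spdx+json\n" + json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "sha256:example", "primaryPackagePurpose": "CONTAINER"},
        {"name": "example-db", "versionInfo": "1.0-r0", "licenseDeclared": "PostgreSQL",
         "externalRefs": [{"referenceType": "purl",
                           "referenceLocator": "pkg:apk/wolfi/example-db@1.0-r0"}]},
        {"name": "example-lib", "versionInfo": "2.3-r1",
         "licenseDeclared": "GPL-3.0-or-later"},
        {"name": "example-tool", "licenseDeclared": "NOASSERTION"},
    ],
})

def inventory(sbom_text):
    """Return one record per software package, skipping the image entry itself."""
    # Drop any status text printed before the JSON document starts.
    doc = json.loads(sbom_text[sbom_text.index("{"):])
    if not doc.get("spdxVersion", "").startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x JSON document")
    rows = []
    for pkg in doc.get("packages", []):
        if pkg.get("primaryPackagePurpose") == "CONTAINER":
            continue
        purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        rows.append({"name": pkg["name"], "version": pkg.get("versionInfo"),
                     "license": pkg.get("licenseDeclared", "NOASSERTION"),
                     "purl": purl})
    return rows

def review(rows, allowed_licenses):
    """Flag entries a scanner or license check cannot use as-is."""
    findings = []
    for r in rows:
        if r["version"] is None:
            findings.append((r["name"], "no version: cannot match against advisories"))
        if r["license"] in ("NOASSERTION", "NONE"):
            findings.append((r["name"], "license not declared"))
        elif r["license"] not in allowed_licenses:  # whole expression compared as a string
            findings.append((r["name"], "license outside allow-list: " + r["license"]))
    return findings

if __name__ == "__main__":
    for name, issue in review(inventory(SAMPLE_SBOM), {"PostgreSQL", "MIT"}):
        print(name, "->", issue)
```

To run it against a real image, pass the saved output of the cosign command above to `inventory()` in place of `SAMPLE_SBOM`.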

If you want to see upwards of a 90% reduction in your Postgres image sizes with more security built in by default, start using Chainguard’s Postgres Image today at github.com/chainguard-images, or get started using documentation in Chainguard Academy. Chainguard Images are now available for Bazel, curl, Git, Go, Jenkins, Kubectl, Ko, Ruby and more. We currently offer our public Chainguard Images catalog for no cost to users, which includes features like SBOMs, signatures and SLSA Build Level 2 provenance information. If your organization requires patching SLAs, older version support or Images for compliance requirements, we offer Standard and Custom subscription tiers. Contact our team to learn more.

We are always looking for ways to improve our end user experience. If you have feedback or would like to submit a support issue you can reach out to us directly or file it here.

Update on our Chainguard Images Catalog: On August 16, 2023, we will be making changes to how Chainguard Image tags are pulled. Please see this announcement for further details about accessing our free, public Image catalog.
