Chainguard Image now available for Postgres

Dan Lorenc, CEO • March 6, 2023

Today we’re excited to announce that Postgres is available as a Chainguard Image, because you should need a database for your data, not your vulnerabilities. Postgres is one of the most popular, versatile, and scalable open source databases available today, and now you can run it as a hardened container image built on Wolfi.

The full documentation is available here, or you can follow these steps to get started. You will need to specify a database password as an environment variable.

```bash
% docker run -e POSTGRES_PASSWORD=wolfirocks cgr.dev/chainguard/postgres
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale "C".
The default database encoding has accordingly been set to "SQL_ASCII".
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /var/lib/postgresql/data ... ok
creating subdirectories ... ok
selecting dynamic shared memory implementation ... posix
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting default time zone ... UTC
creating configuration files ... ok
running bootstrap script ... ok
performing post-bootstrap initialization ... sh: locale: not found
2023-02-27 21:05:02.518 UTC [31] WARNING: no usable system locales were found
ok
syncing data to disk ... ok

Success. You can now start the database server using:

    pg_ctl -D /var/lib/postgresql/data -l logfile start

initdb: warning: enabling "trust" authentication for local connections
initdb: hint: You can change this by editing pg_hba.conf or using the option -A, or --auth-local and --auth-host, the next time you run initdb.
waiting for server to start....2023-02-27 21:05:03.284 UTC [37] LOG: starting PostgreSQL 15.2 on aarch64-unknown-linux-gnu, compiled by gcc (GCC) 12.2.0, 64-bit
2023-02-27 21:05:03.285 UTC [37] LOG: listening on Unix socket "/tmp/.s.PGSQL.5432"
2023-02-27 21:05:03.287 UTC [40] LOG: database system was shut down at 2023-02-27 21:05:02 UTC
2023-02-27 21:05:03.290 UTC [37] LOG: database system is ready to accept connections
 done
server started

/var/lib/postgres/initdb/postgresql-entrypoint.sh: running /var/lib/postgres/initdb/postgresql-entrypoint.sh
```

For hardening, the Postgres Chainguard Image runs as a non-root user (named postgres) by default. Because we build Postgres from source, you also benefit from our compiler hardening and memory safety features.

Our Postgres Image build comes in at just 43MB, up to 90% smaller than comparable images. Our Postgres Image also comes with fewer CVEs (aiming for zero known CVEs), which helps you save time triaging noise. Other available images can contain up to 100 CVEs on a regular basis.

As always, the binaries in our Chainguard Images are built from source and come with comprehensive SBOMs from the start. These SBOMs contain the package metadata for everything in the Image and can be used for vulnerability scanning or license compliance. You can download the SBOMs for these containers with cosign:

```bash
$ cosign download sbom --platform=linux/amd64 cgr.dev/chainguard/postgres
Found SBOM of media type: text/spdx+json
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "sbom-sha256:1015c29a289cbaf4864d2bf942a216046403f89d8f73ac594449edb7a13ce809",
  "spdxVersion": "SPDX-2.3",
  "creationInfo": {
    "created": "2023-02-27T00:12:11Z",
    "creators": [
      "Tool: apko (v0.7.1-4-ge6dcd4b)",
      "Organization: Chainguard, Inc"
    ],
    "licenseListVersion": "3.16"
  },
  "dataLicense": "CC0-1.0",
  "documentNamespace": "https://spdx.org/spdxdocs/apko/",
  "documentDescribes": [
    "SPDXRef-Package-sha256-06ce3979eda716cf7869d352c97891f172473dc8472a40b558e10fb03e725559"
  ],
  "packages": [
    {
      "SPDXID": "SPDXRef-Package-sha256-06ce3979eda716cf7869d352c97891f172473dc8472a40b558e10fb03e725559",
      "name": "sha256:06ce3979eda716cf7869d352c97891f172473dc8472a40b558e10fb03e725559",
      "filesAnalyzed": false,
      "description": "apko container image",
      "downloadLocation": "NOASSERTION",
      "primaryPackagePurpose": "CONTAINER",
      "checksums": [
        {
          "algorithm": "SHA256",
          "checksumValue": "06ce3979eda716cf7869d352c97891f172473dc8472a40b558e10fb03e725559"
        }
```
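One way to use a downloaded SPDX SBOM for the inventory and license checks mentioned above, as an added example that is not Chainguard's own tooling. The sample document is constructed (its package names, versions, licenses and purl are illustrative, not real image data), and the license check is an exact-string match against an allowlist you supply.

```python
import json
from collections import Counter

# Constructed sample shaped like the apko SPDX 2.3 output shown above;
# package names, versions and licenses are illustrative, not real image data.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"SPDXID": "SPDXRef-Package-image", "name": "sha256:<image-digest>",
         "primaryPackagePurpose": "CONTAINER"},
        {"SPDXID": "SPDXRef-Package-postgresql", "name": "postgresql-15",
         "versionInfo": "15.2-r0", "licenseDeclared": "PostgreSQL",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:apk/wolfi/postgresql-15@15.2-r0"}]},
        {"SPDXID": "SPDXRef-Package-glibc", "name": "glibc",
         "versionInfo": "2.37-r1", "licenseDeclared": "LGPL-2.1-or-later"},
        {"SPDXID": "SPDXRef-Package-mystery", "name": "mystery-lib",
         "versionInfo": "0.1-r0", "licenseDeclared": "NOASSERTION"},
    ],
})

def load_packages(sbom_text):
    """Return installed packages, skipping entries that describe the image itself."""
    doc = json.loads(sbom_text)
    if not doc.get("spdxVersion", "").startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x JSON document")
    return [p for p in doc.get("packages", [])
            if p.get("primaryPackagePurpose") != "CONTAINER"]

def purl_of(pkg):
    """Package URL for scanner lookups, or None when the SBOM carries none."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref.get("referenceLocator")
    return None

def license_report(packages, allowed):
    """Return (license counts, names of packages whose license is not allowed)."""
    counts = Counter(p.get("licenseDeclared", "NOASSERTION") for p in packages)
    review = [p["name"] for p in packages
              if p.get("licenseDeclared", "NOASSERTION") not in allowed]
    return counts, review

if __name__ == "__main__":
    pkgs = load_packages(SAMPLE_SBOM)
    for p in pkgs:
        print(p["name"], p.get("versionInfo"), purl_of(p) or "(no purl)")
    print(license_report(pkgs, {"PostgreSQL", "LGPL-2.1-or-later"}))
```

To run it against a real image, save the JSON that cosign prints to a file and pass its contents to `load_packages` in place of `SAMPLE_SBOM`.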

If you want to see upwards of a 90% reduction in your Postgres image sizes with more security built in by default, start using Chainguard’s Postgres Image today at github.com/chainguard-images, or get started using documentation in Chainguard Academy. Chainguard Images are now available for Bazel, curl, Git, Go, Jenkins, Kubectl, Ko, Ruby and more. We currently offer our public Chainguard Images catalog for no cost to users, which includes features like SBOMs, signatures and SLSA Build Level 2 provenance information. If your organization requires patching SLAs, older version support or Images for compliance requirements, we offer Standard and Custom subscription tiers. Contact our team to learn more.

We are always looking for ways to improve our end user experience. If you have feedback or would like to submit a support issue you can reach out to us directly or file it here.

Update on our Chainguard Images Catalog: On August 16, 2023, we will be making changes to how Chainguard Image tags are pulled. Please see this announcement for further details about accessing our free, public Image catalog. 
