commit b1502ceeb5ce5f7b0577489a4025157adf449a09 Author: Philipp Kolberg Date: Sun Jun 6 15:49:19 2021 +0200 Intial commit.
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..7bfd345
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,22 @@
+FROM --platform=${TARGETPLATFORM} alpine:3.13
+
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+
+RUN apk --update add libevent openssl c-ares gettext ca-certificates pgbouncer
+
+WORKDIR /
+
+RUN addgroup -S pgbouncer \
+ && adduser -S pgbouncer \
+ && mkdir -p /etc/pgbouncer /var/log/pgbouncer /var/run/pgbouncer
+
+COPY pgbouncer.ini.tmpl /etc/pgbouncer/
+COPY auth_file.txt.tmpl /etc/pgbouncer/
+COPY entrypoint.sh /
+
+RUN chown -R pgbouncer:pgbouncer /var/log/pgbouncer /var/run/pgbouncer /etc/pgbouncer /etc/ssl/certs \
+ && chmod +x /entrypoint.sh
+
+USER pgbouncer:pgbouncer
+ENTRYPOINT ["/bin/sh", "/entrypoint.sh"]
diff --git a/auth_file.txt.tmpl b/auth_file.txt.tmpl
new file mode 100644
index 0000000..2492d24
--- /dev/null
+++ b/auth_file.txt.tmpl
@@ -0,0 +1,2 @@
+"$PGUSER" "$PGPASSWORD"
+"$STATS_USER" "$STATS_PASSWORD"
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..d18b425
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -ex
+
+if [ "$PGUSER" = "postgres" ]; then
+ echo "WARNING: pgbouncer will connect with a superuser privileges!"
+ echo "You need to fix this as soon as possible."
+fi
+
+openssl req -nodes -new -x509 -subj /CN=spilo.dummy.org \
+ -keyout /etc/ssl/certs/pgbouncer.key \
+ -out /etc/ssl/certs/pgbouncer.crt
+
+envsubst < /etc/pgbouncer/pgbouncer.ini.tmpl > /etc/pgbouncer/pgbouncer.ini
+envsubst < /etc/pgbouncer/auth_file.txt.tmpl > /etc/pgbouncer/auth_file.txt
+
+exec /usr/bin/pgbouncer /etc/pgbouncer/pgbouncer.ini
diff --git a/pgbouncer.ini.tmpl b/pgbouncer.ini.tmpl
new file mode 100644
index 0000000..c57857f
--- /dev/null
+++ b/pgbouncer.ini.tmpl
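Review bot: The last `RUN` in the Dockerfile includes `/etc/ssl/certs` in `chown -R pgbouncer:pgbouncer`, which hands the system CA directory to the runtime user, so the unprivileged pgbouncer process can add or replace files in the trust store installed by `ca-certificates`. entrypoint.sh only needs a writable place for its generated key and certificate, so a dedicated directory would do: for example add `/etc/pgbouncer/tls` to the `mkdir -p` list, drop `/etc/ssl/certs` from the `chown`, and point entrypoint.sh and pgbouncer.ini.tmpl at the new path. Separately, `apk --update add` leaves the package index in the layer; `apk add --no-cache` avoids that.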
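Review bot: Both lines of auth_file.txt.tmpl are filled in by `envsubst` in entrypoint.sh, which copies the values verbatim, so a `"` inside `$PGPASSWORD` or `$STATS_PASSWORD` ends the quoted field early and produces a malformed entry; pgbouncer's auth file expects an embedded double quote to be written as `""`. The values should be escaped before substitution, or the README should state that these variables must not contain `"`. The rendered file also keeps both passwords in clear text; where the backend's authentication method allows it, storing a hashed secret in the second field would keep the clear-text value off disk.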
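Review bot: entrypoint.sh creates `auth_file.txt` and `pgbouncer.key` under the shell's default umask, so unless the base image sets a stricter one the rendered passwords (and possibly the private key) are readable by every user in the container; adding `umask 077` right after `set -ex` would restrict them to the pgbouncer user. The `openssl req` call also passes no `-days`, so the certificate gets OpenSSL's default validity of 30 days and a container that runs longer ends up presenting an expired certificate. An explicit `-days` value, or mounting a real certificate instead of generating one, would avoid that. I would also add a comment above the `openssl` block such as `# self-signed placeholder; replace with a mounted certificate in production`.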
@@ -0,0 +1,57 @@
+# vim: set ft=dosini:
+
+[databases]
+* = host=$PGHOST port=$PGPORT auth_user=$PGUSER
+
+[pgbouncer]
+pool_mode = $CONNECTION_POOLER_MODE
+listen_port = $CONNECTION_POOLER_PORT
+listen_addr = *
+auth_type = plain
+auth_file = /etc/pgbouncer/auth_file.txt
+admin_users = $PGUSER
+stats_users = $STATS_USER
+auth_query = SELECT * FROM $PGSCHEMA.user_lookup($1)
+logfile = /var/log/pgbouncer/pgbouncer.log
+pidfile = /var/run/pgbouncer/pgbouncer.pid
+
+server_tls_sslmode = require
+server_tls_ca_file = /etc/ssl/certs/pgbouncer.crt
+server_tls_protocols = secure
+client_tls_sslmode = require
+client_tls_key_file = /etc/ssl/certs/pgbouncer.key
+client_tls_cert_file = /etc/ssl/certs/pgbouncer.crt
+
+log_connections = 0
+log_disconnections = 0
+
+# How many server connections to allow per user/database pair.
+default_pool_size = $CONNECTION_POOLER_DEFAULT_SIZE
+
+# Add more server connections to pool if below this number. Improves behavior
+# when usual load comes suddenly back after period of total inactivity.
+min_pool_size = $CONNECTION_POOLER_MIN_SIZE
+
+# How many additional connections to allow to a pool
+reserve_pool_size = $CONNECTION_POOLER_RESERVE_SIZE
+
+# Maximum number of client connections allowed.
+max_client_conn = $CONNECTION_POOLER_MAX_CLIENT_CONN
+
+# Do not allow more than this many connections per database (regardless of
+# pool, i.e. user)
+max_db_connections = $CONNECTION_POOLER_MAX_DB_CONN
+
+# If a client has been in "idle in transaction" state longer, it will be
+# disconnected. [seconds]
+idle_transaction_timeout = 600
+
+# If login failed, because of failure from connect() or authentication that
+# pooler waits this much before retrying to connect. Default is 15. [seconds]
+server_login_retry = 5
+
+# To ignore extra parameter in startup packet. By default only 'database' and
+# 'user' are allowed, all others raise error. This is needed to tolerate
+# overenthusiastic JDBC wanting to unconditionally set 'extra_float_digits=2'
+# in startup packet.
+ignore_startup_parameters = extra_float_digits,options
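Review bot: `server_tls_sslmode = require` encrypts the connection to PostgreSQL but does not validate the server certificate, so `server_tls_ca_file` is not used for verification and the pooler cannot tell the real backend from an impostor; the file it names is also the pooler's own self-signed certificate rather than the database's CA. Setting `server_tls_sslmode = verify-full` (or `verify-ca`) with `server_tls_ca_file` pointing at the CA that issued the PostgreSQL server certificate would authenticate the backend. In the same section, `auth_type = plain` has clients send clear-text passwords and relies entirely on `client_tls_sslmode = require` for protection; `scram-sha-256` or `md5` is the safer choice if the clients support it. With `log_connections = 0` and `log_disconnections = 0` there is also no connection audit trail, which deserves a comment explaining the trade-off.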