From 1b0356fd954e33cb2577bdfe65b690b6ebf8fa72 Mon Sep 17 00:00:00 2001 From: Mats Kindahl Date: Thu, 21 May 2026 21:58:53 +0200 Subject: [PATCH 1/3] Unset bootstrap credentials before exec-ing the server POSTGRES_PASSWORD (and related vars) are only needed during initdb and the temporary-server initialisation phase. After that they serve no purpose, but remain in the process environment for the entire lifetime of the container, where any loaded C extension can read them via environ. Unsetting them immediately before the final exec ensures the running PostgreSQL server process starts with a clean environment. --- docker-entrypoint.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index d4442d8a52..5f939f4a0d 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -379,6 +379,7 @@ _main() { fi fi + unset POSTGRES_PASSWORD POSTGRES_USER POSTGRES_DB POSTGRES_INITDB_ARGS exec "$@" } From a2144eda18d7fd890c8beeb13c63765d977135bc Mon Sep 17 00:00:00 2001 From: Mats Kindahl Date: Thu, 28 May 2026 07:22:50 +0200 Subject: [PATCH 2/3] Update docker-entrypoint.sh Co-authored-by: Tianon Gravi --- docker-entrypoint.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 5f939f4a0d..8d507bc407 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -377,9 +377,10 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi - unset POSTGRES_PASSWORD POSTGRES_USER POSTGRES_DB POSTGRES_INITDB_ARGS exec "$@" } From 347a0a904516b26dc6030c46c3d610bb148cb1b8 Mon Sep 17 00:00:00 2001 From: Mats Kindahl Date: Thu, 28 May 2026 07:42:18 +0200 Subject: [PATCH 3/3] Run apply-template.sh --- 14/alpine3.22/docker-entrypoint.sh | 2 ++ 14/alpine3.23/docker-entrypoint.sh | 2 ++ 14/bookworm/docker-entrypoint.sh | 2 ++ 14/trixie/docker-entrypoint.sh | 2 ++ 15/alpine3.22/docker-entrypoint.sh | 2 ++ 15/alpine3.23/docker-entrypoint.sh | 2 ++ 15/bookworm/docker-entrypoint.sh | 2 ++ 15/trixie/docker-entrypoint.sh | 2 ++ 16/alpine3.22/docker-entrypoint.sh | 2 ++ 16/alpine3.23/docker-entrypoint.sh | 2 ++ 16/bookworm/docker-entrypoint.sh | 2 ++ 16/trixie/docker-entrypoint.sh | 2 ++ 17/alpine3.22/docker-entrypoint.sh | 2 ++ 17/alpine3.23/docker-entrypoint.sh | 2 ++ 17/bookworm/docker-entrypoint.sh | 2 ++ 17/trixie/docker-entrypoint.sh | 2 ++ 18/alpine3.22/docker-entrypoint.sh | 2 ++ 18/alpine3.23/docker-entrypoint.sh | 2 ++ 18/bookworm/docker-entrypoint.sh | 2 ++ 18/trixie/docker-entrypoint.sh | 2 ++ 20 files changed, 40 insertions(+) diff --git a/14/alpine3.22/docker-entrypoint.sh b/14/alpine3.22/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/14/alpine3.22/docker-entrypoint.sh +++ b/14/alpine3.22/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/14/alpine3.23/docker-entrypoint.sh b/14/alpine3.23/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/14/alpine3.23/docker-entrypoint.sh +++ b/14/alpine3.23/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/14/bookworm/docker-entrypoint.sh b/14/bookworm/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/14/bookworm/docker-entrypoint.sh +++ b/14/bookworm/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/14/trixie/docker-entrypoint.sh b/14/trixie/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/14/trixie/docker-entrypoint.sh +++ b/14/trixie/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/15/alpine3.22/docker-entrypoint.sh b/15/alpine3.22/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/15/alpine3.22/docker-entrypoint.sh +++ b/15/alpine3.22/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/15/alpine3.23/docker-entrypoint.sh b/15/alpine3.23/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/15/alpine3.23/docker-entrypoint.sh +++ b/15/alpine3.23/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/15/bookworm/docker-entrypoint.sh b/15/bookworm/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/15/bookworm/docker-entrypoint.sh +++ b/15/bookworm/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/15/trixie/docker-entrypoint.sh b/15/trixie/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/15/trixie/docker-entrypoint.sh +++ b/15/trixie/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/16/alpine3.22/docker-entrypoint.sh b/16/alpine3.22/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/16/alpine3.22/docker-entrypoint.sh +++ b/16/alpine3.22/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/16/alpine3.23/docker-entrypoint.sh b/16/alpine3.23/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/16/alpine3.23/docker-entrypoint.sh +++ b/16/alpine3.23/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/16/bookworm/docker-entrypoint.sh b/16/bookworm/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/16/bookworm/docker-entrypoint.sh +++ b/16/bookworm/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/16/trixie/docker-entrypoint.sh b/16/trixie/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/16/trixie/docker-entrypoint.sh +++ b/16/trixie/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/17/alpine3.22/docker-entrypoint.sh b/17/alpine3.22/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/17/alpine3.22/docker-entrypoint.sh +++ b/17/alpine3.22/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/17/alpine3.23/docker-entrypoint.sh b/17/alpine3.23/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/17/alpine3.23/docker-entrypoint.sh +++ b/17/alpine3.23/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/17/bookworm/docker-entrypoint.sh b/17/bookworm/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/17/bookworm/docker-entrypoint.sh +++ b/17/bookworm/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/17/trixie/docker-entrypoint.sh b/17/trixie/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/17/trixie/docker-entrypoint.sh +++ b/17/trixie/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/18/alpine3.22/docker-entrypoint.sh b/18/alpine3.22/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/18/alpine3.22/docker-entrypoint.sh +++ b/18/alpine3.22/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/18/alpine3.23/docker-entrypoint.sh b/18/alpine3.23/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/18/alpine3.23/docker-entrypoint.sh +++ b/18/alpine3.23/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/18/bookworm/docker-entrypoint.sh b/18/bookworm/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/18/bookworm/docker-entrypoint.sh +++ b/18/bookworm/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@" diff --git a/18/trixie/docker-entrypoint.sh b/18/trixie/docker-entrypoint.sh index d4442d8a52..8d507bc407 100755 --- a/18/trixie/docker-entrypoint.sh +++ b/18/trixie/docker-entrypoint.sh @@ -377,6 +377,8 @@ _main() { EOM fi + + unset "${!POSTGRES_@}" fi exec "$@"