Revert "chore: remove pgbouncer from docker aio image [GEN-8039]" (#912)

* Revert "chore: remove pgbouncer from docker aio image (#907)" This reverts commit d0bca07. * fix: bump version to 15.1.1.27 as .26 was disabled due to Fly issues with docker aio * Update common.vars.pkr.hcl --------- Co-authored-by: Div Arora <[email protected]>
supabase · Mar 21, 2024 · 33c7533 · 33c7533
1 parent 34281ed
commit 33c7533
Show file tree

Hide file tree

Showing 21 changed files with 547 additions and 28 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -927,6 +927,7 @@ RUN sed -i \
 
 # Include schema migrations
 COPY migrations/db /docker-entrypoint-initdb.d/
+COPY ansible/files/pgbouncer_config/pgbouncer_auth_schema.sql /docker-entrypoint-initdb.d/init-scripts/00-schema.sql
 COPY ansible/files/stat_extension.sql /docker-entrypoint-initdb.d/migrations/00-extension.sql
 
 # Add upstream entrypoint script

diff --git a/common.vars.pkr.hcl b/common.vars.pkr.hcl
@@ -1 +1 @@
-postgres-version = "15.1.1.27"
+postgres-version = "15.1.1.28"
diff --git a/docker/all-in-one/Dockerfile b/docker/all-in-one/Dockerfile
@@ -1,5 +1,6 @@
 ARG postgres_version=15.1.1.24
 
+ARG pgbouncer_release=1.18.0
 ARG postgrest_release=10.1.2
 ARG gotrue_release=2.130.0
 ARG adminapi_release=0.62.0
@@ -25,6 +26,33 @@ RUN apt-get update && apt-get install -y \
     cmake \
     && rm -rf /var/lib/apt/lists/*
 
+####################
+# Install pgbouncer
+####################
+FROM builder as pgbouncer-source
+# Download and extract
+ARG pgbouncer_release
+ADD "https://www.pgbouncer.org/downloads/files/${pgbouncer_release}/pgbouncer-${pgbouncer_release}.tar.gz" /tmp/pgbouncer.tar.gz
+RUN tar -xvf /tmp/pgbouncer.tar.gz -C /tmp && \
+    rm -rf /tmp/pgbouncer.tar.gz
+# Install build dependencies
+RUN apt-get update && apt-get install -y \
+    libevent-dev \
+    && rm -rf /var/lib/apt/lists/*
+# Build from source
+WORKDIR /tmp/pgbouncer-${pgbouncer_release}
+RUN ./configure --prefix=/usr/local
+RUN make -j$(nproc)
+# Create debian package
+RUN checkinstall -D --install=no --fstrans=no --backup=no --pakdir=/tmp --requires=libevent-2.1-7 --nodoc
+
+FROM base as pgbouncer
+# Download pre-built packages
+RUN apt-get update && apt-get install -y --no-install-recommends --download-only \
+    pgbouncer \
+    && rm -rf /var/lib/apt/lists/*
+RUN mv /var/cache/apt/archives/*.deb /tmp/
+
 ####################
 # Install PostgREST
 ####################
@@ -98,6 +126,7 @@ RUN mv /var/cache/apt/archives/*.deb /tmp/
 FROM base as production
 
 # Copy dependencies from previous build stages
+COPY --from=pgbouncer /tmp/*.deb /tmp/
 COPY --from=vector /tmp/*.deb /tmp/
 COPY --from=kong /tmp/*.deb /tmp/
 COPY --from=supervisor /tmp/*.deb /tmp/
@@ -148,6 +177,11 @@ COPY docker/all-in-one/etc/sudoers.d /etc/sudoers.d/
 # Script for pg_egress_collect
 COPY --chown=adminapi:adminapi docker/all-in-one/opt/pg_egress_collect /opt/pg_egress_collect
 
+# Customizations for pgbouncer
+COPY docker/all-in-one/etc/pgbouncer /etc/pgbouncer
+COPY docker/all-in-one/etc/pgbouncer-custom /etc/pgbouncer-custom
+COPY docker/all-in-one/etc/tmpfiles.d /etc/tmpfiles.d
+
 # Customizations for postgres
 COPY --chown=postgres:postgres docker/all-in-one/etc/postgresql/pg_hba.conf /etc/postgresql/
 COPY --chown=postgres:postgres docker/all-in-one/etc/postgresql/logging.conf /etc/postgresql/
@@ -216,6 +250,9 @@ ENV ADMIN_API_CERT_DIR=/etc/ssl/adminapi
 ENV ADMIN_API_PORT=8085
 EXPOSE ${ADMIN_API_PORT}
 
+ENV PGBOUNCER_PORT=6543
+EXPOSE ${PGBOUNCER_PORT}
+
 ENV PGEXPORTER_PORT=9187
 EXPOSE ${PGEXPORTER_PORT}
 
@@ -225,7 +262,8 @@ ENV VECTOR_API_PORT=9001
 RUN useradd --create-home --shell /bin/bash postgrest && \
     useradd --create-home --shell /bin/bash gotrue && \
     useradd --create-home --shell /bin/bash envoy && \
-    useradd --create-home --shell /bin/bash adminapi -G root,envoy,kong,postgres,postgrest,wal-g && \
+    useradd --create-home --shell /bin/bash pgbouncer -G postgres,ssl-cert && \
+    useradd --create-home --shell /bin/bash adminapi -G root,envoy,kong,pgbouncer,postgres,postgrest,wal-g && \
     usermod --append --shell /bin/bash -G postgres vector
 RUN mkdir -p /etc/wal-g && \
     chown -R adminapi:adminapi /etc/wal-g && \

diff --git a/docker/all-in-one/entrypoint.sh b/docker/all-in-one/entrypoint.sh
@@ -84,17 +84,6 @@ function disable_fail2ban {
   sed -i "s/autorestart=.*/autorestart=false/" /etc/supervisor/services/fail2ban.conf
 }
 
-function disable_gotrue {
-  sed -i "s/autostart=.*/autostart=false/" /etc/supervisor/services/gotrue.conf
-  sed -i "s/autorestart=.*/autorestart=false/" /etc/supervisor/services/gotrue.conf
-}
-
-function replace_kong_envoy {
-  sed -i "s/autostart=.*/autostart=true/" /etc/supervisor/services/envoy.conf
-  sed -i "s/autostart=.*/autostart=false/" /etc/supervisor/services/kong.conf
-  sed -i "s/kong/envoy/" /etc/supervisor/services/group.conf
-}
-
 function setup_postgres {
   tar -xzvf "$INIT_PAYLOAD_PATH" -C / ./etc/postgresql.schema.sql
   mv /etc/postgresql.schema.sql /docker-entrypoint-initdb.d/migrations/99-schema.sql
@@ -285,18 +274,19 @@ if [ "${AUTOSHUTDOWN_ENABLED:-}" == "true" ]; then
   enable_autoshutdown
 fi
 
-
 if [ "${ENVOY_ENABLED:-}" == "true" ]; then
-  replace_kong_envoy
+  sed -i "s/autostart=.*/autostart=true/" /etc/supervisor/services/envoy.conf
+  sed -i "s/autostart=.*/autostart=false/" /etc/supervisor/services/kong.conf
+  sed -i "s/kong/envoy/" /etc/supervisor/services/group.conf
 fi
 
 if [ "${FAIL2BAN_DISABLED:-}" == "true" ]; then
   disable_fail2ban
 fi
 
-
 if [ "${GOTRUE_DISABLED:-}" == "true" ]; then
-  disable_gotrue
+  sed -i "s/autostart=.*/autostart=false/" /etc/supervisor/services/gotrue.conf
+  sed -i "s/autorestart=.*/autorestart=false/" /etc/supervisor/services/gotrue.conf
 fi
 
 if [ "${PLATFORM_DEPLOYMENT:-}" == "true" ]; then

diff --git a/docker/all-in-one/etc/adminapi/adminapi.yaml b/docker/all-in-one/etc/adminapi/adminapi.yaml
@@ -16,6 +16,8 @@ node_exporter_additional_args:
 # cert_path: /etc/ssl/adminapi/server.crt
 # key_path: /etc/ssl/adminapi/server.key
 upstream_metrics_refresh_duration: 60s
+pgbouncer_endpoints:
+  - "postgres://pgbouncer:{{ .PgbouncerPassword }}@localhost:6543/pgbouncer"
 fail2ban_socket: /var/run/fail2ban/fail2ban.sock
 upstream_metrics_sources:
   - name: system
@@ -60,6 +62,7 @@ firewall:
     - 0.0.0.0/0
   filtered_ports:
     - 5432
+    - 6543
   unfiltered_ports:
     - 80
     - 443

diff --git a/docker/all-in-one/etc/fail2ban/filter.d/postgresql.conf b/docker/all-in-one/etc/fail2ban/filter.d/postgresql.conf
@@ -5,3 +5,4 @@ ignoreregex = ^.*,.*,.*,.*,"127\.0\.0\.1.*password authentication failed for use
               ^.*,.*,.*,.*,"<HOST>:.*password authentication failed for user ""supabase_auth_admin".*$
               ^.*,.*,.*,.*,"<HOST>:.*password authentication failed for user ""supabase_storage_admin".*$
               ^.*,.*,.*,.*,"<HOST>:.*password authentication failed for user ""authenticator".*$
+              ^.*,.*,.*,.*,"<HOST>:.*password authentication failed for user ""pgbouncer".*$
diff --git a/docker/all-in-one/etc/fail2ban/jail.d/pgbouncer.conf b/docker/all-in-one/etc/fail2ban/jail.d/pgbouncer.conf
@@ -0,0 +1,7 @@
+[pgbouncer]
+enabled  = true
+port     = 6543
+protocol = tcp
+filter   = pgbouncer
+logpath  = /var/log/services/pgbouncer.log
+maxretry = 3