Cleanup the setup from the database related bits

.github/workflows/build_containers.yml

@@ -283,3 +283,34 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
+
+  build-and-push-postgresql-image:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}/ci-postgresql
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v5
+        with:
+          context: ./testsuite/dockerfiles/postgresql/
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

containers/doc/rds.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Prepare the internal database
+echo "CREATE DATABASE $MANAGER_DB_NAME ENCODING = UTF8 ;" | ( export PGPASSWORD=$EXTERNALDB_ADMIN_PASS; exec psql -h $MANAGER_DB_HOST -U $EXTERNALDB_ADMIN_USER)
+echo "CREATE ROLE $MANAGER_USER PASSWORD '$MANAGER_PASS'  NOCREATEDB NOCREATEROLE INHERIT LOGIN;" | ( export PGPASSWORD=$EXTERNALDB_ADMIN_PASS; exec psql -h $MANAGER_DB_HOST -U $EXTERNALDB_ADMIN_USER)
+echo "GRANT rds_superuser to $MANAGER_USER;" | ( export PGPASSWORD=$EXTERNALDB_ADMIN_PASS; exec psql -h $MANAGER_DB_HOST -U $EXTERNALDB_ADMIN_USER)
+echo "GRANT create on database $MANAGER_DB_NAME to $MANAGER_USER;" | ( export PGPASSWORD=$EXTERNALDB_ADMIN_PASS; exec psql -h $MANAGER_DB_HOST -U $EXTERNALDB_ADMIN_USER)
+
+# Prepare the report database
+echo "CREATE DATABASE $PGNAME ENCODING = UTF8 ;" | ( export PGPASSWORD=$EXTERNALDB_ADMIN_PASS; exec psql -h $HOST -U $EXTERNALDB_ADMIN_USER)
+echo "CREATE EXTENSION IF NOT EXISTS plpgsql;"  | ( export PGPASSWORD=$EXTERNALDB_ADMIN_PASS; exec psql -h $HOST -U $EXTERNALDB_ADMIN_USER -d $PGNAME)
+echo "CREATE ROLE $PGUSER PASSWORD '$PGPASSWORD' NOCREATEDB NOCREATEROLE INHERIT LOGIN;" | ( export PGPASSWORD=$EXTERNALDB_ADMIN_PASS; exec psql -h $HOST -U $EXTERNALDB_ADMIN_USER)
+echo "GRANT rds_superuser to $PGUSER;" | ( export PGPASSWORD=$EXTERNALDB_ADMIN_PASS; exec psql -h $HOST -U $EXTERNALDB_ADMIN_USER)
+echo "GRANT create on database $PGNAME to $PGUSER;" | ( export PGPASSWORD=$EXTERNALDB_ADMIN_PASS; exec psql -h $HOST -U $EXTERNALDB_ADMIN_USER)

containers/server-image/Dockerfile

@@ -20,8 +20,6 @@ RUN echo "rpm.install.excludedocs = yes" >>/etc/zypp/zypp.conf && \
         ${PRODUCT_PATTERN_PREFIX}_retail \
         spacewalk-backend-sql-postgresql \
         spacewalk-java-postgresql \
-        postgresql16-contrib \
-        postgresql16-server \
         postgresql16 \
         billing-data-service \
         grub2-x86_64-efi \

containers/server-image/server-image.changes.cbosdo.postgresql

@@ -0,0 +1 @@
+- Move the database to a separate container

containers/server-postgresql-image/Dockerfile

@@ -0,0 +1,31 @@
+# SPDX-License-Identifier: MIT
+#!BuildTag: uyuni/server-postgresql:latest
+
+ARG PG_BASE=registry.opensuse.org/opensuse/postgres:16
+# or ARG BASE=registry.suse.com/suse/postgres:16
+FROM $PG_BASE
+
+ADD --chown=root:root root.tar.gz /
+
+# LABELs
+ARG PRODUCT=Uyuni
+ARG VENDOR="Uyuni project"
+ARG URL="https://www.uyuni-project.org/"
+ARG REFERENCE_PREFIX="registry.opensuse.org/uyuni"
+
+# Build Service required labels
+# labelprefix=org.opensuse.uyuni.server-postgresql
+LABEL org.opencontainers.image.name=server-postgresql-image
+LABEL org.opencontainers.image.title="${PRODUCT} PostgreSQL container image"
+LABEL org.opencontainers.image.description="${PRODUCT} PostgreSQL container image"
+LABEL org.opencontainers.image.created="%BUILDTIME%"
+LABEL org.opencontainers.image.vendor="${VENDOR}"
+LABEL org.opencontainers.image.url="${URL}"
+LABEL org.opencontainers.image.version=5.1.0
+LABEL org.openbuildservice.disturl="%DISTURL%"
+LABEL org.opensuse.reference="${REFERENCE_PREFIX}/server-postgresql:${PRODUCT_VERSION}.%RELEASE%"
+# endlabelprefix
+LABEL org.uyuni.version="${PRODUCT_VERSION}"
+
+ENTRYPOINT ["/usr/local/bin/uyuni-entrypoint.sh"]
+CMD ["postgres"]

containers/server-postgresql-image/_service

@@ -0,0 +1,4 @@
+<services>
+  <service mode="buildtime" name="kiwi_metainfo_helper"/>
+  <service mode="buildtime" name="docker_label_helper"/>
+</services>

containers/server-postgresql-image/root/docker-entrypoint-initdb.d/create-db.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+MANAGER_DB_NAME=susemanager
+
+run_sql() {
+    PGHOST= PGHOSTADDR= psql -v ON_ERROR_STOP=1 -U "$POSTGRES_USER" --no-password --no-psqlrc "$@"
+}
+
+echo "CREATE DATABASE $MANAGER_DB_NAME ENCODING = UTF8 ;" | run_sql
+echo "CREATE EXTENSION IF NOT EXISTS plpgsql;"  | run_sql
+echo "CREATE ROLE $MANAGER_USER PASSWORD '$MANAGER_PASSWORD' SUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;" | run_sql

containers/server-postgresql-image/root/docker-entrypoint-initdb.d/create-reportdb.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+REPORTDB_NAME=reportdb
+
+run_sql() {
+    PGHOST= PGHOSTADDR= psql -v ON_ERROR_STOP=1 -U "$POSTGRES_USER" --no-password --no-psqlrc "$@"
+}
+
+echo "CREATE DATABASE $REPORTDB_NAME ENCODING = UTF8 ;" | run_sql
+echo "CREATE EXTENSION IF NOT EXISTS plpgsql;"  | run_sql
+echo "CREATE ROLE $REPORTDB_USER PASSWORD '$REPORTDB_PASSWORD' SUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN;" | run_sql

containers/server-postgresql-image/root/docker-entrypoint-initdb.d/uyuni-postgres-config.sh

@@ -0,0 +1,100 @@
+#!/bin/bash
+# Adjust postgresql.conf for Uyuni
+# This is run automatically at the first start of the container
+# or it can be run manually later.
+
+POSTGRESQL=/var/lib/pgsql/data/postgresql.conf
+SSL_CERT=/etc/pki/tls/certs/spacewalk.crt
+SSL_KEY=/etc/pki/tls/private/pg-spacewalk.key
+
+postgres_reconfig() {
+    echo "Setting $1 = $2"
+    if test $(sed -n "/^$1[[:space:]]*=/p" $POSTGRESQL | wc -l) -ne 0; then
+        sed -i "s|^$1[[:space:]]*=.*|$1 = $2|" $POSTGRESQL
+    else
+        echo "$1 = $2" >> $POSTGRESQL
+    fi
+}
+
+# Get total memory in KB
+TOTAL_MEM_KB=$(sed -n -e '/MemTotal:/{s|MemTotal:[[:space:]]*\([0-9]*\).*|\1| p}' /proc/meminfo)
+
+# Check minimum memory requirement (255KB)
+if [ "$TOTAL_MEM_KB" -lt $((0xff * 1024)) ]; then
+    echo "WARNING: low memory: $TOTAL_MEM_KB"
+    TOTAL_MEM_KB=$((0xff * 1024))
+fi
+
+# Binary rounding function
+bin_rnd() {
+    local value=$1
+    local mbt=1
+    while [ $value -gt 16 ]; do
+        value=$((value / 2))
+        mbt=$((mbt * 2))
+    done
+    echo $((mbt * value))
+}
+
+# Convert to MB
+to_mb() {
+    echo "$(($1 / 1024))MB"
+}
+
+# Get max_connections from current postgresql.conf
+MAX_CONNECTIONS=$(sed -n -e '/^max_connections[[:space:]]*=/{s/.*=[[:space:]]*\([0-9]*\).*/\1/ p}' $POSTGRESQL)
+[ -z "$MAX_CONNECTIONS" -o "$MAX_CONNECTIONS" -lt 400 ] && MAX_CONNECTIONS=500
+
+EFFECTIVE_IO_CONCURRENCY=$(sed -n -e '/^effective_io_concurrency[[:space:]]*=/{s/.*=[[:space:]]*\([0-9]*\).*/\1/ p}' $POSTGRESQL)
+
+if [ "$1" == "--hdd" ] ; then
+    echo "Configuring for rotational HDD"
+    IS_SSD=0
+elif [ "$1" == "--ssd" ] ; then
+    echo "Configuring for SSD"
+    IS_SSD=1
+elif [ "$EFFECTIVE_IO_CONCURRENCY" == 2 ] ; then
+    echo "Rotational HDD is already configured"
+    IS_SSD=0
+else
+    echo "Configuring for SSD"
+    IS_SSD=1
+fi
+
+# Calculate values
+SHARED_BUFFERS=$(bin_rnd $((TOTAL_MEM_KB / 4)))
+EFFECTIVE_CACHE_SIZE=$(bin_rnd $((TOTAL_MEM_KB * 3 / 4)))
+WORK_MEM=$(bin_rnd $(((TOTAL_MEM_KB - SHARED_BUFFERS) / (3 * MAX_CONNECTIONS))))
+MAINTENANCE_WORK_MEM=$(bin_rnd $(( TOTAL_MEM_KB / 16 < 1048576 ? TOTAL_MEM_KB / 16 : 1048576 ))) # 1GB
+
+# Apply configurations
+postgres_reconfig "shared_buffers" "$(to_mb $SHARED_BUFFERS)"
+postgres_reconfig "effective_cache_size" "$(to_mb $EFFECTIVE_CACHE_SIZE)"
+postgres_reconfig "work_mem" "$(to_mb $WORK_MEM)"
+postgres_reconfig "maintenance_work_mem" "$(to_mb $MAINTENANCE_WORK_MEM)"
+postgres_reconfig "max_wal_size" "4096MB"
+postgres_reconfig "min_wal_size" "1024MB"
+postgres_reconfig "checkpoint_completion_target" "0.9"
+postgres_reconfig "wal_buffers" "16MB"
+postgres_reconfig "constraint_exclusion" "off"
+postgres_reconfig "max_connections" "$MAX_CONNECTIONS"
+
+if [ "$IS_SSD" -eq 1 ]; then
+    postgres_reconfig "random_page_cost" "1.1"
+    postgres_reconfig "effective_io_concurrency" "200"
+else
+    postgres_reconfig "random_page_cost" "4"
+    postgres_reconfig "effective_io_concurrency" "2"
+fi
+
+postgres_reconfig jit off
+
+if [ -f $SSL_KEY ] ; then
+    chown postgres $SSL_KEY
+    chmod 400 $SSL_KEY
+    postgres_reconfig "ssl" "on"
+    postgres_reconfig "ssl_cert_file" "'$SSL_CERT'"
+    postgres_reconfig "ssl_key_file" "'$SSL_KEY'"
+fi
+
+echo "postgresql.conf updated"

containers/server-postgresql-image/root/usr/local/bin/uyuni-entrypoint.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -e
+
+chown postgres /etc/pki/tls/private/pg-spacewalk.key
+
+/usr/local/bin/docker-entrypoint.sh "$@"

containers/server-postgresql-image/server-postgresql-image.changes

@@ -0,0 +1 @@
+- Initial release of PostgreSQL container image

containers/server-postgresql-image/tito.props

@@ -0,0 +1,3 @@
+[buildconfig]
+tagger = tito.tagger.SUSEContainerTagger
+builder = custom.ContainerBuilder

java/code/src/com/suse/manager/utils/SaltUtils.java

@@ -1117,10 +1117,8 @@ private void handleImageBuildData(ServerAction serverAction, JsonElement jsonRes
                     List<List<Object>> files = new ArrayList<>();
                     String imageDir = info.getName() + "-" + info.getVersion() + "-" + info.getRevisionNumber() + "/";
                     if (!buildInfo.getBundles().isEmpty()) {
-                        buildInfo.getBundles().forEach(bundle -> {
-                            files.add(List.of(bundle.getFilepath(),
-                                    imageDir + bundle.getFilename(), "bundle", bundle.getChecksum()));
-                        });
+                        buildInfo.getBundles().forEach(bundle -> files.add(List.of(bundle.getFilepath(),
+                                    imageDir + bundle.getFilename(), "bundle", bundle.getChecksum())));
                     }
                     else {
                         files.add(List.of(buildInfo.getImage().getFilepath(),
@@ -1721,12 +1719,11 @@ public static String packageToKey(InstalledPackage p) {
         // name and EVR are never null due to DB constraints
         // see schema/spacewalk/common/tables/rhnServerPackage.sql
 
-        String sb = p.getName().getName() +
+        return p.getName().getName() +
                 "-" +
                 p.getEvr().toUniversalEvrString() +
                 "." +
                 Optional.ofNullable(p.getArch()).map(PackageArch::toUniversalArchString).orElse("unknown");
-        return sb;
     }
 
     /**

rel-eng/packages/server-postgresql-image

@@ -0,0 +1 @@
+5.1.0 containers/server-postgresql-image/

spacewalk/admin/spacewalk-startup-helper

@@ -114,26 +114,6 @@ check_database() {
     # Check, if the report DB was already setup
     if egrep -m1 "^report_db_host[[:space:]]*=[[:space:]]*[a-zA-Z0-9_-]+" /etc/rhn/rhn.conf; then
         REPORTDB_EXISTS='y'
-    else
-        # Check, if the DB is local and we should setup the reporting DB automated
-	if egrep -m1 "^db_host[[:space:]]*=[[:space:]]*localhost" /etc/rhn/rhn.conf; then
-            # Do not use 'md5' auth anymore, migrate to 'scram-sha-256' if needed
-            db_migrate_md5_to_scram
-
-            # if the main database is local, we setup the report DB automatically
-            /usr/bin/uyuni-setup-reportdb create --db reportdb --user pythia_susemanager --autogenpw \
-                                          --address '*' --remote '0.0.0.0/0,::/0' && {
-                REPORTDB_EXISTS='y'
-            }
-
-            if [ $? -ne 0 ]; then
-                echo "Report Database creation has failed. Please check the logs."
-                exit 1
-            fi
-
-        else
-            logger -p user.notice "Database not local - skipping setup of report database"
-        fi
     fi
 
     if [ $REPORTDB_EXISTS == 'y' ]; then

spacewalk/certs-tools/mgr_ssl_cert_setup.py

@@ -558,23 +558,6 @@ def deployApache(apache_cert_content, server_key_content):
     )
 
 
-# pylint: disable-next=invalid-name
-def deployPg(server_key_content):
-    pg_uid, pg_gid = getUidGid("postgres", "postgres")
-    if pg_uid and pg_gid:
-        # deploy only the key with different permissions
-        # the certificate is the same as for apache
-        if os.path.exists(PG_KEY_FILE):
-            os.remove(PG_KEY_FILE)
-        # pylint: disable-next=unspecified-encoding
-        with open(PG_KEY_FILE, "w", encoding="utf-8") as f:
-            f.write(server_key_content)
-        os.chmod(PG_KEY_FILE, int("0600", 8))
-        os.chown(PG_KEY_FILE, pg_uid, pg_gid)
-
-        log("""$> systemctl restart postgresql.service """)
-
-
 # pylint: disable-next=invalid-name
 def deployCAInDB(certData):
     if not os.path.exists("/usr/bin/rhn-ssl-dbstore"):
@@ -716,7 +699,6 @@ def _main():
         sys.exit(1)
 
     deployApache(apache_cert_content, files_content.server_key)
-    deployPg(files_content.server_key)
     deployCAUyuni(certData)
     if not options.skip_db:
         deployCAInDB(certData)