chore: add blog post about building images with bake

[sxd]

No description provided.

[jsilvela]

Great content.
Some of the paragraphs are rather complicated.
I've made some grammar fixes.
And, on line length: very far from 80, though that is a conversation I always wonder if we're having.

[Javex]

Unfortunately I got stuck on the step to actually build the image so I wasn't able to review the rest of the instructions yet. Thank you for writing it up so quickly! If I understanding everything correctly so far it should be pretty straightforward to based my custom bake file on your upstream one, that's pretty awesome.

[jsilvela]

Made a bunch of corrections, and have been breaking up paragraphs with lots of commas to use stops instead.
I think it looks OK, but probably worth another round of simplification.

[smiyc]

did anybody manage to "ADD" files in the dockerfil-inline

  dockerfile-inline = <<EOT
ARG BASEIMAGE="ghcr.io/cloudnative-pg/postgresql:16.9-standard-bookworm"
FROM $BASEIMAGE AS myimage
ARG EXTENSIONS
USER root
RUN apt-get update && \
    apt-get install -y --no-install-recommends $EXTENSIONS \
    ldap-utils ca-certificates openssl procps \
    postgresql-plpython3-"${getMajor(pgVersion)}" \
    python3-psutil \
    pgtop \
    pg-activity \
    nmon \
    libsybdb5 \
    freetds-dev \
    freetds-common && \
    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false && \
    rm -rf /var/lib/apt/lists/* /var/cache/* /var/log/*
RUN sed -i -e 's/# de_AT.UTF-8 UTF-8/de_AT.UTF-8 UTF-8/' /etc/locale.gen && \
        locale-gen
ADD files/.psqlrc /var/lib/postgresql/
ADD files/etc/ldap/ldap.conf /etc/ldap/
ADD files/usr/local/share/ca-certificates/XXX.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates
USER 26
EOT

the local file is not found

Dockerfile:20
--------------------
  18 |     RUN sed -i -e 's/# de_AT.UTF-8 UTF-8/de_AT.UTF-8 UTF-8/' /etc/locale.gen && \
  19 |             locale-gen
  20 | >>> ADD files/.psqlrc /var/lib/postgresql/
  21 |     #ADD files/etc/ldap/ldap.conf /etc/ldap/
  22 |     #ADD files/usr/local/share/ca-certificates/EuropeanSSLServerCA2.crt /usr/local/share/ca-certificates/
--------------------
ERROR: failed to solve: failed to compute cache key: failed to calculate checksum of ref vgst2lntgdpy28wq01ah1qmve::xyrmvcki8qkbr6a3m34u86qrt: "/files/.psqlrc": not found

the files directory is located in the directory where I run the bake cmd.
also fully-qualified path is not working :-(

[smiyc]

did anybody manage to "ADD" files in the dockerfil-inline

  dockerfile-inline = <<EOT
ARG BASEIMAGE="ghcr.io/cloudnative-pg/postgresql:16.9-standard-bookworm"
FROM $BASEIMAGE AS myimage
ARG EXTENSIONS
USER root
RUN apt-get update && \
    apt-get install -y --no-install-recommends $EXTENSIONS \
    ldap-utils ca-certificates openssl procps \
    postgresql-plpython3-"${getMajor(pgVersion)}" \
    python3-psutil \
    pgtop \
    pg-activity \
    nmon \
    libsybdb5 \
    freetds-dev \
    freetds-common && \
    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false && \
    rm -rf /var/lib/apt/lists/* /var/cache/* /var/log/*
RUN sed -i -e 's/# de_AT.UTF-8 UTF-8/de_AT.UTF-8 UTF-8/' /etc/locale.gen && \
        locale-gen
ADD files/.psqlrc /var/lib/postgresql/
ADD files/etc/ldap/ldap.conf /etc/ldap/
ADD files/usr/local/share/ca-certificates/XXX.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates
USER 26
EOT

the local file is not found

Dockerfile:20
--------------------
  18 |     RUN sed -i -e 's/# de_AT.UTF-8 UTF-8/de_AT.UTF-8 UTF-8/' /etc/locale.gen && \
  19 |             locale-gen
  20 | >>> ADD files/.psqlrc /var/lib/postgresql/
  21 |     #ADD files/etc/ldap/ldap.conf /etc/ldap/
  22 |     #ADD files/usr/local/share/ca-certificates/EuropeanSSLServerCA2.crt /usr/local/share/ca-certificates/
--------------------
ERROR: failed to solve: failed to compute cache key: failed to calculate checksum of ref vgst2lntgdpy28wq01ah1qmve::xyrmvcki8qkbr6a3m34u86qrt: "/files/.psqlrc": not found

the files directory is located in the directory where I run the bake cmd. also fully-qualified path is not working :-(

using ADD https://xxx.gitlab/xxx/.psqlrc /var/lib/postgresql/
works and putting the file in a repo is probably better than having them on a nfs share...

[jsilvela]

OK, the post is IMO still not ready.
Still grammar issues and clunky wording. Here are a bunch of suggestions.

[Javex]

Thank you again for writing this up. I managed to get it worked and understood the instructions in the remainder of the post. Unfortunately, I discovered that renovate doesn't support bake yet (renovatebot/renovate#33463) which means I couldn't automate creating a fresh docker image whenever you release a new one upstream. For now I think I'll stick with my current solution of just inheriting using FROM. I really appreciate your effort and how quickly you wrote this up!

[sxd]

did anybody manage to "ADD" files in the dockerfil-inline

  dockerfile-inline = <<EOT
ARG BASEIMAGE="ghcr.io/cloudnative-pg/postgresql:16.9-standard-bookworm"
FROM $BASEIMAGE AS myimage
ARG EXTENSIONS
USER root
RUN apt-get update && \
    apt-get install -y --no-install-recommends $EXTENSIONS \
    ldap-utils ca-certificates openssl procps \
    postgresql-plpython3-"${getMajor(pgVersion)}" \
    python3-psutil \
    pgtop \
    pg-activity \
    nmon \
    libsybdb5 \
    freetds-dev \
    freetds-common && \
    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false && \
    rm -rf /var/lib/apt/lists/* /var/cache/* /var/log/*
RUN sed -i -e 's/# de_AT.UTF-8 UTF-8/de_AT.UTF-8 UTF-8/' /etc/locale.gen && \
        locale-gen
ADD files/.psqlrc /var/lib/postgresql/
ADD files/etc/ldap/ldap.conf /etc/ldap/
ADD files/usr/local/share/ca-certificates/XXX.crt /usr/local/share/ca-certificates/
RUN update-ca-certificates
USER 26
EOT

the local file is not found

Dockerfile:20
--------------------
  18 |     RUN sed -i -e 's/# de_AT.UTF-8 UTF-8/de_AT.UTF-8 UTF-8/' /etc/locale.gen && \
  19 |             locale-gen
  20 | >>> ADD files/.psqlrc /var/lib/postgresql/
  21 |     #ADD files/etc/ldap/ldap.conf /etc/ldap/
  22 |     #ADD files/usr/local/share/ca-certificates/EuropeanSSLServerCA2.crt /usr/local/share/ca-certificates/
--------------------
ERROR: failed to solve: failed to compute cache key: failed to calculate checksum of ref vgst2lntgdpy28wq01ah1qmve::xyrmvcki8qkbr6a3m34u86qrt: "/files/.psqlrc": not found

the files directory is located in the directory where I run the bake cmd. also fully-qualified path is not working :-(

using ADD https://xxx.gitlab/xxx/.psqlrc /var/lib/postgresql/ works and putting the file in a repo is probably better than having them on a nfs share...

That will not work indeed, since the problem is that inline is a temporary context. My advice will be create another target and do the inheritance from that and use that in a local context to build the container, meaning that first target will be remote and the final one will be local

[smiyc]

When updating from an old school built 17.4 image to the bake 17.5 I receive this error

postgres {"level":"info","ts":"2025-06-23T14:48:52.773817737+02:00","logger":"postgres","msg":"2025-06-23 12:48:52.773 GMT [22] LOG:  unrecognized configuration parameter \"allow_alter_system\" in file \"/var/lib/postgresql/data/pgdata/custom.conf\" line 1","pipe":"stderr","log │
│ ging_pod":"xxx-1"} 

when I fenced the instance and had a look into /usr/lib/postgresql there are binaries for versions 16 and 17.
I guess the version 16 comes from the baseimage used in the dockerfile-inline.
And if allow_alter_system is an unrecogniced parameter, the instance is using the version 16 binaries I guess.

this is the bake.hcl file

variable "environment" {
  default = "production"
}

variable "registry" {
  default = "xxx/xx/xxx-xxx/cnpg"
}

extensions = [
  "pgvector","dbgsym","partman","oracle-fdw","squeeze","show-plans","cron","tds-fdw",
]
target "myimage" {
  dockerfile-inline = <<EOT
ARG BASEIMAGE="ghcr.io/cloudnative-pg/postgresql:16.9-standard-bookworm"
FROM $BASEIMAGE AS myimage
ARG EXTENSIONS
USER root
RUN apt-get update && \
    apt-get install -y --no-install-recommends $EXTENSIONS \
    ldap-utils ca-certificates openssl procps \
    postgresql-plpython3-"${getMajor(pgVersion)}" \
    python3-psutil \
    pgtop \
    pg-activity \
    nmon \
    libsybdb5 \
    freetds-dev \
    freetds-common && \
    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false && \
    rm -rf /var/lib/apt/lists/* /var/cache/* /var/log/*
RUN sed -i -e 's/# de_AT.UTF-8 UTF-8/de_AT.UTF-8 UTF-8/' /etc/locale.gen && \
        locale-gen
ADD https://xxx//.psqlrc?ref_type=heads /var/lib/postgresql/
ADD https://repo.wienit.at/gitlab/wienit-dba/cloudnativepg/-/blob/main/bake/files/etc/ldap/ldap.conf?ref_type=heads /etc/ldap/
ADD https://xxx/EuropeanSSLServerCA2.crt?ref_type=heads /usr/local/share/ca-certificates/
RUN update-ca-certificates 
USER 26
EOT
  matrix = {
    tgt = [
      "myimage"
    ]
    pgVersion = [
      "13.21",
      "14.18",
      "15.13",
      "16.9",
      "17.5",
    ]
  }
  name = "postgresql-${index(split(".",cleanVersion(pgVersion)),0)}-standard-bookworm"
  target = "${tgt}"
  args = {
    BASE_IMAGE = "ghcr.io/cloudnative-pg/postgresql:${cleanVersion(pgVersion)}-standard-bookworm",
    EXTENSIONS = "${getExtensionsString(pgVersion, extensions)}",
  }
}

When I spin up a fresh cluster with the bake built 17.5 image, I receive an error that the pg_cron file is missing.

initdb {"level":"info","ts":"2025-06-23T16:26:06.804597515+02:00","msg":"Starting up instance","logging_pod":"xxx-1-initdb","pgdata":"/var/lib/postgresql/data/pgdata","options":["start","-w","-D","/var/lib/postgresql/data/pgdata","-o","-c port=5432 -c unix_socket_directories=/controller/run","-t 40000000","-o","-c listen_addresses='127.0.0.1'"]}                                                                                                             
initdb {"level":"info","ts":"2025-06-23T16:26:06.856623015+02:00","logger":"pg_ctl","msg":"waiting for server to start....2025-06-23 16:26:06.856 CEST [2[] @ []FATAL:  could not access file \"pg_cron\": No such file or directory","pipe":"stdout","logging_pod":"xxx-1-initdb"}
initdb {"level":"info","ts":"2025-06-23T16:26:06.856767241+02:00","logger":"pg_ctl","msg":"2025-06-23 16:26:06.856 CEST [29] @ []LOG:  database system is shut down","pipe":"stdout","logging_pod":"xxx-1-initdb"}                                                                                              
initdb {"level":"info","ts":"2025-06-23T16:26:06.932423735+02:00","logger":"pg_ctl","msg":"pg_ctl: could not start server","pipe":"stderr","logging_pod": "xxx-1-initdb"}                                                                                                                                        
initdb {"level":"info","ts":"2025-06-23T16:26:06.932816885+02:00","logger":"pg_ctl","msg":"Examine the log output.","pipe":"stderr","logging_pod":"xxx-1-initdb"}

looking inside the image, pg_cron is there

postgres@xxx-1:/usr/lib/postgresql/17/lib$ ls -la *cron*
-rw-r--r-- 1 root root 76072 Dec 17  2024 pg_cron.so

not sure how to continue troubleshooting this?

[jsilvela]

Just read this again, and I have more comments.

[FloorD]

I've not applied the 80 characters-thing, let's do that once we're happy with the text?

[FloorD]

By default, images are built for both amd64 and arm64 architectures, which is the recommended setup for most users. However, if you want to target a specific architecture and reduce image size, you can override the platforms variable in your local Bake file.

[sxd]

allow_alter_system

@smiyc This is totally unrelated, this sounds more like an issue that pg_cron is never installed either in the base or the new layer, but if you want send me a message on Slack and we do the troubleshooting there if you don't fix it already, sorry this was a blog post didn't saw this :D thank to @FloorD for telling me to look into this :D

[jsilvela]

OK, this passes muster.
I have left a few optional comments ... well the last one is a little less optional. Anyway.
And, on the 80 columns limit.
Let's be consistent about it. I'd be open to abandoning that. Formatting for 80 col does get a bit silly.