IMPORTANT: As of January 2025, we have transitioned to a new image build process (see issue #132 for details). Previously, the images were based on the Official Postgres image, maintained by the PostgreSQL Docker Community, and included Barman Cloud built from source. This legacy approach, referred to as `system` images, will remain available for backward compatibility but is planned for a future deprecation.
This repository provides maintenance scripts for generating immutable application containers for all supported PostgreSQL versions (13 to 17). These containers are designed to serve as operands for the CloudNativePG (CNPG) operator in Kubernetes environments.
The CNPG PostgreSQL Container Images:
- Are based on Debian Linux `stable` and `oldstable`
- Support multi-architecture builds, including `linux/amd64` and `linux/arm64`.
- Include build attestations, such as Software Bills of Materials (SBOMs) and provenance metadata.
- Are published on the CloudNativePG GitHub Container Registry.
- Are automatically rebuilt weekly (every Monday) to ensure they remain up-to-date.
We currently build and support two primary types of PostgreSQL images:
Both `minimal` and `standard` images are intended to be used with backup plugins, such as Barman Cloud.
Note: for backward compatibility, we also maintain the `system` image type. Switching from `system` images to `minimal` or `standard` images on an existing cluster is not supported.
Minimal images are lightweight and built on top of the official Debian images. They use the APT PostgreSQL packages maintained by the PostgreSQL Global Development Group (PGDG).
These images are identified by the inclusion of `minimal` in their tag names, for example: `17.2-minimal-bookworm`.
Standard images are an extension of the `minimal` images, enhanced with the following additional features:
- PGAudit
- Postgres Failover Slots
- pgvector
- All Locales
Standard images are identifiable by the `standard` tag in their names, such as: `17.2-standard-bookworm`.
Note: Standard images are designed to offer functionality equivalent to the legacy `system` images when used with CloudNativePG. To achieve parity, you must use the Barman Cloud Plugin as a replacement for the native Barman Cloud support in `system` images.
System images are based on the Official Postgres image, maintained by the PostgreSQL Docker Community. These images include additional software to extend PostgreSQL functionality:
- Barman Cloud
- PGAudit
- Postgres Failover Slots
- pgvector
The `Debian` folder contains image catalogs, which can be used as:
Deprecation Notice: System images and the associated Debian-based image catalogs will be deprecated in future releases of CloudNativePG and eventually removed. Users are encouraged to migrate to `minimal` or `standard` images for new clusters as soon as feasible.
CNPG PostgreSQL Container Images are built with the following attestations to ensure transparency and traceability:
- Software Bill of Materials (SBOM): A comprehensive list of software artifacts included in the image or used during its build process, formatted using the in-toto SPDX predicate standard.
- Provenance: Metadata detailing how the image was built, following the SLSA Provenance framework.
For example, you can retrieve the SBOM for a specific image using the following command:
docker buildx imagetools inspect <IMAGE> --format "{{ json .SBOM.SPDX }}"
This command outputs the SBOM in JSON format, providing a detailed view of the software components and build dependencies.
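As an added example (not code from this repository), the following Python sketch runs the command above and checks that the SBOM's package list agrees with what the image tag claims: a `standard` image should carry the extras listed earlier, a `minimal` one should not. The Debian package names (`postgresql-<major>-pgaudit` and so on), the function names, and the sample SBOM are assumptions constructed for illustration; the SBOM passed to `audit` is assumed to be the SPDX document for a single platform.

```python
import json
import re
import subprocess

# Tag layout shown on this page: <pg version>-<type>-<debian codename>
TAG_RE = re.compile(r"^(?P<pg>\d+)(?:\.\d+)?-(?P<type>minimal|standard)-(?P<distro>[a-z]+)$")

# Assumption: package-name suffixes for the extras the page lists for standard images.
STANDARD_EXTRAS = ("pgaudit", "pg-failover-slots", "pgvector")


def fetch_sbom(image):
    """Run the inspect command from this page and return the SPDX document as a dict."""
    out = subprocess.run(
        ["docker", "buildx", "imagetools", "inspect", image,
         "--format", "{{ json .SBOM.SPDX }}"],
        check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def audit(tag, sbom):
    """Return a list of findings; an empty list means the SBOM matches the tag."""
    m = TAG_RE.match(tag)
    if not m:
        return [f"unrecognised tag layout: {tag}"]
    pkgs = {p["name"] for p in sbom.get("packages", [])}
    major = m["pg"]
    findings = []
    if f"postgresql-{major}" not in pkgs:
        findings.append(f"postgresql-{major} not in SBOM")
    for extra in STANDARD_EXTRAS:
        present = f"postgresql-{major}-{extra}" in pkgs
        if m["type"] == "standard" and not present:
            findings.append(f"standard image missing {extra}")
        if m["type"] == "minimal" and present:
            findings.append(f"minimal image unexpectedly ships {extra}")
    return findings


# Constructed sample, trimmed to the fields used above (not real registry output).
SAMPLE_SBOM = {"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "postgresql-17", "versionInfo": "17.2-1.pgdg120+1"},
    {"name": "postgresql-17-pgaudit", "versionInfo": "17.0-1.pgdg120+1"},
    {"name": "postgresql-17-pgvector", "versionInfo": "0.8.0-1.pgdg120+1"},
]}

if __name__ == "__main__":
    for tag in ("17.2-standard-bookworm", "17.2-minimal-bookworm"):
        print(tag, audit(tag, SAMPLE_SBOM) or "ok")
```

Against a real image, pass the result of `fetch_sbom("<IMAGE>")` to `audit` together with the tag portion of the reference.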
CloudNativePG container images are securely signed using cosign, a tool within the Sigstore ecosystem. This signing process is automated via GitHub Actions and leverages short-lived tokens issued through OpenID Connect.
The token issuer is `https://token.actions.githubusercontent.com`, and the signing identity corresponds to a GitHub workflow executed under the `cloudnative-pg/postgres-containers` repository. This workflow uses the `cosign-installer` action to facilitate the signing process.
To verify the authenticity of an image using its digest, you can run the following `cosign` command:
cosign verify IMAGE \
--certificate-identity-regexp="^https://github.com/cloudnative-pg/postgres-containers/" \
--certificate-oidc-issuer="https://token.actions.githubusercontent.com"
For detailed instructions on building PostgreSQL container images, refer to the BUILD.md file.
This software is available under Apache License 2.0.
Copyright The CloudNativePG Contributors.
Barman Cloud is distributed by EnterpriseDB under the GNU GPL 3 License.
PGAudit is distributed under the PostgreSQL License.
Postgres Failover Slots is distributed by EnterpriseDB under the PostgreSQL License.
pgvector is distributed under the PostgreSQL License.
Postgres, PostgreSQL and the Slonik Logo are trademarks or registered trademarks of the PostgreSQL Community Association of Canada, and used with their permission.