chore(sdk): use PostgreSQL's Docker Hardened Image

endersonmaia · endersonmaia · commit 3fc5f8633f9c · 2026-01-15T15:05:22.000-03:00
Using trivy to scan vulnerabilities in Docker images, we found that:

BEFORE    : Total: 139  (UNKNOWN: 4, LOW: 99, MEDIUM: 31, HIGH: 5, CRITICAL: 0)
AFTER     : Total: 78   (UNKNOWN: 5, LOW: 69, MEDIUM:  3, HIGH: 1, CRITICAL: 0)
diff --git a/packages/sdk/Dockerfile b/packages/sdk/Dockerfile
@@ -1,6 +1,7 @@
 # syntax=docker.io/docker/dockerfile:1
 ARG CARTESI_BASE_IMAGE
-ARG POSTGRES_BASE_IMAGE
+ARG POSTGRES_BASE_BUILD_IMAGE
+ARG POSTGRES_BASE_RUNTIME_IMAGE
 ARG NODE_VERSION
 
 ################################################################################
@@ -169,7 +170,7 @@ USER cartesi
 
 ################################################################################
 # postgresql initdb
-FROM ${POSTGRES_BASE_IMAGE} AS postgresql-initdb
+FROM ${POSTGRES_BASE_BUILD_IMAGE} AS postgresql-initdb
 
 ARG DEBIAN_FRONTEND=noninteractive
 RUN <<EOF
@@ -202,8 +203,12 @@ RUN /usr/local/bin/docker-ensure-initdb.sh postgres
 
 ################################################################################
 # rollups-database image
-FROM ${POSTGRES_BASE_IMAGE} AS rollups-database
-COPY --from=postgresql-initdb /var/lib/postgresql/data /var/lib/postgresql/data
+FROM ${POSTGRES_BASE_RUNTIME_IMAGE} AS rollups-database
+ARG POSTGRES_MAJOR_VERSION
+COPY --from=postgresql-initdb \
+    --chown=postgres:postgres \
+    --chmod=750 \
+    /var/lib/postgresql/data /var/lib/postgresql/${POSTGRES_MAJOR_VERSION}/data
 
 ################################################################################
 # alto build
diff --git a/packages/sdk/docker-bake.hcl b/packages/sdk/docker-bake.hcl
@@ -20,7 +20,9 @@ target "default" {
     NITRO_VERSION                     = "8c376d4a5baa7f32999620f9fe3eb51ca8e0dcbc" # v0.5
     NODE_VERSION                      = "24.12.0"
     NVM_VERSION                       = "977563e97ddc66facf3a8e31c6cff01d236f09bd" # 0.40.3
-    POSTGRES_BASE_IMAGE               = "docker.io/library/postgres:17-trixie@sha256:4ad49a4ba70130eab1de69bdd7a212d9c711e7410f10e1a23aae41a325b95093"
+    POSTGRES_MAJOR_VERSION            = "17"
+    POSTGRES_BASE_BUILD_IMAGE         = "docker.io/library/postgres:17-trixie@sha256:4ad49a4ba70130eab1de69bdd7a212d9c711e7410f10e1a23aae41a325b95093"
+    POSTGRES_BASE_RUNTIME_IMAGE       = "dhi.io/postgres:17-debian13@sha256:26f948cfcce91d18beef8193e61fdae529650b462e644916e9ab433261602cef"
     SQUASHFS_TOOLS_VERSION            = "bad1d213ab6df587d6fa0ef7286180fbf7b86167" # 4.7.4
     SU_EXEC_VERSION                   = "0.3"
     XGENEXT2_VERSION                  = "1.5.6"
