OS
Your OS: Ubuntu
Versions
The db-sync version (eg cardano-db-sync --version): 13.7.2.1
PostgreSQL version: N/A
Build/Install Method
The method you use to build or install cardano-db-sync: docker
Run method
The method you used to run cardano-db-sync (eg Nix/Docker/systemd/none): docker
Problem Report
I am trying to set PGPASSFILE when running the db-sync docker container, but this setting is not being respected.
Honestly the documentation around how to configure docker seems very incomplete. The docs expect me to set a plain text password in an environment variable (no thanks) and don't actually mention support for PGPASSFILE, but other sections of the docs make vague references to it.
I need to be able to set my postgres password as a file in order to utilize secure docker secrets.
When running db_sync it clearly ignores the PGPASSFILE environment variable and tries to build its own which also fails because I'm not allowing the container to run as root (will be submitting a separate ticket for that issue).
docker inspect output:
"Env": [
"NETWORK=preview",
"PGPASSFILE=/run/secrets/pgpassfile"
],
db-sync log output from docker container, this is the complete output from start to finish since the container is bootlooping due to the root user issue:
mkdir: cannot create directory '/configuration': Permission denied
/run/secrets
Generating PGPASS file
/nix/store/4vdxsjc244jam629fs1h3a288fibzrf0-gen-pgpass: line 11: /run/secrets/postgres_db: No such file or directory
/nix/store/4vdxsjc244jam629fs1h3a288fibzrf0-gen-pgpass: line 12: /run/secrets/postgres_user: No such file or directory
/nix/store/4vdxsjc244jam629fs1h3a288fibzrf0-gen-pgpass: line 13: /run/secrets/postgres_password: No such file or directory
/nix/store/4vdxsjc244jam629fs1h3a288fibzrf0-gen-pgpass: line 14: /configuration/pgpass: No such file or directory
chmod: cannot access '/configuration/pgpass': No such file or directory
Connecting to network: preview
mkdir: cannot create directory 'log-dir': Permission denied
So thanks to the log output I can now see a way to provide the postgres password via file. No idea if this approach for docker secrets can be combined with using environment variables to specify the db name and username.
Overall I think the documentation leaves it pretty much impossible to set up a secure postgres connection via docker without a significant amount of frustration.
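The behaviour requested above, sketched as an added example (this is not the project's gen-pgpass script, and it is not code from the reporter): use a mounted PGPASSFILE when one is supplied, otherwise build a pgpass file from the three secret files named in the log, with owner-only permissions and a clear failure when the output directory is not writable. The function names, the argument order and the host/port arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hypothetical helper, not cardano-db-sync's own entrypoint.

# pgpass fields are colon-separated, so ':' and '\' inside a value
# must be backslash-escaped.
pgpass_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/:/\\:/g'
}

# resolve_pgpass SECRETS_DIR OUT_DIR HOST PORT
# Prints the path of the pgpass file to use; returns non-zero on failure.
resolve_pgpass() {
    secrets_dir=$1; out_dir=$2; host=$3; port=$4

    # 1. A PGPASSFILE supplied by the operator wins; nothing is generated.
    if [ -n "${PGPASSFILE:-}" ] && [ -r "$PGPASSFILE" ]; then
        printf '%s\n' "$PGPASSFILE"
        return 0
    fi

    # 2. Otherwise require all three per-field secret files (names from the log).
    for f in postgres_db postgres_user postgres_password; do
        if [ ! -r "$secrets_dir/$f" ]; then
            echo "missing secret file: $secrets_dir/$f" >&2
            return 1
        fi
    done
    db=$(pgpass_escape "$(cat "$secrets_dir/postgres_db")")
    user=$(pgpass_escape "$(cat "$secrets_dir/postgres_user")")
    pass=$(pgpass_escape "$(cat "$secrets_dir/postgres_password")")

    # 3. Write hostname:port:database:username:password, readable by owner only.
    out="$out_dir/pgpass"
    ( umask 077
      printf '%s:%s:%s:%s:%s\n' "$host" "$port" "$db" "$user" "$pass" > "$out"
    ) 2>/dev/null || { echo "cannot write $out" >&2; return 1; }
    chmod 600 "$out"
    printf '%s\n' "$out"
}

# Usage (constructed values):
#   PGPASSFILE=$(resolve_pgpass /run/secrets /tmp db.internal 5432) && export PGPASSFILE
```

libpq ignores a password file whose permissions allow group or world access, so a PGPASSFILE mounted as a secret needs an owner-only mode and must be readable by the container's non-root user.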