Support PGPASSFILE in docker container #2149

Description

@gnomed

OS
Your OS: Ubuntu

Versions
The db-sync version (eg cardano-db-sync --version): 13.7.2.1
PostgreSQL version: N/A

Build/Install Method
The method you use to build or install cardano-db-sync: docker

Run method
The method you used to run cardano-db-sync (eg Nix/Docker/systemd/none): docker

Problem Report
I am trying to set PGPASSFILE when running the db-sync docker container, but this setting is not being respected.

Honestly, the documentation around how to configure docker seems very incomplete. The docs expect me to set a plain text password in an environment variable (no thanks) and don't actually mention support for PGPASSFILE, but other sections of the docs make vague references to it.

I need to be able to set my postgres password as a file in order to utilize secure docker secrets.

When running db_sync it clearly ignores the PGPASSFILE environment variable and tries to build its own which also fails because I'm not allowing the container to run as root (will be submitting a separate ticket for that issue).

docker inspect output:

    "Env": [
        "NETWORK=preview",
        "PGPASSFILE=/run/secrets/pgpassfile"
    ],

db-sync log output from docker container, this is the complete output from start to finish since the container is bootlooping due to the root user issue:

    mkdir: cannot create directory '/configuration': Permission denied
    /run/secrets
    Generating PGPASS file
    /nix/store/4vdxsjc244jam629fs1h3a288fibzrf0-gen-pgpass: line 11: /run/secrets/postgres_db: No such file or directory
    /nix/store/4vdxsjc244jam629fs1h3a288fibzrf0-gen-pgpass: line 12: /run/secrets/postgres_user: No such file or directory
    /nix/store/4vdxsjc244jam629fs1h3a288fibzrf0-gen-pgpass: line 13: /run/secrets/postgres_password: No such file or directory
    /nix/store/4vdxsjc244jam629fs1h3a288fibzrf0-gen-pgpass: line 14: /configuration/pgpass: No such file or directory
    chmod: cannot access '/configuration/pgpass': No such file or directory
    Connecting to network: preview
    mkdir: cannot create directory 'log-dir': Permission denied

So thanks to the log output I can now see a way to provide the postgres password via file. No idea if this approach for docker secrets can be combined with using environment variables to specify the db name and username.

Overall I think the documentation leaves it pretty much impossible to set up a secure postgres connection via docker without a significant amount of frustration.
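
The log above shows the image's startup script building its own pgpass file from `/run/secrets/postgres_db`, `postgres_user` and `postgres_password` while `PGPASSFILE` goes unused. As an added example (not part of the original report and not the project's code), here is one way an entrypoint could honour `PGPASSFILE` first and fall back to those secret files; the function names and the output-directory argument are assumptions.

```shell
#!/bin/sh
# Added example, not the db-sync image's entrypoint. Function names and the
# OUT_DIR argument are assumptions; the secret file names come from the log.

# Escape one pgpass field: libpq needs "\" and ":" backslash-escaped.
pgpass_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/:/\\:/g'
}

# resolve_pgpass SECRETS_DIR OUT_DIR: print the pgpass path libpq should use.
resolve_pgpass() {
    secrets_dir=$1
    out=$2/pgpass
    if [ -n "${PGPASSFILE:-}" ]; then
        if [ ! -r "$PGPASSFILE" ]; then
            echo "PGPASSFILE=$PGPASSFILE is not readable" >&2
            return 1
        fi
        # libpq ignores a password file with any group/world permission bit.
        case $(stat -Lc '%a' "$PGPASSFILE") in
            ?00) printf '%s\n' "$PGPASSFILE"; return 0 ;;
        esac
        # Too permissive (e.g. a 0444 secret mount): use a private 0600 copy.
        (umask 077; rm -f "$out"; cat "$PGPASSFILE" > "$out") || return 1
        printf '%s\n' "$out"
        return 0
    fi
    # PGPASSFILE unset: build the file from the three per-field secrets.
    for f in postgres_db postgres_user postgres_password; do
        if [ ! -r "$secrets_dir/$f" ]; then
            echo "missing secret: $secrets_dir/$f" >&2
            return 1
        fi
    done
    db=$(pgpass_escape "$(cat "$secrets_dir/postgres_db")")
    user=$(pgpass_escape "$(cat "$secrets_dir/postgres_user")")
    pass=$(pgpass_escape "$(cat "$secrets_dir/postgres_password")")
    # PGHOST/PGPORT are libpq's own variables; "*" is the pgpass wildcard.
    (umask 077; rm -f "$out"
     printf '%s:%s:%s:%s:%s\n' "${PGHOST:-*}" "${PGPORT:-*}" \
         "$db" "$user" "$pass" > "$out") || return 1
    printf '%s\n' "$out"
}

# Usage in an entrypoint (OUT_DIR must be writable by the container user):
#   PGPASSFILE=$(resolve_pgpass /run/secrets /tmp) && export PGPASSFILE
```

The permission check matters with Docker secrets because a secret mounted with group or world read bits is silently skipped by libpq, which looks the same from the outside as `PGPASSFILE` being ignored.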

Labels: bug (Something isn't working)
