how to get postgres docker container to initialize with scram-sha-256 on any connection?

I’m trying to set a POSTGRES_USER & POSTGRES_PASSWORD with a docker postgres configuration using pg_hba.conf & postgresql.conf files:

docker run --name pg \
-e POSTGRES_USER=myUser \
-e POSTGRES_PASSWORD=myPassword \
-e POSTGRES_DB=myDb \
-v $PWD/pg_hba.conf:/etc/postgresql/pg_hba.conf \
-v $PWD/postgresql.conf:/etc/postgresql/postgresql.conf \
--network data-talk \
-d postgres \
-c config_file=/etc/postgresql/postgresql.conf \
-c hba_file=/etc/postgresql/pg_hba.conf

pg_hba.conf:

# "local" is for Unix domain socket connections only
local   all             all                                     scram-sha-256
# IPv4 local connections:
host    all             all             127.0.0.1/32            scram-sha-256
host    all             all             172.19.0.0/16           scram-sha-256
# IPv6 local connections:
host    all             all             ::1/128                 scram-sha-256
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     scram-sha-256
host    replication     all             127.0.0.1/32            scram-sha-256
host    replication     all             ::1/128                 scram-sha-256
postgresql.conf:

listen_addresses = '*'
password_encryption = 'scram-sha-256'       # md5 or scram-sha-256

From here https://hub.docker.com/_/postgres

Note 1: The PostgreSQL image sets up trust authentication locally so you may notice a password is not required when connecting from localhost (inside the same container). However, a password will be required if connecting from a different host/container.

I want to require a password on any/every connection including local. By changing the pg_hba.conf I thought I could fulfill this request. I am using 172.19.0.0/16 as this is the subnet for the docker network.

When I run the above docker command and check the logs, I find this: psql: error: could not connect to server: FATAL: password authentication failed for user "myUser".

Any idea on how to get this to work? I've also tried

docker run --name pg \
-e POSTGRES_PASSWORD=password \
-v $PWD/pg_hba.conf:/etc/postgresql/pg_hba.conf \
-v $PWD/postgresql.conf:/etc/postgresql/postgresql.conf \
--network data-talk \
-d postgres \
-c config_file=/etc/postgresql/postgresql.conf \
-c hba_file=/etc/postgresql/pg_hba.conf

which runs to completion but errors when I try to log in locally:

$ docker exec -it pg sh
psql -U postgres
Password for user postgres:
psql: error: could not connect to server: FATAL:  password authentication failed for user "postgres"
M.Holmes asked Jun 16 '20 19:06


1 Answer

Following along here https://github.com/docker-library/postgres/blob/master/12/docker-entrypoint.sh#L202 I assume that on first run, while setting up the database, the authentication method is md5, and when it is done the pg_hba.conf file sets it to scram-sha-256, making it unable to authenticate.

By setting POSTGRES_INITDB_ARGS and passing along the params to set the initial auth method to scram-sha-256, the password is set with scram-sha-256 for the initialization of the db, and it just works.

docker run --name pg \
-e POSTGRES_USER=myUser \
-e POSTGRES_PASSWORD=myPassword \
-e POSTGRES_DB=myDb \
-e POSTGRES_INITDB_ARGS="--auth-host=scram-sha-256 --auth-local=scram-sha-256" \
-v $PWD/pg_hba.conf:/etc/postgresql/pg_hba.conf \
-v $PWD/postgresql.conf:/etc/postgresql/postgresql.conf \
--network data-talk \
-d postgres \
-c config_file=/etc/postgresql/postgresql.conf \
-c hba_file=/etc/postgresql/pg_hba.conf

POSTGRES_INITDB_ARGS

This optional environment variable can be used to send arguments to postgres initdb. The value is a space separated string of arguments as postgres initdb would expect them. This is useful for adding functionality like data page checksums: -e POSTGRES_INITDB_ARGS="--data-checksums"

The key here is on initdb.

M.Holmes answered Oct 19 '22 17:10
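Two checks worth running after the switch, as an added example that is not code from the question, the answer, or the postgres image: first, that no rule in the effective pg_hba.conf still uses trust, md5 or password; second, that every role's stored password is a SCRAM verifier. The second check matters because a scram-sha-256 rule in pg_hba.conf only changes how the server verifies a password: a password that was stored as an md5 hash can never pass SCRAM verification, which is the failure in the question. The answer's fix works because initdb, when given --auth-host or --auth-local=scram-sha-256, also writes password_encryption = scram-sha-256 into the postgresql.conf it generates, so the bootstrap password it sets from POSTGRES_PASSWORD is stored as a SCRAM verifier. The sample pg_hba.conf and the rolpassword values below are constructed for the demo (the hash bodies are made up; only the SCRAM-SHA-256$ and md5 prefixes are real). The `host all all all md5` line in the sample is the rule the official image's entrypoint appends to $PGDATA/pg_hba.conf when POSTGRES_HOST_AUTH_METHOD is unset; note that the question's `-c hba_file=` override bypasses that file entirely, so the mounted file is the only one that counts.

```shell
#!/bin/sh
# Added audit helpers (example code, not from the question or the answer).
#  1. weak_hba_rules: report pg_hba.conf rules whose method is not scram-sha-256
#  2. audit_role_hashes: report roles whose stored password is not a SCRAM verifier

# Print every pg_hba.conf rule whose auth method is not scram-sha-256,
# prefixed with its line number. Exit status 1 if any were found, else 0.
weak_hba_rules() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        {
            # The method column depends on the record form:
            #   local  DB USER                 METHOD [options]
            #   host*  DB USER ADDR/CIDR       METHOD [options]
            #   host*  DB USER ADDR  NETMASK   METHOD [options]
            #   host*  DB USER HOSTNAME        METHOD [options]
            if ($1 == "local")
                m = $4
            else if ($4 ~ /\// || $4 == "all" || $4 == "samehost" || $4 == "samenet")
                m = $5
            else if ($5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || ($4 ~ /:/ && $5 ~ /:/))
                m = $6            # address and netmask in separate columns
            else
                m = $5            # hostname form
            if (m != "scram-sha-256") { printf "%d: %s\n", NR, $0; bad++ }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Classify one pg_authid.rolpassword value: scram, md5, none (no password set)
# or unknown.
hash_kind() {
    case $1 in
        'SCRAM-SHA-256$'*) echo scram ;;
        md5*)              echo md5 ;;
        '')                echo none ;;
        *)                 echo unknown ;;
    esac
}

# Read "rolname|rolpassword" lines on stdin, the shape produced by
#   psql -Atc "select rolname||'|'||coalesce(rolpassword,'') from pg_authid"
# and print one "role: kind" line each. Exit status 1 unless every role is scram.
audit_role_hashes() {
    bad=0
    while IFS='|' read -r role pw; do
        [ -n "$role" ] || continue
        kind=$(hash_kind "$pw")
        printf '%s: %s\n' "$role" "$kind"
        [ "$kind" = scram ] || bad=1
    done
    return $bad
}

# Constructed sample pg_hba.conf: the question's rules plus two lines that must
# be caught, including the rule the official image's entrypoint appends to
# $PGDATA/pg_hba.conf when POSTGRES_HOST_AUTH_METHOD is unset.
write_sample_hba() {
    cat > "$1" <<'EOF'
local   all             all                                     scram-sha-256
host    all             all             127.0.0.1/32            scram-sha-256
host    all             all             172.19.0.0/16           scram-sha-256
host    all             all             ::1/128                 scram-sha-256
host    all             all             10.0.0.0 255.0.0.0      trust
local   replication     all                                     scram-sha-256
host    replication     all             127.0.0.1/32            scram-sha-256
# appended by docker-entrypoint.sh when POSTGRES_HOST_AUTH_METHOD is unset
host all all all md5
EOF
}

# Demo on the constructed sample. The rolpassword values are made up; only the
# SCRAM-SHA-256$ and md5 prefixes match what PostgreSQL really stores.
hba=$(mktemp)
write_sample_hba "$hba"
if weak_hba_rules "$hba"; then
    echo "pg_hba.conf: all rules use scram-sha-256"
else
    echo "pg_hba.conf: weak rules found (listed above)"
fi
rm -f "$hba"

if printf '%s\n' \
    'myUser|SCRAM-SHA-256$4096:c2FsdHNhbHQ=$c3RvcmVk$c2VydmVy' \
    'legacy|md5d41d8cd98f00b204e9800998ecf8427e' \
    'nopass|' | audit_role_hashes; then
    echo "pg_authid: every role has a SCRAM verifier"
else
    echo "pg_authid: roles above that are not scram need their password re-set"
fi
```

Against the running container the same functions apply to real data: `weak_hba_rules pg_hba.conf` on the file you mount, and `docker exec -e PGPASSWORD=myPassword pg psql -U myUser -d myDb -Atc "select rolname||'|'||coalesce(rolpassword,'') from pg_authid" | audit_role_hashes` for the stored verifiers (the names match the question's `docker run`; substitute your own). A role that still shows `md5` cannot log in through a scram-sha-256 rule; with `password_encryption = 'scram-sha-256'` in effect, `ALTER ROLE name PASSWORD '...'` re-hashes it as a SCRAM verifier. Neither check talks to the network, so both run offline on the constructed sample.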