docker and postgres: using password_file leads to no pg_hba.conf entry for host
Problem
I'm aware of the following solution for the `no pg_hba.conf entry for host` error: connect to PostgreSQL server: FATAL: no pg_hba.conf entry for host

But I wonder why this error happens when using Postgres environment variable `POSTGRES_PASSWORD_FILE` in Docker, and not when setting the password directly with an environment variable such as `POSTGRES_PASSWORD`.

Here are the most useful bits of code. If you want to see a complete example, please take a look at this repository.

This version will trigger the error:

```
services:
  database:
    image: postgres:10
    volumes:
      - ./pass/db/db_pass:/run/secrets/db_pass:ro
      - data:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD_FILE=/run/secrets/db_pass
```

While this version will work fine:

```
services:
  database:
    image: postgres:10
    volumes:
      - data:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=db_password
```

The `./pass/db/db_pass` file contains exactly the same password: `db_password`.

Basically, the only thing that changes between the two configurations is that setting the password for the database container is 1) done with an environment variable `POSTGRES_PASSWORD` and 2) done reading the file pointed to by `POSTGRES_PASSWORD_FILE`, which is bind-mounted inside the container as read-only.

If we look at the Postgres entrypoint, `POSTGRES_PASSWORD_FILE` is used to fill `POSTGRES_PASSWORD`: https://github.com/docker-library/postgres/blob/master/10/docker-entrypoint.sh#L8-L24.

```
# usage: file_env VAR [DEFAULT]
#    ie: file_env 'XYZ_DB_PASSWORD' 'example'
# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
#  "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
file_env() {
	local var="$1"
	local fileVar="${var}_FILE"
	local def="${2:-}"
	if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
		echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
		exit 1
	fi
	local v
```
Solution
It was a permission issue.

```
database_1 | /usr/local/bin/docker-entrypoint.sh: line 19: /run/secrets/db_pass: Permission denied
```

My password file had `-rw-------` permissions. Since the `docker-entrypoint.sh` script sets the `-e` option, it was exiting early, right after this error, preventing the `host all all all md5` line from being appended to `pg_hba.conf`.

I added `r` for group and others, as well as `r-x` for group and others on its parent directory. That fixed the issue.

Context
StackExchange Database Administrators Q#204937, answer score: 3
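
The failure mode the answer describes, as an added example that is not part of the original post or the postgres image's entrypoint: `run_init` is a constructed stand-in for an init script running under `set -e`, and `others_can_read` is a hypothetical preflight for the mode bits the answer changed. A missing file stands in for the unreadable one, because a run as root would bypass mode bits.

```shell
#!/bin/sh
# Added example. run_init is a constructed stand-in for an entrypoint's init
# path, not the postgres image's script; all function names are hypothetical.

# run_init SECRET_FILE HBA_FILE
# Uses a separate shell process so `set -e` applies as in a standalone script.
run_init() {
    sh -c '
        set -e
        password="$(cat "$1")"               # failed read: script exits here
        echo "host all all all md5" >> "$2"  # not reached after a failed read
    ' init "$1" "$2" 2>/dev/null
}

# hba_has_host_rule HBA_FILE: true if the catch-all host rule was appended.
hba_has_host_rule() {
    grep -q '^host all all all md5$' "$1"
}

# others_can_read FILE: mode-bit preflight only (ownership is not checked).
# True if "others" have r on FILE and r-x on its parent directory.
others_can_read() {
    fmode=$(ls -ld -- "$1" | cut -c8-10)
    dmode=$(ls -ld -- "$(dirname -- "$1")" | cut -c8-10)
    case "$fmode" in r??) ;; *) return 1 ;; esac
    case "$dmode" in r?x|r?t) ;; *) return 1 ;; esac
}

# Demo on constructed files in a temporary directory.
demo() {
    d=$(mktemp -d)
    printf 'db_password\n' > "$d/db_pass"
    chmod 600 "$d/db_pass"
    : > "$d/hba_ok"
    : > "$d/hba_fail"
    run_init "$d/db_pass" "$d/hba_ok" && echo "readable secret: init completed"
    # A missing path stands in for "Permission denied": root ignores mode bits.
    run_init "$d/absent" "$d/hba_fail" || echo "failed read: init aborted"
    hba_has_host_rule "$d/hba_fail" || echo "no host rule was written"
    others_can_read "$d/db_pass" || echo "db_pass is not readable by others"
    rm -rf "$d"
}
demo
```

`others_can_read` looks only at the "others" bits; a secret file owned by the uid the container process runs as is readable at `-rw-------` and is outside what this check covers.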