diff --git a/postgres/content.md b/postgres/content.md index 60d61c4f8c35..577483485059 100644 --- a/postgres/content.md +++ b/postgres/content.md @@ -53,11 +53,11 @@ The PostgreSQL image uses several environment variables which are easy to miss. ### `POSTGRES_PASSWORD` -This environment variable is recommended for you to use the PostgreSQL image. This environment variable sets the superuser password for PostgreSQL. The default superuser is defined by the `POSTGRES_USER` environment variable. +This environment variable is normally required for you to use the PostgreSQL image. This environment variable sets the superuser password for PostgreSQL. The default superuser is defined by the `POSTGRES_USER` environment variable. Note 1: The PostgreSQL image sets up `trust` authentication locally so you may notice a password is not required when connecting from `localhost` (inside the same container). However, a password will be required if connecting from a different host/container. -Note 2: This variable defines the superuser password in the PostgreSQL instance, as set by the `initdb` script during inital container startup. It has no effect on the `PGPASSWORD` environment variable that may be used by the `psql` client at runtime, as described at [https://www.postgresql.org/docs/10/static/libpq-envars.html](https://www.postgresql.org/docs/10/static/libpq-envars.html). `PGPASSWORD`, if used, will be specified as a separate environment variable. +Note 2: This variable defines the superuser password in the PostgreSQL instance, as set by the `initdb` script during initial container startup. It has no effect on the `PGPASSWORD` environment variable that may be used by the `psql` client at runtime, as described at [https://www.postgresql.org/docs/10/static/libpq-envars.html](https://www.postgresql.org/docs/10/static/libpq-envars.html). `PGPASSWORD`, if used, will be specified as a separate environment variable. ### `POSTGRES_USER` @@ -77,6 +77,18 @@ This optional environment variable can be used to define another location for th **Note:** on PostgreSQL 9.x, this variable is `POSTGRES_INITDB_XLOGDIR` (reflecting [the changed name of the `--xlogdir` flag to `--waldir` in PostgreSQL 10+](https://wiki.postgresql.org/wiki/New_in_postgres_10#Renaming_of_.22xlog.22_to_.22wal.22_Globally_.28and_location.2Flsn.29)). +### `POSTGRES_HOST_AUTH_METHOD` + +This optional variable can be used to control the `auth-method` for `host` connections for `all` databases, `all` users, and `all` addresses. If unspecified then [`md5` password authentication](https://www.postgresql.org/docs/current/auth-password.html) is used. On an uninitialized database, this will populate `pg_hba.conf` via this approximate line: + +```console +echo "host all all all $POSTGRES_HOST_AUTH_METHOD" >> pg_hba.conf +``` + +It is not recommended to use [`trust`](https://www.postgresql.org/docs/current/auth-trust.html) since it allows anyone to connect without a password, even if one is set (like via `POSTGRES_PASSWORD`). + +See the PostgreSQL documentation on [`pg_hba.conf`](https://www.postgresql.org/docs/current/auth-pg-hba-conf.html) for more information about possible values and their meanings. + ### `PGDATA` This optional variable can be used to define another location - like a subdirectory - for the database files. The default is `/var/lib/postgresql/data`, but if the data volume you're using is a filesystem mountpoint (like with GCE persistent disks), Postgres `initdb` recommends a subdirectory (for example `/var/lib/postgresql/data/pgdata` ) be created to contain the data. @@ -131,13 +143,13 @@ There are many ways to set PostgreSQL server configuration. For information on w $ # customize the config $ # run postgres with custom config - $ docker run -d --name some-postgres -v "$PWD/my-postgres.conf":/etc/postgresql/postgresql.conf %%IMAGE%% -c 'config_file=/etc/postgresql/postgresql.conf' + $ docker run -d --name some-postgres -v "$PWD/my-postgres.conf":/etc/postgresql/postgresql.conf -e POSTGRES_PASSWORD=mysecretpassword %%IMAGE%% -c 'config_file=/etc/postgresql/postgresql.conf' ``` - Set options directly on the run line. The entrypoint script is made so that any options passed to the docker command will be passed along to the `postgres` server daemon. From the [docs](https://www.postgresql.org/docs/current/static/app-postgres.html) we see that any option available in a `.conf` file can be set via `-c`. ```console - $ docker run -d --name some-postgres %%IMAGE%% -c 'shared_buffers=256MB' -c 'max_connections=200' + $ docker run -d --name some-postgres -e POSTGRES_PASSWORD=mysecretpassword %%IMAGE%% -c 'shared_buffers=256MB' -c 'max_connections=200' ``` ## Locale Customization @@ -165,11 +177,11 @@ As of [docker-library/postgres#253](https://github.com/docker-library/postgres/p The main caveat to note is that `postgres` doesn't care what UID it runs as (as long as the owner of `/var/lib/postgresql/data` matches), but `initdb` *does* care (and needs the user to exist in `/etc/passwd`): ```console -$ docker run -it --rm --user www-data %%IMAGE%% +$ docker run -it --rm --user www-data -e POSTGRES_PASSWORD=mysecretpassword %%IMAGE%% The files belonging to this database system will be owned by user "www-data". ... -$ docker run -it --rm --user 1000:1000 %%IMAGE%% +$ docker run -it --rm --user 1000:1000 -e POSTGRES_PASSWORD=mysecretpassword %%IMAGE%% initdb: could not look up effective user ID 1000: user does not exist ``` @@ -180,7 +192,7 @@ The three easiest ways to get around this: 2. bind-mount `/etc/passwd` read-only from the host (if the UID you desire is a valid user on your host): ```console - $ docker run -it --rm --user "$(id -u):$(id -g)" -v /etc/passwd:/etc/passwd:ro %%IMAGE%% + $ docker run -it --rm --user "$(id -u):$(id -g)" -v /etc/passwd:/etc/passwd:ro -e POSTGRES_PASSWORD=mysecretpassword %%IMAGE%% The files belonging to this database system will be owned by user "jsmith". ... ``` @@ -189,7 +201,7 @@ The three easiest ways to get around this: ```console $ docker volume create pgdata - $ docker run -it --rm -v pgdata:/var/lib/postgresql/data %%IMAGE%% + $ docker run -it --rm -v pgdata:/var/lib/postgresql/data -e POSTGRES_PASSWORD=mysecretpassword %%IMAGE%% The files belonging to this database system will be owned by user "postgres". ... ( once it's finished initializing successfully and is waiting for connections, stop it ) @@ -222,7 +234,7 @@ The Docker documentation is a good starting point for understanding the differen 2. Start your `%%IMAGE%%` container like this: ```console - $ docker run --name some-%%REPO%% -v /my/own/datadir:/var/lib/postgresql/data -d %%IMAGE%%:tag + $ docker run --name some-%%REPO%% -v /my/own/datadir:/var/lib/postgresql/data -e POSTGRES_PASSWORD=mysecretpassword -d %%IMAGE%%:tag ``` The `-v /my/own/datadir:/var/lib/postgresql/data` part of the command mounts the `/my/own/datadir` directory from the underlying host system as `/var/lib/postgresql/data` inside the container, where PostgreSQL by default will write its data files.