kopia lustrzana https://github.com/kartoza/docker-postgis
update readme and expose ssl certificates to be used with docker secrets
rodzic
c07305b85c
commit
d64d2dcff0
71
README.md
71
README.md
|
@ -9,15 +9,17 @@ Visit our page on the docker hub at: https://hub.docker.com/r/kartoza/postgis/
|
|||
There are a number of other docker postgis containers out there. This one
|
||||
differentiates itself by:
|
||||
|
||||
* provides ssl support out of the box
|
||||
* provides ssl support out of the box and enforces ssl client connections
|
||||
* connections are restricted to the docker subnet
|
||||
* a default database 'gis' is created for you so you can use this container 'out of the
|
||||
box' when it runs with e.g. QGIS
|
||||
* replication support included
|
||||
* Streaming replication and logical replication support included (turned off by default)
|
||||
* Ability to create multiple database when you spin the database.
|
||||
* Enable multiple extensions in the database when setting it up
|
||||
* Gdal drivers automatically registered for pg raster
|
||||
* Support for out-of-db rasters
|
||||
* Ability to create multiple schemas when spinning the database.
|
||||
* Enable multiple extensions in the database when setting it up.
|
||||
* Gdal drivers automatically registered for pg raster.
|
||||
* Support for out-of-db rasters.
|
||||
|
||||
|
||||
We will work to add more security features to this container in the future with
|
||||
the aim of making a PostGIS image that is ready to be used in a production
|
||||
|
@ -90,20 +92,28 @@ and `IMAGE_VARIANT` (=slim) which can be used to control the base image used
|
|||
(but it still needs to be Debian based and have PostgreSQL official apt repo).
|
||||
|
||||
For example making Ubuntu 20.04 based build (for better arm64 support)
|
||||
First build the base image using instructions in the folder `base_build` using the
|
||||
build script from [Kartoza base image builds](https://github.com/kartoza/docker-postgis/blob/develop/base_build/build.sh)
|
||||
|
||||
Then build the `PostGIS Image` to match the base build
|
||||
Edit the `.env` file to change the build arguments
|
||||
|
||||
```
|
||||
docker build --build-arg DISTRO=ubuntu --build-arg IMAGE_VERSION=focal --build-arg IMAGE_VARIANT="" -t kartoza/postgis .
|
||||
DISTRO=ubuntu
|
||||
IMAGE_VERSION=focal
|
||||
IMAGE_VARIANT=""
|
||||
```
|
||||
|
||||
Then run the script
|
||||
|
||||
```
|
||||
./build.sh
|
||||
```
|
||||
|
||||
|
||||
#### Locales
|
||||
|
||||
By default, the image build will include **all** `locales` to cover any value for `locale` settings such as `DEFAULT_COLLATION`, `DEFAULT_CTYPE` or `DEFAULT_ENCODING`.
|
||||
|
||||
You can safely delete all `locales` except for the ones you need in `scripts/locale.gen`. This will speed up the build considerably.
|
||||
You can use the build argument: `GENERATE_ALL_LOCALE=0`
|
||||
|
||||
This will build with the default locate and speed up the build considerably.
|
||||
|
||||
### Environment variables
|
||||
|
||||
|
@ -126,7 +136,7 @@ You need to specify different empty directory, like this
|
|||
-e DEFAULT_ENCODING="UTF8" \
|
||||
-e DEFAULT_COLLATION="id_ID.utf8" \
|
||||
-e DEFAULT_CTYPE="id_ID.utf8" \
|
||||
-e --auth="md5" \
|
||||
-e PASSWORD_AUTHENTICATION="md5" \
|
||||
-e INITDB_EXTRA_ARGS="<some more initdb command args>"
|
||||
```
|
||||
|
||||
|
@ -140,7 +150,7 @@ If the container uses an existing cluster, it is ignored (for example, when the
|
|||
* `DEFAULT_COLLATION`: cluster collation
|
||||
* `DEFAULT_CTYPE`: cluster ctype
|
||||
* `WAL_SEGSIZE`: WAL segsize option
|
||||
* `--auth` : PASSWORD AUTHENTICATION
|
||||
* `PASSWORD_AUTHENTICATION` : PASSWORD AUTHENTICATION
|
||||
* `INITDB_EXTRA_ARGS`: extra parameter that will be passed down to `initdb` command
|
||||
|
||||
In addition to that, we have another parameter: `RECREATE_DATADIR` that can be used to force database reinitializations.
|
||||
|
@ -282,7 +292,8 @@ in conjunction with Docker secrets, as passwords can be loaded from `/run/secret
|
|||
|
||||
For more information see [https://docs.docker.com/engine/swarm/secrets/](https://docs.docker.com/engine/swarm/secrets/).
|
||||
|
||||
Currently, `POSTGRES_PASS`, `POSTGRES_USER` and `POSTGRES_DB` are supported.
|
||||
Currently, `POSTGRES_PASS`, `POSTGRES_USER`, `POSTGRES_DB`, `SSL_CERT_FILE`,
|
||||
`SSL_KEY_FILE`, `SSL_CA_FILE` are supported.
|
||||
|
||||
|
||||
## Running the container
|
||||
|
@ -297,7 +308,7 @@ docker run --name "postgis" -p 25432:5432 -d -t kartoza/postgis
|
|||
|
||||
## Convenience docker-compose.yml
|
||||
|
||||
For convenience we have provided a ``docker-compose.yml`` that will run a
|
||||
For convenience, we provide a ``docker-compose.yml`` that will run a
|
||||
copy of the database image and also our related database backup image (see
|
||||
[https://github.com/kartoza/docker-pg-backup](https://github.com/kartoza/docker-pg-backup)).
|
||||
|
||||
|
@ -337,11 +348,13 @@ sudo apt-get install postgresql-client-12
|
|||
|
||||
|
||||
In some instances users want to run some SQL scripts to populate the
|
||||
database. Since the environment variable POSTGRES_DB allows
|
||||
database. The environment variable POSTGRES_DB allows
|
||||
us to specify multiple database that can be created on startup.
|
||||
When running scripts they will only be executed against the
|
||||
first database ie POSTGRES_DB=gis,data,sample
|
||||
The SQL script will be executed against the gis database. Additionally, a lock file is generated in `/docker-entrypoint-initdb.d`, which will prevent the scripts from getting executed after the first container startup. Provide `IGNORE_INIT_HOOK_LOCKFILE=true` to execute the scripts on _every_ container start.
|
||||
The SQL script will be executed against the `gis` database. Additionally, a lock file is generated in
|
||||
`/docker-entrypoint-initdb.d`, which will prevent the scripts from getting executed after the first
|
||||
container startup. Provide `IGNORE_INIT_HOOK_LOCKFILE=true` to execute the scripts on _every_ container start.
|
||||
|
||||
Currently, you can pass `.sql` , `.sql.gz` and `.sh` files as mounted volumes.
|
||||
|
||||
|
@ -408,6 +421,14 @@ If you are using the default certificates provided by the image when connecting
|
|||
to the database you will need to set `SSL Mode` to any value besides
|
||||
`verify-full` or `verify-ca`
|
||||
|
||||
The pg_hba.con will have entries like:
|
||||
```
|
||||
hostssl all all 0.0.0.0/0 scram-sha-256 clientcert=0
|
||||
```
|
||||
|
||||
where `PASSWORD_AUTHENTICATION=scram-sha-256` and `ALLOW_IP_RANGE=0.0.0.0/0`
|
||||
|
||||
|
||||
### Forced SSL with Certificate Exchange: using SSL certificates signed by a certificate authority
|
||||
|
||||
When setting up the database you need to define the following environment variables.
|
||||
|
@ -428,6 +449,14 @@ need to copy the `SSL_CA_FILE` file to the location `/home/$user/.postgresql/roo
|
|||
or define an environment variable pointing to location of the `SSL_CA_FILE`
|
||||
example: `PGSSLROOTCERT=/etc/letsencrypt/root.crt`
|
||||
|
||||
The pg_hba.con will have entries like:
|
||||
```
|
||||
hostssl all all 0.0.0.0/0 cert
|
||||
```
|
||||
|
||||
where `ALLOW_IP_RANGE=0.0.0.0/0`
|
||||
|
||||
|
||||
#### SSL connection inside the docker container using openssl certificates
|
||||
|
||||
|
||||
|
@ -485,7 +514,7 @@ categorize an instance of the container as `master` or `replicant`. A `master`
|
|||
instance means that a particular container has a role as a single point of
|
||||
database write. A `replicant` instance means that a particular container will
|
||||
mirror database content from a designated master. This replication scheme allows
|
||||
us to sync databases. However a `replicant` is only for read-only transaction, thus
|
||||
us to sync databases. However, a `replicant` is only for read-only transaction, thus
|
||||
we can't write new data to it. The whole database cluster will be replicated.
|
||||
|
||||
#### Database permissions
|
||||
|
@ -497,7 +526,7 @@ with the following SQL assuming the ${REPLICATION_USER} is called replicator
|
|||
ALTER DEFAULT PRIVILEGES IN SCHEMA data GRANT SELECT ON TABLES TO replicator;
|
||||
|
||||
|
||||
**NB** You need to setup a strong password for replication otherwise the
|
||||
**NB** You need to set up a strong password for replication otherwise the
|
||||
default password for ${REPLICATION_USER} will default to `replicator`
|
||||
|
||||
To experiment with the replication abilities, you can see a [docker-compose.yml](sample/replication/docker-compose.yml)
|
||||
|
@ -544,7 +573,7 @@ command to run both master and slave services.
|
|||
make up
|
||||
```
|
||||
|
||||
To shutdown services, execute:
|
||||
To shut down services, execute:
|
||||
|
||||
```
|
||||
make down
|
||||
|
@ -621,7 +650,7 @@ Other docker images might have a few missing features than the ones in the
|
|||
latest image. We mainly do not back port changes to current stable images that are being
|
||||
used in production. However, if you feel that some changes included
|
||||
in the latest tagged version of the image are essential for the previous image
|
||||
you can cherry pick the changes against that specific branch and we will
|
||||
you can cherry-pick the changes against that specific branch and we will
|
||||
test and merge.
|
||||
|
||||
### Support
|
||||
|
|
|
@ -22,6 +22,10 @@ create_dir ${SSL_DIR}
|
|||
chmod -R 0700 ${SSL_DIR}
|
||||
chown -R postgres ${SSL_DIR}
|
||||
|
||||
# Docker secrets for certificates
|
||||
file_env 'SSL_CERT_FILE'
|
||||
file_env 'SSL_KEY_FILE'
|
||||
file_env 'SSL_CA_FILE'
|
||||
|
||||
# Needed under debian, wasn't needed under ubuntu
|
||||
mkdir -p ${PGSTAT_TMP}
|
||||
|
|
Ładowanie…
Reference in New Issue