Introduction

Starting from version 1.1, restrictions have been added for connections to the PostgreSQL database from external hosts in high-availability deployments: connections will be allowed only from the addresses on which the NAICE nodes are deployed. In a stand-alone deployment, access to the database from external addresses will be completely blocked.

Authentication of PostgreSQL database clients is controlled by the configuration file named pg_hba.conf, which is located in the database cluster data directory.

HBA stands for host-based authentication.

The pg_hba.conf file defines which addresses are allowed to connect to the database.

General recommendations for the pg_hba.conf contents:

  1. Allow local connections inside the container, which may be used for debugging or troubleshooting.
  2. Allow connections within the container network so that other containers can connect to the database.
  3. Allow external service connections only from the addresses where the NAICE nodes are deployed, in order to ensure normal operation of NAICE in a high-availability deployment.
  4. Allow connections with the credentials used for replication between PostgreSQL cluster nodes.
  5. Deny connections from any other untrusted addresses.

NAICE 1.0 state

The pg_hba.conf file contained a universal configuration and was included in the image by default.

During database deployment, the file was not modified in any way.

File path:

NAICE 1.1 state

The file path inside the container has not changed: /bitnami/repmgr/conf/pg_hba.conf

Deployment of a two-node cluster

The pg_hba.conf file is not included in the image by default.

It is generated during cluster deployment and placed in the following directory: /<NAICE installation directory>/postgres/

At this stage, the current cluster node addresses specified during the NAICE installation are inserted into the file. For more information, refer to: v1.1_3.3 High-availability installation (using VRRP) or v1.1_3.4 High-availability installation (without using VRRP).

Example of the file contents after cluster deployment:

# Passwordless access for the postgres user during authentication only inside the container
# During the first container startup, the postgres user is created without a password; the password is assigned later during initialization
local all postgres trust
host all postgres 127.0.0.1/32 trust

# Local connections inside the container using login/password authentication
local all all scram-sha-256
host all all 127.0.0.1/32 scram-sha-256

# External service connections allowed only from the NAICE cluster node addresses and the VIP address
host all all <IP address of the first NAICE node>/32 scram-sha-256
host all all <IP address of the second NAICE node>/32 scram-sha-256
host all all <VIP address used by the VRRP protocol>/32 scram-sha-256 # Added only for high-availability deployment using VRRP.


# External connections for replication
# Access to the replication database – for physical data replication
# Access to the repmgr database – for replication management using repmgr
# Passwordless access is used because repmgr connects using key-based authentication
host repmgr repmgr <IP address of the first PostgreSQL cluster node>/32 trust
host repmgr repmgr <IP address of the second PostgreSQL cluster node>/32 trust
host replication repmgr <IP address of the first PostgreSQL cluster node>/32 trust
host replication repmgr <IP address of the second PostgreSQL cluster node>/32 trust

# Connections for services running on the same host
host repmgr repmgr samenet scram-sha-256
host replication repmgr samenet scram-sha-256
host all all samenet scram-sha-256

# Block all other connections
host    all             all             0.0.0.0/0               reject

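The ordering of the rules above matters because PostgreSQL applies the first matching line and stops. The following Python is an added example, not NAICE's or PostgreSQL's own code: it parses a pg_hba.conf in the format shown (simplified: plain host/local rules only, no hostssl/hostnossl, quoted values or options) and returns the authentication method PostgreSQL would apply to a given connection. The sample addresses and the 172.18.0.0/16 container subnet used to resolve samenet are constructed assumptions.

```python
import ipaddress

# Constructed sample based on the two-node layout above: 10.0.0.11 stands in for a NAICE
# node, 10.0.0.10 for the VRRP VIP and 10.0.1.21 for a PostgreSQL cluster node.
SAMPLE_PG_HBA = """\
local all postgres trust
host all postgres 127.0.0.1/32 trust
local all all scram-sha-256
host all all 127.0.0.1/32 scram-sha-256
host all all 10.0.0.11/32 scram-sha-256
host all all 10.0.0.10/32 scram-sha-256 # VIP, VRRP deployment only
host repmgr repmgr 10.0.1.21/32 trust
host replication repmgr 10.0.1.21/32 trust
host all all samenet scram-sha-256
host    all             all             0.0.0.0/0               reject
"""

# Assumed container network subnet; "samenet" matches any subnet the server is directly attached to
LOCAL_NETS = [ipaddress.ip_network("172.18.0.0/16")]

def parse_pg_hba(text):
    """Return (type, database, user, address, method) tuples in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if line:
            f = line.split()
            # "local" rules carry no address column
            rules.append((f[0], f[1], f[2], None, f[3]) if f[0] == "local" else tuple(f[:5]))
    return rules

def _addr_matches(rule_addr, ip):
    if rule_addr == "samenet":
        return any(ip in net for net in LOCAL_NETS)
    return ip in ipaddress.ip_network(rule_addr, strict=False)

def _db_matches(rule_db, db):
    # "all" never matches a replication connection; only "replication" does
    return rule_db == "replication" if db == "replication" else rule_db in ("all", db)

def auth_method(rules, conn_type, db, user, client_ip=None):
    """First matching rule wins, as in PostgreSQL; no match means the connection is refused."""
    ip = ipaddress.ip_address(client_ip) if client_ip else None  # required for "host" rules
    for rtype, rdb, ruser, raddr, method in rules:
        if rtype != conn_type or not _db_matches(rdb, db) or ruser not in ("all", user):
            continue
        if rtype == "host" and not _addr_matches(raddr, ip):
            continue
        return method
    return "no-match"
```

A replication connection from an unlisted address ends in no-match rather than reject, because `all` in the final rule does not cover replication connections; PostgreSQL still refuses it, since a connection that matches no line is denied.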

In the docker-compose.repmgr.yml file, the file is mounted explicitly as follows:

    volumes:
      - ./postgres/pg_hba.conf:/bitnami/repmgr/conf/pg_hba.conf:ro

Deployment of a four-node cluster

The operation logic remains the same, with the only difference being the addresses used:

Deployment of a single-node cluster

The pg_hba.conf file contains a universal configuration and is included in the image by default:

# For DB Init
local all postgres trust
host all postgres 127.0.0.1/32 trust

# Local connections inside the container using login/password authentication
local all all scram-sha-256
host all all 127.0.0.1/32 scram-sha-256

# Connections for services running on the same host
host all all samenet scram-sha-256

# Block all other connections
host    all             all             0.0.0.0/0               reject

Update process from 1.0 to 1.1

If the contents of the pg_hba.conf file were not modified and the file was not mounted explicitly while using version 1.0 or earlier, no action is required.

During Ansible playbook operation, the contents of the docker-compose.repmgr.yml and docker-compose.yml files will be updated automatically to match version 1.1.

If the contents of the pg_hba.conf file were modified and the file was mounted explicitly, it is necessary to save the file outside the NAICE installation directory (default: /etc/docker-naice) before starting the update to version 1.1.

After the update, open the new file: /<NAICE installation directory>/postgres/pg_hba.conf, and reapply the previously made changes, if they are still required.

After that, restart the database containers sequentially: first on the second PostgreSQL cluster node, then on the first node:

sudo docker compose -f docker-compose.repmgr.yml stop && sudo docker compose -f docker-compose.repmgr.yml up -d