Open postgres to listen on the network and enforce protection with a random password #15
Conversation
The create-secrets script has been updated to restrict file permissions to 400, ensuring that the secrets file is only accessible by the owner. This improves the security of the secrets stored in the file.
Why is this change required? The hardcoded password seems valid only for connections coming from the pod's private network. What are the benefits of this change?
In fact, PostgreSQL can currently be contacted only from the host, so I have to install the webserver on the node where postgres is running. I would like to use postgres from any server inside the cluster.
It is the private loopback IP, not the host one. As an alternative to the random password approach, please evaluate the IP-based check. From the podman-run manpage:
The default of private network should already work
This commit updates the PostgreSQL configuration to use the `/var/run/postgresql` directory as the location for the socket file. This change ensures that the socket file is accessible for communication with the PostgreSQL server.
Now we use a unix socket to connect to the database for pgadmin, so no password is needed.
However, POSTGRES_PASSWORD is the only environment variable needed by the container: we cannot create it without one, and we cannot ask the container to generate it randomly itself like the mariadb container does.
imageroot/bin/create-secrets
if [[ ! -f ~/.config/state/secrets/passwords.secret ]]; then
password_postgres=$(/usr/bin/openssl rand -hex 20)
/usr/bin/echo "POSTGRES_PASSWORD=$password_postgres" > ~/.config/state/secrets/passwords.secret
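Review bot: the redirect on the third line creates passwords.secret with the process umask before any later chmod to 400, so with a permissive umask the password is briefly readable by other local users; set `umask 077` in the script before the redirect (or create the file with `install -m 400`) so the file is never created with wider permissions.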
It's an environment file syntax.
/usr/bin/echo "POSTGRES_PASSWORD=$password_postgres" > ~/.config/state/secrets/passwords.secret
/usr/bin/echo "POSTGRES_PASSWORD=$password_postgres" > ~/.config/state/secrets/passwords.env
Is upgrade necessary? Shouldn't existing installations be already hardened?
Upgrade is necessary to change the postgres password from Nethesis,1234 to a random one.
Otherwise you could connect easily, since you know it.
`${TCP_PORT_PGSQL}` is set inside the environment of the module
`IP_of_Node` is the IP running the container, it might be the internal WireGuard IP or the external IP of the node
`IP_of_Node` is the IP running the container, it must be the internal WireGuard IP, for example 10.5.4.1; the port is not opened in the firewall
What is the firewall command required to open that port? Please, make an example.
Without TLS encryption I am not sure opening a TCP port is smart. I could be wrong.
Co-authored-by: Davide Principi <davide.principi@nethesis.it>
These changes improve security by avoiding hardcoded passwords in the service configuration files and allow opening the network TCP port inside the trusted zone.
This pull request includes changes to the postgresql-app.service and pgadmin-app.service files to update them to use secrets for the database password. It also adds a new script, create-secrets, for module initialization. The create-secrets script generates a random password for the PostgreSQL user and stores it in a secrets file. pgadmin connects to the database on a unix socket.
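As an added example, not the project's own create-secrets script, here is a version of the generation step described above that keeps the password unreadable by other local users from the moment the file is created and is safe to re-run on module start. Function names, the fallback to /dev/urandom, and the directory parameter are assumptions; the `passwords.env` name follows the suggestion in the thread.

```shell
#!/usr/bin/env bash
# Added example (hypothetical; not the project's create-secrets script).
# Generates POSTGRES_PASSWORD once, stores it in env-file syntax, keeps it 0400.
set -euo pipefail

# gen_hex: 40 hex characters (160 bits) from openssl, or /dev/urandom if absent.
gen_hex() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 20
    else
        od -An -N20 -tx1 /dev/urandom | tr -d ' \n'
    fi
}

# create_pg_secret SECRETS_DIR
# Writes SECRETS_DIR/passwords.env containing a single POSTGRES_PASSWORD line.
# Idempotent: an existing file is left untouched so the database password does
# not change on every module start. Returns 0 on success.
create_pg_secret() {
    local dir="$1"
    local file="$dir/passwords.env"
    if [[ -f "$file" ]]; then
        return 0
    fi
    mkdir -p "$dir"
    chmod 700 "$dir"
    local pw
    pw=$(gen_hex)
    # Narrow the umask before the redirect creates the file, so there is no
    # window in which the password is readable by group or others.
    ( umask 077; printf 'POSTGRES_PASSWORD=%s\n' "$pw" > "$file" )
    chmod 400 "$file"
}

# read_pg_password SECRETS_DIR: prints the stored password, as a service
# loading the env file would see it.
read_pg_password() {
    local file="$1/passwords.env"
    # shellcheck disable=SC1090
    ( set -a; . "$file"; printf '%s' "$POSTGRES_PASSWORD" )
}
```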