I'm trying to allow a connection from one Docker container to a postgres container by specifying the host name of the client container in the server's pg_hba.conf file. Postgres's documentation indicates that a host name can be specified, rather than an IP address. Since I'm using Docker Compose to start the two containers, they should be accessible to each other by container name using Docker Compose's DNS. I don't want to open up all IP addresses for security reasons, and when I eventually add access for additional containers, it will be much easier to just specify the container name in the pg_hba.conf file rather than assign static IP addresses to each of them. However, when I attempt to do this, it fails with a message such as this:

psql: FATAL: no pg_hba.conf entry for host "192.168.208.3", user "postgres", database "postgres", SSL off

Here's a minimum reproducible example of what I'm trying to do:

I use the following Docker Compose file:

version: '3'
services:
  postgresdb:
    image: postgres:9.4
    container_name: postgres-server
    ports:
      - "5432:5432"
    volumes:
      - "postgres-data:/var/lib/postgresql/data"
  postgres-client:
    image: postgres:9.4
    container_name: postgres-client
    depends_on:
      - postgresdb  # depends_on takes the service name, not the container_name

volumes:
  postgres-data:

After running docker-compose up, I exec into the server container and modify the pg_hba.conf file in /var/lib/postgresql/data to look like this:

host all postgres postgres-client trust

I then restart the postgres server (docker-compose down then docker-compose up) and it loads the modified pg_hba.conf from the mounted volume.

I exec into the client container and attempt to connect to the postgres server:

docker exec -it postgres-client /bin/bash
psql -U postgres -h postgres-server postgres

This is where I get an error such as the following:

psql: FATAL:  no pg_hba.conf entry for host "192.168.208.3", user "postgres", database "postgres", SSL off

I can't seem to find anything online that shows how to get this working. I've found examples where they just open up all or a range of IP addresses, but none where they get the use of a host name working. Here are some related questions and information:

Any ideas on how to get this working the way I would expect it to work using Docker Compose?

lightningWhite
  • does the hostname `postgres-client` actually resolve in your container's DNS lookup? – richyen Feb 11 '20 at 19:11
  • @richyen Yes, it does: `# ping postgres-client PING postgres-client (172.25.0.3) 56(84) bytes of data. 64 bytes from postgres-client.postgreshostresolution_default (172.25.0.3): icmp_seq=1 ttl=64 time=0.128 ms` – lightningWhite Feb 11 '20 at 19:46

1 Answer

You need to add the fully qualified host name of the client container in pg_hba.conf.

host all postgres postgres-client.<network_name> trust

e.g.:

host all postgres postgres-client.postgreshostresolution_default trust

If no network has been defined, network_name is <project_name>_default. By default, project_name is the folder the docker-compose.yml resides in.

To get the network names you may also call

docker inspect postgres-client | grep Networks -A1

or

docker network ls

to get a list of all Docker networks currently defined on your Docker host.

Jan Dev
  • Nice! This works. `your_container_name.your_network_name` – RicHincapie Feb 11 '21 at 16:04
  • Not working for me. I get `Client IP address resolved to "my-container.my-network", forward lookup not checked`. And then get `no pg_hba.conf entry for host "192.168.112.3", user "myuser", database "postgres", SSL off`. The only way it works is if I add `192.168.0.0/16` and explicitly specify it to allow connecting from. Which is not as nice. – Andrius Mar 26 '23 at 08:04
  • @Andrius in your example the `pg_hba.conf` file must look like `host all myuser my-container.my-network trust`. Does it look like that? – Jan Dev Mar 31 '23 at 21:25
  • @JanDev yes. It looks like that – Andrius Apr 01 '23 at 12:10
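
An added example, not part of the question or the answer above: a Python model of how PostgreSQL matches a host name in the pg_hba.conf address field (reverse lookup of the client IP, name comparison, then a forward lookup that must lead back to the same IP), which is why the short name fails and the network-qualified name works. The function names and the sample DNS records are constructed for illustration; calling `hba_host_matches` without the sample resolvers inside the server container uses live DNS.

```python
import socket

def reverse_name(ip):
    """Reverse-resolve the client IP (live DNS; run inside the server container)."""
    return socket.getnameinfo((ip, 0), socket.NI_NAMEREQD)[0]

def forward_addrs(name):
    """Forward-resolve a host name to the set of addresses it maps to."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}

def hba_host_matches(entry, client_ip, reverse=reverse_name, forward=forward_addrs):
    """Return (matched, reason) for a host name in the pg_hba.conf address field."""
    try:
        rname = reverse(client_ip)
    except OSError as exc:
        return False, f"reverse lookup failed: {exc}"
    r, e = rname.lower(), entry.lower()
    # A leading dot means suffix match; otherwise the whole name must be equal.
    name_ok = (len(r) > len(e) and r.endswith(e)) if e.startswith(".") else r == e
    if not name_ok:
        return False, f"reverse lookup gave {rname!r}, entry says {entry!r}"
    try:
        addrs = forward(rname)
    except OSError as exc:
        return False, f"forward lookup failed: {exc}"
    # The forward lookup must lead back to the client, or a forged PTR could match.
    if client_ip not in addrs:
        return False, f"{rname!r} resolves to {sorted(addrs)}, not {client_ip}"
    return True, f"{rname!r} and {client_ip} resolve to each other"

# Constructed sample records, modelled on the names in this thread.
SAMPLE_PTR = {"172.25.0.3": "postgres-client.postgreshostresolution_default"}
SAMPLE_A = {"postgres-client.postgreshostresolution_default": {"172.25.0.3"}}

def sample_reverse(ip):
    if ip not in SAMPLE_PTR:
        raise OSError("no PTR record")
    return SAMPLE_PTR[ip]

def sample_forward(name):
    if name not in SAMPLE_A:
        raise OSError("name not found")
    return SAMPLE_A[name]

if __name__ == "__main__":
    for entry in ("postgres-client",
                  "postgres-client.postgreshostresolution_default",
                  ".postgreshostresolution_default"):
        print(entry, "->", hba_host_matches(entry, "172.25.0.3",
                                            sample_reverse, sample_forward))
```

If the reverse name printed for a client is not the name written in pg_hba.conf, the entry is skipped and the server falls through to the "no pg_hba.conf entry for host" error shown in the question.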