1

The PostgreSQL database is installed directly on the Linux host machine (not as a Docker container).

In a docker container (built with docker compose) I have an application that needs to connect to the database.

The client container needs to be on a docker bridge network and cannot be on the host network directly because it needs to reach other containers on the bridge network.

I connect to the Postgres database using the host.docker.internal hostname as described here.

From within that container I can reach the database no problem that way. But PostgreSQL needs to allow this connection in pg_hba.conf or else I get the error:

no pg_hba.conf entry for host "172.22.0.3"

Of course I can add that IP address to pg_hba.conf like done here but that won't give me a very stable solution because the IP address will not always be the same.

What would be the best practice? Allow all connections from 172...* ? Or...?

Sebastian

3 Answers

0

I'm pretty sure Docker has some DNS service by default, and you can write a hostname in pg_hba.conf instead of an IP address. Postgres tries to resolve those names, but maybe only when reading the conf, so you may need to run pg_ctlcluster reload frequently, like on replacing the client container.

It's cleaner and more secure if you open Postgres only for those containers that actually need to connect. On the other hand, if the open port is SSL only and password protected, and your other containers can be considered trusted, allowing all of them to connect is not something I would call high risk.

n3ko
  • The DNS features are for sure available when you are on the bridge network, but how do you get it to work from the host? I have the network for the container configured as: `services: app: networks: net: aliases: - backend` And then on the bottom of the yaml file: `networks: net: external: true name: my_network` – Sebastian Nov 10 '22 at 16:28
  • You are right, I somehow missed the first paragraph. So will you move the db to a container? I think I would do that. – n3ko Nov 10 '22 at 16:50
0

The only good practice is to move PostgreSQL into a container, as if you follow other good practices (like running Docker in rootless mode) your container app is not supposed to access any of your host interfaces.

Inopsek
  • Thanks for your answer. As far as I can google, opinions differ regarding running databases in Docker for production. Anyhow, that's not relevant here but just wanted to mention it. – Sebastian Nov 10 '22 at 15:57
  • Regarding the topic of postgres itself on docker also this could be an interesting read: https://www.docker.com/blog/how-to-use-the-postgres-docker-official-image/ check the section `Can you deploy Postgres containers in production?` – Sebastian Nov 11 '22 at 19:16
0

For now I have gone with adding a samenet entry in the pg_hba.conf file. I am not sure if this is the best approach so I am happy to receive more suggestions.

# to enable local docker connections:
host    all             all             samenet         md5
Sebastian
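An added example, not code from any of the posts or from PostgreSQL: a small model of how the address column of pg_hba.conf is matched, comparing the `samenet` entry above with an entry pinned to the Docker bridge subnet. The interface names, the LAN subnet and the /16 prefixes are constructed assumptions (the thread only shows the client address 172.22.0.3), and the model handles only the `samenet`/`all` keywords and CIDR addresses, ignoring the database, user and connection-type columns.

```python
import ipaddress

# Constructed sample: subnets the PostgreSQL host is directly attached to.
# Interface names and prefixes are assumptions; the page only shows 172.22.0.3.
HOST_NETWORKS = {
    "eth0": "192.168.1.0/24",          # office/LAN side
    "docker0": "172.17.0.0/16",        # default Docker bridge
    "br-my_network": "172.22.0.0/16",  # bridge the app container sits on
}

SAMENET_HBA = "host    all    all    samenet          md5"
PINNED_HBA = "host    all    all    172.22.0.0/16    md5"

def expand_address(field, host_networks):
    """Networks matched by a pg_hba.conf address field (keyword or CIDR only)."""
    if field == "samenet":
        # samenet: any address in a subnet the server is directly connected to
        return [ipaddress.ip_network(n) for n in host_networks.values()]
    if field == "all":
        return [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
    return [ipaddress.ip_network(field, strict=False)]

def host_records(hba_text):
    """Yield (address, method) for host* records, skipping comments and blanks."""
    for line in hba_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 5 and parts[0].startswith("host"):
            yield parts[3], parts[4]

def auth_method_for(hba_text, client_ip, host_networks=HOST_NETWORKS):
    """Method of the first record whose address matches client_ip, else None."""
    ip = ipaddress.ip_address(client_ip)
    for address, method in host_records(hba_text):
        if any(ip in net for net in expand_address(address, host_networks)):
            return method
    return None  # PostgreSQL would answer: no pg_hba.conf entry for host ...

if __name__ == "__main__":
    for name, hba in (("samenet", SAMENET_HBA), ("pinned", PINNED_HBA)):
        for ip in ("172.22.0.3", "172.17.0.2", "192.168.1.50"):
            print(f"{name:8} {ip:14} -> {auth_method_for(hba, ip)}")
```

With `samenet`, clients on every attached subnet (including the LAN) reach password authentication; the pinned entry admits only the one bridge, which stays stable if that network is created with a fixed subnet.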