34 lines
1.3 KiB
Markdown
34 lines
1.3 KiB
Markdown
# Postgres
|
|
## Set up non-root user for container
|
|
We are providing a non-root user to the container to limit the attack surface for privilege escalations. In order for this to work in our setup, please make sure to check if you have a user called `postgres` set up.
|
|
|
|
1. Check if user `postgres` exists
|
|
|
|
```
|
|
cat /etc/passwd | grep postgres
|
|
```
|
|
In case the `postgres` user doesn't exist, please create the user by running
|
|
```
|
|
sudo useradd postgres
|
|
```
|
|
2. `data` folder ownership
|
|
Also you need to make sure that the `postgres` owner owns the volumes mounted for docker
|
|
```
|
|
sudo chown -R postgres:postgres data
|
|
sudo chmod 770 data
|
|
```
|
|
|
|
3. Adjust compose.yml
|
|
Within `services > postgres > user`, make sure to replare `postgres` with the UID of the user on your machine
|
|
```
|
|
cat /etc/passwd | grep postgres
|
|
```
|
|
|
|
## About secrets
|
|
In order to manage secrets centrally in 1Password and due to the need for secrets in Postgres, using `docker compose` directly in the terminal does not work.
|
|
|
|
## Bring up/tear down container
|
|
Please use the `start.sh` to spin up the container
|
|
### Prerequisites start.sh
|
|
- User executing the script is part of the `docker` group
|
|
- Environment variable `OP_SERVICE_ACCOUNT_TOKEN` is set up \[check out top-level README.md for more information on how to set this up\] |