update DB instructions in README
continuous-integration/drone/pr: Build is passing

This commit is contained in:
Max Erenberg 2021-08-29 16:58:55 +00:00
parent 01b4412b42
commit 76c1082d4c
1 changed files with 42 additions and 14 deletions


@ -33,14 +33,32 @@ On phosphoric-acid, you will additionally need to create a principal
called `ceod/admin` (remember to addprinc **and** ktadd). called `ceod/admin` (remember to addprinc **and** ktadd).
#### Database #### Database
create superuser `mysql` with password `mysql` **Note**: The instructions below apply to the dev environment only; in
``` production, the DB superusers should be restricted to the host where
mysql -u root the DB is running.
Attach to the coffee container, run `mysql`, and run the following:
CREATE USER 'mysql'@'localhost' IDENTIFIED BY 'mysql';
GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION;
``` ```
modify superuser `postgres` for password authentication and restrict new users CREATE USER 'mysql' IDENTIFIED BY 'mysql';
GRANT ALL PRIVILEGES ON *.* TO 'mysql' WITH GRANT OPTION;
```
(In prod, the superuser should have '@localhost' appended to its name.)
Now open /etc/mysql/mariadb.conf.d/50-server.cnf and comment out the following line:
```
bind-address = 127.0.0.1
```
Then restart MariaDB:
```
systemctl restart mariadb
```
Install PostgreSQL in the container:
```
apt install -y postgresql
```
Modify the superuser `postgres` for password authentication and restrict new users:
``` ```
su postgres su postgres
psql psql
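Review bot: the dev MySQL setup in this hunk stacks three weakenings that the "dev environment only" note does not spell out: `CREATE USER 'mysql' IDENTIFIED BY 'mysql'` with no host part creates `'mysql'@'%'`, the grant is `ALL PRIVILEGES ON *.* ... WITH GRANT OPTION`, and commenting out `bind-address = 127.0.0.1` makes MariaDB listen on every interface, so the result is a network-reachable superuser with a guessable password. The note should state that the coffee container must not be reachable from outside the dev network, and the prod remark "(In prod, the superuser should have '@localhost' appended to its name.)" would be less error-prone written out as the statement to run, e.g. `CREATE USER 'mysql'@'localhost' IDENTIFIED BY '...';` with a real password. Also worth a sentence: `apt install -y postgresql` starts the service immediately with the stock pg_hba.conf, so the hardening below only takes effect at the later `systemctl restart postgresql`.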
@ -49,7 +67,7 @@ ALTER USER postgres WITH PASSWORD 'postgres';
REVOKE ALL ON SCHEMA public FROM public; REVOKE ALL ON SCHEMA public FROM public;
GRANT ALL ON SCHEMA public TO postgres; GRANT ALL ON SCHEMA public TO postgres;
``` ```
create a new `pg_hba.conf` to force password authentication Create a new `pg_hba.conf`:
``` ```
cd /etc/postgresql/<version>/<branch>/ cd /etc/postgresql/<version>/<branch>/
mv pg_hba.conf pg_hba.conf.old mv pg_hba.conf pg_hba.conf.old
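Review bot: `REVOKE ALL ON SCHEMA public FROM public;` and `GRANT ALL ON SCHEMA public TO postgres;` in the context above only affect the database `psql` is connected to (the `postgres` database by default), because schema privileges are per-database; databases created later are cloned from `template1` and keep its default `CREATE` grant on `public` for everyone, so the README should either run these after `\c template1` as well or say which database the restriction is meant for. Separately, `ALTER USER postgres WITH PASSWORD 'postgres';` leaves the password in `~postgres/.psql_history` (and in the server log if statement logging is on); `\password postgres` avoids that. The `cd /etc/postgresql/<version>/<branch>/` step could mention `pg_lsclusters` as the way to find the real values for the placeholders.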
@ -57,23 +75,33 @@ mv pg_hba.conf pg_hba.conf.old
``` ```
# new pg_hba.conf # new pg_hba.conf
# TYPE DATABASE USER ADDRESS METHOD # TYPE DATABASE USER ADDRESS METHOD
local all postgres peer
host all postgres 0.0.0.0/0 md5
local all all peer
host all all localhost md5
local sameuser all md5
host sameuser all 0.0.0.0/0 md5
```
**Warning**: in prod, the postgres user should only be allowed to connect locally,
so the relevant snippet in pg_hba.conf should look something like
```
local all postgres md5 local all postgres md5
host all postgres localhost md5 host all postgres localhost md5
host all postgres 0.0.0.0/0 reject host all postgres 0.0.0.0/0 reject
host all postgres ::/0 reject host all postgres ::/0 reject
local sameuser all md5
host sameuser all 0.0.0.0/0 md5
host sameuser all ::/0 md5
``` ```
Add the following to postgresql.conf:
``` ```
# modified postgresql.conf listen_addresses = '*'
# listen_addresses = 'localhost'
listen_address = '*'
``` ```
Now restart PostgreSQL:
``` ```
systemctl restart postgresql systemctl restart postgresql
``` ```
users can login remotely but superusers (`postgres` and `mysql`) are only allowed to login from the database host **In prod**, users can login remotely but superusers (`postgres` and `mysql`) are only
allowed to login from the database host.
#### Mailman #### Mailman
You should create the following mailing lists from the mail container: You should create the following mailing lists from the mail container:
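Review bot: the dev `pg_hba.conf` line `host all postgres 0.0.0.0/0 md5`, together with `listen_addresses = '*'`, exposes the superuser (password `postgres`, set a few lines up) to every host that can reach the container, which is exactly what the prod warning in this hunk forbids; for dev it would be safer to keep the prod shape (`reject` for `postgres` from non-local addresses) and only relax it where remote superuser access is actually needed. The dev file also has no `::/0` entries while the prod snippet does, so IPv6 clients are silently rejected in dev; make the two consistent. Two smaller points: `md5` is the legacy method and PostgreSQL supports `scram-sha-256` (the default `password_encryption` since version 14), so a freshly written file could use it throughout; and since `pg_hba.conf` is first-match-wins, the prod snippet depends on the `postgres` `reject` lines preceding the `sameuser` lines, which holds here but deserves a comment so a later edit does not reorder them. The old typo `listen_address` is correctly fixed to `listen_addresses`; because postgresql.conf takes the last occurrence of a setting, appending works, but editing the existing commented `#listen_addresses = 'localhost'` line in place is cleaner.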