update DB instructions in README
continuous-integration/drone/pr Build is passing
This commit is contained in:
parent
01b4412b42
commit
76c1082d4c
56
README.md
@ -33,14 +33,32 @@ On phosphoric-acid, you will additionally need to create a principal
|
||||||
called `ceod/admin` (remember to addprinc **and** ktadd).
|
called `ceod/admin` (remember to addprinc **and** ktadd).
|
||||||
|
|
||||||
#### Database
|
#### Database
|
||||||
create superuser `mysql` with password `mysql`
|
**Note**: The instructions below apply to the dev environment only; in
|
||||||
```
|
production, the DB superusers should be restricted to the host where
|
||||||
mysql -u root
|
the DB is running.
|
||||||
|
|
||||||
|
Attach to the coffee container, run `mysql`, and run the following:
|
||||||
|
|
||||||
CREATE USER 'mysql'@'localhost' IDENTIFIED BY 'mysql';
|
|
||||||
GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION;
|
|
||||||
```
|
```
|
||||||
modify superuser `postgres` for password authentication and restrict new users
|
CREATE USER 'mysql' IDENTIFIED BY 'mysql';
|
||||||
|
GRANT ALL PRIVILEGES ON *.* TO 'mysql' WITH GRANT OPTION;
|
||||||
|
```
|
||||||
|
(In prod, the superuser should have '@localhost' appended to its name.)
|
||||||
|
|
||||||
|
Now open /etc/mysql/mariadb.conf.d/50-server.cnf and comment out the following line:
|
||||||
|
```
|
||||||
|
bind-address = 127.0.0.1
|
||||||
|
```
|
||||||
|
Then restart MariaDB:
|
||||||
|
```
|
||||||
|
systemctl restart mariadb
|
||||||
|
```
|
||||||
|
|
||||||
|
Install PostgreSQL in the container:
|
||||||
|
```
|
||||||
|
apt install -y postgresql
|
||||||
|
```
|
||||||
|
Modify the superuser `postgres` for password authentication and restrict new users:
|
||||||
```
|
```
|
||||||
su postgres
|
su postgres
|
||||||
psql
|
psql
|
||||||
|
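Review bot: the new `CREATE USER 'mysql' IDENTIFIED BY 'mysql';` line drops the host part, so the account is created as `'mysql'@'%'`; combined with `GRANT ALL PRIVILEGES ON *.* TO 'mysql' WITH GRANT OPTION;` and the instruction to comment out `bind-address = 127.0.0.1`, this leaves a superuser with a well-known password reachable from any host that can route to the container. The "**Note**" and the "(In prod, the superuser should have '@localhost' appended to its name.)" parenthetical carry the intent, but the parenthetical should say what the omission actually means (the `%` wildcard host), and the production guidance should be to set `bind-address` to the DB host's own address rather than to remove the directive. Minor: "Install PostgreSQL in the container:" does not say which container; the MariaDB steps name the coffee container, so name it here too if it is the same one.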
@ -49,7 +67,7 @@ ALTER USER postgres WITH PASSWORD 'postgres';
|
||||||
REVOKE ALL ON SCHEMA public FROM public;
|
REVOKE ALL ON SCHEMA public FROM public;
|
||||||
GRANT ALL ON SCHEMA public TO postgres;
|
GRANT ALL ON SCHEMA public TO postgres;
|
||||||
```
|
```
|
||||||
create a new `pg_hba.conf` to force password authentication
|
Create a new `pg_hba.conf`:
|
||||||
```
|
```
|
||||||
cd /etc/postgresql/<version>/<branch>/
|
cd /etc/postgresql/<version>/<branch>/
|
||||||
mv pg_hba.conf pg_hba.conf.old
|
mv pg_hba.conf pg_hba.conf.old
|
||||||
|
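Review bot: the rewritten sentence "Create a new `pg_hba.conf`:" loses the purpose the old line stated ("to force password authentication"), and the file that follows no longer does only that, since it mixes `peer` for local connections with `md5` for network ones; say so here, e.g. "Create a new `pg_hba.conf` that uses peer authentication locally and passwords over the network:". In the unchanged `cd /etc/postgresql/<version>/<branch>/` line, the second path component is the cluster name (`main` on a default Debian/Ubuntu install), so `<cluster>` would be the clearer placeholder.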
@ -57,23 +75,33 @@ mv pg_hba.conf pg_hba.conf.old
|
||||||
```
|
```
|
||||||
# new pg_hba.conf
|
# new pg_hba.conf
|
||||||
# TYPE DATABASE USER ADDRESS METHOD
|
# TYPE DATABASE USER ADDRESS METHOD
|
||||||
|
local all postgres peer
|
||||||
|
host all postgres 0.0.0.0/0 md5
|
||||||
|
|
||||||
|
local all all peer
|
||||||
|
host all all localhost md5
|
||||||
|
|
||||||
|
local sameuser all md5
|
||||||
|
host sameuser all 0.0.0.0/0 md5
|
||||||
|
```
|
||||||
|
**Warning**: in prod, the postgres user should only be allowed to connect locally,
|
||||||
|
so the relevant snippet in pg_hba.conf should look something like
|
||||||
|
```
|
||||||
local all postgres md5
|
local all postgres md5
|
||||||
host all postgres localhost md5
|
host all postgres localhost md5
|
||||||
host all postgres 0.0.0.0/0 reject
|
host all postgres 0.0.0.0/0 reject
|
||||||
host all postgres ::/0 reject
|
host all postgres ::/0 reject
|
||||||
local sameuser all md5
|
|
||||||
host sameuser all 0.0.0.0/0 md5
|
|
||||||
host sameuser all ::/0 md5
|
|
||||||
```
|
```
|
||||||
|
Add the following to postgresql.conf:
|
||||||
```
|
```
|
||||||
# modified postgresql.conf
|
listen_addresses = '*'
|
||||||
# listen_addresses = 'localhost'
|
|
||||||
listen_address = '*'
|
|
||||||
```
|
```
|
||||||
|
Now restart PostgreSQL:
|
||||||
```
|
```
|
||||||
systemctl restart postgresql
|
systemctl restart postgresql
|
||||||
```
|
```
|
||||||
users can login remotely but superusers (`postgres` and `mysql`) are only allowed to login from the database host
|
**In prod**, users can login remotely but superusers (`postgres` and `mysql`) are only
|
||||||
|
allowed to login from the database host.
|
||||||
|
|
||||||
#### Mailman
|
#### Mailman
|
||||||
You should create the following mailing lists from the mail container:
|
You should create the following mailing lists from the mail container:
|
||||||
|
|
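Review bot: the new postgresql.conf snippet replaces the correct `listen_addresses = '*'` with `listen_address = '*'`; PostgreSQL has no parameter of that name, so the following `systemctl restart postgresql` will fail with an unrecognized configuration parameter error. Restore the plural spelling. In the new pg_hba.conf, records are matched top to bottom and the first match wins, so `local all all peer` already catches every local connection and the later `local sameuser all md5` line is never reached; drop it, or move it above `local all all peer` if password authentication for local sameuser connections is actually intended. The dev block also has no IPv6 record while the prod block adds `::/0` lines; unmatched connections are denied, so this is safe, but a sentence saying so would spare readers on IPv6 networks some confusion.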