update DB instructions in README
Max Erenberg 2021-08-29 16:58:55 +00:00
parent 01b4412b42
commit 76c1082d4c
1 changed files with 42 additions and 14 deletions


@ -33,14 +33,32 @@ On phosphoric-acid, you will additionally need to create a principal
called `ceod/admin` (remember to addprinc **and** ktadd).
#### Database
create superuser `mysql` with password `mysql`
```
mysql -u root
**Note**: The instructions below apply to the dev environment only; in
production, the DB superusers should be restricted to the host where
the DB is running.
Attach to the coffee container, run `mysql`, and run the following:
CREATE USER 'mysql'@'localhost' IDENTIFIED BY 'mysql';
GRANT ALL PRIVILEGES ON *.* TO 'mysql'@'localhost' WITH GRANT OPTION;
```
modify superuser `postgres` for password authentication and restrict new users
CREATE USER 'mysql' IDENTIFIED BY 'mysql';
GRANT ALL PRIVILEGES ON *.* TO 'mysql' WITH GRANT OPTION;
```
(In prod, the superuser should have '@localhost' appended to its name.)
Now open /etc/mysql/mariadb.conf.d/50-server.cnf and comment out the following line:
```
bind-address = 127.0.0.1
```
Then restart MariaDB:
```
systemctl restart mariadb
```
Install PostgreSQL in the container:
```
apt install -y postgresql
```
Modify the superuser `postgres` for password authentication and restrict new users:
```
su postgres
psql
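Review bot: the dev account created with `CREATE USER 'mysql' IDENTIFIED BY 'mysql';` has no host part, so it is `'mysql'@'%'`, and the same hunk then has the reader comment out `bind-address = 127.0.0.1`, which makes MariaDB listen on every interface of the coffee container; the combination is a `GRANT ALL PRIVILEGES ON *.* ... WITH GRANT OPTION` superuser with a one-word password reachable from any network the container is attached to, not only from the other dev containers. The new **Note** covers production but says nothing about this dev exposure; suggest either scoping the host part to the dev network (for example `'mysql'@'<dev-subnet>'`) or binding MariaDB to the container's own address instead of removing the line, and saying which of the two the dev setup relies on. Also, `run \`mysql\`` replaces the old `mysql -u root`; that works when the command is run as root inside the container via unix_socket authentication, so the text should state that it must be run as root.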
@ -49,7 +67,7 @@ ALTER USER postgres WITH PASSWORD 'postgres';
REVOKE ALL ON SCHEMA public FROM public;
GRANT ALL ON SCHEMA public TO postgres;
```
create a new `pg_hba.conf` to force password authentication
Create a new `pg_hba.conf`:
```
cd /etc/postgresql/<version>/<branch>/
mv pg_hba.conf pg_hba.conf.old
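Review bot: `cd /etc/postgresql/<version>/<branch>/` calls the second path component a branch, but on Debian and Ubuntu that directory is the cluster name, `main` for the default cluster created by `apt install -y postgresql`; suggest `<version>/<cluster>/` or spelling out `/etc/postgresql/<version>/main/` so the reader does not go looking for a branch. The reworded lead-in `Create a new \`pg_hba.conf\`:` is an improvement over the old `to force password authentication`, which overstated what the file does.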
@ -57,23 +75,33 @@ mv pg_hba.conf pg_hba.conf.old
```
# new pg_hba.conf
# TYPE DATABASE USER ADDRESS METHOD
local all postgres peer
host all postgres 0.0.0.0/0 md5
local all all peer
host all all localhost md5
local sameuser all md5
host sameuser all 0.0.0.0/0 md5
```
**Warning**: in prod, the postgres user should only be allowed to connect locally,
so the relevant snippet in pg_hba.conf should look something like
```
local all postgres md5
host all postgres localhost md5
host all postgres 0.0.0.0/0 reject
host all postgres ::/0 reject
local sameuser all md5
host sameuser all 0.0.0.0/0 md5
host sameuser all ::/0 md5
```
Add the following to postgresql.conf:
```
# modified postgresql.conf
# listen_addresses = 'localhost'
listen_address = '*'
listen_addresses = '*'
```
Now restart PostgreSQL:
```
systemctl restart postgresql
```
users can login remotely but superusers (`postgres` and `mysql`) are only allowed to login from the database host
**In prod**, users can login remotely but superusers (`postgres` and `mysql`) are only
allowed to login from the database host.
#### Mailman
You should create the following mailing lists from the mail container:
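Review bot: both the dev `pg_hba.conf` and the prod snippet in the **Warning** use `md5` on every password-authenticated line; PostgreSQL 10 and later support `scram-sha-256`, and with `md5` the hash stored in `pg_authid` is itself enough to authenticate, so anyone who reads that table can log in, whereas a SCRAM verifier is not. Suggest `scram-sha-256` in both snippets and, because `ALTER USER postgres WITH PASSWORD 'postgres';` earlier in the file hashes with whatever `password_encryption` is set to at the time, setting `password_encryption = scram-sha-256` in postgresql.conf before that step. The `listen_address` to `listen_addresses` fix is correct: the misspelled name is not a recognised parameter and the server would refuse to start on the next `systemctl restart postgresql`. One detail in the prod snippet: once `local all postgres md5` replaces `peer`, the `su postgres` then `psql` step above will prompt for the password, which deserves a sentence in the Warning.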