lefilament/ansible_role_odoo_docker

Access to database via SSH tunnel

ni-ka opened this issue · 2 comments

ni-ka commented

Hi @remi-filament,

Welcome back and thanks for updating the repos and ansible-galaxy. I would like to suggest another change:

I have seen the parameter odoo_remote_db_access, however, when this parameter is not set, what do you think about publishing the port to the local interface only? This way you can use an SSH tunnel to access the database, which is well supported by many tools.

        ports:
            - "127.0.0.1:5432:5432"

Cheers
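The difference between a loopback binding such as `127.0.0.1:5432:5432` and a bare `5432:5432` is easy to miss in a compose file, so here is an added check (example code, not part of this issue or of the role) that parses Docker's short port syntax and flags any database port published on a non-loopback interface. The compose entries and the set of database ports are constructed for the example.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Constructed docker-compose "ports:" entries for this example (not from the role).
SAMPLE_COMPOSE_PORTS = [
    "127.0.0.1:5432:5432",  # loopback only: reachable from outside via an SSH tunnel
    "5432:5432",            # no host IP: Docker binds to 0.0.0.0, i.e. all interfaces
    "0.0.0.0:5433:5432",    # explicitly public
    "[::1]:5434:5432/tcp",  # IPv6 loopback
    "8069:8069",            # Odoo web port, not a database port
]
DB_PORTS = {5432}  # container-side ports treated as database ports

class PortMapping(NamedTuple):
    host_ip: Optional[str]
    host_port: Optional[str]
    container_port: str
    protocol: str

# Docker short syntax: [host_ip:][host_port:]container_port[/protocol]; ports may be ranges.
_PORT_RE = re.compile(
    r"^(?:(?P<ip>\[[^\]]+\]|\d{1,3}(?:\.\d{1,3}){3}):)?"
    r"(?:(?P<host>\d+(?:-\d+)?):)?(?P<container>\d+(?:-\d+)?)"
    r"(?:/(?P<proto>tcp|udp|sctp))?$"
)

def parse_mapping(spec: str) -> PortMapping:
    m = _PORT_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unrecognised port mapping: {spec!r}")
    ip = m.group("ip").strip("[]") if m.group("ip") else None
    if ip is not None:
        ipaddress.ip_address(ip)  # reject malformed addresses early
    return PortMapping(ip, m.group("host"), m.group("container"), m.group("proto") or "tcp")

def is_loopback_only(mapping: PortMapping) -> bool:
    """True only when the host side is explicitly bound to a loopback address."""
    if mapping.host_ip is None:
        return False  # no address given: Docker publishes on 0.0.0.0 by default
    return ipaddress.ip_address(mapping.host_ip).is_loopback

def covers_db_port(container_port: str) -> bool:
    lo, _, hi = container_port.partition("-")
    return any(int(lo) <= p <= int(hi or lo) for p in DB_PORTS)

def find_exposed_db_ports(specs):
    """Return the specs that publish a database port on a non-loopback interface."""
    return [s for s in specs
            if covers_db_port(parse_mapping(s).container_port)
            and not is_loopback_only(parse_mapping(s))]
```

Running `find_exposed_db_ports(SAMPLE_COMPOSE_PORTS)` reports the bare `5432:5432` and the `0.0.0.0` entry; note that Docker installs its own iptables rules for published ports, so a host firewall such as ufw does not protect a port published on all interfaces.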

remi-filament commented

Hi @ni-ka, I will for sure not allow this kind of port forwarding on any of the servers we maintain (I am afraid that by getting direct write access to DB from local client, we could cause irreversible injuries to DB). Also this means that I would need to allow TCP forwarding over SSH (which is disabled by default here: https://github.com/lefilament/ansible_role_init_server/blob/9282a6c20cb57337167a3a034f6c9dac200cb67d/templates/sshd_config.j2#L3)

This also raises a number of extra questions: should we modify pg_hba.conf to increase security?
When you have more than one Odoo instance running (prod, test, and sometimes preprod, validation), should we expose all of them? On which ports (we would need separate ports on host)?

I believe that if you do not disable TCP forwarding in sshd config you can already connect to your DB using the IP address of the DB container in your local forwarding command, no?
For instance:

        ssh -L 5432:172.29.0.2:5432 user@server

Let me know your thoughts !

ni-ka commented

Hi @remi-filament, thanks for the detailed answer! Yeah, I see now how this does not make much sense given the different instances and it's much better to use your suggestion.

One thing I will note, I didn't have to change any SSH forwarding and was able to create SSH tunnels, so not sure that is working as supposed or it's something different on my setup.

Thanks again!