orchestracities/ngsi-timeseries-api

Allow setting the pg_user in Docker image for timescale container

Opened this issue · 2 comments

Is your feature request related to a problem? Please describe.
We have to use the postgres user for the db since the Docker image doesn't allow setting the user.

Describe the solution you'd like
In https://github.com/orchestracities/ngsi-timeseries-api/blob/master/timescale-container/quantumleap-db-setup.py#L133 the python script has the option of setting the user, it would just need to pass this parameter as env. variable in the Dockerfile like --pg-user "$PG_USER"

Describe alternatives you've considered
We will use the postgres user for now but since we have multiple tenants in one external db, it would be more secure and nicer to have dedicated users.

Additional context
The user specified in PG_USER would need elevated rights like CREATE_DATABASE, as I would guess. Please correct me if this is not a viable solution, I would just assume it's a simple option considering that it's implemented in the python script setting up the database.

c0c0n3 commented

hi @valluwtf :-)

> the Docker image doesn't allow setting the user

You're referring to the images we use in our docker compose files, I'd guess? It looks like you could actually whip together your own Docker Compose file with a recent Postgres image and specify the Postgres user through the POSTGRES_USER env var:

> the python script has the option of setting the user, it would just need to pass this parameter as env. variable in the Dockerfile like

Not sure I understand what you're suggesting---old age, don't judge :-) Can you give me a bit more context? Are you trying to use the QuantumLeap Postgres init container? If so, is this the Docker file you're referring to:

Yes, there's no option for the user there, but keep in mind you could easily override the default Docker command in the Docker file with e.g. this one

python quantumleap-db-setup.py \
        --ql-db-pass "$QL_DB_PASS" \
        --ql-db-init-dir "$QL_DB_INIT_DIR" \
        --pg-host "$PG_HOST" \
        --pg-pass "$PG_PASS" \
        --pg-username "$PG_USER"

Surely, it'd be nicer to add that option to the Docker file, but it'd need to be done in a backward compatible way. That is, if the PG_USER env var is unset or empty, then don't add the --pg-username "$PG_USER" to the command.

Anyhoo, we welcome pull requests!
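
The backward-compatible behaviour described in the comment above, sketched as an added example (not code from this thread or from the project's Dockerfile): a wrapper function that appends `--pg-username` only when `PG_USER` is set and non-empty. The function name `ql_db_setup` and its `--dry-run` mode are hypothetical; the flags and env var names are the ones quoted in the comment.

```shell
#!/bin/sh
# Added example: hypothetical entrypoint helper for the init container.
# Flags and env vars are those shown in the comment above; the function
# name and the --dry-run switch are assumptions made for illustration.

ql_db_setup() {
    mode=${1:-run}

    # Base command: identical to what runs today when PG_USER is not used.
    set -- python quantumleap-db-setup.py \
        --ql-db-pass "$QL_DB_PASS" \
        --ql-db-init-dir "$QL_DB_INIT_DIR" \
        --pg-host "$PG_HOST" \
        --pg-pass "$PG_PASS"

    # Unset and empty PG_USER are treated the same: no flag is added, so
    # existing deployments keep their current behaviour.
    if [ -n "${PG_USER:-}" ]; then
        # Quoted so the value always stays a single argument and can never
        # be split into extra options for the script.
        set -- "$@" --pg-username "$PG_USER"
    fi

    if [ "$mode" = "--dry-run" ]; then
        # Print the final argv, one argument per line, without running it.
        printf '%s\n' "$@"
    else
        exec "$@"
    fi
}
```

Calling `ql_db_setup --dry-run` with the env vars set prints the argument list that would be executed, which makes it easy to confirm the flag is absent for deployments that never set `PG_USER`.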

c0c0n3 commented

@valluwtf forgot to mention. If all you need to do is create the QuantumLeap DB, then you may be better off not using the init container. In fact, all that the script inside the container does is run this SQL code

which you could actually easily do yourself, e.g. by asking psql to evaluate this SQL

CREATE ROLE quantumleap
    LOGIN PASSWORD 'changeme';

CREATE DATABASE quantumleap
    OWNER quantumleap
    ENCODING 'UTF8';

\connect quantumleap

CREATE EXTENSION IF NOT EXISTS postgis CASCADE;
CREATE EXTENSION IF NOT EXISTS timescaledb CASCADE;