Container image for PostgreSQL support

The icr.io/ivia/ivia-postgresql image extends the official postgres container image by adding SSL support and the Verify Identity Access schema to the image. This image can be used to quickly deploy a database for use with the Federation and Advanced Access Control offerings of Verify Identity Access.

Instructions on the use of the official postgres container image can be found at: Docker Hub.

Extra environment variables

In addition to the standard postgres environment variables, the icr.io/ivia/ivia-postgresql container image defines the following environment variables:

Table 1. Extra environment variables of the icr.io/ivia/ivia-postgresql image

POSTGRES_SSL_KEYDB
    The name of the SSL file that contains both the SSL server certificate and key (the key must not be protected by a password). This key file must be made available to the container at start-up, usually by placing it in a container volume and making that volume available to the container.

POSTGRES_UNSECURE
    By default unsecure communication with the database server is unavailable. If set to 'true', this environment variable enables unsecure communications with the PostgreSQL server.

POSTGRES_SSL_CN
    If a CN value is supplied, a self-signed certificate for the server is automatically created when the container first starts. The public key is available from the '${PGDATA}/public.pem' file of the running container.

Usage

Quick start

To start a container with the defaults, run the command:

podman run --name ivia-postgresql --detach icr.io/ivia/ivia-postgresql:latest

The following example shows a more complete command that specifies the volumes, ports, and standard environment variables.

podman run --hostname isva.postgresql --name isva.postgresql \
--detach \
--publish 5432:5432 \
--volume /var/lib/postgresql/data \
--env POSTGRES_USER=postgres \
--env POSTGRES_PASSWORD=passw0rd \
--env POSTGRES_DB=isva \
--env POSTGRES_SSL_CN=isva.postgresql \
icr.io/ivia/ivia-postgresql:latest

Security

By default the image automatically generates a TLS certificate when the container is first started. The CN for the certificate is obtained from the POSTGRES_SSL_CN environment variable (if defined), otherwise it is obtained from the container hostname. The generated public key is saved to the '${PGDATA}/public.pem' file within the container.

If you want to enable unsecure communication with the database server, the POSTGRES_UNSECURE environment variable must be set to 'true'.

If you want to provide your own certificate, the public certificate and private key must be placed into a single file (without password protection) and made available to the container during initialization. The location of the key file within the container is defined by the POSTGRES_SSL_KEYDB environment variable.

If you want to create your own self-signed server certificate, you can do so by using OpenSSL. For example,

openssl req -x509 -newkey rsa:4096 \
-keyout postgres.key -out postgres.crt \
-days 365 -nodes \
-subj "/C=AU/ST=Queensland/L=Gold Coast/O=IBM/CN=isva-postgresql"
cat postgres.key postgres.crt > container.pem
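The following script is an added example, not part of the image's own scripts: it carries the steps above through to a usable POSTGRES_SSL_KEYDB file and checks the one thing the image cannot recover from, a password-protected key. The 'certs' directory, the '/certs/container.pem' mount path and the 'isva.postgresql' name are assumptions, and make_keydb needs OpenSSL 1.1.1 or later for -addext.

```shell
#!/bin/sh
# Added example (assumed paths and names): prepare and validate the
# combined key+certificate file that POSTGRES_SSL_KEYDB points at.

# Self-signed server cert with an unencrypted key (-nodes), concatenated
# into one PEM as described above. The SAN lets clients that use
# sslmode=verify-full match the container hostname.
make_keydb() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:4096 -nodes -days 365 \
        -keyout "$dir/postgres.key" -out "$dir/postgres.crt" \
        -subj "/CN=$cn" -addext "subjectAltName=DNS:$cn" 2>/dev/null || return 1
    cat "$dir/postgres.key" "$dir/postgres.crt" > "$dir/container.pem"
    # The container runs as uid 70; make the file readable by that user
    # (chown 70 as root, or fsGroup in Kubernetes) and by nobody else.
    chmod 640 "$dir/container.pem"
}

# Validate a candidate POSTGRES_SSL_KEYDB file: exactly one private key,
# at least one certificate, and no password protection on the key.
# Returns 0 when the file is usable, 1 otherwise.
check_keydb() {
    f="$1"
    [ -r "$f" ] || { echo "missing or unreadable: $f" >&2; return 1; }
    keys=$(grep -c -- '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
    certs=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$f" || true)
    if grep -q 'ENCRYPTED' "$f"; then
        echo "key is password protected; the image cannot load it" >&2
        return 1
    fi
    if [ "$keys" -ne 1 ] || [ "$certs" -lt 1 ]; then
        echo "expected 1 key and >=1 certificate, found $keys/$certs" >&2
        return 1
    fi
    return 0
}

# Print the podman command that mounts the file read-only and tells the
# image where to find it. Replace CHANGE_ME with a real password.
run_command() {
    dir="$1"; cn="$2"
    printf 'podman run --hostname %s --name %s --detach --publish 5432:5432 \\\n' "$cn" "$cn"
    printf '  --volume %s:/certs:ro --env POSTGRES_SSL_KEYDB=/certs/container.pem \\\n' "$dir"
    printf '  --env POSTGRES_PASSWORD=CHANGE_ME icr.io/ivia/ivia-postgresql:latest\n'
}

# Run with --demo to generate the files and print the command.
if [ "${1:-}" = "--demo" ]; then
    make_keydb ./certs isva.postgresql \
        && check_keydb ./certs/container.pem \
        && run_command "$(pwd)/certs" isva.postgresql
fi
```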

User ID

By default the container runs as the 'postgres' (uid: 70) user. If a volume is being used to persist the database, the 'postgres' user must be granted write permission to the volume. In a Kubernetes environment, this action can be achieved by setting the fsGroup field in the deployment yaml file.

License

The Dockerfile and associated scripts are licensed under the Apache License 2.0.

Supported Docker versions

  • This image is officially supported on Docker version v17 and later.
  • Support for older versions is provided on a best-effort basis.

Community support

If you are a licensed IBM customer, you can request support through the official IBM support channel. However, IBM does not support the official postgres container image.

Community support is also available for this image from the DeveloperWorks communities. Both DeveloperWorks Answers and the DeveloperWorks IBM Security Identity and Access Management Forum are vibrant communities.

Supported tags

Table 2. Supported tags

latest
    The newest stable version.

V.R.M.F
    A particular release, of the format {version}.{release}.{modification}.{fixpack}. For example, 11.0.0.0.