I'm aware of the following solution for the no pg_hba.conf entry for host
error: connect to PostgreSQL server: FATAL: no pg_hba.conf entry for host
But I wonder why this error happens when using Postgres environment variable POSTGRES_PASSWORD_FILE
in Docker, and not when setting the password directly with an environment variable such as POSTGRES_PASSWORD
.
Here are the most useful bits of code. If you want to see a complete example, please take a look at this repository.
This version will trigger the error:
services:
database:
image: postgres:10
volumes:
- ./pass/db/db_pass:/run/secrets/db_pass:ro
- data:/var/lib/postgresql/data
environment:
- POSTGRES_PASSWORD_FILE=/run/secrets/db_pass
While this version will work fine:
services:
database:
image: postgres:10
volumes:
- data:/var/lib/postgresql/data
environment:
- POSTGRES_PASSWORD=db_password
The ./pass/db/db_pass
file contains exactly the same password: db_password
.
Basically, the only thing that changes between the two configuration is that setting the password for the database container is 1) done with an environment variable POSTGRES_PASSWORD
and 2) done reading the file pointed by POSTGRES_PASSWORD_FILE
, file which is bind-mounted inside the container as read-only.
If we look at the Postgres' entrypoint, POSTGRES_PASSWORD_FILE
is used to fill POSTGRES_PASSWORD
: https://github.com/docker-library/postgres/blob/master/10/docker-entrypoint.sh#L8-L24.
# usage: file_env VAR [DEFAULT]
# ie: file_env 'XYZ_DB_PASSWORD' 'example'
# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
file_env() {
local var="$1"
local fileVar="${var}_FILE"
local def="${2:-}"
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
exit 1
fi
local val="$def"
if [ "${!var:-}" ]; then
val="${!var}"
elif [ "${!fileVar:-}" ]; then
val="$(< "${!fileVar}")"
fi
export "$var"="$val"
unset "$fileVar"
}
I don't get why then Postgres throws this no pg_hba.conf entry for host
error if the database has been correctly created with the given password.
Looking at the entry point, the configuration should be the exact same, but I verified both with the command docker-compose -f no-file.yml run --rm database /bin/bash -c 'cat $PGDATA/pg_hba.conf'
and the line host all all all md5
does not appear in the configuration using POSTGRES_PASSWORD_FILE
.
Why does the default configuration changes when we make use of the POSTGRES_PASSWORD_FILE
variable, and how to fix this elegantly? Do I have to provide a custom Postgres configuration file as described in https://hub.docker.com/_/postgres/, section "Database configuration"?
Best Answer
It was a permission issue.
My password file had
-rw-------
permissions. Since thedocker-entrypoint.sh
script sets the-e
option, it was exiting early, right after this error, preventing to append thehost all all all md5
line topg_hba.conf
.I added
r
for group and others, as well asr-x
for group and others on its parent directory. That fixed the issue.