The PostgreSQL database is installed directly on the Linux host machine (not as a Docker container).
In a Docker container (built with Docker Compose) I have an application that needs to connect to the database.
The client container needs to be on a Docker bridge network and cannot be on the host network directly, because it needs to reach other containers on the bridge network.
I connect to the Postgres database using the host.docker.internal hostname as described here.
From within that container I can reach the database without a problem that way. But PostgreSQL needs to allow this connection in pg_hba.conf, or else I get the error:
no pg_hba.conf entry for host "172.22.0.3"
Of course I can add that IP address to pg_hba.conf like done here, but that won't give me a very stable solution because the IP address will not always be the same.
What would be the best practice?
Allow all connections from 172.*.*.*?
Or...?
3 Answers
For now I have gone with adding a samenet entry in the pg_hba.conf file. I am not sure if this is the best approach, so I am happy to receive more suggestions.

I'm pretty sure Docker has some DNS service by default, and you can write a hostname to pg_hba.conf instead of an IP address. Postgres tries to resolve those names, but maybe only when reading the conf, so you may need to run
pg_ctlcluster reload
frequently, like on replacing the client container. It's cleaner and more secure if you open Postgres only for those containers that actually need to connect. On the other hand, if the open port is SSL only and password protected, and your other containers can be considered trusted, allowing all of them to connect is not something I would call high risk.

The only good practice is to move PostgreSQL into a container, as if you follow other good practices (like running Docker in rootless mode) your container app is not supposed to access any of your host interfaces.
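To make the trade-offs in the question and the answers above concrete, here is a pg_hba.conf fragment added as an example; it is not from the question or any of the answers. The database name "appdb", the role "appuser" and the bridge subnet 172.22.0.0/16 are assumptions (the question's client address 172.22.0.3 falls inside that subnet; the real one is shown by `docker network inspect <network>`). It places the "allow all of 172.*" option, the samenet option from the first answer, and a scoped rule side by side.

```conf
# pg_hba.conf fragment (added example; names and subnet are assumptions, see lead-in).
# Entries are matched top to bottom and the first matching line decides, so order matters.
#
# TYPE    DATABASE  USER     ADDRESS          METHOD

# Over-broad: the whole 172.0.0.0/8 block, every database, every role, plain TCP
# allowed ("host"), and the legacy md5 method. This is the "172.*.*.*" option.
# host    all       all      172.0.0.0/8      md5

# First answer's approach: any subnet the host has an interface on. Stable, but it
# also admits docker0, every other Compose bridge, and the host's own LAN.
# hostssl all       all      samenet          scram-sha-256

# Scoped rule: one bridge subnet, one database, one role, TLS required ("hostssl"),
# SCRAM instead of md5. Works as long as the Compose network keeps this subnet.
hostssl   appdb     appuser  172.22.0.0/16    scram-sha-256

# Explicit reject for anything else from the RFC 1918 range Docker's default
# address pools draw from, so a permissive line further down cannot match a container.
host      all       all      172.16.0.0/12    reject
```

The scoped rule only stays stable if the subnet does: in docker-compose.yml the network's `ipam.config` list can pin it with `subnet: 172.22.0.0/16`, which removes the "IP address will not always be the same" problem for the subnet even though individual container addresses still move. After editing pg_hba.conf, reload rather than restart (`SELECT pg_reload_conf();` or the pg_ctlcluster reload from the second answer). One caveat on the hostname idea from the second answer: PostgreSQL verifies a hostname entry by reverse-resolving the client IP and then forward-resolving the name back to that IP, and Docker's embedded DNS at 127.0.0.11 is only reachable from inside containers, so a PostgreSQL server installed on the host will normally not be able to resolve container names at all.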