Docker image for PostgreSQL support

Docker image for PostgreSQL support

The ibmcom/verify-access-postgresql image extends the official postgres Docker image by adding SSL support and the ISAM schema to the image. This image can be used to quickly deploy a database for use with the Federation and Advanced Access Control offerings of ISAM.
Instructions on the use of the official postgres Docker image can be found at: Docker Hub.
Additional environment variables

In addition to the standard postgres environment variables, the ibmcom/verify-access-postgresql Docker image defines the following environment variables:

Name Description

POSTGRES_SSL_KEYDB The name of the SSL file that contains both the SSL server certificate and key (the key should not be protected by a password). This key file must be made available to the Docker container at start-up. This is usually achieved by placing the key file in a Docker volume and making this volume available to the container.

POSTGRES_UNSECURE By default unsecure communication with the database server is disabled. If set to the value of 'true', this environment variable will enable unsecure communications with the PostgreSQL server.

POSTGRES_SSL_CN If a CN value is supplied, a self-signed certificate for the server will be automatically created when the container first starts. The public key will be available from the '${PGDATA}/public.pem' file of the running container.

Usage

Quick start
To start a container with the defaults, execute the command:
docker run --name isva-postgresql --detach ibmcom/verify-access-postgresql:latest

However, a more complete command, which would specify the volumes, ports and standard environment variables, could be:
docker run --hostname isva.postgresql --name isva.postgresql \ --detach \ --publish 5432:5432 \ --volume /var/lib/postgresql/data \ --env POSTGRES_USER=postgres \ --env POSTGRES_PASSWORD=passw0rd \ --env POSTGRES_DB=isva \ --env POSTGRES_SSL_CN=isva.postgresql \ ibmcom/verify-access-postgresql:latest

Security
By default the image will automatically generate a TLS certificate when the container is first started. The CN for the certificate is obtained from the POSTGRES_SSL_CN environment variable (if defined), otherwise it will be obtained from the container hostname. The generated public key will be saved to the '${PGDATA}/public.pem' file within the container.
To enable unsecure communication with the database server the POSTGRES_UNSECURE environment variable should be set to 'true'.
To provide our own certificate the public certificate and private key should be placed into a single file (without password protection) and made available to the container during initialization. The location of the key file within the container is defined by the POSTGRES_SSL_KEYDB environment variable.
To create our own self-signed server certificate, we can do so using OpenSSL. For example:
openssl req -x509 -newkey rsa:4096 \ -keyout postgres.key -out postgres.crt \ -days 365 -nodes \ -subj "/C=AU/ST=Queensland/L=Gold Coast/O=IBM/CN=isva-postgresql" cat postgres.key postgres.crt > container.pem

User ID
By default the container runs as the 'postgres' (uid: 70) user. If a volume is being used to persist the database, the 'postgres' user must be granted write permission to the volume. In a Kubernetes environment this can be achieved by setting the fsGroup field in the deployment yaml file.
License

The Dockerfile and associated scripts are licensed under the Apache License 2.0 license.
Supported Docker versions

This image is officially supported on Docker version v17 and later.
Support for older versions is provided on a best-effort basis.

Community support

If we are a licensed IBM customer, we can request support through the official IBM support channel. However, IBM does not provide support for the official postgres Docker image.
Community support is also available for this image via the DeveloperWorks communities. Both DeveloperWorks Answers and the DeveloperWorks IBM Security Identity and Access Management Forum are vibrant communities.
Supported tags

Tag Purpose

latest The latest stable version.

V.R.M.F A particular release, of the format: {version}.{release}.{modfication}.{fixpack}. For example, 10.0.0.0

Parent topic: Docker support
Related information

https://hub.docker.com/

Name	Description
POSTGRES_SSL_KEYDB	The name of the SSL file that contains both the SSL server certificate and key (the key should not be protected by a password). This key file must be made available to the Docker container at start-up. This is usually achieved by placing the key file in a Docker volume and making this volume available to the container.
POSTGRES_UNSECURE	By default unsecure communication with the database server is disabled. If set to the value of 'true', this environment variable will enable unsecure communications with the PostgreSQL server.
POSTGRES_SSL_CN	If a CN value is supplied, a self-signed certificate for the server will be automatically created when the container first starts. The public key will be available from the '${PGDATA}/public.pem' file of the running container.

Tag	Purpose
latest	The latest stable version.
V.R.M.F	A particular release, of the format: {version}.{release}.{modfication}.{fixpack}. For example, 10.0.0.0