8 changes: 7 additions & 1 deletion docker-compose.yml
@@ -131,13 +131,19 @@ services:
db:
# use geonode official postgis 15 image
image: geonode/postgis:15-3.5-latest
command: postgres -c "max_connections=${POSTGRESQL_MAX_CONNECTIONS}"
medium

The POSTGRESQL_MAX_CONNECTIONS environment variable, which was used here to configure max_connections, is no longer effective with the new configuration approach. This is a potentially breaking change for users who were relying on it. It would be helpful to document this change and provide instructions for setting max_connections via the new conf.d directory mechanism.

command:
- postgres
- -c
- config_file=/etc/postgresql/postgresql.conf
container_name: db4${COMPOSE_PROJECT_NAME}
env_file:
- .env
volumes:
- dbdata:/var/lib/postgresql/data
- dbbackups:/pg_backups
- ./docker/postgresql/postgresql.conf:/etc/postgresql/postgresql.conf:ro
- ./docker/postgresql/conf.d:/etc/postgresql/conf.d:ro
- ./docker/postgresql/pg_hba.conf:/etc/postgresql/pg_hba.conf:ro
restart: unless-stopped
healthcheck:
test: "pg_isready -d postgres -U postgres"
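Review bot: the db service now depends on three bind mounts under ./docker/postgresql (postgresql.conf, conf.d, pg_hba.conf); if either file is absent from a checkout, Docker creates an empty directory at the mount path and postgres exits at startup with config_file or hba_file pointing at a directory, which is harder to diagnose than the old inline `-c` flag. Consider documenting the three files next to the new `command:` block, including that max_connections (previously set through POSTGRESQL_MAX_CONNECTIONS in the removed line) now belongs in a file under conf.d, and ship at least one example file there so the mounted directory is never empty by accident.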
39 changes: 39 additions & 0 deletions docker/postgresql/pg_hba.conf
@@ -0,0 +1,39 @@
# Local Unix socket connections - trust for local admin access
local all postgres trust

# Localhost connections - trust for container internal access
host all postgres 127.0.0.1/32 trust
host all postgres ::1/128 trust

# Allow replication connections from localhost
local replication all trust
host replication all 127.0.0.1/32 trust
host replication all ::1/128 trust

# =============================================================================
# Application-specific rules (evaluated in order)
# =============================================================================

# GeoNode database - require SCRAM-SHA-256 authentication
# This matches connections from Django/Celery containers
host geonode geonode 172.19.0.0/16 scram-sha-256

# GeoNode geodatabase - require SCRAM-SHA-256 authentication
# This matches connections from GeoServer
host geonode_data geonode_data 172.19.0.0/16 scram-sha-256

# Template databases - no external access allowed
host template0 all all reject
host template1 all all reject

# Postgres database - admin only, require password
host postgres postgres 172.19.0.0/16 scram-sha-256

# =============================================================================
# Default catch-all rule - deny all other connections
# =============================================================================
# Uncomment to explicitly deny all other connections:
# host all all all reject

# Or allow with password (current default):
host all all all scram-sha-256
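Review bot: the geonode, geonode_data and postgres rules hardcode 172.19.0.0/16, but nothing in this change pins the compose network to that subnet; Docker allocates the next free /16 from its pool per host, so on a host where 172.19.0.0/16 is already in use none of these rules match and every application connection falls through to the catch-all `host all all all scram-sha-256`. The per-database restrictions are then ineffective, and if the catch-all is later switched to `reject` (as the commented line suggests) the deployment breaks or works depending on the host. Either pin the subnet in the compose `networks:` IPAM configuration or use the `samenet` keyword (`host geonode geonode samenet scram-sha-256`) so the rule follows whatever subnet the container lands in. Separately, `local all postgres trust` and the two loopback `trust` rules give any process inside the container passwordless superuser access; that is a fair trade for the healthcheck, but the file header should say so, and `local replication all trust` could be narrowed to the replication role actually used rather than every local user.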
security-medium medium

For better security, it's recommended to follow the principle of least privilege by denying all connections by default. The current configuration allows any connection that provides a valid password. Consider changing this catch-all rule to reject to ensure only explicitly authorized connections are permitted. An example of this is already commented out on line 36.

host    all             all             all                     reject

13 changes: 13 additions & 0 deletions docker/postgresql/postgresql.conf
@@ -0,0 +1,13 @@
# Data Directory (managed by Docker)
data_directory = '/var/lib/postgresql/data'

# Connection Settings
listen_addresses = '*' # Listen on all network interfaces

# Authentication Configuration File
hba_file = '/etc/postgresql/pg_hba.conf'

# Include additional configuration files from conf.d directory
# All .conf files in this directory will be processed
include_dir = 'conf.d'
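Review bot: `include_dir = 'conf.d'` is a relative path; PostgreSQL resolves it relative to the directory of the file containing the directive, so here it is /etc/postgresql/conf.d and matches the compose mount, but that coupling is implicit. Either use the absolute path `/etc/postgresql/conf.d` or note in the comment that the directory is relative to this file, so a later move of config_file does not silently drop every override. The comment should also state that files in the directory are read in filename order (C locale) and later files win, since that is how operators will reason about where max_connections and other settings end up; a numeric prefix convention (e.g. 10-connections.conf) makes that ordering explicit.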