[doc] workers need access to the database

This commit is contained in:
Nico Schottelius 2020-12-26 13:42:20 +01:00
parent e51edab2f5
commit 18d4c99571

View file

@ -32,6 +32,8 @@ pip install -r requirements.txt
The database can run on the same host as uncloud, but can also run
a different server. Consult the usual postgresql documentation for
a secure configuration.
The database needs to be accessible from all worker nodes.
**** Alpine
#+BEGIN_SRC sh
apk add postgresql-server
@ -60,6 +62,67 @@ postgres=# create database uncloud owner nico;
python manage.py migrate
#+END_SRC
*** Configuring remote access
- Get a letsencrypt certificate
- Expose SSL ports
- Create a user
#+BEGIN_SRC sh
certbot certonly --standalone \
-d <yourdbhostname> -m your@email.come \
--agree-tos --no-eff-email
#+END_SRC
- Configuring postgresql.conf:
#+BEGIN_SRC sh
listen_addresses = '*' # what IP address(es) to listen on;
ssl = on
ssl_cert_file = '/etc/postgresql/server.crt'
ssl_key_file = '/etc/postgresql/server.key'
#+END_SRC
- Cannot load directly due to permission error:
2020-12-26 13:01:55.235 CET [27805] FATAL: could not load server
certificate file
"/etc/letsencrypt/live/2a0a-e5c0-0013-0000-9f4b-e619-efe5-a4ac.has-a.name/fullchain.pem":
Permission denied
- hook
#+BEGIN_SRC sh
bridge:/etc/letsencrypt/renewal-hooks/deploy# cat /etc/letsencrypt/renewal-hooks/deploy/postgresql
#!/bin/sh
umask 0177
export DOMAIN=2a0a-e5c0-0013-0000-9f4b-e619-efe5-a4ac.has-a.name
export DATA_DIR=/etc/postgresql
cp /etc/letsencrypt/live/$DOMAIN/fullchain.pem $DATA_DIR/server.crt
cp /etc/letsencrypt/live/$DOMAIN/privkey.pem $DATA_DIR/server.key
chown postgres:postgres $DATA_DIR/server.crt $DATA_DIR/server.key
#+END_SRC
- Allowing access with md5 encrypted password encrypted via TLS
#+BEGIN_SRC sh
hostssl all all ::/0 md5
#+END_SRC
#+BEGIN_SRC sh
postgres=# create role uncloud password '...';
CREATE ROLE
postgres=# alter role uncloud login ;
ALTER ROLE
#+END_SRC
Testing the connection:
#+BEGIN_SRC sh
psql postgresql://uncloud@2a0a-e5c0-0013-0000-9f4b-e619-efe5-a4ac.has-a.name/uncloud?sslmode
=require
#+END_SRC
** Bootstrap
- Login via a user so that the user object gets created
- Run the following (replace nicocustomer with the username)