fix postgres-dev to only listen on localhost #3403
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I missed the |
dnephin
force-pushed
the
dnephin/postgres-dev-listen-addr
branch
from
4d61085
to
d1c06eb
Compare
dnephin
commented
Oct 6, 2022
| postgres:14-alpine -c fsync=off -c full_page_writes=off | ||
| -p 127.0.0.1:15432:5432 \ | ||
| postgres:14-alpine -c fsync=off -c full_page_writes=off \ | ||
| -c listen_addresses=127.0.0.1 -c max_connections=100 |
There was a problem hiding this comment.
These are the default settings, but I'd like to include them here to make it easier to change them.
On linux setting listen_addresses to 0.0.0.0 allows tests to bypass the port mapping proxy and connect directly to the container. Setting max_connections can be useful when testing concurrency.
dnephin
force-pushed
the
dnephin/postgres-dev-listen-addr
branch
from
d1c06eb
to
a8925de
Compare
dnephin
commented
Oct 6, 2022
| @@ -48,7 +48,7 @@ jobs: | |||
| --health-interval 10s | |||
| --health-timeout 5s | |||
| --health-retries 5 | |||
| ports: ["5432:5432"] | |||
| ports: ["127.0.0.1:5432:5432"] | |||
There was a problem hiding this comment.
Not sure if this will work, let's see if CI tests pass.
BruceMacD
approved these changes
Oct 7, 2022
|
Thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
The default for docker port mapping is
0.0.0.0(all interfaces), which can be a security risk. If a developer laptop is ever connected to an untrusted network, someone on that network could connect to the database and useCOPYand other postgres operations to read files or even run processes on the laptop.By mapping the host port to 127.0.0.1 we ensure that no one can connect to the dev database except for the processes on the local host.
If you are using Docker for Mac I could use your help to confirm this works with that setup.