Skip to content

Support custom PGPASSFILE in docker#2156

Open
gnomed wants to merge 3 commits into
IntersectMBO:masterfrom
gnomed:fix/pgpassfile-respect
Open

Support custom PGPASSFILE in docker#2156
gnomed wants to merge 3 commits into
IntersectMBO:masterfrom
gnomed:fix/pgpassfile-respect

Conversation

@gnomed

@gnomed gnomed commented Jul 5, 2026

Copy link
Copy Markdown

Description

PR for Issue #2149
Update Docker configuration to allow PostgreSQL connection details to be provided via Docker secrets or a .pgpass file using the PGPASSFILE environment variable. This makes the individual POSTGRES_* variables optional.

Checklist

  • Commit sequence broadly makes sense
  • Commits have useful messages
  • New tests are added if needed and existing tests are updated
  • Any changes are noted in the changelog
  • Code is formatted with fourmolu on version 0.17.0.0 (which can be run with scripts/fourmolize.sh)
  • Self-reviewed the diff

Migrations

  • The pr causes a breaking change of type a,b or c
  • If there is a breaking change, the pr includes a database migration and/or a fix process for old values, so that upgrade is possible
  • Resyncing and running the migrations provided will result in the same database semantically

If there is a breaking change, especially a big one, please add a justification here. Please elaborate
more what the migration achieves, what it cannot achieve or why a migration is not possible.

@gnomed gnomed requested a review from a team as a code owner July 5, 2026 07:37
@gnomed gnomed changed the title Fix/pgpassfile respect Support custom PGPASSFILE in docker Jul 5, 2026
@gnomed

gnomed commented Jul 6, 2026

Copy link
Copy Markdown
Author

Ok I've verified the changes to the best of my ability.

Running the new code with PGPASSFILE bypasses all pgpassfile logic (errors due to not running as root).

~$ docker logs 302f98a0561d
Connecting to network: preview
mkdir: cannot create directory 'log-dir': Permission denied

Running without a PGPASSFILE set falls through to the old logic (which now has improved documentation)

~$ docker logs f7f0bd741481
mkdir: cannot create directory '/configuration': Permission denied
/run/secrets
Generating PGPASS file
/nix/store/whviccwvhgj9877wc7yw3ka1lamf9zgy-gen-pgpass: line 14: /run/secrets/postgres_db: No such file or directory
/nix/store/whviccwvhgj9877wc7yw3ka1lamf9zgy-gen-pgpass: line 15: /run/secrets/postgres_user: No such file or directory
/nix/store/whviccwvhgj9877wc7yw3ka1lamf9zgy-gen-pgpass: line 16: /run/secrets/postgres_password: No such file or directory
/nix/store/whviccwvhgj9877wc7yw3ka1lamf9zgy-gen-pgpass: line 17: /configuration/pgpass: No such file or directory
chmod: cannot access '/configuration/pgpass': No such file or directory
Connecting to network: preview
mkdir: cannot create directory 'log-dir': Permission denied

@gnomed

gnomed commented Jul 6, 2026

Copy link
Copy Markdown
Author

pinging @sgillespie since thats the username I see on most of these files. Sorry about the extra review/noise.

I wasn't able to figure out how to run the nix tests. This test file seemed relevant, but I couldn't figure out the syntax to run it which meant I also didn't feel safe updating it.

@sgillespie sgillespie left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution! This is a great addition, I have nothing further to add.

@sgillespie

Copy link
Copy Markdown
Contributor

@kderme Are you okay to go ahead and merge this? Can we also go ahead and include it in the next release?

@gnomed

gnomed commented Jul 6, 2026

Copy link
Copy Markdown
Author

Just noticed it needs a verified signature. Should I set that up or is a codeowner allowed to co-author/co-sign?

Just let me know. Thanks.

@sgillespie

Copy link
Copy Markdown
Contributor

I wasn't able to figure out how to run the nix tests. This test file seemed relevant, but I couldn't figure out the syntax to run it which meant I also didn't feel safe updating it.

You don't need to worry about this, it's basically dead. It doesn't run in CI and doesn't have enough to be useful anyways.

Just noticed it needs a verified signature. Should I set that up or is a codeowner allowed to co-author/co-sign?

I could always co-author by rebasing. Either way, I would recommend adding a GPG signing to Git and your GitHub profile anyways, especially if you want to keep contributing to the Cardano ecosystem. Otherwise, you'll always be fighting conventions.

@gnomed gnomed force-pushed the fix/pgpassfile-respect branch from f497b78 to 5ca4182 Compare July 7, 2026 03:01
@gnomed

gnomed commented Jul 7, 2026

Copy link
Copy Markdown
Author

thanks @sgillespie

commits signed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants