Configure ADCM to use an external database

Mikhail Serov

ADCM supports operations with external databases. In particular, PostgreSQL databases are supported. If no external database is specified, the built-in SQlite database is used by default.

IMPRORTANT
PostgreSQL database is recommended for use in the product environment. SQLite database is intended for experimental purposes.

The prerequisites to use the external PostgreSQL database are:

  • The user, the database, and the user password must be created (DATABASE_USERNAME, DATABASE_NAME, DATABASE_USER_PASSWORD in the example below).

  • The user must be the owner of the external PostgreSQL database.

CREATE USER <DATABASE_USERNAME> with encrypted password '<DATABASE_USER_PASSWORD>';
CREATE DATABASE <DATABASE_NAME> OWNER <DATABASE_USERNAME>;

To run ADCM using PostgreSQL as a database, use the following command:

$ sudo docker run -d --restart=always -p 8000:8000 -v /opt/adcm:/adcm/data
  -e DB_HOST="<DATABASE_HOSTNAME_OR_IP_ADDRESS>" -e DB_PORT="<DATABASE_TCP_PORT>"
  -e DB_USER="<DATABASE_USERNAME>" -e DB_NAME="<DATABASE_NAME>"
  -e DB_PASS="<DATABASE_USER_PASSWORD>" --name adcm hub.arenadata.io/adcm/adcm:<version>
  -e DB_OPTIONS="<DATABASE_OPTIONS>"

where <version> is a desired ADCM image version in one of the following formats:

  • <major>.<minor>.<patch> — if you need a specific ADCM patch. For example, 2.0.0.

  • <major>.<minor> — if you need the last patch within the selected ADCM version. For example, 2.0.

You can use DB_OPTIONS to establish an SSL connection to the database. The following parameters are available for DB_OPTIONS.

DB_OPTIONS parameters
Parameter Description

sslmode

A flag that is used for establishing an SSL connection. Possible values:

  • disable — only try a non-SSL connection.

  • allow — first try a non-SSL connection; if that fails, try an SSL connection.

  • prefer (default) — first try an SSL connection; if that fails, try a non-SSL connection.

  • require — only try an SSL connection. If a root certificate authority (CA) file is present, verify the certificate in the same way as if verify-ca was specified.

  • verify-ca — only try an SSL connection, and verify that the server certificate is issued by a trusted CA.

  • verify-full — only try an SSL connection, verify that the server certificate is issued by a trusted CA and that the requested server host name matches that in the certificate.

sslcert

This parameter specifies the file name of the client SSL certificate. This parameter is ignored if an SSL connection is not made

sslkey

This parameter specifies the location for the secret key used for the client certificate. This parameter is ignored if an SSL connection is not made

sslrootcert

This parameter specifies the name of a file containing SSL certificate authority certificate(s). If the file exists, the server’s certificate will be verified to be signed by one of these authorities. The special value system may be specified instead, in which case the system’s trusted CA roots will be loaded. The exact locations of these root certificates differ by SSL implementation and platform

Prepare the SSL certificate and secret key files and place them into <data_volume>/conf/ssl/. Then, list the DB_OPTIONS parameters in JSON format:

DB_OPTIONS='{"sslmode": "verify-full", "sslcert": "/adcm/data/conf/ssl/client.crt", "sslkey": "/adcm/data/conf/ssl/client.key", "sslrootcert": "/adcm/data/conf/ssl/server.crt"}'
IMPORTANT

  • latest was used for earlier versions of ADCM and is no longer supported starting from version 2.0.0.

  • Before ADCM 2.0.0, the following format was used for versioning: YYYY.MM.DD.HH.

Use -v /opt/adcm:/adcm/data:Z for SELinux.

Found a mistake? Seleсt text and press Ctrl+Enter to report it