Single Node Docker Advanced Configuration
Rocky Linux 9
Review the potential impacts of Immuta's Rocky Linux 9 upgrade to your environment before proceeding.
Ensure immuta.toml
is present
Prior to executing any of the snd
commands below, ensure an immuta.toml
configuration file has been created.
If not created, refer to instructions in Single Node Docker Install, Step 1.
Custom pg_hba.conf
Rules
Note
The following set of instructions presume Immuta is running.
To support
Query Engine Authentication,
the Single Node
Docker installation provides a method to configure your own pg_hba.conf
rules. Custom pg_hba.conf
rules are
appended to the top of the default pg_hba.conf
file. pg_hba.conf
rules are evaluated from top to bottom, selecting
the first match. See the instructions below for enabling custom pg_hba.conf
rules:
-
Set
IMMUTA_HOME
and change into it (by default/opt/immuta
):export IMMUTA_HOME="/opt/immuta" cd "${IMMUTA_HOME:?}"
-
Create a text-file containing your
pg_hba.conf
rules at${IMMUTA_HOME}/volumes/immuta-db/custom_pg_hba.conf
.custom_pg_hba.conf
host immuta +<IAMID>_user 0.0.0.0/0 ldap ldapserver="<LDAP SERVER>" ldapbinddb="<BIND DN>" ldapbindpasswd="<BIND PASSWORD>" ldapbasedn="<BASE DN>" ldapsearchfilter="<LDAP SEARCH FILTER>"
-
Set permissions for
custom_pg_hba.conf
.Note
If you are using your own container registry, you will need to update the image reference passed to
docker image inspect
in the command below to reference the immuta-db image in your container registry.DB_UID=$(docker image inspect --format='{{.Config.User}}' / registry.immuta.com/immuta/immuta-db:2022.5.13) chown ${DB_UID:?}:${DB_UID:?} "${IMMUTA_HOME}/volumes/db/custom_pg_hba.conf" chmod 600 "${IMMUTA_HOME}/volumes/db/custom_pg_hba.conf"
-
Add the following two key/value pairs to dictionary:
db
inimmuta.toml
.[db] environment = [ CUSTOM_PG_HBA_FILE="/var/run/immuta/custom_pg_hba.conf" ] volumes = [ "/opt/immuta/volumes/immuta-db/custom_pg_hba.conf:/var/run/immuta/custom_pg_hba.conf" ]
Note
If using a custom install path be sure to update the absolute path in toml key
volumes
. -
Remove
immuta-db
container.immuta-snd down immuta-db
-
Create a new
immuta-db
container with the changes applied.immuta-snd init
Note
immuta-snd
is smart enough to know the remaining Immuta containers (i.e.,immuta-service
,immuta-db
) are healthy. They will not be touched wheninit
is invoked.(Optional) Disable Query Engine Port
If you only use integrations, port 5432 is optional and can be disabled. To do this run
immuta-snd init --db-publish-port=false
-
Start
immuta-db
container.immuta-snd start immuta-db
Modifying or Replacing an External Certificate
-
Before proceeding make sure all Immuta containers are running and healthy.
-
Remove the
immuta-proxy
container:immuta-snd down immuta-proxy
-
Modify values for
immuta.external_tls_cert
andimmuta.external_tls_key
inimmuta.toml
. You can overwrite the existing paths if you would like. -
Recreate the
immuta-proxy
container:immuta-snd init
To issue new self-signed certificates for all internal connections between containers, append
--internal-tls-generate
to the previous command:immuta-snd init --internal-tls-generate