
You are viewing documentation for Immuta version 2022.1.

For the latest version, view our documentation for Immuta SaaS or the latest self-hosted version.

Single Node Docker Advanced Configuration

Ensure immuta.toml is present

Prior to executing any of the snd commands below, ensure an immuta.toml configuration file has been created.

If not created, refer to instructions in Single Node Docker Install, Step 1.

Custom pg_hba.conf Rules


The following set of instructions presumes Immuta is running.

To support Query Engine Authentication, the Single Node Docker installation provides a method to configure your own pg_hba.conf rules. Custom pg_hba.conf rules are added at the top of the default pg_hba.conf file. Because pg_hba.conf rules are evaluated from top to bottom and the first match is selected, custom rules take precedence over the default rules. Follow the instructions below to enable custom pg_hba.conf rules:

  1. Set IMMUTA_HOME and change into it (by default /opt/immuta):

    export IMMUTA_HOME="/opt/immuta"
    cd "${IMMUTA_HOME:?}"
  2. Create a text file containing your pg_hba.conf rules at ${IMMUTA_HOME}/volumes/immuta-db/custom_pg_hba.conf.


    host immuta +<IAMID>_user ldap ldapserver="<LDAP SERVER>" ldapbinddn="<BIND DN>" ldapbindpasswd="<BIND PASSWORD>" ldapbasedn="<BASE DN>" ldapsearchfilter="<LDAP SEARCH FILTER>"
  3. Set permissions for custom_pg_hba.conf.


    If you are using your own container registry, you will need to update the image reference passed to docker image inspect in the command below to reference the immuta-db image in your container registry.

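    # Look up the user the immuta-db image runs as; replace the placeholder with your immuta-db image reference.
    DB_UID=$(docker image inspect --format='{{.Config.User}}' "<IMMUTA-DB IMAGE REFERENCE>")
    # Give that user ownership and restrict the file to owner read/write.
    chown "${DB_UID:?}:${DB_UID:?}" "${IMMUTA_HOME}/volumes/db/custom_pg_hba.conf"
    chmod 600 "${IMMUTA_HOME}/volumes/db/custom_pg_hba.conf"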
  4. Add the following two key/value pairs to the db dictionary in immuta.toml.

    environment = [
    volumes = [

    If using a custom install path, be sure to update the absolute path in the volumes TOML key.

  5. Remove immuta-db container.

    immuta-snd down immuta-db
  6. Create a new immuta-db container with the changes applied.

    immuta-snd init

    immuta-snd is smart enough to know the remaining Immuta containers (i.e., immuta-service, immuta-db) are healthy. They will not be touched when init is invoked.

    (Optional) Disable Query Engine Port

    If you only use integrations, port 5432 is optional and can be disabled. To do this, run:

    immuta-snd init --db-publish-port=false
  7. Start immuta-db container.

    immuta-snd start immuta-db
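
A pre-flight check for the custom rules file from steps 2 and 3, as an added example (not Immuta tooling and not part of the original documentation). Because custom rules sit above the defaults and the first match wins, the hypothetical `lint_hba` function flags a file mode other than 600, `trust` rules, `all all` catch-all rules, and `ldap` rules without the PostgreSQL `ldaptls=1` option or an ldaps scheme. The sample rules are constructed.

```shell
#!/bin/sh
# Added example (not Immuta tooling): lint custom_pg_hba.conf before
# `immuta-snd init`. Custom rules sit above the defaults and the first
# match wins, so a permissive rule here shadows the defaults below it.

# lint_hba FILE: print one finding per line; no output means no findings.
lint_hba() {
    hba_file=$1
    # The file can hold ldapbindpasswd in clear text, hence mode 600 (step 3).
    [ -n "$(find "$hba_file" -prune -perm 600)" ] ||
        echo "MODE: $hba_file is not mode 600"
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        {
            orig = $0
            gsub(/"[^"]*"/, "Q")           # mask quoted option values, re-split fields
            if ($0 ~ /[ \t]trust([ \t]|$)/)
                print "TRUST: line " NR " admits matching clients without a password"
            if ($2 == "all" && $3 == "all")
                print "CATCHALL: line " NR " matches every database and user"
            if ($0 ~ /[ \t]ldap([ \t]|$)/ &&
                orig !~ /ldaptls="?1|ldapscheme="?ldaps|ldaps:\/\//)
                print "LDAP-CLEARTEXT: line " NR " has no ldaptls=1 or ldaps scheme"
        }' "$hba_file"
}

# Constructed sample rules using the page's placeholders (not a real deployment).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
host immuta +<IAMID>_user ldap ldapserver="<LDAP SERVER>" ldapbasedn="<BASE DN>"
host all all 0.0.0.0/0 trust
EOF
chmod 644 "$sample"     # deliberately wrong mode to trigger the MODE finding
lint_hba "$sample"
rm -f "$sample"
```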

Modifying or Replacing an External Certificate

  1. Before proceeding, make sure all Immuta containers are running and healthy.

  2. Remove the immuta-proxy container:

    immuta-snd down immuta-proxy
  3. Modify values for immuta.external_tls_cert and immuta.external_tls_key in immuta.toml. You can overwrite the existing paths if you would like.

  4. Recreate the immuta-proxy container:

    immuta-snd init

    To issue new self-signed certificates for all internal connections between containers, append --internal-tls-generate to the previous command:

    immuta-snd init --internal-tls-generate