Skip to content

You are viewing documentation for Immuta version 2023.1.

For the latest version, view our documentation for Immuta SaaS or the latest self-hosted version.

Single Node Docker Advanced Configuration

Rocky Linux 9

Review the potential impacts of Immuta's Rocky Linux 9 upgrade to your environment before proceeding.

Ensure immuta.toml is present

Prior to executing any of the snd commands below, ensure an immuta.toml configuration file has been created.

If not created, refer to instructions in Single Node Docker Install, Step 1.

Custom pg_hba.conf Rules

Note

The following set of instructions presume Immuta is running.

To support Query Engine Authentication, the Single Node Docker installation provides a method to configure your own pg_hba.conf rules. Custom pg_hba.conf rules are appended to the top of the default pg_hba.conf file. pg_hba.conf rules are evaluated from top to bottom, selecting the first match. See the instructions below for enabling custom pg_hba.conf rules:

  1. Set IMMUTA_HOME and change into it (by default /opt/immuta):

    export IMMUTA_HOME="/opt/immuta"
    cd "${IMMUTA_HOME:?}"
    
  2. Create a text-file containing your pg_hba.conf rules at ${IMMUTA_HOME}/volumes/immuta-db/custom_pg_hba.conf.

    custom_pg_hba.conf

    host immuta +<IAMID>_user 0.0.0.0/0 ldap ldapserver="<LDAP SERVER>" ldapbinddb="<BIND DN>" ldapbindpasswd="<BIND PASSWORD>" ldapbasedn="<BASE DN>" ldapsearchfilter="<LDAP SEARCH FILTER>"
    
  3. Set permissions for custom_pg_hba.conf.

    Note

    If you are using your own container registry, you will need to update the image reference passed to docker image inspect in the command below to reference the immuta-db image in your container registry.

    DB_UID=$(docker image inspect --format='{{.Config.User}}' /
        registry.immuta.com/immuta/immuta-db:2023.1.2)
    chown ${DB_UID:?}:${DB_UID:?} "${IMMUTA_HOME}/volumes/db/custom_pg_hba.conf"
    chmod 600 "${IMMUTA_HOME}/volumes/db/custom_pg_hba.conf"
    
  4. Add the following two key/value pairs to dictionary: db in immuta.toml.

    [db]
    
    environment = [
        CUSTOM_PG_HBA_FILE="/var/run/immuta/custom_pg_hba.conf"
    ]
    
    volumes = [
        "/opt/immuta/volumes/immuta-db/custom_pg_hba.conf:/var/run/immuta/custom_pg_hba.conf"
    ]
    
    Note

    If using a custom install path be sure to update the absolute path in toml key volumes.

  5. Remove immuta-db container.

    immuta-snd down immuta-db
    
  6. Create a new immuta-db container with the changes applied.

    immuta-snd init
    
    Note

    immuta-snd is smart enough to know the remaining Immuta containers (i.e., immuta-service, immuta-db) are healthy. They will not be touched when init is invoked.

    (Optional) Disable Query Engine Port

    If you only use integrations, port 5432 is optional and can be disabled. To do this run

    immuta-snd init --db-publish-port=false
    
  7. Start immuta-db container.

    immuta-snd start immuta-db
    

Modifying or Replacing an External Certificate

  1. Before proceeding make sure all Immuta containers are running and healthy.

  2. Remove the immuta-proxy container:

    immuta-snd down immuta-proxy
    
  3. Modify values for immuta.external_tls_cert and immuta.external_tls_key in immuta.toml. You can overwrite the existing paths if you would like.

  4. Recreate the immuta-proxy container:

    immuta-snd init
    

    To issue new self-signed certificates for all internal connections between containers, append --internal-tls-generate to the previous command:

    immuta-snd init --internal-tls-generate