-
-
Notifications
You must be signed in to change notification settings - Fork 567
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Q: Using Postgres V16 in docker-compose instead of V12 #9628
Comments
The main reason why we haven't updated the postgres tag is because the upgrade procedure for postgres is a lot more manual than it is for redis or mysql. There aren't any new postgres features required by authentik either, but we test in CI with 12, 15 and 16. We will probably upgrade in the future, after we have some docs on how to upgrade too |
Thank you for your explanation. A few days ago, I attempted to update the database following several online guides, but it turned out to be a disaster. Fortunately, I had taken a backup. The issues I'm concerned about (perhaps not without good reason) are performance improvements and possibly patched security issues. |
I dont think there's too much to gain there, although I don't have any numbers for performance, but for security especially since postgres isn't exposed to anything there shouldn't be any issues |
According to this article by EntrepriseDB, there is a 10% performance increase between Postgres 12 and 15. I could not find any statistics for V16. But for what it's worth, it is probably best to wait for EOL. Updating from a Docker container is way trickier than on the VM |
Gonna write docs for the upgrade and open a pull request as I have made the update myself with basically no issues |
I don't believe this is exactly true when using the default docker-compose file from: https://goauthentik.io/docker-compose.yml There is no use of separated networks in the compose file where the network for the Postgres container is set to:
So the Postgres container will have access to the outside internet with the default docker-compose file and can be vulnerable to attacks. |
@appiekap653 So basically, the best solution would be 2 networks? |
You only need one other container on that and network where an attacker can take over the container, and he can launch his attacks to the rest of the containers. I use two networks, with one of them set to internal, just to be sure. I read somewhere that docker was automatically doing something to iptables for all containers in a bridge network, which made it insecure when not using internal=true. I don't know the actual in's and outs, but can never be sure enough when it comes to security. Look at the custom network part: https://spin.atomicobject.com/defined-docker-networks/ |
Oh that's good to know. Thanks for sharing |
I noticed in the docker-compose.yml file that the Postgres image is set to version 12. Is there any specific reason why a newer version isn't recommended in the Docker Compose file? Considering that version 12 will reach its end of life in six months, would it be wise to create the database on version 16 or attempt to upgrade the current one? Also, how does this decision impact security?
The text was updated successfully, but these errors were encountered: