PostgreSQL Image Password Not Specified Issue

Some people have recently come across an error with the circleci/postgres image that looks something like this:

Error: Database is uninitialized and superuser password is not specified.
       You must specify POSTGRES_PASSWORD for the superuser. Use
       "-e POSTGRES_PASSWORD=password" to set it in "docker run".

       You may also use POSTGRES_HOST_AUTH_METHOD=trust to allow all connections
       without a password. This is *not* recommended. See PostgreSQL
       documentation about "trust":
       https://www.postgresql.org/docs/current/auth-trust.html

The PostgreSQL Docker Team pushed a breaking change as a patch release for several PostgreSQL versions. While a breaking change in a patch release is unfortunate, this change was done for the sake of security.

The Problem

Newer upstream PostgreSQL Docker images, and thus the CircleCI images, now require a password for use. If you were previously using passwordless access to a PostgreSQL DB within CircleCI, it will likely fail.

Affected Versions

Here’s a list of versions where this change takes effect. This may not be a complete list. Even if you’re using an unaffected version, you can always implement one of the solutions below to future-proof against this change.

  • v12.2 and up
  • v11.7 and up
  • v10.12 and up
  • v9.6.17 and up
  • v9.5.21 and up

Solutions

Option 1 - Implement a password

You can set a password for PostgreSQL using the environment variable POSTGRES_PASSWORD. Then you’d need to simply use that password when connecting to the DB. Here’s how you would add it to your CircleCI config:

jobs:
  build:
    docker:
      - image: circleci/postgres:9.6
        environment:
          #...
          POSTGRES_PASSWORD: password
          #...

Option 2 - Disable the password requirement

You can disable the new password requirement, basically reverting to the original behavior of the PostgreSQL image. This is done by setting the environment variable POSTGRES_HOST_AUTH_METHOD to “trust”. Here’s how you would add it to your CircleCI config:

jobs:
  build:
    docker:
      - image: circleci/postgres:9.6
        environment:
          #...
          POSTGRES_HOST_AUTH_METHOD: trust
          #...

Any questions or additional information to add? Please post them here.

3 Likes

I’d add that what probably matters the most is whether you’re using this image for your primary container or not. If not, you have to store the password in config.yml because there’s no way to get any secret there safely (e.g., via setting a project environment variable) unless I’m missing something. If you can’t use a safe password, why even bother… If a password is needed for some reason, setting an empty password might be best to signal to the reader unfamiliar with PostgreSQL authentication that this isn’t about safety.

Sadly, this whole thing is quite unfortunate because the error message is confusing. The documentation hasn’t been updated (I know I can submit PRs :wink:), the Docker image documentation doesn’t tackle this and the upstream image talks about this in a production context… This isn’t a criticism of CircleCI but my current state, which can serve as a shorter description of problem areas that would be nice to address IMHO :innocent:

1 Like

Hi @0W9cuJpS, and welcome to the community! Thanks for offering feedback - we’re always happy to hear it.

1 Like

The CircleCI documentation? If so, where would you imagine seeing this in the docs?

I don’t know the product, company or broader community enough as to say what the standards and expectations are – I simply inherited quite a lot of pipelines where CircleCI plays a central role. So, I’m not sure if I’m the right person to answer this.

Nevertheless, I prefer code examples to be self-contained (to work as-is), so I’d start with places identified by something like this:

git clone git@github.com:circleci/circleci-docs.git
fgrep -Rl 'circleci/postgres' circleci-docs

And make sure that all the examples work.
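Added example, not part of the thread and not CircleCI code: a small audit that goes one step past listing files that mention circleci/postgres and reports, for each such container entry in a config, whether it sets POSTGRES_PASSWORD, opts into trust, or sets neither and would hit the error above. The function name, the sample config and the line-based matching (it expects `image:` to be the first key of the list item) are assumptions made for illustration.

```python
import re

# A "- image: circleci/postgres..." list item, and the two variables the error names.
IMAGE_RE = re.compile(r"^(\s*)-\s+image:\s*['\"]?(circleci/postgres[^\s'\"#]*)")
KEY_RE = re.compile(r"^\s*(POSTGRES_PASSWORD|POSTGRES_HOST_AUTH_METHOD):\s*(.*?)\s*(?:#.*)?$")

# Constructed sample config, not taken from the thread.
SAMPLE = """\
jobs:
  build:
    docker:
      - image: circleci/node:12
      - image: circleci/postgres:9.6
        environment:
          POSTGRES_USER: app
      - image: circleci/postgres:12.2
        environment:
          POSTGRES_HOST_AUTH_METHOD: trust
  test:
    docker:
      - image: circleci/postgres:11.7
        environment:
          POSTGRES_PASSWORD: password
"""

def audit(text):
    """Return (line_no, image, status) for every circleci/postgres entry."""
    findings, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        m = IMAGE_RE.match(line)
        if not m:
            continue
        indent, image, env = len(m.group(1)), m.group(2), {}
        for follow in lines[i + 1:]:
            if not follow.strip() or follow.lstrip().startswith("#"):
                continue  # blank lines and commented-out settings do not count
            if len(follow) - len(follow.lstrip()) <= indent:
                break  # next list item or a dedent ends this container entry
            k = KEY_RE.match(follow)
            if k:
                env[k.group(1)] = k.group(2).strip("'\"")
        # An empty password is reported as missing (nothing is actually specified).
        status = ("trust" if env.get("POSTGRES_HOST_AUTH_METHOD") == "trust"
                  else "password" if env.get("POSTGRES_PASSWORD") else "missing")
        findings.append((i + 1, image, status))
    return findings

if __name__ == "__main__":
    for line_no, image, status in audit(SAMPLE):
        print(f"line {line_no}: {image}: {status}")
```

Entries reported as "trust" accept any connection without a password, so they are worth listing separately from "password" ones when reviewing configs.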