Conjur Persistent Database Guide

This is an easy way to have Conjur use an external PostgreSQL database instead of the one bundled in the provided Docker-compose file. This will keep your data persistent during a restart of the Docker containers.

BACKUP YOUR DATABASE BEFORE CONTINUING
BACKUP YOUR CONJUR DATA KEY BEFORE CONTINUING

Prerequisite

Set up a PostgreSQL Server

First, you’re going to need a new PostgreSQL server to replace the containerized one. This can be done by following the documentation on the PostgreSQL site for the specific operating system you are hosting it on. You can host the server locally or remotely depending on what works for your organization.

The current(as of writing this) maximum supported version of PostgreSQL with Conjur is 9.4.

An optional step would be to move the data you backed up from the Postgres database in the Docker container to your new separate database.

Change Database in Docker-Compose

Next, you’re going to need to change the environment variables that are in container that hosts the Conjur server. If you start your Conjur cluster with a docker-compose.yml file you can just edit that. This is the standard Conjur docker-compose file that’s been edited to use a standalone PostgreSQL database:
version: '2'
services:
  openssl:
    image: svagi/openssl:latest
    container_name: openssl
    entrypoint:
     - openssl
     - req
     - -newkey
     - rsa:2048
     - -days
     - "365"
     - -nodes
     - -x509
     - -config
     - tmp/conf/tls.conf
     - -extensions
     - v3_ca
     - -keyout
     - tmp/conf/nginx.key
     - -out
     - tmp/conf/nginx.crt
    volumes:
     - ./conf/tls/:/tmp/conf

  conjur:
    image: cyberark/conjur
    container_name: conjur_server
    command: server
    environment:
      DATABASE_URL: ***INSERT DATABASE ADDRESS***
      CONJUR_DATA_KEY: ***INSERT DATA KEY***

  proxy:
    image: nginx:1.13.6-alpine
    container_name: nginx_proxy
    ports:
      - "8443:443"
    volumes:
      - ./conf/default.conf:/etc/nginx/conf.d/default.conf:ro
      - ./conf/tls/nginx.key:/etc/nginx/nginx.key:ro
      - ./conf/tls/nginx.crt:/etc/nginx/nginx.crt:ro
    depends_on: [ conjur ]

  client:
    image: cyberark/conjur-cli:5
    container_name: conjur_client
    depends_on: [ proxy ]
    entrypoint: sleep
    command: infinity
    volumes:
    - ./conf/policy:/policy

The changes in this sample docker-compose file are:

  • removing the postgres container
  • removing the dependency of the database from the conjur container
  • updating the database address

Before starting the Conjur instance, instead of hardcoding your database url and data key into the docker-compose file, you could also change the DATABASE_URL and CONJUR_DATA_KEY environment variables. Example:
export CONJUR_DATA_KEY="$(< data_key)"
export DATABASE_URL="$(< database_url)"

Just make sure you keep those values in a safe location. If you lose the data key you cannot get it back and your data is lost.
After all of this, you can enjoy the peace of mind that your data in Conjur will be safe in the event that the Docker containers are shut down.

4 Likes

Is this supported for Conjur enterprise or is it recommended only for conjur OSS

Hi @sjohnkennedy, I’ve only tried this for OSS. There is probably a different way to do this for DAP

@jake Please let me know if there is any documentation available for configuring this in DAP

Thanks for the roundup.
Does anyone know: Is PostgreSQL 9.4 still the maximum supported version with Conjur?
Because PostgreSQL Version 9.4 is End Of Life!
https://www.postgresql.org/about/news/2011/