Default POSTGRES_HOST_AUTH_METHOD=md5 value is not applied for localhost connections #788

Closed
AnatoliyTishaev-Epam opened this issue Nov 22, 2020 · 3 comments
Labels
question Usability question, not directly related to an error with the image

Comments

@AnatoliyTishaev-Epam

Description on docker image

POSTGRES_HOST_AUTH_METHOD
This optional variable can be used to control the auth-method for host connections for all databases, all users, and all addresses. If unspecified then md5 password authentication is used. On an uninitialized database, this will populate pg_hba.conf via this approximate line:

echo "host all all all $POSTGRES_HOST_AUTH_METHOD" >> pg_hba.conf

Yes, this happens, and at the bottom of pg_hba.conf the line host all all all md5 is present. The problem is that we still have the standard row above:

# IPv4 local connections:
host    all             all             127.0.0.1/32            trust

And because it is above, it gets applied first for connections from localhost. And it does allow logging in without any password specified.
Postgres official docs:

The first record with a matching connection type, client address, requested database, and user name is used to perform authentication.

Is this overlooked, or are IPv4 local connections not considered "host" ones?

psql -h localhost postgres postgres
@wglambert wglambert added the question Usability question, not directly related to an error with the image label Nov 23, 2020
@wglambert

Right, the second entry: host all all 127.0.0.1/32 trust is the first matching line for an IPv4 TCP/IP localhost connection.

Doing -h localhost will actually use the Unix socket, but the preceding local all all trust entry marks that connection method as trusted also.

So then the host all all all md5 entry matches everything that's not Unix socket or 127.0.0.1/32.

POSTGRES_HOST_AUTH_METHOD was added from the discussion in #580

Also #580 (comment)

localhost doesn't mean anything in a Docker context. If you're running your database with localhost being the only thing accessible inside Docker, you might as well not be running it at all (since localhost is only accessible from directly within the PostgreSQL container itself).

@AnatoliyTishaev-Epam

@wglambert
Thank you for the clarifications. I didn't know that -h localhost will still use a socket and not a TCP/IP connection.

Actually, I am wondering how it is then possible to trigger a TCP/IP connection via psql from localhost. The documentation says that if -h is not specified then "local socket" is used. And I was assuming that otherwise we would not use a socket but TCP/IP.

$ psql --help

Connection options:
  -h, --host=HOSTNAME      database server host or socket directory (default: "local socket")

@wglambert

Ah, I was thinking of MySQL, which uses a Unix socket if the hostname is localhost: https://dev.mysql.com/doc/mysql-shell/8.0/en/mysql-shell-connection-socket.html
You're right, Postgres still uses TCP/IP for localhost and 127.0.0.1.

If you have further questions you could try asking over at the Docker Community Forums, Docker Community Slack, or Stack Overflow, since these repos aren't really a user-help forum.
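
As an added illustration (not code from the image or from either commenter), the first-match rule quoted from the PostgreSQL docs can be applied to the three pg_hba.conf records named in this thread to see which auth method a given connection ends up with. The function names and the 172.17.0.2 client address are assumptions made for the example, and only the `all` keyword and CIDR addresses are handled.

```python
import ipaddress

# Constructed sample: only the three records quoted in the thread above.
SAMPLE_HBA = """\
local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            trust
host all all all md5
"""

def parse_hba(text):
    """Parse records into (type, database, user, address-or-None, method)."""
    records = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":  # "local" records have no address column
            records.append((fields[0], fields[1], fields[2], None, fields[3]))
        else:
            records.append(tuple(fields[:5]))
    return records

def addr_matches(spec, client):
    """Assumption: the address is either the keyword "all" or a CIDR range."""
    if spec == "all":
        return True
    ip = ipaddress.ip_address(client)
    net = ipaddress.ip_network(spec, strict=False)
    return ip.version == net.version and ip in net

def effective_method(records, conn_type, database, user, client=None):
    """Return the auth method of the first matching record, as PostgreSQL does."""
    for rtype, rdb, ruser, raddr, method in records:
        if rtype != conn_type:
            continue
        if rdb not in ("all", database) or ruser not in ("all", user):
            continue
        if rtype == "host" and not addr_matches(raddr, client):
            continue
        return method
    return None  # no record matches: the server rejects the connection

def trust_records(records):
    """Records worth flagging in a review: they never ask for a password."""
    return [r for r in records if r[4] == "trust"]

if __name__ == "__main__":
    recs = parse_hba(SAMPLE_HBA)
    for conn in (("local", None), ("host", "127.0.0.1"), ("host", "172.17.0.2")):
        print(conn, "->", effective_method(recs, conn[0], "postgres", "postgres", conn[1]))
```

Run against a real pg_hba.conf, `trust_records` lists the entries that sit above the appended `host all all all` line and therefore decide loopback and socket connections before POSTGRES_HOST_AUTH_METHOD is ever consulted.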
