diff --git a/labs/lab-05-database/README.md b/labs/lab-05-database/README.md index ca153b8..8919a88 100644 --- a/labs/lab-05-database/README.md +++ b/labs/lab-05-database/README.md @@ -4,12 +4,19 @@ Deploy PostgreSQL in rete privata con persistenza dati. ## Avvio del Laboratorio +Leggi prima i tutorial nell'ordine indicato sotto. Il flusso principale del lab usa `docker-compose.yml`; il `Dockerfile` e solo un riferimento per client e strumenti, non un prerequisito di avvio. + ```bash cd labs/lab-05-database -docker build . docker compose up -d ``` +## Ordine Consigliato + +1. `tutorial/01-deploy-rds-database.md` +2. `tutorial/02-data-persistence.md` +3. `tutorial/03-security-compliance.md` + ## Verifica Completamento ```bash @@ -21,4 +28,4 @@ bash tests/99-final-verification.sh - [Tutorial](tutorial/) - Guida passo-passo - [How-to Guides](how-to-guides/) - Procedure specifiche - [Reference](reference/) - Documentazione tecnica -- [Explanation](explanation/) - Paralleli cloud \ No newline at end of file +- [Explanation](explanation/) - Paralleli cloud diff --git a/labs/lab-05-database/how-to-guides/connect-to-postgresql.md b/labs/lab-05-database/how-to-guides/connect-to-postgresql.md index 5b30890..11f96c0 100644 --- a/labs/lab-05-database/how-to-guides/connect-to-postgresql.md +++ b/labs/lab-05-database/how-to-guides/connect-to-postgresql.md @@ -5,7 +5,10 @@ ### Da container nella stessa rete ```bash -docker exec lab05-app psql -h db -U lab05_user -d lab05_db +docker run --rm --network lab05-vpc-private \ + -e PGPASSWORD=lab05_password \ + postgres:16-alpine \ + psql -h db -U lab05_user -d lab05_db ``` ### Dall'host con port forwarding (non recommended) 
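Review bot: the replacement `docker run --rm --network lab05-vpc-private ... psql -h db ...` under "Da container nella stessa rete" is missing `-it`, so psql gets neither a TTY nor an open stdin and exits immediately instead of opening the interactive session this section promises; the troubleshooting hunk later in the same file already uses `docker run --rm -it ...`, and the same `-it`-less command is copied into reference/postgresql-commands.md and into tutorial/01 where the text then shows a `lab05_db=>` prompt, so align all three. Also consider dropping `-e PGPASSWORD=lab05_password` from the documented command (psql prompts for it): inline it lands in shell history and, while the client container lives, in `docker inspect` output. It is a lab credential, but this is the command students will copy.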
@@ -43,13 +46,15 @@ postgresql://lab05_user:lab05_password@127.0.0.1:5432/lab05_db Il database è in rete privata. Devi connetterti da container nella stessa rete: ```bash -# Prima entra in un container -docker exec -it lab05-app sh - -# Poi connettiti -psql -h db -U lab05_user -d lab05_db +# Client temporaneo nella rete privata +docker run --rm -it --network lab05-vpc-private \ + -e PGPASSWORD=lab05_password \ + postgres:16-alpine \ + psql -h db -U lab05_user -d lab05_db ``` +Nota: il servizio `lab05-app` usa `nginx:alpine` e non include `psql`. + ### Password authentication failed Verifica le credenziali in docker-compose.yml: diff --git a/labs/lab-05-database/reference/postgresql-commands.md b/labs/lab-05-database/reference/postgresql-commands.md index bc1599a..759d494 100644 --- a/labs/lab-05-database/reference/postgresql-commands.md +++ b/labs/lab-05-database/reference/postgresql-commands.md @@ -8,8 +8,11 @@ # Connessione base docker exec lab05-db psql -U lab05_user -d lab05_db -# Connessione con host specificato -docker exec lab05-app psql -h db -U lab05_user -d lab05_db +# Connessione da client nella rete privata +docker run --rm --network lab05-vpc-private \ + -e PGPASSWORD=lab05_password \ + postgres:16-alpine \ + psql -h db -U lab05_user -d lab05_db # Esegui comando singolo docker exec lab05-db psql -U lab05_user -d lab05_db -c "SELECT version();" diff --git a/labs/lab-05-database/tests/99-final-verification.sh b/labs/lab-05-database/tests/99-final-verification.sh old mode 100755 new mode 100644 index 2ad867c..a9ce6cb --- a/labs/lab-05-database/tests/99-final-verification.sh +++ b/labs/lab-05-database/tests/99-final-verification.sh 
@@ -1,27 +1,49 @@ #!/bin/bash # Lab 05 - Database & RDS # Test 99: Final Verification (Double Check) -# Verifica finale end-to-end per studenti set -euo pipefail -# Colori per output RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m' BLUE='\033[0;34m' NC='\033[0m' -# Contatori +TEST_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" +LAB_DIR="$(cd "$TEST_DIR/.." && pwd)" + pass_count=0 fail_count=0 skip_count=0 -# Funzioni helper inc_pass() { ((pass_count++)) || true; } inc_fail() { ((fail_count++)) || true; } inc_skip() { ((skip_count++)) || true; } +check_pass() { + echo -e "${GREEN}OK${NC}" + inc_pass +} + +check_fail() { + echo -e "${RED}FAIL${NC}" + inc_fail +} + +check_warn() { + echo -e "${YELLOW}WARN${NC} $1" + inc_skip +} + +cleanup() { + docker compose down >/dev/null 2>&1 || true +} + +trap cleanup EXIT + +cd "$LAB_DIR" + echo "==========================================" echo "Lab 05 - Final Verification (Double Check)" echo "==========================================" 
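Review bot: `trap cleanup EXIT` runs `docker compose down` on every exit path, including a failed check and Ctrl-C, so a failing run removes exactly the environment the student needs to inspect, and the tutorials call this script mid-sequence and then keep issuing `docker exec lab05-db ...`. Suggest skipping teardown on a non-zero exit, or making it opt-in, e.g. `[ "${LAB05_KEEP:-0}" = 1 ] || docker compose down`. Separately, the file header flips the mode from 100755 to 100644; the docs now say `bash tests/99-final-verification.sh`, so it works, but dropping the executable bit looks accidental and breaks anyone still running `./99-final-verification.sh`.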
@@ -30,219 +52,204 @@ echo "Verifica completa: Lab 05 - Database & RDS" echo "Parallelo: PostgreSQL in Docker ↔ RDS in AWS VPC" echo "" -# Verifica file docker-compose.yml echo -n "[CHECK] Verifica docker-compose.yml esista... " -if [ -f "docker-compose.yml" ]; then - echo -e "${GREEN}OK${NC}" - inc_pass +if [ -f docker-compose.yml ]; then + check_pass else - echo -e "${RED}FAIL${NC}" - inc_fail - echo "ERRORE: docker-compose.yml non trovato" - exit 1 + check_fail + exit 1 +fi + +echo -n "[CHECK] Sintassi docker compose valida... " +if docker compose config >/dev/null 2>&1; then + check_pass +else + check_fail + exit 1 fi echo "" echo "=== VERIFICA CONFIGURAZIONE ===" -# Verifica servizio database -echo -n "[CHECK] Servizio 'database' definito... " -if grep -q "database:" docker-compose.yml; then - echo -e "${GREEN}OK${NC}" - inc_pass +echo -n "[CHECK] Servizio 'db' definito... " +if grep -q '^ db:$' <(docker compose config); then + check_pass else - echo -e "${RED}FAIL${NC}" - inc_fail + check_fail fi -# Verifica immagine PostgreSQL echo -n "[CHECK] Immagine PostgreSQL... " -if grep -q "image: postgres" docker-compose.yml; then - echo -e "${GREEN}OK${NC}" - inc_pass +if grep -q 'image: postgres:16-alpine' docker-compose.yml; then + check_pass else - echo -e "${RED}FAIL${NC}" - inc_fail + check_fail fi -# Verifica credenziali echo -n "[CHECK] Credenziali PostgreSQL configurate... " -if grep -q "POSTGRES_DB:" docker-compose.yml && \ - grep -q "POSTGRES_USER:" docker-compose.yml && \ - grep -q "POSTGRES_PASSWORD:" docker-compose.yml; then - echo -e "${GREEN}OK${NC}" - inc_pass +if grep -q 'POSTGRES_DB:' docker-compose.yml && \ + grep -q 'POSTGRES_USER:' docker-compose.yml && \ + grep -q 'POSTGRES_PASSWORD:' docker-compose.yml; then + check_pass else - echo -e "${RED}FAIL${NC}" - inc_fail + check_fail fi -# Verifica volume echo -n "[CHECK] Volume 'db-data' configurato... 
" -if grep -q "db-data:" docker-compose.yml; then - echo -e "${GREEN}OK${NC}" - inc_pass +if grep -q '^ db-data:$' <(docker compose config); then + check_pass else - echo -e "${RED}FAIL${NC}" - inc_fail + check_fail fi -# Verifica rete privata echo -n "[CHECK] Database in rete 'vpc-private'... " -if grep -A 20 "database:" docker-compose.yml | grep -q "vpc-private"; then - echo -e "${GREEN}OK${NC}" - inc_pass +if docker compose config | grep -A 30 '^ db:$' | grep -q 'vpc-private'; then + check_pass else - echo -e "${RED}FAIL${NC}" - inc_fail + check_fail fi -# Verifica nessuna porta esposta -echo -n "[CHECK] NESSUNA porta esposta (INF-02)... " -if grep -A 30 "database:" docker-compose.yml | grep -q "ports:"; then - echo -e "${YELLOW}WARN${NC} (porte configurate - RDS non espone porte)" - inc_skip +echo -n "[CHECK] NESSUNA porta esposta sul database (INF-02)... " +if docker compose config | grep -A 30 '^ db:$' | grep -q 'ports:'; then + check_fail else - echo -e "${GREEN}OK${NC}" - inc_pass + check_pass fi -# Verifica limiti risorse -echo -n "[CHECK] Limiti risorse configurati (INF-03)... " -if grep -A 30 "database:" docker-compose.yml | grep -q "cpus:" && \ - grep -A 30 "database:" docker-compose.yml | grep -q "memory:"; then - echo -e "${GREEN}OK${NC}" - inc_pass +echo -n "[CHECK] Limiti risorse configurati sul database (INF-03)... " +if docker compose config | grep -A 30 '^ db:$' | grep -q 'cpus:' && \ + docker compose config | grep -A 30 '^ db:$' | grep -q 'memory:'; then + check_pass else - echo -e "${RED}FAIL${NC}" - inc_fail + check_fail fi echo "" echo "=== VERIFICA ESECUZIONE ===" -# Verifica container in esecuzione +docker compose down >/dev/null 2>&1 || true +docker compose up -d >/dev/null +sleep 10 + echo -n "[CHECK] Container 'lab05-db' in esecuzione... 
" -if docker ps --format '{{{{Names}}}}' | grep -q "^lab05-db$"; then - echo -e "${GREEN}OK${NC}" - inc_pass +if docker ps --format '{{.Names}}' | grep -q '^lab05-db$'; then + check_pass else - echo -e "${RED}FAIL${NC}" - inc_fail - echo "Avviare i container: docker compose up -d" - echo "" - echo "Risultato: $pass_count PASS, $fail_count FAIL, $skip_count SKIP" - exit 1 + check_fail + echo "Avviare i container: docker compose up -d" + exit 1 fi -# Verifica healthcheck -echo -n "[CHECK] Healthcheck configurato... " -health_status=$(docker inspect lab05-db --format '{{.State.Health.Status}}' 2>/dev/null || echo "unknown") -if [ "$health_status" != "unknown" ]; then - echo -e "${GREEN}OK${NC} ($health_status)" - inc_pass +echo -n "[CHECK] Healthcheck database... " +health_status=$(docker inspect lab05-db --format '{{.State.Health.Status}}' 2>/dev/null || echo unknown) +if [ "$health_status" = "healthy" ]; then + check_pass +elif [ "$health_status" = "starting" ]; then + check_warn "(database ancora in avvio)" else - echo -e "${YELLOW}WARN${NC} (nessun healthcheck)" - inc_skip + check_fail fi -# Verifica pg_isready echo -n "[CHECK] PostgreSQL pronto (pg_isready)... " -if docker exec lab05-db pg_isready &>/dev/null; then - echo -e "${GREEN}OK${NC}" - inc_pass +if docker exec lab05-db pg_isready -U lab05_user >/dev/null 2>&1; then + check_pass else - echo -e "${YELLOW}WARN${NC} (PostgreSQL non ancora pronto)" - inc_skip + check_fail fi echo "" echo "=== VERIFICA SICUREZZA ===" -# INF-01: Non-root -echo -n "[CHECK] Container NON gira come root (INF-01)... " -container_user=$(docker exec lab05-db whoami 2>/dev/null || echo "unknown") -if [ "$container_user" = "postgres" ]; then - echo -e "${GREEN}OK${NC} ($container_user)" - inc_pass +echo -n "[CHECK] Processo principale NON gira come root (INF-01)... 
" +pid1_user=$(docker exec lab05-db sh -c "ps -o user,pid,args | awk '\$2 == 1 {print \$1}'" 2>/dev/null | tr -d '[:space:]') +pid1_uid=$(docker exec lab05-db sh -c "awk '/^Uid:/ {print \$2}' /proc/1/status" 2>/dev/null | tr -d '[:space:]') +if [ -n "$pid1_uid" ] && [ "$pid1_uid" -ne 0 ]; then + echo -e "${GREEN}OK${NC} ($pid1_user uid=$pid1_uid)" + inc_pass else - echo -e "${RED}FAIL${NC} ($container_user)" - inc_fail + check_fail fi -# INF-02: No host ports -echo -n "[CHECK] NESSUNA porta su host (INF-02)... " -db_port=$(docker port lab05-db 5432 2>/dev/null || echo "") +echo -n "[CHECK] NESSUNA porta host sul DB (INF-02)... " +db_port=$(docker port lab05-db 5432 2>/dev/null || true) if [ -z "$db_port" ]; then - echo -e "${GREEN}OK${NC}" - inc_pass + check_pass else - echo -e "${RED}FAIL${NC} (porta $db_port)" - inc_fail + echo -e "${RED}FAIL${NC} ($db_port)" + inc_fail +fi + +echo -n "[CHECK] Isolamento rete pubblica -> DB... " +if docker exec lab05-test-public ping -c 1 db >/dev/null 2>&1; then + check_fail +else + check_pass +fi + +echo -n "[CHECK] App privata puo raggiungere DB... " +if docker exec lab05-app ping -c 1 db >/dev/null 2>&1; then + check_pass +else + check_fail fi -# INF-03: Resource limits echo -n "[CHECK] Limiti risorsa applicati (INF-03)... " -if docker inspect lab05-db --format '{{.HostConfig.Memory}}' | grep -q "[1-9]"; then - echo -e "${GREEN}OK${NC}" - inc_pass +db_memory=$(docker inspect lab05-db --format '{{.HostConfig.Memory}}' 2>/dev/null || echo 0) +db_cpus=$(docker inspect lab05-db --format '{{.HostConfig.NanoCpus}}' 2>/dev/null || echo 0) +if [ "$db_memory" -gt 0 ] && [ "$db_cpus" -gt 0 ]; then + check_pass else - echo -e "${RED}FAIL${NC}" - inc_fail + check_fail fi -# INF-04: Volume persistence -echo -n "[CHECK] Volume persistenza (INF-04)... " -if docker volume ls --format '{{{{.Name}}}}' | grep -q "^lab05_db-data$"; then - echo -e "${GREEN}OK${NC}" - inc_pass +echo -n "[CHECK] Volume persistenza presente (INF-04)... 
" +if docker volume ls --format '{{.Name}}' | grep -q '^lab-05-database_db-data$'; then + check_pass else - echo -e "${RED}FAIL${NC}" - inc_fail + check_fail fi echo "" -echo "=== VERIFICA FUNZIONALITÀ ===" +echo "=== VERIFICA FUNZIONALITA ===" -# Test connessione database echo -n "[CHECK] Connessione database funziona... " -if docker exec lab05-db psql -U lab05_user -d lab05_db -c "SELECT 1;" &>/dev/null; then - echo -e "${GREEN}OK${NC}" - inc_pass +if docker exec lab05-db psql -U lab05_user -d lab05_db -c 'SELECT 1;' >/dev/null 2>&1; then + check_pass else - echo -e "${RED}FAIL${NC}" - inc_fail + check_fail fi -# Test creazione tabella echo -n "[CHECK] Creazione tabella... " -if docker exec lab05-db psql -U lab05_user -d lab05_db -c "CREATE TABLE IF NOT EXISTS verify_test (id SERIAL);" &>/dev/null; then - echo -e "${GREEN}OK${NC}" - inc_pass +if docker exec lab05-db psql -U lab05_user -d lab05_db -c 'CREATE TABLE IF NOT EXISTS verify_test (id SERIAL PRIMARY KEY, note TEXT);' >/dev/null 2>&1; then + check_pass else - echo -e "${RED}FAIL${NC}" - inc_fail + check_fail fi -# Test inserimento dati echo -n "[CHECK] Inserimento dati... " -if docker exec lab05-db psql -U lab05_user -d lab05_db -c "INSERT INTO verify_test DEFAULT VALUES;" &>/dev/null; then - echo -e "${GREEN}OK${NC}" - inc_pass +if docker exec lab05-db psql -U lab05_user -d lab05_db -c "INSERT INTO verify_test (note) VALUES ('ok');" >/dev/null 2>&1; then + check_pass else - echo -e "${RED}FAIL${NC}" - inc_fail + check_fail fi -# Test query dati echo -n "[CHECK] Query dati... 
" -count=$(docker exec lab05-db psql -U lab05_user -d lab05_db -t -c "SELECT COUNT(*) FROM verify_test;" 2>/dev/null | tr -d ' ') -if [ -n "$count" ] && [ "$count" -gt 0 ]; then - echo -e "${GREEN}OK${NC} ($count righe)" - inc_pass +count=$(docker exec lab05-db psql -U lab05_user -d lab05_db -tAc "SELECT COUNT(*) FROM verify_test WHERE note='ok';" 2>/dev/null | tr -d '[:space:]') +if [ -n "$count" ] && [ "$count" -ge 1 ]; then + echo -e "${GREEN}OK${NC} ($count righe)" + inc_pass else - echo -e "${RED}FAIL${NC}" - inc_fail + check_fail +fi + +echo -n "[CHECK] Persistenza dati dopo restart DB... " +docker compose restart db >/dev/null +sleep 8 +persist_count=$(docker exec lab05-db psql -U lab05_user -d lab05_db -tAc "SELECT COUNT(*) FROM verify_test WHERE note='ok';" 2>/dev/null | tr -d '[:space:]') +if [ -n "$persist_count" ] && [ "$persist_count" -ge 1 ]; then + echo -e "${GREEN}OK${NC} ($persist_count righe)" + inc_pass +else + check_fail fi echo "" @@ -253,20 +260,20 @@ echo " $fail_count FAIL" echo " $skip_count SKIP" echo "==========================================" -if [ $fail_count -eq 0 ]; then - echo "" - echo -e "${GREEN}✓ LAB 05 COMPLETATO CON SUCCESSO${NC}" - echo "" - echo "Paralleli confermati:" - echo " PostgreSQL container → RDS Instance" - echo " Private network → VPC Private Subnet" - echo " Named volume → EBS Volume" - echo " Resource limits → DB Instance Class" - echo "" - exit 0 +if [ "$fail_count" -eq 0 ]; then + echo "" + echo -e "${GREEN}✓ LAB 05 COMPLETATO CON SUCCESSO${NC}" + echo "" + echo "Paralleli confermati:" + echo " PostgreSQL container → RDS Instance" + echo " Private network → VPC Private Subnet" + echo " Named volume → EBS Volume" + echo " Resource limits → DB Instance Class" + echo "" + exit 0 else - echo "" - echo -e "${RED}✗ LAB 05 HA ERRORI - RISOLVERE E RIPETERE${NC}" - echo "" - exit 1 + echo "" + echo -e "${RED}✗ LAB 05 HA ERRORI - RISOLVERE E RIPETERE${NC}" + echo "" + exit 1 fi 
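Review bot: the new "Persistenza dati dopo restart DB" check does not exercise the volume: `docker compose restart db` stops and starts the same container, so the rows would survive even with no volume mounted (they would sit in the container's writable layer). To prove INF-04 the container must be removed and recreated, e.g. `docker compose rm -sf db && docker compose up -d db`, then re-query `verify_test`. Three smaller points in the same hunk: the fixed `sleep 10` and `sleep 8` are racy and combine badly with the `starting` branch of the healthcheck check (a slow host gets WARN instead of a deterministic result), so poll `docker inspect lab05-db --format '{{.State.Health.Status}}'` until `healthy` with a timeout. The isolation checks rely on `ping`: a `test-public` image without `ping` gives a false pass, an app container with NET_RAW dropped gives a false fail, and ICMP says nothing about port 5432, so test the service itself, e.g. `nc -z -w 2 db 5432`, from each container. And `^lab-05-database_db-data$` hard-codes the compose project name derived from the directory, so a clone into another folder or a COMPOSE_PROJECT_NAME in the environment fails INF-04 for no reason; either set `name:` on the volume in docker-compose.yml or read the mounted volume from `docker inspect lab05-db --format '{{range .Mounts}}{{if eq .Destination "/var/lib/postgresql/data"}}{{.Name}}{{end}}{{end}}'` as tutorial 03 already does.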
diff --git a/labs/lab-05-database/tutorial/01-deploy-rds-database.md b/labs/lab-05-database/tutorial/01-deploy-rds-database.md index 8928d20..f3ca628 100644 --- a/labs/lab-05-database/tutorial/01-deploy-rds-database.md +++ b/labs/lab-05-database/tutorial/01-deploy-rds-database.md @@ -16,20 +16,20 @@ Deployare PostgreSQL in Docker private network che simula RDS in VPC privata AWS ## Passo 1: Verifica l'ambiente -Verifica che le reti private siano già state create. +Il compose di questo lab crea da solo le reti `lab05-vpc-public` e `lab05-vpc-private`. Lab 02 resta un prerequisito concettuale, non una dipendenza runtime. Esegui: ```bash -# Verifica reti esistenti -docker network ls | grep vpc +# Verifica servizi e reti definiti nel compose +docker compose config --services +docker compose config | grep -A 20 "networks:" # Atteso: -# lab05-vpc-private -# lab05-vpc-public +# app +# db +# test-public ``` -Se le reti non esistono, consulta prima il Lab 02. - --- ## Passo 2: Esamina docker-compose.yml @@ -109,10 +109,13 @@ Atteso: `healthy` o `accepting connections` Puoi connetterti SOLO da container nella stessa rete privata. -Esegui dal container `app`: +Esegui da un client PostgreSQL temporaneo collegato alla rete privata: ```bash -# Connettiti dal container app -docker exec lab05-app psql -h db -U lab05_user -d lab05_db +# Connettiti da un client nella stessa rete privata +docker run --rm --network lab05-vpc-private \ + -e PGPASSWORD=lab05_password \ + postgres:16-alpine \ + psql -h db -U lab05_user -d lab05_db # Una volta connesso, esegui: lab05_db=> SELECT version(); @@ -163,8 +166,7 @@ Esegui lo script di verifica finale. Esegui: ```bash -cd tests -./99-final-verification.sh +bash tests/99-final-verification.sh ``` Tutti i test devono PASSARE. diff --git a/labs/lab-05-database/tutorial/02-data-persistence.md b/labs/lab-05-database/tutorial/02-data-persistence.md index d998e2b..4c2ee82 100644 --- a/labs/lab-05-database/tutorial/02-data-persistence.md 
+++ b/labs/lab-05-database/tutorial/02-data-persistence.md @@ -24,10 +24,10 @@ Esegui: docker volume ls | grep db-data # Atteso: -# local lab05_db-data +# local lab-05-database_db-data ``` -Il volume è nominativo (`local` driver), quindi i dati sopravvivono. +Il volume e nominativo (`local` driver), quindi i dati sopravvivono. Nel repository il nome reale include il prefisso del progetto compose: `lab-05-database_db-data`. --- @@ -142,10 +142,10 @@ Esplora il volume per capire come PostgreSQL memorizza i dati. Esegui: ```bash # Trova il mount point del volume -docker inspect lab05-db --format '{{range .Mounts}}{{if eq .Destination "/var/lib/postgresql/data"}}{{.Source}}{{end}}{{end}}' +docker volume inspect lab-05-database_db-data --format '{{.Mountpoint}}' # Lista file nel volume (come root) -sudo ls -la /var/lib/docker/volumes/lab05_db-data/_data/ +sudo ls -la $(docker volume inspect lab-05-database_db-data --format '{{.Mountpoint}}') ``` Struttura chiave: @@ -215,7 +215,7 @@ Tutte le verifiche devono passare. ### Dati persi dopo riavvio ```bash # Verifica che il volume sia nominativo -docker volume inspect lab05_db-data +docker volume inspect lab-05-database_db-data # Verifica montaggio corretto docker inspect lab05-db --format '{{json .Mounts}}' | jq @@ -226,17 +226,17 @@ docker inspect lab05-db --format '{{json .Mounts}}' | jq # Lista tutti i volumi docker volume ls -# Se il volume non esiste, ricrea -docker volume create lab05_db-data +# Se il volume non esiste, ricrealo rialzando il compose +docker compose up -d ``` ### Permesso negato su volume ```bash # Verifica proprietà volume -sudo ls -la /var/lib/docker/volumes/lab05_db-data/ +sudo ls -la $(docker volume inspect lab-05-database_db-data --format '{{.Mountpoint}}') # PostgreSQL deve poter scrivere -sudo chown -R 999:999 /var/lib/docker/volumes/lab05_db-data/ +sudo chown -R 999:999 $(docker volume inspect lab-05-database_db-data --format '{{.Mountpoint}}') ``` --- 
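Review bot: the "Permesso negato su volume" fix updates the path but keeps `sudo chown -R 999:999`, and this lab runs `postgres:16-alpine`, where the `postgres` user is uid/gid 70 (tutorial 03 in this same patch records "nel lab osservato: 70"; 999 belongs to the Debian-based image). Running that chown here would take the data directory away from the server process. Change it to `70:70` or derive the ids from the container with `docker exec lab05-db id -u postgres` and `id -g postgres`. The "Se il volume non esiste" fix is correct that `docker compose up -d` recreates the volume, but add that the previous data is then gone, not recovered. In the tutorial 01 hunk above, `docker compose config | grep -A 20 "networks:"` prints the first `networks:` block it meets, which is a service's network list rather than the top-level definitions, and the `# Atteso:` comment only describes the `--services` output; either drop the second command or print the top-level block with `docker compose config | sed -n '/^networks:/,$p'`.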
diff --git a/labs/lab-05-database/tutorial/03-security-compliance.md b/labs/lab-05-database/tutorial/03-security-compliance.md index 1bb3bf4..61b8619 100644 --- a/labs/lab-05-database/tutorial/03-security-compliance.md +++ b/labs/lab-05-database/tutorial/03-security-compliance.md @@ -19,21 +19,21 @@ PostgreSQL official image NON gira come root. Esegui: ```bash -# Verifica utente nel container -docker exec lab05-db whoami +# Verifica l'utente del processo principale (PID 1) +docker exec lab05-db sh -c "ps -o user,pid,args | awk '\$2 == 1 {print \$1, \$2, \$3}'" -# Atteso: postgres +# Atteso: postgres 1 postgres ``` Verifica UID: ```bash -# Verifica UID != 0 -docker exec lab05-db id -u +# Verifica UID del processo principale != 0 +docker exec lab05-db sh -c "awk '/^Uid:/ {print \$2}' /proc/1/status" -# Atteso: 999 (postgres user UID) +# Atteso: un valore non-zero (nel lab osservato: 70) ``` -Se l'utente è `root` o UID `0`, c'è una violazione di sicurezza. +Nota: `docker exec ... whoami` puo mostrare `root` per la shell di debug lanciata con `exec`, ma non rappresenta il processo principale del database. Per INF-01 devi controllare il processo PID 1. --- @@ -62,8 +62,14 @@ Test isolamento: # Prova connessione dall'host (DEVE fallire) psql -h localhost -U lab05_user -d lab05_db 2>&1 || echo "Corretto: non accessibile" -# Prova connessione da container app (DEVE successo) -docker exec lab05-app psql -h db -U lab05_user -d lab05_db -c "SELECT 1;" +# Prova reachability dal container app (DEVE riuscire) +docker exec lab05-app ping -c 2 db + +# Prova query SQL da un client nella rete privata (DEVE riuscire) +docker run --rm --network lab05-vpc-private \ + -e PGPASSWORD=lab05_password \ + postgres:16-alpine \ + psql -h db -U lab05_user -d lab05_db -c "SELECT 1;" ``` --- 
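Review bot: the note that `docker exec ... whoami` can show `root` should say why, since that is the security point of INF-01: `docker exec` runs as the container's default user, which here is root, so every debugging shell is privileged even though PID 1 runs as uid 70; asserting on `/proc/1/status` is the right fix, and `docker exec -u postgres` is worth recommending for the shells students open. In the isolation test, `ping -c 2 db` from `lab05-app` proves name resolution and ICMP, not that port 5432 is reachable; the `psql` command directly below already proves the TCP path, so the ping can go or become `nc -z db 5432`. The host-side `psql -h localhost ...` will connect to any PostgreSQL the student already runs locally on 5432, so state that a successful connection there means a local server, not a leaked lab port.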
@@ -104,13 +110,13 @@ I dati devono persistere in volume nominativo. Esegui: ```bash # Verifica volume esista -docker volume ls | grep lab05_db-data +docker volume ls | grep lab-05-database_db-data # Verifica montaggio docker inspect lab05-db --format '{{range .Mounts}}{{if eq .Destination "/var/lib/postgresql/data"}}{{.Name}}{{end}}{{end}}' ``` -Atteso: `lab05_db-data` +Atteso: `lab-05-database_db-data` --- @@ -120,11 +126,10 @@ Esegui lo script di verifica sicurezza. Esegui: ```bash -cd tests -./04-security-test.sh +bash tests/99-final-verification.sh ``` -Tutti i test devono PASSARE. +Lo script finale copre anche i controlli di sicurezza principali del lab. --- @@ -205,8 +210,7 @@ Esegui la verifica finale completa. Esegui: ```bash -cd tests -./99-final-verification.sh +bash tests/99-final-verification.sh ``` Tutti i test devono PASSARE, inclusi: @@ -249,11 +253,9 @@ Prima di passare al production (simulato): ### Container gira come root ```bash -# Verifica image -docker inspect lab05-db --format '{{.Config.User}}' - -# PostgreSQL official image deve usare 'postgres' -# Se root, controlla Dockerfile +# Verifica il processo principale, non la shell lanciata con docker exec +docker exec lab05-db sh -c "ps -o user,pid,args | awk '\$2 == 1 {print \$1, \$2, \$3}'" +docker exec lab05-db sh -c "awk '/^Uid:/ {print \$2}' /proc/1/status" ``` ### Database accessibile dall'host
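Review bot: replacing `./04-security-test.sh` with `bash tests/99-final-verification.sh` in the security step has two consequences this patch leaves open. `tests/04-security-test.sh` is no longer referenced from the tutorial; if it still exists it should be deleted or linked from the reference docs, otherwise it will drift from the checks described here. And the rewritten 99 script ends with `docker compose down` through its EXIT trap, so after this step the student's containers are gone while the steps that follow (the volume check with `docker inspect lab05-db`, the "Container gira come root" troubleshooting) still assume a running `lab05-db`; either add `docker compose up -d` after the call or, better, make the script's teardown opt-in.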