Enterprise Server: Container settings
The settings on this page can be passed in as environment variables into the pganalyze Enterprise Server container. Any change of these settings requires a container restart to read the new configuration.
DATABASE_URL: PostgreSQL server used for storing statistics information (required)
LICENSE_KEY: License key provided to you by the pganalyze team (required)
DOMAIN_NAME: Domain name where you are hosting the pganalyze app (optional, but recommended, and required for SSO)
MAILER_URL: SMTP server used to send system emails, e.g. user invites (optional, recommended)
MAILER_FROM: "From" address used to send system emails (optional, recommended if setting MAILER_URL)
REDIS_URL: Redis server used for scale out architecture (optional, only needed when running Redis separately)
An example configuration looks like this:
DATABASE_URL=postgres://myusername:firstname.lastname@example.org:5432/mydatabase LICENSE_KEY=KEYKEYKEY DOMAIN_NAME=pganalyze.example.com MAILER_URL=smtp://myusername:email@example.com:25 MAILER_FROMfirstname.lastname@example.org
SIDEKIQ_CONCURRENCY: Concurrency (number of threads) for background workers, defaults to 1. Set this to 0 to turn off the workers in the combined image (requires 2023.06.0 or newer).
DISABLE_DIRECT_SIGNUP: Whether direct signups to the pganalyze application are permitted (without requiring an invite or going through Single Sign-On)
DEFAULT_ORG_ROLE: How new users are added to the organization when they sign up (optional, default:
none- new users are not organization members and have to be invited by an existing user (recommended)
admin- assigns the role named "Admin (All Servers)"
modify_all- assigns the role named "View & Modify (All Servers)"
view_all- assigns the role named "View (All Servers)"
Important: If you are hosting your pganalyze Enterprise Server installation on a publicly available interface (i.e. without explicit access control at the network level), we recommend setting
DISABLE_DIRECT_SIGNUP is not compatible with the
DEFAULT_ORG_ROLE setting: If
DISABLE_DIRECT_SIGNUP is enabled, and
DEFAULT_ORG_ROLE is not
none, it will be the same as setting it to
none, since direct registrations are not possible.
For using Log Insights and Automated EXPLAIN, additional settings must be configured for object storage.
When using the object storage on AWS, the required IAM credentials can either be set using an instance role (recommended), or by explicitly setting these environment variables:
AWS_ACCESS_KEY_ID: AWS Access Key ID (optional)
AWS_SECRET_ACCESS_KEY: AWS Secret Access Key (optional)
You can also configure the following object storage settings:
AWS_S3_SNAPSHOTS_BUCKET: Name of the snapshots S3 bucket (required for object storage)
AWS_S3_LOGS_BUCKET: Name of the logs S3 bucket (required for object storage)
AWS_KMS_LOGS_CMK: Identifier for the KMS key used for client-side log text encryption (required for object storage)
AWS_S3_SNAPSHOTS_PREFIX: Prefix for all objects stored in snapshots bucket (optional, empty by default)
AWS_S3_LOGS_PREFIX: Prefix for all objects stored in logs bucket (optional, empty by default)
Note that when using the collector inside the Enterprise Server container to monitor Amazon RDS or Aurora, the actual fetching of log data from RDS will also use these same credentials. Ensure to also set the collector IAM policy in that case.
In addition, you can also set these other general settings:
AWS_REGION: Default AWS region (optional)
AWS_ENDPOINT_S3_URL: VPC endpoint to use for Amazon S3 API access (optional)
AWS_ENDPOINT_KMS_URL: VPC endpoint to use for Amazon KMS API access (optional)
AWS_ENDPOINT_STS_URL: VPC endpoint to use for Amazon STS API access (optional)
When using Amazon EKS with IAM roles associated to a service account, the following additional settings can be used:
AWS_ROLE_ARN: Role to assume for AWS API access (automatically set by EKS)
AWS_WEB_IDENTITY_TOKEN_FILE: Location of Web Identity token file (automatically set by EKS)
AWS_ROLE_SESSION_NAME: Session name to use when assuming roles (optional, defaults to "pganalyze")
Additionally the following optional settings are available:
MINIO_SNAPSHOTS_BUCKET: Name of the snapshots bucket in Minio (optional, defaults to
MINIO_LOGS_BUCKET: Name of the logs bucket in Minio (optional, defaults to
GOOGLE_CLIENT_SECRET. See separate instructions.
PAGERDUTY_APP_ID. See separate instructions.
SLACK_CLIENT_SECRET. See separate instructions.
The collector can optionally support using an LDAP connection to verify user credentials, instead of using a username/password stored in the pganalyze database. When LDAP is enabled regular user authentication is turned off.
LDAP is commonly utilized when using Microsoft Active Directory on-premise. If possible we recommend using the SAML integration instead, including when using Azure Active Directory.
When using LDAP, it is recommended to also set
DEFAULT_ORG_ROLE to a non-empty value (see above)
to ensure that new LDAP users are added to the existing organization.
LDAP_HOST: Internal hostname or IP of your LDAP server
LDAP_PORT: Port of your LDAP server. Use port 636 for LDAPS
LDAP_BASE_DN: Base DN that all lookups should be done with. You can use this to restrict access to a subset of your LDAP accounts. Note that both the admin CN and regular users need to be members of this DN.
LDAP_LOOKUP_CN: Common Name of an account that will be used to run authentication lookups on your LDAP directory
LDAP_LOOKUP_PASSWORD: Password for the account that will be used to run authentication lookups
LDAP_FIELD_UID: UID field on your LDAP entries. This is usually
sAMAccountNameon Active Directory servers
LDAP_ENCRYPTION: Encryption mode to use for LDAP connections. Only add this when you want to use LDAPS (Port 636) or STARTTLS (Port 389) for a secure connection to your server. Specify
sslfor LDAPS, and
tlsfor STARTTLS (optional)
Example LDAP configuration, with the required
DEFAULT_ORG_ROLE setting, but without other unrelated settings:
LDAP_HOST=example.com LDAP_PORT=389 LDAP_BASE_DN=OU=Users,OU=ldaptest,DC=ldaptest,DC=pganalyze,DC=com LDAP_LOOKUP_CN=Admin LDAP_LOOKUP_PASSWORD=ReallyLongSecurePassword LDAP_FIELD_UID=sAMAccountName LDAP_ENCRYPTION=ssl DEFAULT_ORG_ROLE=view_all
Note you can run an Enterprise self-check to verify the connection and lookup LDAP information, but some configuration errors are only visible once logging in.
The metrics HTTP endpoint
/metrics is available for Prometheus scraping. Currently, it provides worker queue metrics using the sidekiq-prometheus-exporter gem.
The endpoint is protected with a bearer auth, the token is specified with the
SIDEKIQ_PROMETHEUS_TOKEN environment variable. The endpoint is only available when the environment variable is set.
If you have a Prometheus setup already, you can add the hostname and port of your web server as an additional target to the Prometheus config file to scrape.
Below is an example of a
prometheus.yml file (with web server
scrape_configs: - job_name: "sidekiq-prometheus" scrape_interval: 60s scrape_timeout: 10s authorization: credentials: $SIDEKIQ_PROMETHEUS_TOKEN static_configs: - targets: [ '0.0.0.0:5000' ]
Couldn't find what you were looking for or want to talk about something specific?
Start a conversation with us →