Merge branch 'checkup20' into 'main'

Checkup20

See merge request postgres-ai/postgres_ai!27

Author: Dementii Priadko

README.md

@@ -4,8 +4,35 @@ A complete PostgreSQL monitoring solution with automated performance analysis an
 
 ## 📋 Requirements
 
+**Infrastructure:**
+- **Linux machine** with Docker installed (separate from your database server)
+- **Docker access** - the user running `postgres_ai` must have Docker permissions
+- **Network access** to the PostgreSQL database(s) you want to monitor
+
+**Database:**
 - Supports PostgreSQL versions 14-17
 
+## ⚠️ Security Notice
+
+**WARNING: Security is your responsibility!**
+
+This monitoring solution exposes several ports that **MUST** be properly firewalled:
+- **Port 3000** (Grafana) - Contains sensitive database metrics and dashboards
+- **Port 58080** (PGWatch Postgres) - Database monitoring interface  
+- **Port 58089** (PGWatch Prometheus) - Database monitoring interface
+- **Port 59090** (Prometheus) - Metrics storage and queries
+- **Port 59091** (PGWatch Prometheus endpoint) - Metrics collection
+- **Port 55000** (Flask API) - Backend API service
+- **Port 55432** (Demo DB) - When using `--demo` option
+- **Port 55433** (Metrics DB) - PostgreSQL metrics storage
+
+**Configure your firewall to:**
+- Block public access to all monitoring ports
+- Allow access only from trusted networks/IPs
+- Use VPN or SSH tunnels for remote access
+
+Failure to secure these ports may expose sensitive database information!
+
 ## 🚀 Quick start
 
 Create a new DB user in database to be monitored (skip this if you want just to check out `postgres_ai` monitoring with a synthetic `demo` database):

config/pgwatch-prometheus/metrics.yml

@@ -311,57 +311,8 @@ metrics:
           pg_stat_database, pg_control_system()
         where
           datname = current_database()
-      17: |-
-        select /* pgwatch_generated */
-          (extract(epoch from now()) * 1e9)::int8 as epoch_ns,
-          current_database() as tag_datname,
-          numbackends,
-          xact_commit,
-          xact_rollback,
-          blks_read,
-          blks_hit,
-          tup_returned,
-          tup_fetched,
-          tup_inserted,
-          tup_updated,
-          tup_deleted,
-          conflicts,
-          temp_files,
-          temp_bytes,
-          deadlocks,
-          shared_blk_read_time as blk_read_time,
-          shared_blk_write_time as blk_write_time,
-          extract(epoch from (now() - pg_postmaster_start_time()))::int8 as postmaster_uptime_s,
-          checksum_failures,
-          extract(epoch from (now() - checksum_last_failure))::int8 as checksum_last_failure_s,
-          case when pg_is_in_recovery() then 1 else 0 end as in_recovery_int,
-          system_identifier::text as tag_sys_id,
-          session_time::int8,
-          active_time::int8,
-          idle_in_transaction_time::int8,
-          sessions,
-          sessions_abandoned,
-          sessions_fatal,
-          sessions_killed,
-          (select count(*) from pg_index i
-            where not indisvalid
-            and not exists ( /* leave out ones that are being actively rebuilt */
-              select * from pg_locks l
-              join pg_stat_activity a using (pid)
-              where l.relation = i.indexrelid
-              and a.state = 'active'
-              and a.query ~* 'concurrently'
-          )) as invalid_indexes
-        from
-          pg_stat_database, pg_control_system()
-        where
-          datname = current_database()
     gauges:
-      - numbackends
-      - postmaster_uptime_s
-      - backup_duration_s
-      - backup_duration_s
-      - checksum_last_failure_s
+      - '*'
   locks_mode:
     description: >
       Retrieves lock mode statistics from the PostgreSQL `pg_locks` view, providing insights into the different lock modes currently held in the database.

postgres_ai

@@ -200,16 +200,28 @@ check_docker_running() {
     log_info "Checking Docker daemon status..."
 
     if ! docker info &> /dev/null; then
-        log_error "Docker daemon is not running"
+        log_error "Cannot access Docker daemon"
         echo
-        echo "Please start Docker:"
-        echo "  macOS: Start Docker Desktop application"
-        echo "  Linux: sudo systemctl start docker"
-        echo "  Windows: Start Docker Desktop application"
+        echo "This could be due to:"
+        echo "  1. Docker daemon not running"
+        echo "  2. User lacks permission to access Docker"
+        echo
+        echo "Solutions:"
+        echo "  If Docker daemon is not running:"
+        echo "    • macOS: Start Docker Desktop application"
+        echo "    • Linux: sudo systemctl start docker"
+        echo "    • Windows: Start Docker Desktop application"
+        echo
+        echo "  If permission denied:"
+        echo "    • Linux: Add user to docker group: sudo usermod -aG docker \$USER"
+        echo "    • Then log out and back in, or run: newgrp docker"
+        echo "    • Verify with: docker run hello-world"
+        echo
+        echo "  Alternative: Run postgres_ai with sudo (not recommended)"
         exit 1
     fi
 
-    log_success "Docker daemon is running"
+    log_success "Docker daemon is accessible"
 }
 
 # Check system resources
@@ -894,12 +906,12 @@ start_services() {
 
     if is_demo_mode; then
         log_info "Starting Postgres AI services (demo mode - including target database)..."
-        $compose_cmd -f "$COMPOSE_FILE" up -d --build
+        $compose_cmd -f "$COMPOSE_FILE" up -d 
     else
         log_info "Starting Postgres AI monitoring services (production mode)..."
         log_info "Target demo database not included - add your own PostgreSQL instances to monitor"
         # Start all services except target-db
-        $compose_cmd -f "$COMPOSE_FILE" up -d sources-generator sink-postgres sink-prometheus pgwatch-postgres pgwatch-prometheus grafana flask-backend postgres-reports --build
+        $compose_cmd -f "$COMPOSE_FILE" up -d sources-generator sink-postgres sink-prometheus pgwatch-postgres pgwatch-prometheus grafana flask-backend postgres-reports 
     fi
 
     log_success "Services started!"