Environment Variables for Advanced Setup - 10.3.x (EN)

Introduction

Last modified: May 12, 2025

This guide describes advanced configuration methods for QueryPie. It distinguishes between two types of configuration:

  1. Cases that can be configured by modifying only compose-env

  2. Cases that require you to modify the docker-compose.yml file as well

Modifications to the compose-env file

Depending on your situation, you need to modify the compose-env file as shown below.

Common Features

| Environment Variable Name | Default Value | Description |
| --- | --- | --- |
| ENABLE_FILE_LOGGING | true | Whether to write logs to the component-specific log file in /var/log/querypie |
| API_JVM_HEAPSIZE | 2g | Heap memory setting for QueryPie API components |

Redis settings

| Environment Variable Name | Default Value | Description |
| --- | --- | --- |
| REDIS_DB | 0 | Redis database number, one of 0 through 15. The default value is 0. |
| REDIS_USE_SSL | false | Set to true if QueryPie Redis requires a TLS connection. QueryPie supports two types of TLS connections: TLS-Only and mTLS. For more information, see the following documentation: QueryPie Redis with TLS Certificate (KO) |
| REDIS_USERNAME | | Set if Redis requires a username. |
| REDIS_SERVER_CERT_FILE | | Specifies the path to the Root CA file used to set up the TLS certificate for the Redis server. This value is required if you are enforcing a TLS connection. |
| REDIS_CLIENT_CERT_FILE | | Specifies the path to the Client Certificate file. If you are only enforcing TLS encryption and not mTLS authentication, leave this value empty. |
| REDIS_CLIENT_KEY_FILE | | Specifies the path to the private key file for the client certificate. |
| REDIS_CLIENT_KEY_PASSWORD | | Set this value if a password is required to open the Client Certificate file. |

 

Proxy settings

| Environment Variable Name | Default Value | Description |
| --- | --- | --- |
| PROXY_PORT_START | 40000 | First port of the range used for DAC Agentless (inclusive) |
| PROXY_PORT_END | 40030 | Last port of the range used for DAC Agentless (inclusive) |

 

MySQL Connection Settings

| Environment Variable Name | Default Value | Description |
| --- | --- | --- |
| LOG_DB_HOST | ${DB_HOST} | DB host address to use as Log DB |
| LOG_DB_PORT | ${DB_PORT} | DB host port to use as Log DB |
| LOG_DB_USERNAME | ${DB_USERNAME} | DB username to use as Log DB |
| LOG_DB_PASSWORD | ${DB_PASSWORD} | Password of the DB to be used as Log DB |
| LOG_DB_MAX_CONNECTION_SIZE | ${DB_MAX_CONNECTION_SIZE:-20} | Maximum number of connections used for the Log DB connection |
| ENG_DB_HOST | ${DB_HOST} | DB host address to use as Snapshot DB |
| ENG_DB_PORT | ${DB_PORT} | DB host port to use as Snapshot DB |
| ENG_DB_USERNAME | ${DB_USERNAME} | DB username to use as Snapshot DB |
| ENG_DB_PASSWORD | ${DB_PASSWORD} | Password of the DB to be used as Snapshot DB |

Setting up MySQL connection for QueryPie Tools

If you want to run the QueryPie Server Container and QueryPie Tools under different DB accounts, use these environment variables.

When running QueryPie Server Container, only Data Manipulation Language (SELECT, INSERT, UPDATE, DELETE) permissions can be granted. When running QueryPie Tools, you can temporarily grant limited Data Definition Language (CREATE, ALTER, DROP, TRUNCATE) permissions.

See: [Tools] Required Privileges for the DB Admin Account (DB Admin 계정의 필수 권한)

| Environment Variable Name | Default Value | Description |
| --- | --- | --- |
| DB_TOOLS_USERNAME | ${DB_USERNAME} | Meta DB account username with DDL authorization |
| DB_TOOLS_PASSWORD | ${DB_PASSWORD} | Meta DB account password with DDL privileges |
| LOG_DB_TOOLS_USERNAME | ${DB_USERNAME} | Log DB account username with DDL authorization |
| LOG_DB_TOOLS_PASSWORD | ${DB_PASSWORD} | Log DB account password with DDL authorization |
| ENG_DB_TOOLS_USERNAME | ${DB_USERNAME} | Snapshot DB account username with DDL authorization |
| ENG_DB_TOOLS_PASSWORD | ${DB_PASSWORD} | Snapshot DB account password with DDL authorization |

Setting up a connection for Oven Storage

To utilize the Oven component to effectively store and handle audit logs, you must apply the following settings.

For more information about utilizing the Oven component, please contact your technical support representative.

| Environment Variable Name | Default Value | Description |
| --- | --- | --- |
| STORAGE_DB_HOST | ${ENG_DB_HOST} | OVEN Storage |
| STORAGE_DB_PORT | ${ENG_DB_PORT} | OVEN Storage |
| STORAGE_DB_CATALOG | ${ENG_DB_CATALOG} | OVEN Storage |
| STORAGE_DB_USER | ${ENG_DB_USERNAME} | OVEN Storage |
| STORAGE_DB_PASSWORD | ${ENG_DB_PASSWORD} | OVEN Storage |
| STORAGE_DB_MAX_CONNECTION_SIZE | ${DB_MAX_CONNECTION_SIZE} | OVEN Storage |
| STORAGE_S3_ENABLED | false | Whether to use S3 for OVEN storage |
| STORAGE_S3_MODE | aws | OVEN Storage S3 mode |
| STORAGE_S3_ENDPOINT | | MinIO endpoint |
| STORAGE_S3_BUCKET | | S3 bucket name |
| STORAGE_S3_REGION | | S3 region |
| STORAGE_S3_CREDENTIAL_TYPE | | S3 credential type |
| STORAGE_S3_CREDENTIAL_ACCESS_KEY_ID | | S3 access key ID |
| STORAGE_S3_CREDENTIAL_SECRET_ACCESS_KEY | | S3 secret access key |
| STORAGE_S3_CREDENTIAL_SESSION_TOKEN | | S3 session token |

Settings for changing QueryPie features

If you want to change how QueryPie features work to match your specific security policies and requirements, you can set the following environment variables.

| Environment Variable Name | Default Value | Description |
| --- | --- | --- |
| FF_DISABLE_DAC_PROXY_COMMENT | false | Option to remove comments like /* ApplicationName=QueryPie Proxy */ that are attached when running QueryPie |
| FF_DISABLE_DAC_INDIRECT_POLICY | false | Allows columns with a masking policy to be used in a WHERE condition |

 

JDBC Driver for AWS Aurora DB Clusters

QueryPie lets you change the JDBC Driver that it uses to connect to Meta DB, Snapshot DB, and Log DB. This allows you to use the automatic fail-over feature when using AWS Aurora DB Clusters.

If you are using AWS Aurora DB Clusters, add the following to your compose-env.

### JDBC Driver for AWS Aurora DB Clusters
## The default value is org.mariadb.jdbc.Driver.
## For AWS Aurora DB clusters, QueryPie supports automatic fail-over
## when the driver is set to software.amazon.jdbc.Driver.
DB_DRIVER_CLASS=software.amazon.jdbc.Driver
ENG_DB_DRIVER_CLASS=software.amazon.jdbc.Driver
LOG_DB_DRIVER_CLASS=software.amazon.jdbc.Driver

 

Installation Guide for Using DAC HTTPS Proxy (Target DB: Athena, Trino)

For the HTTP Proxy for Athena and Trino, you can apply a valid public TLS certificate. (With the enhancements in QueryPie 10.2.8 or later, proceed with the setup without changing the docker-compose.yml file.)

As a first step, place the certificate file inside the ./certs/ directory. If the certificate file you received is named localhost_querypie_com.pfx, save it at ./certs/localhost_querypie_com.pfx.

As a second step, add the PROXY_HTTPS_CERT_PATH entry to compose-env, with a value of /app/certs/ followed by the filename. The ./certs/ path on the Docker Host will be volume mounted to the /app/certs/ path inside the Container.

Finally, restart the QueryPie Container.

| Environment Variable Name | Default Value | Description |
| --- | --- | --- |
| PROXY_HTTPS_HOSTNAME | | The hostname of the DB Connection provided by the User Agent. Use localhost.querypie.com unless there is a special reason. |
| PROXY_HTTPS_CERT_PATH | | Use /app/certs/localhost_querypie_com.pfx unless there is a special reason. |
| PROXY_HTTPS_CERT_PASSWORD | | Enter the decryption passkey for the certificate file. Use the shared secret key from QueryPie. |

Setup guide for offering HTTPS services

Refer to the following documents.

Modifications to the docker-compose.yml file

Modify the docker-compose.yml and compose-env files according to the scenarios described below.

Installation guide for using classifier

(Supported since 10.2.0)

Add a classifier container to your docker-compose.yml file as shown below.

You can set the following environment variables to tune the speed of AIDD (classifier).

| Environment Variable Name | Default Value | Description |
| --- | --- | --- |
| TORCH_NUM_THREAD | (Determined by auto-detection) | Number of CPU threads actually used by deep learning inside the classifier |
| CLASSIFIER_BATCH_SIZE | 20 | Number of data inputs passed to the deep learning model at a time inside the classifier |

Uncomment the commented-out #- CLASSIFIER_URL=${CLASSIFIER_URL:-http://classifier:8081} line in the querypie(app) container so that it looks like this:

 

Setting up for QueryPie MySQL requiring a TLS connection (see customer case: Kakao Enterprise)

When configuring QueryPie MySQL, if you use a MySQL Server that requires a TLS connection, you can apply the TLS certificate files through environment variable settings.

  • As a first step, place the certificate files for the MySQL server connection in the ./certs/ directory. We recommend saving each file with the following names:

    • Root CA: mysql_server.crt

    • Client Certificate: mysql_client.pfx (PKCS12 formatted certificate file)

  • Second, in the compose-env configuration file, set the following environment variables.

  • Third, in the docker-compose.yml file, add the new environment variables to the environment: section.

    • You will need to add them to both the services → app → environment section and the services → tools → environment section.

After completing the configuration, restart the QueryPie Server Container.

The path ./certs/ on the Docker Host is set to mount to /app/certs/ inside the Container. The file paths in the environment variables should be set based on the file path inside the Container.

| Environment Variable Name | Default Value | Description |
| --- | --- | --- |
| DB_DRIVER_CLASS | org.mariadb.jdbc.Driver | Possible values: org.mariadb.jdbc.Driver, software.amazon.jdbc.Driver |
| DB_SSL_MODE | | Possible values: DISABLED, TRUST, VERIFY_CA, VERIFY_FULL. DISABLED: Use an unencrypted connection. VERIFY_CA: Validate the Server's TLS certificate using the Root CA. |
| DB_SERVER_SSL_CERT | | Specifies the path to the Root CA file. This refers to the Root CA certificate file that you used to set up TLS for the MySQL server. It will have a path starting with file:/app/certs/. |
| DB_KEY_STORE | | Specifies the path to the Client Certificate file. The required file format is PKCS12. It will have a path that starts with file:/app/certs/. If a Client Certificate is not required, leave this value empty. |
| DB_KEY_STORE_PASSWORD | | If a password is required to decrypt the Client Certificate, enter it. If no password exists, leave this value blank. |

For detailed configuration instructions, including the procedure to create the Client Certificate file and changes to compose-env and docker-compose.yml, see the following documentation: Connecting to QueryPie MetaDB over SSL (QueryPie MetaDB SSL 로 연결하기)

When connecting Log DB and Snapshot DB to another DB Host, if you use SSL encryption, you can use the following environment variables.

  • DB_DRIVER_CLASS Related: ENG_DB_DRIVER_CLASS, LOG_DB_DRIVER_CLASS

  • DB_SSL_MODE Related: ENG_DB_SSL_MODE, LOG_DB_SSL_MODE
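The following added example (not QueryPie's own tooling) checks a compose-env file against the rules this page states for the Redis and MySQL TLS variables: the Root CA is required when Redis TLS is on, DB_SSL_MODE must be one of the listed values, DISABLED means no encryption, and certificate paths must start with file:/app/certs/. It assumes compose-env consists of plain KEY=VALUE lines with upper-case variable names; the sample input is constructed.

```python
import re

SSL_MODES = {"DISABLED", "TRUST", "VERIFY_CA", "VERIFY_FULL"}
CERT_PREFIX = "file:/app/certs/"  # container-side prefix stated on this page


def parse_env(text):
    """Parse KEY=VALUE lines of a compose-env file; comments and blanks are skipped."""
    env = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Za-z_][A-Za-z0-9_]*)=(.*)$", line)
        if m:
            env[m.group(1)] = m.group(2).strip().strip("'\"")
    return env


def lint_tls(env):
    """Return findings for the Redis and MySQL TLS variables described above."""
    findings = []
    if env.get("REDIS_USE_SSL", "false").lower() == "true":
        if not env.get("REDIS_SERVER_CERT_FILE"):
            findings.append("REDIS_SERVER_CERT_FILE is required when REDIS_USE_SSL=true")
    for prefix in ("", "ENG_", "LOG_"):  # Meta DB, Snapshot DB, Log DB
        name = prefix + "DB_SSL_MODE"
        mode = env.get(name, "")
        if mode and mode not in SSL_MODES:
            findings.append(f"{name}={mode} is not a documented value")
        elif mode == "DISABLED":
            findings.append(f"{name}=DISABLED uses an unencrypted connection")
    for name in ("DB_SERVER_SSL_CERT", "DB_KEY_STORE"):
        value = env.get(name, "")
        if value and not value.startswith(CERT_PREFIX):
            findings.append(f"{name} must start with {CERT_PREFIX}")
    return findings


# Constructed sample compose-env with deliberate mistakes (not a real deployment).
SAMPLE = """\
REDIS_USE_SSL=true
DB_SSL_MODE=VERIFY_CA
DB_SERVER_SSL_CERT=./certs/mysql_server.crt
DB_KEY_STORE=file:/app/certs/mysql_client.pfx
LOG_DB_SSL_MODE=DISABLED
ENG_DB_SSL_MODE=verify-ca
"""

if __name__ == "__main__":
    for finding in lint_tls(parse_env(SAMPLE)):
        print("FINDING:", finding)
```

Running such a check before restarting the containers catches a host-side path (./certs/...) used where the container-side path is expected.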

 

Installation guide for using NOVA

Starting with version 10.2.1, QueryPie includes the Network Outbound Virtual Access (NOVA) feature by default. By installing and running the Nova Client in a segmented network area where inbound access is blocked, you can configure a Reverse Proxy environment that can communicate with QueryPie Server. The Nova Client acts as a reverse proxy, allowing QueryPie Server to access databases and systems within the segmented network zone.

 

Install NOVA Server

Add the querypie(app) environment variables in docker-compose.yml as shown below.

 

Add the environment variables to compose-env.

| Environment Variable Name | Default Value | Description |
| --- | --- | --- |
| NOVAS_AGENT_PORT | 9022 | Endpoint TCP port of the NOVA server. |
| NOVAS_AGENT_TOKEN | | Access Token for the NOVA server and NOVA client to communicate. A random string that does not contain the , character. e.g. e1134c60-d28f-4773-ade8-5001b412f778 |

 

Install NOVA Client

You need to change the settings of the novac service in novac-compose.yml as shown below.

 

| Environment Variable Name | Default Value | Description |
| --- | --- | --- |
| NOVAC_SERVER | | NOVAS host server information. You can enter multiple NOVAS hosts, separated by commas. Example: novas-1.dev.querypie.com:9022,novas-2.dev.querypie.com:9022 |
| NOVAC_TOKEN | | This is the Access Token used to communicate with the NOVA server. Unlike NOVAS_AGENT_TOKEN of NOVAS, only one token can be entered. |
| NOVAC_NAME | | This is the host name of NOVAC to be passed to NOVAS. In an AWS environment, it is recommended to enter the name of the VPC where NOVAC is installed. |
| NOVAC_TAGS | | Tags of NOVAC to pass to NOVAS. NOVAC tags are applied to the target server to use the reverse tunnel. You can specify multiple tag key-values with ; as the separator. |

Below is a sample command to run a novac container.

 

 

Guide to health check API when enabling AWS NLB PPv2

If you want to preserve the origin IP in an inter-VPC communication environment utilizing VPC Endpoint, you can use AWS NLB PPv2.

If you enable NLB PPv2, the NLB sends its HTTP requests using PPv2 when it calls the health check API on the TargetGroup. (Reference - https://docs.aws.amazon.com/ko_kr/elasticloadbalancing/latest/network/edit-target-group-attributes.html#health-check-connections)

The existing /readyz health check API on port 80 does not support Proxy Protocol and fails the health check. Therefore, we provide an additional /readyz API on port 10080, which can be used as a health check API when PPv2 is enabled.

The health check API on port 10080 is not port bound by default in docker-compose.yml. Modify docker-compose.yml as shown below to enable port binding of port 10080.

Note that /readyz on port 10080 only supports Proxy Protocol.

If NLB does not use the Proxy Protocol, you must use the /readyz API on port 80 as the Health Check Endpoint.
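Why the two endpoints are not interchangeable, as an added example (not QueryPie's implementation): Proxy Protocol v2 puts a binary header in front of the HTTP bytes, so a plain HTTP listener sees no request line, while a PPv2-only listener rejects a request that lacks the header. The addresses, ports and helper names below are constructed for illustration.

```python
import socket
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"  # fixed 12-byte Proxy Protocol v2 signature


def build_pp2_tcp4(src_ip, src_port, dst_ip, dst_port):
    """Build a PPv2 header (PROXY command, TCP over IPv4) as a load balancer prepends it."""
    addrs = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
    addrs += struct.pack("!HH", src_port, dst_port)
    return PP2_SIGNATURE + struct.pack("!BBH", 0x21, 0x11, len(addrs)) + addrs


def split_pp2(data):
    """Return (client, payload); client is (ip, port) or None. ValueError if no PPv2 header."""
    if len(data) < 16 or data[:12] != PP2_SIGNATURE:
        raise ValueError("no Proxy Protocol v2 header")
    ver_cmd, family, length = struct.unpack("!BBH", data[12:16])
    if ver_cmd >> 4 != 2:
        raise ValueError("unsupported Proxy Protocol version")
    if len(data) < 16 + length:
        raise ValueError("truncated Proxy Protocol v2 header")
    body, payload = data[16:16 + length], data[16 + length:]
    client = None
    # Command 0x1 (PROXY) with family 0x11 (TCP/IPv4) carries the original client address.
    if ver_cmd & 0x0F == 0x1 and family == 0x11 and length >= 12:
        src_port = struct.unpack("!H", body[8:10])[0]
        client = (socket.inet_ntoa(body[:4]), src_port)
    return client, payload


def looks_like_http(data):
    """What a plain HTTP listener (no PPv2 support) checks first: a request line."""
    first_line = data.split(b"\r\n", 1)[0]
    return first_line.split(b" ")[0] in (b"GET", b"HEAD", b"POST")


# Constructed health-check bytes; the addresses are documentation/private ranges.
HTTP_REQ = b"GET /readyz HTTP/1.1\r\nHost: querypie\r\n\r\n"
WIRE = build_pp2_tcp4("198.51.100.7", 41000, "10.0.0.5", 10080) + HTTP_REQ

if __name__ == "__main__":
    print("plain HTTP listener accepts PPv2 stream:", looks_like_http(WIRE))
    client, payload = split_pp2(WIRE)
    print("PPv2-aware listener sees client", client, "and", payload.split(b"\r\n")[0])
```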