Quickstart: up and running in 5 minutes
Start angarabase-server, connect via psql, run basic DDL/DML, and verify
that data and catalog survive a restart.
Prerequisites
- Linux x86_64, glibc ≥ 2.28. The portable build checks this itself: on an
older glibc,
angarabase-serverexits fail-closed with an explicit compatibility message. - One of: the portable archive
x86_64-unknown-linux-gnu, or a source build (Rust toolchain — seerust-toolchain.toml). - A
psqlclient (or any PostgreSQL-compatible client).
Install
Portable archive
VER=0.6.8
mkdir -p /opt/angarabase
tar -xzf angarabase-$VER-x86_64-unknown-linux-gnu.tar.gz -C /opt/angarabase
/opt/angarabase/angarabase-$VER/bin/angarabase-server --version
Build from source
cargo build --release -p angarabase-server -p angara-cli
# binary: target/release/angarabase-server
Step 1. Config
AngaraBase does not start from “magic” defaults — the data path and listen
address are set explicitly. A minimal angarabase.conf:
[server]
addr = "127.0.0.1:5432"
[storage]
data_directory = "/var/lib/angarabase/data"
transaction_log_directory = "/var/lib/angarabase/txlog"
[logging]
log_level = "info"
The config path is passed via --config-path; without the flag, the server
looks for /etc/angarabase/angarabase.conf. If a config is found but contains
legacy keys, the server fails closed (exit 78) and lists them — there is no
silent fall-through to defaults.
Step 2. Initialize the instance
A one-time initialization creates the catalog, data/, and txlog/ at the
paths from the config. --init is a separate single-pass mode: the binary
initializes the instance and exits with code 0.
angarabase-server --config-path ./angarabase.conf --init \
--superuser angara_root \
--superuser-password-file ./superuser.pw \
--auth-mode scram --require-auth
--auth-mode scram— SCRAM-SHA-256 (the default;scramis an alias for the full namescram-sha-256).--require-auth— fail-closed: init refuses if no superuser password is provided for a non-trustmode.- Password:
--superuser-password-file <file>(recommended) or--superuser-password-env <VAR>. The inline form--superuser-password '...'exists too, but the password lands in your shell history.
Init prints instance_id, data_directory, txlog_directory. Re-running init
on an already-initialized directory is fail-closed (already initialized).
⚠️ Insecure modes — explicit only.
trust/no-auth(no authentication) is allowed only with an explicit--insecure-trust:--auth-mode trust --insecure-trust. Without that flag, init refuses. Use it only in isolated labs, never on a network.
Alternatively, without editing the config, override the instance root with
flags; data/ and txlog/ are then created under that directory:
angarabase-server --config-path ./angarabase.conf --init \
--init-root /var/lib/angarabase \
--superuser angara_root --superuser-password-file ./superuser.pw \
--auth-mode scram --require-auth
Step 3. Start the server
angarabase-server --config-path ./angarabase.conf
The server listens on 127.0.0.1:5432 (from the config). Binding to a
non-loopback address without TLS/auth is also fail-closed: it requires an
explicit --allow-insecure (or [security].allow_insecure = true). That flag
is for controlled environments, not production.
⚠️
--allow-insecure/--allow-insecure-no-auth/--devenable insecure presets (no TLS, no enforced auth). Use only in dev/test.
Step 4. Connect with psql
psql "host=127.0.0.1 port=5432 user=angara_root dbname=base password=<password> sslmode=disable"
base is the default logical database (schema public).
SecurityContext (scram / cert modes)
In scram/cert modes, protected SQL (RLS tables, tenant-scoped data) requires
a session context — otherwise the security policy has nothing to bind to. Set
the claim right after connecting:
SET SESSION CONTEXT 'app.tenant_id' = 'public';
-- equivalent short form:
SET app.tenant_id = 'public';
SET SESSION CONTEXT cannot be issued inside an open transaction (it returns an
error). The value is read via current_setting('app.tenant_id') — RLS policies
are built on it (see Authorization).
Smoke SQL
CREATE TABLE t (id INT PRIMARY KEY, v INT);
INSERT INTO t (id, v) VALUES (1, 10);
INSERT INTO t (id, v) VALUES (2, 20);
SELECT * FROM t ORDER BY id;
Restart check (DDL survives restart)
CREATE TABLE metadata (catalog) should survive a restart.
- Stop the server (
Ctrl+C). - Start it again:
angarabase-server --config-path ./angarabase.conf. - Verify the table is still there:
SELECT table_name FROM sys.tables WHERE table_name = 't';
Introspection via sys.*
SELECT * FROM sys.identity;
SELECT * FROM sys.health;
SELECT * FROM sys.settings WHERE name IN ('server.addr', 'storage.data_directory');
SELECT * FROM sys.tables;
SELECT * FROM sys.columns WHERE table_name = 't';
Optional: SQL shutdown (fail-closed)
By default, shutdown via SQL is disabled (knob ops.allow_sql_shutdown). Enable
it locally/for tests:
export ANGARABASE_ALLOW_SQL_SHUTDOWN=1
You can then request a shutdown from psql:
SELECT sys.request_shutdown();
The operation passes an RBAC check and is written to the audit log; a user without privileges is denied.
If something fails
- “Known issues”:
../reference/known-issues.md - Connecting clients (DBeaver, etc.):
../reference/client-compatibility.md - To report bugs, gather artifacts per
../reference/support.md.
What’s next
Once the server answers psql -h 127.0.0.1 and a basic SELECT succeeds, the
logical next steps:
- What is AngaraBase — a product overview: what the project is for, how it differs from vanilla PostgreSQL.
- SQL Compatibility Overview — what parts of the standard you can use right now.
- Configuration — how to run the server beyond defaults, tailored to your scenario.
- Security Model — before letting anyone else in but yourself.