Application Infrastructure Azure

CloudBeaver CE on Ubuntu 24.04 on Azure User Guide

| Product: CloudBeaver CE on Ubuntu 24.04 LTS on Azure

Overview

CloudBeaver CE (Community Edition) is a browser based database manager from the DBeaver team, a web edition of the popular DBeaver desktop client. From a single web console you connect to PostgreSQL, MySQL, MariaDB, SQLite and other engines, browse schemas and data with the database navigator, and write and run SQL with a full featured editor, with nothing to install on the client. The cloudimg image installs Docker CE from the official Docker repository and runs CloudBeaver CE 26.1.2 as a container (managed by Docker with a restart policy), bound to the loopback connector 127.0.0.1:8978 behind an nginx reverse proxy on port 80. nginx is configured with the WebSocket upgrade CloudBeaver uses for its session channel. CloudBeaver's workspace lives on a dedicated Azure data disk, and a unique admin password is generated on the first boot of every VM. Backed by 24/7 cloudimg support.

What is included:

  • CloudBeaver CE 26.1.2 running as a container managed by Docker
  • Docker CE preinstalled from the official Docker apt repository
  • The CloudBeaver web console on :80, fronted by nginx with the WebSocket upgrade proxied
  • A unique admin password generated on first boot and recorded in a root only file (username cbadmin)
  • A dedicated Azure data disk at /var/lib/cloudbeaver holding the workspace: users, saved connections and query history
  • docker.service + nginx.service as systemd units, enabled and active
  • An unauthenticated /healthz endpoint for Azure Load Balancer health probes
  • 24/7 cloudimg support

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet + subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a reasonable starting point; size up for heavier query workloads. NSG inbound: allow 22/tcp from your management network and 80/tcp. CloudBeaver serves plain HTTP on port 80; for production, terminate TLS in front of it with your own domain (see Maintenance), since the console can hold credentials for your databases.

Step 1 - Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for CloudBeaver by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22) and HTTP (80). Review the dedicated data disk on the Disks tab, then Review + create -> Create.

Step 2 - Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name cloudbeaver \
  --image <marketplace-image-urn> \
  --size Standard_B2s \
  --admin-username azureuser \
  --ssh-key-values ~/.ssh/id_ed25519.pub \
  --vnet-name <your-vnet> --subnet <your-subnet> \
  --public-ip-sku Standard

az vm open-port --resource-group <your-rg> --name cloudbeaver --port 80 --priority 1010

Step 3 - Connect to your VM

ssh azureuser@<vm-public-ip>

Step 4 - Confirm the services are running

systemctl is-active docker.service nginx.service

Both report active. Docker manages the CloudBeaver CE container (bound to the loopback connector 127.0.0.1:8978), and nginx fronts it on port 80 with the WebSocket upgrade the console requires. CloudBeaver's workspace lives on the dedicated Azure data disk mounted at /var/lib/cloudbeaver.

docker.service and nginx.service active, the CloudBeaver container running on the loopback connector 8978, and the dedicated data disk mounted at /var/lib/cloudbeaver

Step 5 - Retrieve your admin password

The CloudBeaver admin password is generated uniquely on the first boot of your VM and written to a root only file:

sudo cat /root/cloudbeaver-credentials.txt

This file contains CLOUDBEAVER_USERNAME (always cbadmin), CLOUDBEAVER_PASSWORD and the URL to open. Store the password somewhere safe.

The CloudBeaver version reported by the GraphQL endpoint and the per-VM credentials file with the generated admin password and URL

Step 6 - Confirm the health endpoint

nginx serves an unauthenticated health endpoint for load balancers and probes:

curl -s http://localhost/healthz

It returns ok. The main console at / returns HTTP 200, and the CloudBeaver GraphQL API answers at /api/gql. This /healthz endpoint never requires authentication, so it is safe for an Azure Load Balancer health probe.

The nginx health endpoint returning ok, the console returning HTTP 200, and the CloudBeaver GraphQL serverConfig query answering through nginx on port 80

Step 7 - Verify authentication from the command line

CloudBeaver's local authentication hashes the password in the browser before it is sent, so an API login sends the MD5 (uppercase) of your password. The command below reproduces that: it authenticates with the correct per-VM password and CloudBeaver returns authStatus: SUCCESS; a wrong password is rejected. Because the command embeds your unique password, run it interactively rather than from a script - substitute the value of CLOUDBEAVER_PASSWORD from Step 5 for <CLOUDBEAVER_PASSWORD>:

H=$(printf '%s' '<CLOUDBEAVER_PASSWORD>' | md5sum | awk '{print toupper($1)}')
curl -s -H 'Content-Type: application/json' --data "{\"query\":\"query(\$c:Object!){authLogin(provider:\\\"local\\\",credentials:\$c){authStatus}}\",\"variables\":{\"c\":{\"user\":\"cbadmin\",\"password\":\"$H\"}}}" http://127.0.0.1/api/gql

A correct password returns a JSON body with "authStatus":"SUCCESS". A wrong password returns an Invalid user credentials error.

The admin authentication round trip: the correct per-VM password returns authStatus SUCCESS with the cbadmin user token, and a wrong password is rejected as invalid credentials

Step 8 - Sign in to the console

Browse to http://<vm-public-ip>/. CloudBeaver shows a sign-in page; enter the username cbadmin and the password from Step 5.

The CloudBeaver CE sign-in page in the browser

Step 9 - Add a database connection

Once signed in, click New Connection in the navigator toolbar. CloudBeaver ships JDBC drivers for PostgreSQL, MySQL, MariaDB, Oracle, SQL Server, SQLite, ClickHouse and more. Choose your engine, then enter the host, port, database and credentials on the connection form.

The CloudBeaver New connection dialog listing the bundled database drivers: PostgreSQL, MySQL, MariaDB, Oracle, SQL Server and more

Step 10 - Browse the navigator

Your new connection appears in the left navigator. Expand it to browse databases, schemas, tables, views and columns, and double click any table to view its data in a grid.

The CloudBeaver database navigator with a PostgreSQL connection expanded, showing the databases, administer and system info nodes

Step 11 - Run SQL from the browser

Click Open SQL Editor to open a query editor bound to your connection. Type a statement and press Ctrl + Enter to execute; results appear in a sortable, filterable grid you can export to CSV.

The CloudBeaver SQL editor running a SELECT against a PostgreSQL table with the result grid showing the returned rows and the execution time

Step 12 - Confirm data lives on the dedicated disk

CloudBeaver's workspace - users, saved connections, query history and resource manager scripts - is stored under /var/lib/cloudbeaver on the dedicated Azure data disk (mounted into the container as /opt/cloudbeaver/workspace), so it survives OS changes and can be resized independently:

findmnt /var/lib/cloudbeaver

The mount is backed by a separate Azure data disk captured into the image and re-provisioned on every VM.

Maintenance

  • Password: the admin password is set on first boot. To change it, sign in and use the account menu in the console, or manage users from the Administration area.
  • Upgrades: CloudBeaver runs as the cloudbeaver container from the pinned dbeaver/cloudbeaver:26.1.2 image; to upgrade, pull a newer tag, remove the container and re-run it with the same -v /var/lib/cloudbeaver:/opt/cloudbeaver/workspace mount so your workspace is preserved.
  • Storage: all CloudBeaver state lives under /var/lib/cloudbeaver on the data disk; back up that volume to protect your users, connections and query history.
  • Anonymous access: the image disables anonymous access, so every user must sign in; add more users from the Administration area.
  • TLS: CloudBeaver serves plain HTTP on port 80; front it with TLS (e.g. certbot with your own domain) before production use, since the console can store credentials for your databases.
  • Security patches: unattended-upgrades remains enabled so the OS continues to receive security updates automatically.

Support

cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.