migrate pgsql installation from rpm to container-based#62
migrate pgsql installation from rpm to container-based#62ehelms merged 1 commit intotheforeman:masterfrom
Conversation
|
idk what is wrong with image, it is failing everytime reading manifest in |
|
also i do not like doing this way, should i go with creating a separate role for postgresql and do the containerization work there? would it be good? any thoughts? |
This is an official Red Hat image locked behind subscriptions, only |
100% -- give it a role like all the other services |
archanaserver
force-pushed
the
pgsql-container
branch
4 times, most recently
from
ed4479f to
5b01376
Compare
archanaserver
force-pushed
the
pgsql-container
branch
2 times, most recently
from
b394a56 to
733a488
Compare
archanaserver
force-pushed
the
pgsql-container
branch
3 times, most recently
from
a9cf160 to
1699fff
Compare
archanaserver
force-pushed
the
pgsql-container
branch
from
1699fff to
be969a6
Compare
|
@ehelms how can we re run the workflow? edit: got it! |
|
With Candlepin, the thing to usually check is the
And the output I see is: |
| CREATE DATABASE {{ db.name }}; | ||
| ALTER DATABASE {{ db.name }} OWNER TO {{ db.owner }}; |
There was a problem hiding this comment.
Per https://www.postgresql.org/docs/current/sql-createdatabase.html you can set the owner on creation
| CREATE DATABASE {{ db.name }}; | |
| ALTER DATABASE {{ db.name }} OWNER TO {{ db.owner }}; | |
| CREATE DATABASE {{ db.name }} OWNER {{ db.owner }}; |
| {% for user in postgresql_users %} | ||
| psql -v ON_ERROR_STOP=1 --username "postgres" <<-EOSQL | ||
| CREATE USER {{ user.name }} WITH PASSWORD '{{ user.password }}'; | ||
| EOSQL | ||
| {% endfor %} |
There was a problem hiding this comment.
I was debating using createuser but reading the documentation I wonder how to properly deal with passing in the password.
Then my other thought was whether if it's better to create the users in a single query:
| {% for user in postgresql_users %} | |
| psql -v ON_ERROR_STOP=1 --username "postgres" <<-EOSQL | |
| CREATE USER {{ user.name }} WITH PASSWORD '{{ user.password }}'; | |
| EOSQL | |
| {% endfor %} | |
| psql -v ON_ERROR_STOP=1 --username "postgres" <<-EOSQL | |
| {% for user in postgresql_users %} | |
| CREATE USER {{ user.name }} WITH PASSWORD '{{ user.password }}'; | |
| {% endfor %} | |
| EOSQL |
And if you take that latter step to the extreme: should there just be a single script that creates the users and the databases.
| Network=host | ||
| Volume={{ postgresql_data_dir }}:/var/lib/pgsql/data:Z | ||
| Volume={{ playbook_dir }}/postgresql-init:/opt/app-root/src/postgresql-init:Z | ||
| Environment=POSTGRESQL_ADMIN_PASSWORD={{ postgresql_admin_password }} |
There was a problem hiding this comment.
These files will be world readable, meaning any user on the system can read the admin password. This should be supplied via a secret.
Having said that: why do we need an admin password? https://github.com/sclorg/postgresql-container/tree/master/13#postgresql-admin-account says you can still use local connections. Or is that insecure because we use the host network?
There was a problem hiding this comment.
These files will be world readable, meaning any user on the system can read the admin password. This should be supplied via a secret.
That's right! To address this i've moved the password storage to a dedicated secrets file and restrict file permission to 0600 so only container process can now access it. But I'm trying to do this with Podman secrets.
Having said that: why do we need an admin password? https://github.com/sclorg/postgresql-container/tree/master/13#postgresql-admin-account says you can still use local connections. Or is that insecure because we use the host network?
While the container allows local connections without a password here by default, but host networking exposes PostgreSQL to all network interfaces I believe(not just localhost). So without a password, anyone on the network could access the database with postgres privileges. And admin password is that is gonna adds a layer of security here, even if local connections are allowed. If we switch to a non-host network later, maybe the password isn't needed, but for now, it's safer.
There was a problem hiding this comment.
By using init you don't guarantee the password is correct. Perhaps not relevant now, but for the long term: do we need to provide a mechanism to rotate passwords?
Another thing I'm worried about: this will contain plain text passwords in the container. Will that be a security risk?
By the default the container already contains code to create a single user (POSTGRESQL_USER, POSTGRESQL_PASSWORD, POSTGRESQL_DATABASE) which could be provided via secrets. It makes me wonder what would be a good pattern. Should we have a PostgreSQL container for every database?
There was a problem hiding this comment.
By using
inityou don't guarantee the password is correct. Perhaps not relevant now, but for the long term: do we need to provide a mechanism to rotate passwords?
It only works for initial step for now and isn't idempotent. I suppose we can add separate tasks to manage users/passwords or maybe we have Ansible modules to handle this, not sure. For now, yes we need that.
https://docs.ansible.com/ansible/latest/collections/community/postgresql/postgresql_user_module.html
Another thing I'm worried about: this will contain plain text passwords in the container. Will that be a security risk?
After looking at it that's valid point. Here the init script run once during container initialization, but the file is in postgresql-init/ could expose secrets. So I restricted now dir permission to owner access but better would be do it with Podman secrets or file based, so that's another to-do.
By the default the container already contains code to create a single user (
POSTGRESQL_USER,POSTGRESQL_PASSWORD,POSTGRESQL_DATABASE) which could be provided via secrets. It makes me wonder what would be a good pattern. Should we have a PostgreSQL container for every database?
Can't think of much but If we want strict isolation then we should adopt multiple containers, each with its own secrets and we gonna definitely need a private podman network in that case. Or I guess starting with a single container would be good but with a private network so we can revisit it later for multi-container isolation?
archanaserver
force-pushed
the
pgsql-container
branch
3 times, most recently
from
74f315b to
910cb46
Compare
archanaserver
force-pushed
the
pgsql-container
branch
from
910cb46 to
086154c
Compare
archanaserver
force-pushed
the
pgsql-container
branch
4 times, most recently
from
ec9d4c4 to
7a63df8
Compare
roles/postgresql/tasks/main.yml
Outdated
| login_host: localhost | ||
| state: present | ||
| loop: "{{ postgresql_users }}" | ||
| when: postgresql_users | length > 0 |
There was a problem hiding this comment.
You can omit the when here, if the array is empty, the loop will not be executed :)
roles/postgresql/tasks/main.yml
Outdated
| login_host: localhost | ||
| state: present | ||
| loop: "{{ postgresql_databases }}" | ||
| when: postgresql_databases | length > 0 |
There was a problem hiding this comment.
You can omit the when here, if the array is empty, the loop will not be executed :)
roles/postgresql/tasks/main.yml
Outdated
| - name: Configure host based authentication | ||
| ansible.builtin.template: | ||
| src: pg_hba.conf.j2 | ||
| dest: "{{ postgresql_data_dir }}/pg_hba.conf" | ||
| mode: "0644" |
There was a problem hiding this comment.
If I am reading https://github.com/sclorg/postgresql-container/blob/master/13/root/usr/share/container-scripts/postgresql/common.sh#L228-L240 correctly, we don't need to configure hba in the container case, as the container is already configured as "everyone can connect"
archanaserver
force-pushed
the
pgsql-container
branch
from
7b237a8 to
f32f43e
Compare
tests/postgresql_test.py
Outdated
| def test_postgresql_hba_config(server): | ||
| result = server.run("podman exec postgresql cat /var/lib/pgsql/data/pg_hba.conf") | ||
| assert re.search(r"host\s+all\s+all\s+127\.0\.0\.1/32\s+md5", result.stdout) |
There was a problem hiding this comment.
You dropped the hba editing, so I think this test can be removed (and then the re import too)
archanaserver
force-pushed
the
pgsql-container
branch
from
f32f43e to
64d917a
Compare
roles/postgresql/tasks/main.yml
Outdated
| env: | ||
| POSTGRESQL_ADMIN_PASSWORD: "{{ postgresql_admin_password }}" |
There was a problem hiding this comment.
You created a secret for that above, so let's use it
| env: | |
| POSTGRESQL_ADMIN_PASSWORD: "{{ postgresql_admin_password }}" | |
| secrets: | |
| - 'postgresql_admin_password,target=POSTGRESQL_ADMIN_PASSWORD,type=env' |
archanaserver
force-pushed
the
pgsql-container
branch
from
64d917a to
35bd960
Compare
roles/postgresql/defaults/main.yml
Outdated
|
|
||
| postgresql_databases: [] | ||
| postgresql_users: [] | ||
| postgresql_hba_entries: [] |
There was a problem hiding this comment.
This can be removed now (and so can the setting of it in deploy.yaml)
archanaserver
force-pushed
the
pgsql-container
branch
2 times, most recently
from
11ca8fc to
ed5a8f5
Compare
archanaserver
force-pushed
the
pgsql-container
branch
from
ed5a8f5 to
0b163b0
Compare
|
Great to see this working! How much data do we want on how upgrades work (#66) before we merge this change? |
|
I would see those as separate problems (= no data required to merge this). It seems the container does support running pg_upgrade if it starts with existing data and
So we might be rather lucky here and be able to orchestrate updates in a very similar way we do on base rhel |
|
@archanaserver Do you know if this container setup satisfies #106 ? |
No it doesn't, currently container setup by default uses |
archanaserver
force-pushed
the
pgsql-container
branch
from
0b163b0 to
667bc2b
Compare
ehelms
left a comment
ehelms
left a comment
There was a problem hiding this comment.
The SCRAM update can be a follow up.
4 participants
This PR transitions the pgsql installation from an RPM-based installation to a containerized based.