Command line flag to set the sslmode for PostgreSQL (Closes: #326) #353

Merged
merged 1 commit into from
Dec 8, 2021


ddinu
Contributor

@ddinu ddinu commented Apr 4, 2020

The flag name and its values match libpq's sslmode connection parameter.
The default value (prefer) will first try an SSL connection; if that fails, it will try a non-SSL connection.

Libpq documentation: https://www.postgresql.org/docs/14/libpq-connect.html#LIBPQ-CONNECT-SSLMODE

@ottok

ottok commented Nov 3, 2021

This PR has been without a review for over a year, let's try to get it some reviews now.

If the git commit subject line was

Command line flag to set the sslmode for PostgreSQL (Closes: #326)

then the issue in question would be auto-closed when this is merged on master.

In general it is also good practice to write a git commit message body. In this case it would have explained that the implementation and naming follows the existing mysql-ssl added in e5c8052, or at least almost.

This PR should also add/update tests, at least the file https://github.com/akopytov/sysbench/blob/master/tests/t/help_drv_pgsql.t

When you @ddinu update this, please also rebase on latest master. Thanks!

@ddinu ddinu changed the title Command line flag to set the sslmode for PostgreSQL Command line flag to set the sslmode for PostgreSQL (Closes: #326) Nov 19, 2021
@ddinu
Contributor Author

ddinu commented Nov 19, 2021

Hi @ottok, I have updated the commit and PR with your suggestions, I hope the changes are ok. Thank you for your feedback!

…#326)

The flag name and its values match libpq's sslmode connection parameter.
The default value (prefer) will first try an SSL connection; if that
fails, it will try a non-SSL connection.

Libpq documentation: https://www.postgresql.org/docs/14/libpq-connect.html#LIBPQ-CONNECT-SSLMODE
@christianricci

christianricci commented Nov 24, 2021

Hi @ddinu @ottok and @akopytov, please find the testing evidence of this change below. Step-by-step shown to facilitate the repro of the test if required.

Testing

1- install docker containers

sudo docker run -d -p 5432:5432 --name rds_postgres -e POSTGRES_PASSWORD=Admin123! postgres
sudo docker run --name ec2_al2 -t -i amazonlinux /bin/bash

2- setup postgres server to run in ssl mode
Refer to https://www.postgresql.org/docs/14/ssl-tcp.html

docker exec -ti rds_postgres bash

run in container

apt update 
apt install -y vim
cd /var/lib/postgresql/data
openssl req -new -x509 -days 365 -nodes -text -out server.crt \
  -keyout server.key -subj "/CN=dbhost.yourdomain.com"
chmod og-rwx server.key
openssl req -new -nodes -text -out root.csr \
  -keyout root.key -subj "/CN=root.yourdomain.com"
chmod og-rwx root.key
openssl x509 -req -in root.csr -text -days 3650 \
  -extfile /etc/ssl/openssl.cnf -extensions v3_ca \
  -signkey root.key -out root.crt
openssl req -new -nodes -text -out server.csr \
  -keyout server.key -subj "/CN=dbhost.yourdomain.com"
openssl x509 -req -in server.csr -text -days 365 \
  -CA root.crt -CAkey root.key -CAcreateserial \
  -out server.crt
chown postgres:postgres *.crt *.key
vim postgresql.conf
# change as follows:
ssl=on
ssl_cert_file = 'server.crt'
ssl_key_file = 'server.key'

restart container

docker stop rds_postgres
docker start rds_postgres

3- compile sysbench

docker exec -ti ec2_al2 bash

run in container

yum -y install make automake libtool pkgconfig libaio-devel
yum -y install mariadb-devel openssl-devel
yum -y install postgresql-devel
cd /root
git clone https://github.com/ddinu/sysbench.git
cd sysbench
git log -n 1
commit 1947e5387a65b606a086c4aee30198d0bf1c0738 (HEAD -> master, origin/master, origin/HEAD)
Author: Daniel Dinu <daniel@danieldinu.com>
Date:   Sat Apr 4 14:08:20 2020 -0700

    Command line flag to set the sslmode for PostgreSQL (Closes: #326)

    The flag name and its values match libpq's sslmode connection parameter.
    The default value (prefer) will first try an SSL connection; if that
    fails, it will try a non-SSL connection.

    Libpq documentation: https://www.postgresql.org/docs/14/libpq-connect.html#LIBPQ-CONNECT-SSLMODE
./autogen.sh
# Add --with-pgsql to build with PostgreSQL support
./configure --with-pgsql --with-postgresql --with-mysql
make -j
make install

4- run a test with sslmode=prefer (ssl enabled)
On first terminal

docker exec -ti ec2_al2 bash

run in container

psql -U postgres -h 240.10.0.1
create database test;
\q

run benchmark

cd /usr/local/bin
./sysbench /root/sysbench/src/lua/select_random_points.lua --db-driver=pgsql --pgsql-db=test --pgsql-host=240.10.0.1 --pgsql-port=5432 --pgsql-user=postgres --pgsql-password=Admin123! --pgsql-sslmode=prefer --report-interval=60 --table_size=450 --histogram=on --threads=3 --tables=5 --percentile=50 --warmup-time=60 prepare
./sysbench /root/sysbench/src/lua/select_random_points.lua --db-driver=pgsql --pgsql-db=test --pgsql-host=240.10.0.1 --pgsql-port=5432 --pgsql-user=postgres --pgsql-password=Admin123! --pgsql-sslmode=prefer --report-interval=60 --table_size=450 --histogram=on --threads=3 --tables=5 --percentile=50 --warmup-time=60 run

On a second Terminal while "sysbench run" is running confirm ssl is enabled since argument is "--pgsql-sslmode=prefer". To confirm this look at the query below and check column ssl with value "t" (true) indicating ssl is enabled.

docker exec -ti ec2_al2 bash

check database connection

psql -U postgres -h 240.10.0.1

postgres=# select version();select name,setting from pg_settings where name = 'ssl';select s.pid,s.ssl,s.version,a.usename,a.query from pg_stat_activity a, pg_stat_ssl s where a.pid=s.pid and s.pid!=pg_backend_pid();
                                                           version
-----------------------------------------------------------------------------------------------------------------------------
 PostgreSQL 14.1 (Debian 14.1-1.pgdg110+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 10.2.1-6) 10.2.1 20210110, 64-bit
(1 row)

 name | setting
------+---------
 ssl  | on
(1 row)

 pid | ssl | version | usename  |                             query
-----+-----+---------+----------+----------------------------------------------------------------
  99 | t   | TLSv1.2 | postgres |         SELECT id, k, c, pad                                  +
     |     |         |          |           FROM sbtest1                                        +
     |     |         |          |           WHERE k IN ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)+
     |     |         |          |
  98 | t   | TLSv1.2 | postgres |         SELECT id, k, c, pad                                  +
     |     |         |          |           FROM sbtest1                                        +
     |     |         |          |           WHERE k IN ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)+
     |     |         |          |
 100 | t   | TLSv1.2 | postgres |         SELECT id, k, c, pad                                  +
     |     |         |          |           FROM sbtest1                                        +
     |     |         |          |           WHERE k IN ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)+
     |     |         |          |
(3 rows)

5- run a test with sslmode=disable (ssl disabled)

On first terminal

docker exec -ti ec2_al2 bash

run a benchmark

psql -U postgres -h 240.10.0.1
create database test;
\q

cd /usr/local/bin
./sysbench /root/sysbench/src/lua/select_random_points.lua --db-driver=pgsql --pgsql-db=test --pgsql-host=240.10.0.1 --pgsql-port=5432 --pgsql-user=postgres --pgsql-password=Admin123! --pgsql-sslmode=disable --report-interval=60 --table_size=450 --histogram=on --threads=3 --tables=5 --percentile=50 --warmup-time=60 prepare

./sysbench /root/sysbench/src/lua/select_random_points.lua --db-driver=pgsql --pgsql-db=test --pgsql-host=240.10.0.1 --pgsql-port=5432 --pgsql-user=postgres --pgsql-password=Admin123! --pgsql-sslmode=disable --report-interval=60 --table_size=450 --histogram=on --threads=3 --tables=5 --percentile=50 --warmup-time=60 run

On a second Terminal while "sysbench run" is running confirm ssl is disabled since argument is "--pgsql-sslmode=disable". To confirm this look at the query below and check column ssl with value "f" (false) indicating ssl is disabled.

docker exec -ti ec2_al2 bash

check database connection

psql -U postgres -h 240.10.0.1

postgres=# select version();select name,setting from pg_settings where name = 'ssl';select s.pid,s.ssl,s.version,a.usename,a.query from pg_stat_activity a, pg_stat_ssl s where a.pid=s.pid and s.pid!=pg_backend_pid();
                                                           version
-----------------------------------------------------------------------------------------------------------------------------
 PostgreSQL 14.1 (Debian 14.1-1.pgdg110+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 10.2.1-6) 10.2.1 20210110, 64-bit
(1 row)

 name | setting
------+---------
 ssl  | on
(1 row)

 pid | ssl | version | usename  |                             query
-----+-----+---------+----------+----------------------------------------------------------------
 115 | f   |         | postgres |         SELECT id, k, c, pad                                  +
     |     |         |          |           FROM sbtest1                                        +
     |     |         |          |           WHERE k IN ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)+
     |     |         |          |
 116 | f   |         | postgres |         SELECT id, k, c, pad                                  +
     |     |         |          |           FROM sbtest1                                        +
     |     |         |          |           WHERE k IN ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)+
     |     |         |          |
 117 | f   |         | postgres |         SELECT id, k, c, pad                                  +
     |     |         |          |           FROM sbtest1                                        +
     |     |         |          |           WHERE k IN ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)+
     |     |         |          |
(3 rows)
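
The manual check in steps 4 and 5 above (reading the ssl column of pg_stat_ssl while the benchmark runs) can be turned into a pass/fail gate, which matters with the default sslmode=prefer because the fallback to a non-SSL connection is silent. This is an added example, not part of the PR or of sysbench; the function names, the constructed sample rows and the trimmed query (no a.query column, psql -At -F'|' output) are assumptions.

```shell
#!/bin/sh
# Added example (not sysbench or PR code). Input rows: "pid|ssl|version|usename",
# one session per line, e.g. from the page's query minus the a.query column:
#   psql -U postgres -h <host> -At -F'|' -c "select s.pid,s.ssl,s.version,a.usename
#     from pg_stat_activity a, pg_stat_ssl s
#     where a.pid=s.pid and s.pid!=pg_backend_pid()"

# check_ssl_sessions [MIN_TLS]   (rows on stdin, MIN_TLS defaults to TLSv1.2)
# Prints one line per offending session. Exit status:
#   0 = every session encrypted with at least MIN_TLS
#   1 = at least one plaintext or below-minimum session
#   2 = no sessions seen (an empty sample is not a pass)
check_ssl_sessions() {
  awk -F'|' -v min="${1:-TLSv1.2}" '
    function rank(v) { sub(/^TLSv/, "", v); return v + 0 }  # "TLSv1.2" -> 1.2
    NF < 4 { next }                                           # skip blank lines
    { total++ }
    $2 != "t" { printf "PLAINTEXT pid=%s user=%s\n", $1, $4; bad++; next }
    rank($3) < rank(min) { printf "WEAK_TLS pid=%s version=%s\n", $1, $3; bad++ }
    END {
      if (total == 0) { print "NO_SESSIONS"; exit 2 }
      exit (bad > 0)
    }'
}

# Constructed sample rows modelled on the two test runs above.
sample_prefer() {
  printf '%s\n' '99|t|TLSv1.2|postgres' '98|t|TLSv1.2|postgres' '100|t|TLSv1.2|postgres'
}
sample_disable() {
  printf '%s\n' '115|f||postgres' '116|f||postgres' '117|f||postgres'
}

sample_prefer  | check_ssl_sessions TLSv1.2 && echo "prefer run: all sessions encrypted"
sample_disable | check_ssl_sessions TLSv1.2 || echo "disable run: gate failed as expected"
```

Run it against the server while "sysbench run" is active; a client left on prefer that ends up unencrypted shows up as PLAINTEXT rows rather than as a client-side error.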

@christianricci

christianricci commented Nov 24, 2021

testing-evidence.txt


@christianricci christianricci left a comment


This change has been tested locally using docker. It does work when pgsql-sslmode is set to prefer or disable, see my comments in the Conversation #353 (comment).

Approved.

@ottok

ottok commented Nov 25, 2021

@akopytov This seems complete, tested and reviewed to me. Could you Alexey please merge it? Thanks :)

@akopytov akopytov merged commit df89d34 into akopytov:master Dec 8, 2021
@akopytov
Owner

akopytov commented Dec 8, 2021

Merged. My apologies for a very slow response. Thank you for the contribution!
