
Merge "[services-ng] provide configurable password to postgresql service"
2 parents 0d0c5e9 + 0bb7451 commit b3fb125825825d2513345c9f7ffeae1bf9139851 @mflu mflu committed with Gerrit Code Review Jan 30, 2013
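--- a/jobs/postgresql_node_ng/templates/postgresql_backup.yml.erb
+++ b/jobs/postgresql_node_ng/templates/postgresql_backup.yml.erb
@@ -32,6 +32,7 @@ postgresql:
 '<%= version %>':
 host: 127.0.0.1
 user: vcap
+pass: <%= node.password %>
 port: <%= config['port'] %>
 database: postgres
 dump_bin: <%= "#{config['binary_dir']}/bin/pg_dump" %>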
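Review bot: `pass: <%= node.password %>` writes the password into the YAML unquoted, so a value containing `#`, a colon followed by a space, a leading `*`, `&` or `!`, or one that YAML types as a number or boolean (all digits, `yes`, `null`) is cut short, mis-typed or fails to parse when the backup job reads this file. Emitting it as a YAML single-quoted scalar with any embedded quote doubled is exact for every value: `pass: '<%= node.password.to_s.gsub("'", "''") %>'`. The same unquoted line is added in postgresql_node.yml.erb and postgresql_worker.yml.erb and needs the same treatment.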
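--- a/jobs/postgresql_node_ng/templates/postgresql_ctl.erb
+++ b/jobs/postgresql_node_ng/templates/postgresql_ctl.erb
@@ -4,6 +4,7 @@ service = "postgresql"
 plan_enabled = properties.service_plans && properties.service_plans.send(service.to_sym)
 plan = properties.plan || "free"
 plan_conf = plan_enabled && properties.service_plans.send(service.to_sym).send(plan.to_sym).configuration
+abort unless properties.postgresql_node.password
 %>
 version=$1
 shift
@@ -66,10 +67,18 @@ case "$1" in
 echo "ERROR: Unable to initialize PostgreSQL DB"
 exit 1
 fi
-
-echo "host all all 0.0.0.0/0 md5" >> $DATA_DIR/pg_hba.conf
 fi
+# update the hba file in data directory
+# By default, all access should provide password
+# Only vcap (sys-user) in the same VM could login as vcap (pg super user) without password
+pg_hba_conf_file=$DATA_DIR/pg_hba.conf
+sed -i /host[[:space:]]*all[[:space:]]*/d $pg_hba_conf_file
+echo "host all vcap 127.0.0.1/32 md5" >> $pg_hba_conf_file
+echo "host all vcap ::1/128 md5" >> $pg_hba_conf_file
+echo "host all vcap 0.0.0.0/0 reject" >> $pg_hba_conf_file
+echo "host all all 0.0.0.0/0 md5" >> $pg_hba_conf_file
+
 # update the config file in data directory
 rsync -arl $SRC_CONF_FILE $DATA_DIR/postgresql.conf
@@ -84,6 +93,16 @@ case "$1" in
 su - vcap -c "LD_LIBRARY_PATH=$PACKAGE_DIR/lib:$LD_LIBRARY_PATH $PACKAGE_DIR/bin/pg_ctl -w start -D $DATA_DIR -l \"$LOG_DIR/startup.log\""
 if [ $? == 0 ]; then
+echo "PostgreSQL start to set password."
+# This script is excuted by vcap which is the sys-user of postgres, so it could login without password
+su - vcap -c "LD_LIBRARY_PATH=$PACKAGE_DIR/lib:$LD_LIBRARY_PATH $PACKAGE_DIR/bin/psql -U vcap -p $PORT -d postgres -c \"alter role vcap password '<%= properties.postgresql_node.password %>'\""
+if [ $? == 0 ]; then
+echo "PostgreSQL set password successfully."
+else
+echo "PostgreSQL failed to set password."
+$0 stop
+exit 1
+fi
 echo "PostgreSQL $version started successfully"
 master_pid=`head -n 1 $DATA_DIR/postmaster.pid`
 echo $master_pid > $PIDFILE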
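Review bot: In the third hunk the rendered password is embedded in the `-c` string handed to `su`, so it sits in the argv of `su`, the login shell and `psql` (readable through `ps` by any local user) and passes through two layers of shell quoting, where a password containing `'`, `"`, `$` or a backtick breaks the command or changes the SQL that runs. Feeding the statement to psql on stdin with `-f -` keeps it out of every argv, doubling `'` keeps the SQL literal intact, and `-v ON_ERROR_STOP=1` is needed so the following `$?` check still sees a failed ALTER (with `-f`, psql otherwise exits 0 on SQL errors); I believe `su -c` passes stdin through to the command, but confirm on the stemcell. The password still lives in the rendered script on disk, so that file's mode matters; that is outside this hunk. The same construction appears in the third hunk of warden_service_ctl. The enclosing `case "$1" in` starts and ends outside the hunk.
```shell
if [ $? == 0 ]; then
  echo "PostgreSQL start to set password."
  # Statement goes in on stdin so the password is in no process's argv;
  # '' doubling keeps a quote in the password inside the SQL literal.
  su - vcap -c "LD_LIBRARY_PATH=$PACKAGE_DIR/lib:$LD_LIBRARY_PATH $PACKAGE_DIR/bin/psql -U vcap -p $PORT -d postgres -v ON_ERROR_STOP=1 -f -" <<'SQL'
ALTER ROLE vcap PASSWORD '<%= properties.postgresql_node.password.to_s.gsub("'", "''") %>';
SQL
  if [ $? == 0 ]; then
  # … unchanged: success message, failure branch with `$0 stop`, started message …
```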
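--- a/jobs/postgresql_node_ng/templates/postgresql_node.yml.erb
+++ b/jobs/postgresql_node_ng/templates/postgresql_node.yml.erb
@@ -58,6 +58,7 @@ postgresql:
 '<%= version %>':
 host: 127.0.0.1
 user: vcap
+pass: <%= node.password %>
 port: <%= config['port'] %>
 database: postgres
 dump_bin: <%= "#{config['binary_dir']}/bin/pg_dump" %>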
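--- a/jobs/postgresql_node_ng/templates/postgresql_worker.yml.erb
+++ b/jobs/postgresql_node_ng/templates/postgresql_worker.yml.erb
@@ -54,6 +54,7 @@ postgresql:
 '<%= version %>':
 host: 127.0.0.1
 user: vcap
+pass: <%= node.password %>
 port: <%= config['port'] %>
 database: postgres
 dump_bin: <%= "#{config['binary_dir']}/pg_dump" %>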
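--- a/jobs/postgresql_node_ng/templates/warden_service_ctl
+++ b/jobs/postgresql_node_ng/templates/warden_service_ctl
@@ -20,6 +20,13 @@ case $OP in
 start)
 BIN_DIR=$5
 PORT=$6
+PASSWD=$7
+HOST_IP=$8
+
+if [ -z "$PASSWD" ]; then
+echo "ERROR: require password"
+exit 1
+fi
 echo `date` >> $LOG_DIR/postgresql_ctl.log
@@ -38,14 +45,26 @@ case $OP in
 fi
 rsync -arl $BIN_DIR/initdb/pg_hba.conf $BASE_DIR/pg_hba.conf
-rsync -arl $BIN_DIR/initdb/postgresql.conf $BASE_DIR/postgresql.conf
+rsync -arl $BIN_DIR/initdb/postgresql.conf $BASE_DIR/postgresql.conf
 chown -R vcap:vcap $BASE_DIR
 chmod -R 700 $BASE_DIR
+# update the hba file
+# By default, all access should provide password
+# vcap (sys-user) in the container could login as vcap (pg super user) without password
+# Login as vcap (pg super user)
+# Password should be provided
+# Source IP should be in the same VM (outside the container)
+# If source IP outside the VM, should be rejected.
+sed -i /host[[:space:]]*all[[:space:]]*/d $BASE_DIR/pg_hba.conf
 # host server could connect the container without password
-host_ip=`ip route | grep "^default" | cut -d' ' -f3`
-echo "host all all $host_ip/32 trust" >> $BASE_DIR/pg_hba.conf
+GW_IP=`ip route | grep "^default" | cut -d' ' -f3`
+echo "host all vcap $GW_IP/32 md5" >> $BASE_DIR/pg_hba.conf
+echo "host all vcap $HOST_IP/32 md5" >> $BASE_DIR/pg_hba.conf
+echo "host all vcap 127.0.0.1/32 md5" >> $BASE_DIR/pg_hba.conf
+echo "host all vcap ::1/128 md5" >> $BASE_DIR/pg_hba.conf
+echo "host all vcap 0.0.0.0/0 reject" >> $BASE_DIR/pg_hba.conf
 echo "host all all 0.0.0.0/0 md5" >> $BASE_DIR/pg_hba.conf
 # since postgresql service is alive
@@ -60,6 +79,17 @@ case $OP in
 LD_LIBRARY_PATH=$BIN_DIR/lib:$LD_LIBRARY_PATH $BIN_DIR/bin/pg_ctl -w start -D $BASE_DIR -l "$LOG_DIR/startup.log"
 if [ $? == 0 ]; then
+echo "PostgreSQL start to set password."
+# This script is excuted by vcap which is the sys-user of postgres, so it could login without password.
+# Other users or outside the container(even using vcap), you should also provide password to login
+${BIN_DIR}/bin/psql -U vcap -p $PORT -d postgres -c "alter role vcap password '$PASSWD'"
+if [ $? == 0 ]; then
+echo "PostgreSQL set password successfully."
+else
+echo "PostgreSQL failed to set password."
+$0 stop
+exit 1
+fi
 echo "PostgreSQL `cat $BASE_DIR/PG_VERSION` started successfully" >> $LOG_DIR/postgresql_ctl.log
 head -1 $BASE_DIR/postmaster.pid > $PIDFILE
 if [ $FIRST_TIME -eq 1 ]; then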
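Review bot: `HOST_IP=$8` in the first hunk is never validated, while `PASSWD` right next to it is, and the second hunk writes it straight into pg_hba.conf as `host all vcap $HOST_IP/32 md5`, so a missing eighth argument leaves a `/32`-only line that PostgreSQL will presumably refuse when it loads the file; the guard should read `if [ -z "$PASSWD" ] || [ -z "$HOST_IP" ]; then` with `echo "ERROR: require password and host ip"`. The kept comment `# host server could connect the container without password` above the new rules is now wrong, since the `trust` line it described was replaced by `md5` entries; change it to `# host VM (default gateway and $HOST_IP) may log in as vcap with a password`. `GW_IP` has the same empty-value problem whenever `ip route` shows no default route, which predates this change. Because the password arrives as `$7`, it is also in this script's own argv for as long as it runs; the caller is not on this page. The enclosing `case $OP in` starts and ends outside the hunks.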
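--- a/src/services
+++ b/src/services
@@ -1 +1 @@
-Subproject commit 240d0570b5b64bc6e061515c2057d3c0a2a8ea0c
+Subproject commit 65c483c1d8087e83ae28cfed5adf4d7997a93860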
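--- a/src/services_warden
+++ b/src/services_warden
@@ -1 +1 @@
-Subproject commit de745a1be6d6f5c5d99d8b61ddbf8937174ff49d
+Subproject commit 2113fe7098de5a52cda1d1940786f6df962f1134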
