Startup scripts silently fail if DB password include a '$'

[ljfranklin]

If you include a password containing a '$' under databases.roles, the postgres job will report as running but the DB won't have a password set. In /var/vcap/sys/log/postgres/postgres_ctl.err.log I see:

[2017-08-18 20:46:02+0000] + echo 'Setting password for role cloud_controller...'
[2017-08-18 20:46:02+0000] /var/vcap/jobs/postgres/bin/postgres_start.sh: line 81: $6: unbound variable

My cloud_controller DB password does have a '...$6...' in the middle. Looks like this line is not doing any escaping so special characters get expanded. On CAPI we usually use Ruby's Shellwords.shellescape in our ERB templates around passwords.

Also a big +1 on this comment around failing the job if setting the roles fails:

postgres-release/jobs/postgres/templates/postgres_ctl.erb

Lines 31 to 37 in 865224b

	# TODO: This script is responsible for both
	# starting PostgreSQL and running some queries
	# (create DBs, roles, applying grants). One problem
	# that needs to be addressed in the future is that
	# if some queries fail job is still considered running.
	# Later we'll change it to use a more involved approach
	# (i.e. script that brings DB to sync)

. Would have been much easier to debug if the postgres job failing immediately rather than silently erroring.

[cf-gitbot]

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/150374169

The labels on this github issue will be updated when the story is started.

[valeriap]

@ljfranklin
Thanks for reporting this issue. We have opened a separate story to have the postgres job to fail when a query fails.
For the empty password issue, we have fixed it as suggested and you will find the fix in the next release.

[valeriap]

The empty password issue has been fixed in v21.