Manage postgresql_conf_path file permissions

[ekohl]

This adds a parameter (defaulting to true) to manage the postgresql_conf_path file resource. The actual content isn't managed because that's what postgresql::server::config_entry is for. However, managing the file ensures the correct permissions.

It also provides a workaround for PUP-10548 when using Red Hat SCL for packages when the correct SELinux file context isn't present. Without managing the file, an admin will need to either make sure the package is present before running Puppet, manage the file via another module or manually set the file context after Puppet ran. With this workaround, Puppet will converge on the second run and actually start PostgreSQL.

[puppet-community-rangefinder]

postgresql::globals is a class

Breaking changes to this file WILL impact these 20 modules (exact match):

• nicopaez-dockerserver
• jmkeyes-razor
• landcareresearch-pidservice
• nnutter-testdb
• landcareresearch-postgis
• chedi-django
• nicopaez-alfred
• nicopaez-triage
• lwo-dataverse
• tailoredautomation-patroni
• mukaibot-bamboo
• stackstorm-st2
• maestrodev-maestro
• it2ndq-barman
• deric-barman
• npwalker-pe_external_postgresql
• puppetlabs-puppetdb
• SchnWalter-happydev
• groupbuddies-gb
• conzar-pidservice

Breaking changes to this file MAY impact these 1 modules (near match):

• jmkeyes-netbox

postgresql::params is a class

Breaking changes to this file WILL impact these 1 modules (exact match):

• tailoredautomation-patroni

Breaking changes to this file MAY impact these 3 modules (near match):

• puppetfinland-trac
• maestrodev-continuum
• puppetfinland-bacula

postgresql::server is a class

Breaking changes to this file WILL impact these 36 modules (exact match):

• bltavares-baseline
• nicopaez-dockerserver
• jmkeyes-razor
• jjulien-trac
• dmexe-rails
• atmesh-deploy_railsapp
• landcareresearch-pidservice
• eschiller-trac
• driebit-zotonic
• nnutter-testdb
• katello-gutterball
• landcareresearch-postgis
• chedi-django
• nicopaez-alfred
• nicopaez-triage
• mjhas-mailserver
• lwo-dataverse
• urgi-galaxy_roles_profiles
• Ginja-puppet_stack
• hetzner-roundcube
• theforeman-pulpcore
• mukaibot-bamboo
• stackstorm-st2
• sensson-powerdns
• maestrodev-maestro
• npwalker-pe_external_postgresql
• zleslie-bacula
• puppetlabs-puppetdb
• SchnWalter-happydev
• groupbuddies-gb
• katello-candlepin
• theforeman-foreman
• blackknight36-bacula
• treydock-keycloak
• conzar-pidservice
• conzar-ckan

Breaking changes to this file MAY impact these 15 modules (near match):

• jmkeyes-netbox
• lboynton-gitlab
• Firebladee-moodle
• knowshan-phppgadmin
• fiddyspence-zabbix
• binford2k-drupal
• dmexe-deploy
• 4geeks-odoo
• aursu-puppet
• simp-foreman
• maestrodev-continuum
• vshn-uhosting
• ash-netbox
• Lavaburn-cabot
• cleo-harmony

postgresql::server::config is a class

that may have no external impact to Forge modules.

This module is declared in 71 of 575 indexed public Puppetfiles.

---

These results were generated with Rangefinder, a tool that helps predict the downstream impact of breaking changes to elements used in Puppet modules. You can run this on the command line to get a full report.

Exact matches are those that we can positively identify via namespace and the declaring modules' metadata. Non-namespaced items, such as Puppet 3.x functions, will always be reported as near matches only.

[ekohl]

There are a ton of whitespace changes here, but the actual change itself is much smaller.

[sheenaajay]

Thanks alot @ekohl for your contribution. Acceptance tests are failing with the following error on ubuntu https://travis-ci.org/github/puppetlabs/puppetlabs-postgresql/jobs/737110592 Error: Puppet::Util::FileType::FileTypeFlat could not write /tmp/postgresql.conf: Permission denied @ rb_sysopen - /tmp/postgresql.conf
Please let us know if you need more information. Will run the changes on all OSes and let you know. Thank you.

[ekohl]

Looks like the default file mode on Debian is 644 so I'll need to introduce a parameter for the file permission.

[ekohl]

I updated it and added the parameter. I only know its value for Red Hat (taken from CentOS 7 & 8) and Debian (taken from 8, 9 & 10, assuming Ubuntu is the same).

[ekohl]

All builds failed with

.rake aborted!

NoMethodError: undefined method `trace' for #<Logging::Logger:0x000000000444b570>

Did you mean?  trap

/home/travis/build/puppetlabs/puppetlabs-postgresql/vendor/bundle/ruby/2.5.0/gems/bolt-2.24.1/lib/bolt/pal/logging.rb:15:in `handle'

This looks like a bolt bug rather than something I did.

[sheenaajay]

@ekohl Thank you for the quick response. Looks like its using older version of bolt 2.24.1
https://travis-ci.org/github/puppetlabs/puppetlabs-postgresql/jobs/741465093#L498
Let me clear the cache and kick for a rerun. Thank you

[ekohl]

Haven't been able to quite figure out why this failed. Rebased it to get the output cleanups in to make the output a bit easier to read.

[ekohl]

So the problem on Debian based systems is with /tmp:

# ls -ld /tmp /tmp/postgresql.conf 
drwxrwxrwt. 2 root     root     4096 Nov 10 14:09 /tmp
-rw-------. 1 postgres postgres    0 Nov 10 14:08 /tmp/postgresql.conf
# echo test >> /tmp/postgresql.conf 
bash: /tmp/postgresql.conf: Permission denied
# id
uid=0(root) gid=0(root) groups=0(root)

This is probably because it's mounted as sticky. Changing the path to /etc should help.

[ekohl]

This is really hard to debug because litmus output is really not telling me a lot. I'd guess something can't read the config file, but I can't quite figure it out.

[sheenaajay]

@ekohl Thanks alot for the quick changes. Was looking at the errors. Its failing with the folllowing error 1) postgresql::server::grant_role: grants a role to a user/superuser On hostlocalhost:2224'
Failure/Error: LitmusHelper.instance.run_shell("cd /tmp; su #{shellescape(user)} -c #{shellescape(psql)}", acceptable_exit_codes: exit_codes, &block)
RuntimeError:
shell failed
cd /tmp; su psql_grant_role_tester -c psql\ --command\=\"SELECT\ 1\ WHERE\ pg_has_role\(\'psql_grant_role_tester\',\ \'test_group\',\ \'MEMBER\'\)\ \=\ true\"\ grant_role_test
======
[{"target"=>"localhost:2224", "action"=>"command", "object"=>"cd /tmp; su psql_grant_role_tester -c psql\ --command\=\"SELECT\ 1\ WHERE\ pg_has_role\(\'psql_grant_role_tester\',\ \'test_group\',\ \'MEMBER\'\)\ \=\ true\"\ grant_role_test", "status"=>"failure", "value"=>{"stdout"=>"", "stderr"=>"Error: Invalid data directory\n", "exit_code"=>1, "_error"=>{"kind"=>"puppetlabs.tasks/command-error", "issue_code"=>"COMMAND_ERROR", "msg"=>"The command failed with exit code 1", "details"=>{"exit_code"=>1}}}}]

 # ./vendor/bundle/ruby/2.5.0/gems/puppet_litmus-0.18.4/lib/puppet_litmus/puppet_helpers.rb:173:in `block in run_shell'
 # ./vendor/bundle/ruby/2.5.0/gems/honeycomb-beeline-2.3.0/lib/honeycomb/client.rb:70:in `start_span'
 # ./vendor/bundle/ruby/2.5.0/gems/puppet_litmus-0.18.4/lib/puppet_litmus/puppet_helpers.rb:157:in `run_shell'
 # ./spec/spec_helper_acceptance_local.rb:47:in `psql'
 # ./spec/acceptance/server/grant_role_spec.rb:164:in `block (2 levels) in <top (required)>'

`
/spec/acceptance/server/grant_role_spec.rb:164

https://github.com/ekohl/puppetlabs-postgresql/blob/manage-postgresql-config/spec/acceptance/server/grant_role_spec.rb#L164

## Check that the role was granted to the user psql('--command="SELECT 1 WHERE pg_has_role(\'psql_grant_role_tester\', \'test_group\', \'MEMBER\') = true" grant_role_test', 'psql_grant_role_tester') do |r|

https://github.com/ekohl/puppetlabs-postgresql/blob/manage-postgresql-config/spec/spec_helper_acceptance_local.rb#L47

def psql(psql_cmd, user = 'postgres', exit_codes = [0, 1], &block) psql = "psql #{psql_cmd}" LitmusHelper.instance.run_shell("cd /tmp; su #{shellescape(user)} -c #{shellescape(psql)}", acceptable_exit_codes: exit_codes, &block) end

By default it executes psql command from /tmp directory. We can modify the psql function to accepts one parameter to make the config path configurable.

[ekohl]

There is a known issue that you often end up executing it from /root which can't be read. I can try to change it to / which should also not produce an error but I don't expect that to matter.

[DavidS]

shouldn't this be using postgresql_conf_mode?

[ekohl]

I think you may have found the thing I was struggling to find. Sometimes you're blind to your own code.

[ekohl]

Thanks to @DavidS it's green now.

[sheenaajay]

wow superb. Thank you @DavidS and @ekohl .

[sheenaajay]

Thank you @ekohl for your contribution.