From 16014c54a6c89443c8f5fd0e5e9ffc4ad1d6fae9 Mon Sep 17 00:00:00 2001
From: Joseph Palermo
Date: Fri, 11 Aug 2023 10:44:21 -0700
Subject: [PATCH 1/3] When performing a major version upgrade, find the current package dir that matches the major postgres version being upgraded from. If no package dir exists, because they are making a large upgrade jump, print an error and exit.
---
 jobs/postgres/templates/pgconfig.sh.erb | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/jobs/postgres/templates/pgconfig.sh.erb b/jobs/postgres/templates/pgconfig.sh.erb
index d34ec334..423459ac 100644
--- a/jobs/postgres/templates/pgconfig.sh.erb
+++ b/jobs/postgres/templates/pgconfig.sh.erb
@@ -26,7 +26,11 @@ pgversion_upgrade_from=postgres-unknown
 if [ -f "${VERSION_FILE}" ]; then
 pgversion_upgrade_from=$(cat ${VERSION_FILE})
 DATA_DIR_OLD="${PG_STORE_DIR}/${pgversion_upgrade_from}"
- PACKAGE_DIR_OLD=/var/vcap/packages/${pgversion_upgrade_from}
+ PACKAGE_DIR_OLD=(/var/vcap/packages/${pgversion_upgrade_from%.*}*)
+ if [ ! -d "${PACKAGE_DIR_OLD}" ]; then
+ echo "Unable to find older postgres package to use for major upgrade. Upgrade to and older version first."
+ exit 1
+ fi
 fi
 <% if !['rfc3339', 'deprecated'].include?(p('databases.logging.format.timestamp'))
From ae5bc412a8da6f686b292ea97f51d1e839e8a578 Mon Sep 17 00:00:00 2001
From: Joseph Palermo
Date: Fri, 11 Aug 2023 10:46:05 -0700
Subject: [PATCH 2/3] If a VERSION file does not exist in the data director, but existing data directories exist, print an error and exit. We no longer have the postgres 9 packages to be able to upgrade from these versions. Users will have to upgrade to an older first first.
---
 jobs/postgres/templates/pre-start.sh.erb | 20 ++++++-------------
 1 file changed, 6 insertions(+), 14 deletions(-)
diff --git a/jobs/postgres/templates/pre-start.sh.erb b/jobs/postgres/templates/pre-start.sh.erb
index ff5e7491..a59f6243 100644
--- a/jobs/postgres/templates/pre-start.sh.erb
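Review bot: `PACKAGE_DIR_OLD=(/var/vcap/packages/${pgversion_upgrade_from%.*}*)` builds an array, and the `-d` test on `${PACKAGE_DIR_OLD}` only inspects its first element, so if the glob ever matches more than one package directory (two packages sharing a major prefix, should the package naming allow that) the extra matches are silently ignored and no error is raised. The guard could check the match count too: `if [ "${#PACKAGE_DIR_OLD[@]}" -ne 1 ] || [ ! -d "${PACKAGE_DIR_OLD[0]}" ]; then`. The message has a typo that recurs in the pre-start.sh.erb hunk, `Upgrade to an older version first.`. If pgconfig.sh is sourced by the other job scripts, the `exit 1` here ends the caller as well, which looks intended but deserves a one-line comment above it.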
+++ b/jobs/postgres/templates/pre-start.sh.erb
@@ -42,20 +42,12 @@ function main() {
 chmod 700 "${PG_STORE_DIR}"
 if [ ! -f ${VERSION_FILE} ]; then
- for version in "postgres-9.6.8" "postgres-9.6.6" "postgres-9.6.4"; do
- if [[ -d "${PG_STORE_DIR}/${version}" ]]; then
- if [[ -f "${PG_STORE_DIR}/${version}/postgresql.conf" ]]; then
- echo "Creating the PostgreSQL data version file at version ${version}"
- echo ${version} > ${VERSION_FILE}
- chown -R vcap:vcap "${VERSION_FILE}"
- chmod 700 "${VERSION_FILE}"
- pgversion_upgrade_from=${version}
- DATA_DIR_OLD="${PG_STORE_DIR}/${version}"
- PACKAGE_DIR_OLD=/var/vcap/packages/${version}
- break
- fi
- fi
- done
+ existing_data_dirs=$(compgen -G "${PG_STORE_DIR}/postgres-*" || echo "")
+
+ if [ -n "${existing_data_dirs}" ]; then
+ echo "Found existing data dirs that we cannot upgrade from in this release. Upgrade to and older version first."
+ exit 1
+ fi
 fi
 mkdir -p "${LOG_DIR}"
From 2bb0bd649428ed45f7faf5c31d3e72ab2d094e58 Mon Sep 17 00:00:00 2001
From: Joseph Palermo
Date: Sun, 13 Aug 2023 12:00:29 -0700
Subject: [PATCH 3/3] Additional fixes for postgres 15 bump - The changes from tust to peer and md5 are a better security posture, but they break a lot of existing use cases and should probably instead be gated behind some sort of configuration flag. Co-located bbr relies upon passwordless connection to the database as vcap user, but runs a root. Many of the acceptance tests also try using the vcap user but run as root via ssh and fail with the changes. - Postgres 15 no longer grants users access to the public schema. This prevents generated users from being able to create tables. Update the create_databases function to grant access to the public schema for each role on each database.
---
 jobs/postgres/templates/pg_hba.conf.erb | 14 +++++++-------
 jobs/postgres/templates/utils.sh.erb | 8 ++++++++
 2 files changed, 15 insertions(+), 7 deletions(-)
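Review bot: The new `existing_data_dirs` check refuses to start on any `${PG_STORE_DIR}/postgres-*` entry, whereas the removed loop only acted when a `postgresql.conf` existed inside the directory, so an empty or leftover directory now blocks pre-start without saying which path triggered it. Including the match list in the message, and fixing its typo, makes the failure actionable for the operator: `echo "Found existing data dirs that we cannot upgrade from in this release: ${existing_data_dirs}. Upgrade to an older version first."`. `compgen -G` already prints nothing and returns non-zero when nothing matches, so the `|| echo ""` is redundant but harmless. `main` starts and ends outside the hunk.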
diff --git a/jobs/postgres/templates/pg_hba.conf.erb b/jobs/postgres/templates/pg_hba.conf.erb
index 22f618ab..5210295a 100644
--- a/jobs/postgres/templates/pg_hba.conf.erb
+++ b/jobs/postgres/templates/pg_hba.conf.erb
@@ -1,18 +1,18 @@
-local all vcap peer
-host all vcap 127.0.0.1/32 md5
-host all vcap ::1/128 md5
+local all vcap trust
+host all vcap 127.0.0.1/32 trust
+host all vcap ::1/128 trust
 <% if !p("databases.trust_local_connections").nil? && !p("databases.trust_local_connections") %>
 local all all md5
 <% else %>
-local all all peer
-host all all 127.0.0.1/32 md5
-host all all ::1/128 md5
+local all all trust
+host all all 127.0.0.1/32 trust
+host all all ::1/128 trust
 <% end %>
 <% p("databases.roles", []).each do |role| %>
 <%= line=nil
 unless role["password"]
- line = "hostssl all #{role["name"]} 0.0.0.0/0 cert clientcert=1 "
+ line = "hostssl all #{role["name"]} 0.0.0.0/0 cert clientcert=verify-full "
 line << 'map=cnmap' if role["common_name"]
 end
 line
diff --git a/jobs/postgres/templates/utils.sh.erb b/jobs/postgres/templates/utils.sh.erb
index ab479e90..95759ad9 100644
--- a/jobs/postgres/templates/utils.sh.erb
+++ b/jobs/postgres/templates/utils.sh.erb
@@ -52,6 +52,14 @@ function create_databases() {
 echo "Enabling pg_stat_statements extension..."
 pgexec "<%= database["name"] %>" "CREATE EXTENSION IF NOT EXISTS pg_stat_statements"
 <% end %>
+ <% p("databases.roles", []).each do |role| %>
+ echo "Granting public schema access to <%= role["name"] %> on <%= database["name"] %>"
+ "${PACKAGE_DIR}/bin/psql" \
+ -U "vcap" \
+ -p "${PORT}" \
+ -d "<%= database["name"] %>" \
+ -c "GRANT ALL ON schema public TO \"<%= role["name"] %>\""
+ <% end %>
 <% end %>
 }
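Review bot: The three vcap lines at the top of pg_hba.conf.erb are switched to `trust` unconditionally, outside the `databases.trust_local_connections` check that gates the `all all` lines below them, so an operator who sets that property to false to require passwords still gets passwordless socket and loopback access to the vcap role for any local OS user (the `host ... trust` lines never look at the OS user). The commit message itself says this relaxation should sit behind a configuration flag; the existing property can serve now by moving the vcap lines inside the conditional and keeping `peer`/`md5` in the strict branch as before the change, while deployments that rely on co-located bbr stay on the default branch and are unaffected. The `clientcert=verify-full` update on the hostssl line is fine as is.
```erb
<% if !p("databases.trust_local_connections").nil? && !p("databases.trust_local_connections") %>
local all vcap peer
host all vcap 127.0.0.1/32 md5
host all vcap ::1/128 md5
local all all md5
<% else %>
local all vcap trust
host all vcap 127.0.0.1/32 trust
host all vcap ::1/128 trust
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
<% end %>
<%# … unchanged: databases.roles hostssl lines … %>
```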
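Review bot: The new loop in create_databases invokes `${PACKAGE_DIR}/bin/psql` directly while the line just above it uses the `pgexec` helper for the same kind of per-database statement, so the grant can be written `pgexec "<%= database["name"] %>" "GRANT ALL ON SCHEMA public TO \"<%= role["name"] %>\""` and keep a single connection path. The grant is issued for every configured role on every database; with a flat roles list that may be the only option, but a short comment stating that it deliberately restores the pre-15 public-schema CREATE privilege for all roles would help anyone later tightening it. The role name is interpolated into both a double-quoted shell string and a double-quoted SQL identifier, so a name containing a `"` breaks the command; worth a note unless names are validated elsewhere. create_databases starts outside the hunk.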