Improve configuration for initial postgres install

cprice404 · cprice404 · commit ba802475ffde · 2012-06-08T14:00:24.000-07:00
This commit adds some configuration management for
postgres, to allow users to get a more complete
setup from their initial install.  Prior to this
commit, we were basically only ensuring that the
package was installed and the service was running.

Now, we support limited configuration for the
pg_hba.conf file to enable md5 authentication for
remote hosts, and for the postgresql.conf file
to specify the listener addresses where TCP
connections should be accepted.  Without these
two changes the initial postgres configuration
doesn't allow *any* connections from outside of the
local host.

This commit also adds an option for opening up the
postgres port in the firewall on redhat-based systems,
and an option to allow setting the password for the
'postgres' database user.

As of this commit, this module now has dependencies
on puppetlabs-stdlib (version &gt; 2.3.4, which includes
the new 'match' parameter for the 'file_line' resource
type), and on puppetlabs-firewall.
diff --git a/manifests/config.pp b/manifests/config.pp
@@ -0,0 +1,63 @@
+# Class: postgresql::config
+#
+# Parameters:
+#
+#   [*postgres_password*]       - postgres db user password.
+#   [*ip_mask_postgres_user*]   - ip mask for allowing remote access for postgres user; defaults to '127.0.0.1/32'
+#   [*ip_mask_all_users*]       - ip mask for allowing remote access for other users (besides postgres);
+#                                    defaults to '127.0.0.1/32'
+#   [*listen_addresses*]        - what IP address(es) to listen on; comma-separated list of addresses; defaults to
+#                                    'localhost', '*' = all
+#   [*pg_hba_conf_path*]        - path to pg_hba.conf file
+#   [*postgresql_conf_path*]    - path to postgresql.conf file
+#   [*manage_redhat_firewall*]  - boolean indicating whether or not the module should open a port in the firewall on
+#                                    redhat-based systems; this parameter is likely to change in future versions.  Possible
+#                                    changes include support for non-RedHat systems and finer-grained control over the
+#                                    firewall rule (currently, it simply opens up the postgres port to all TCP connections).
+#
+#
+# Actions:
+#
+# Requires:
+#
+# Usage:
+#
+#   class { 'postgresql::config':
+#     postgres_password     => 'postgres',
+#     ip_mask_other_user    => '127.0.0.1/32',
+#   }
+#
+class postgresql::config(
+  $postgres_password        = undef,
+  $ip_mask_postgres_user    = $postgresql::params::ip_mask_postgres_user,
+  $ip_mask_all_users        = $postgresql::params::ip_mask_all_users,
+  $listen_addresses         = $postgresql::params::listen_addresses,
+  $pg_hba_conf_path         = $postgresql::params::pg_hba_conf_path,
+  $postgresql_conf_path     = $postgresql::params::postgresql_conf_path,
+  $manage_redhat_firewall   = $postgresql::params::manage_redhat_firewall,
+) inherits postgresql::params {
+
+    # Basically, all this class needs to handle is passing parameters on
+    #  to the "beforeservice" and "afterservice" classes, and ensure
+    #  the proper ordering.
+
+    class { "postgresql::config::beforeservice":
+      ip_mask_postgres_user    => $ip_mask_postgres_user,
+      ip_mask_all_users        => $ip_mask_all_users,
+      listen_addresses         => $listen_addresses,
+      pg_hba_conf_path         => $pg_hba_conf_path,
+      postgresql_conf_path     => $postgresql_conf_path,
+      manage_redhat_firewall   => $manage_redhat_firewall,
+    }
+
+    class { "postgresql::config::afterservice":
+      postgres_password        => $postgres_password,
+    }
+
+    Class['postgresql::config'] ->
+        Class['postgresql::config::beforeservice'] ->
+        Service['postgresqld'] ->
+        Class['postgresql::config::afterservice']
+
+
+}
diff --git a/manifests/config/afterservice.pp b/manifests/config/afterservice.pp
@@ -0,0 +1,44 @@
+# Class: postgresql::config::afterservice
+#
+# Parameters:
+#
+#   [*postgres_password*]     - postgres db user password.
+#
+# Actions:
+#
+# Requires:
+#
+# Usage:
+#   This class is not intended to be used directly; it is
+#   managed by postgresl::config.  It contains resources
+#   that should be handled *after* the postgres service
+#   has been started up.
+#
+#   class { 'postgresql::config::afterservice':
+#     postgres_password     => 'postgres'
+#   }
+#
+class postgresql::config::afterservice(
+  $postgres_password        = undef
+) inherits postgresql::params {
+  if ($postgres_password != undef) {
+    # NOTE: this password-setting logic relies on the pg_hba.conf being configured
+    #  to allow the postgres system user to connect via psql without specifying
+    #  a password ('ident', 'peer', or 'trust' security).  This is the default
+    #  for pg_hba.conf.
+    exec { 'set_postgres_postgrespw':
+        # This command works w/no password because we run it as postgres system user
+        command     => "psql -c \"ALTER ROLE postgres PASSWORD '$postgres_password'\"",
+        user        => $postgresql::params::user,
+        group       => $postgresql::params::group,
+        logoutput   => true,
+        cwd         => '/tmp',
+        # With this command we're passing -h to force TCP authentication, which does require
+        #  a password.  We specify the password via the PGPASSWORD environment variable.  If
+        #  the password is correct (current), this command will exit with an exit code of 0,
+        #  which will prevent the main command from running.
+        unless      => "env PGPASSWORD=\"$postgres_password\" psql -h localhost -c 'select 1' > /dev/null",
+        path        => '/usr/bin:/usr/local/bin',
+    }
+  }
+}
diff --git a/manifests/config/beforeservice.pp b/manifests/config/beforeservice.pp
@@ -0,0 +1,84 @@
+# Class: postgresql::config::beforeservice
+#
+# Parameters:
+#
+#   [*ip_mask_postgres_user*]   - ip mask for allowing remote access for postgres user; defaults to '127.0.0.1/32'
+#   [*ip_mask_all_users*]       - ip mask for allowing remote access for other users (besides postgres);
+#                                    defaults to '127.0.0.1/32'
+#   [*listen_addresses*]        - what IP address(es) to listen on; comma-separated list of addresses; defaults to
+#                                    'localhost', '*' = all
+#   [*pg_hba_conf_path*]        - path to pg_hba.conf file
+#   [*postgresql_conf_path*]    - path to postgresql.conf file
+#   [*manage_redhat_firewall*]  - boolean indicating whether or not the module should open a port in the firewall on
+#                                    redhat-based systems; this parameter is likely to change in future versions.  Possible
+#                                    changes include support for non-RedHat systems and finer-grained control over the
+#                                    firewall rule (currently, it simply opens up the postgres port to all TCP connections).
+#
+# Actions:
+#
+# Requires:
+#
+# Usage:
+#   This class is not intended to be used directly; it is
+#   managed by postgresl::config.  It contains resources
+#   that should be handled *before* the postgres service
+#   has been started up.
+#
+#   class { 'postgresql::config::before_service':
+#     ip_mask_other_user    => '127.0.0.1/32',
+#   }
+#
+class postgresql::config::beforeservice(
+  $ip_mask_postgres_user    = $postgresql::params::ip_mask_postgres_user,
+  $ip_mask_all_users        = $postgresql::params::ip_mask_all_users,
+  $listen_addresses         = $postgresql::params::listen_addresses,
+  $pg_hba_conf_path         = $postgresql::params::pg_hba_conf_path,
+  $postgresql_conf_path     = $postgresql::params::postgresql_conf_path,
+  $manage_redhat_firewall   = $postgresql::params::manage_redhat_firewall,
+) inherits postgresql::params {
+
+  File {
+    owner  => $postgresql::params::user,
+    group  => $postgresql::params::group,
+  }
+
+  # We use a templated version of pg_hba.conf.  Our main needs are to
+  #  make sure that md5 authentication can be made available for
+  #  remote hosts.
+  file { 'pg_hba.conf':
+    ensure      => file,
+    path        => $pg_hba_conf_path,
+    content     => template("postgresql/pg_hba.conf.erb"),
+    notify      => Service['postgresqld'],
+  }
+
+  # We must set a "listen_addresses" line in the postgresql.conf if we
+  #  want to allow any connections from remote hosts.
+  file_line { 'postgresql.conf':
+    path        => $postgresql_conf_path,
+    match       => '^listen_addresses\s*=.*$',
+    line        => "listen_addresses = '${listen_addresses}'",
+    notify      => Service['postgresqld'],
+  }
+
+  # TODO: is this a reasonable place for this firewall stuff?
+  # TODO: figure out a way to make this not platform-specific; debian and ubuntu have
+  #        an out-of-the-box firewall configuration that seems trickier to manage
+  # TODO: get rid of hard-coded port
+  if ($manage_redhat_firewall and $firewall_supported) {
+      exec { "persist-firewall":
+        command => $persist_firewall_command,
+        refreshonly => true,
+      }
+
+      Firewall {
+        notify => Exec["persist-firewall"]
+      }
+
+      firewall { '5432 accept - postgres':
+        port => '5432',
+        proto => 'tcp',
+        action => 'accept',
+      }
+  }
+}
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -12,6 +12,15 @@
 #
 class postgresql::params {
 
+
+  $user                     = 'postgres'
+  $group                    = 'postgres'
+  $ip_mask_postgres_user    = '127.0.0.1/32'
+  $ip_mask_all_users        = '127.0.0.1/32'
+  $listen_addresses         = 'localhost'
+  # TODO: figure out a way to make this not platform-specific
+  $manage_redhat_firewall   = false
+
   case $::operatingsystem {
     "Ubuntu": {
       $service_provider = upstart
@@ -23,21 +32,31 @@
 
   case $::osfamily {
     'RedHat': {
-      $service_name          = 'postgresql'
-      $client_package_name   = 'postgresql'
-      $server_package_name   = 'postgresql-server'
-      $needs_initdb          = true
-      $initdb_path           = '/usr/bin/initdb'
-      $datadir               = '/var/lib/pgsql/data/'
+      $service_name             = 'postgresql'
+      $client_package_name      = 'postgresql'
+      $server_package_name      = 'postgresql-server'
+      $needs_initdb             = true
+      $initdb_path              = '/usr/bin/initdb'
+      $datadir                  = '/var/lib/pgsql/data/'
+      $pg_hba_conf_path         = '/var/lib/pgsql/data/pg_hba.conf'
+      $postgresql_conf_path     = '/var/lib/pgsql/data/postgresql.conf'
+      $firewall_supported       = true
+      $persist_firewall_command = '/sbin/iptables-save > /etc/sysconfig/iptables'
     }
 
     'Debian': {
-      $service_name         = "postgresql-${::postgres_default_version}"
-      $client_package_name  = 'postgresql-client'
-      $server_package_name  = 'postgresql'
-      $needs_initdb         = false
-      $initdb_path          = "/usr/lib/postgresql/${::postgres_default_version}/bin/initdb"
-      $datadir              = "/var/lib/postgresql/${::postgres_default_version}/main"
+      $service_name             = "postgresql-${::postgres_default_version}"
+      $client_package_name      = 'postgresql-client'
+      $server_package_name      = 'postgresql'
+      $needs_initdb             = false
+      $initdb_path              = "/usr/lib/postgresql/${::postgres_default_version}/bin/initdb"
+      $datadir                  = "/var/lib/postgresql/${::postgres_default_version}/main"
+      $pg_hba_conf_path         = "/etc/postgresql/${::postgres_default_version}/main/pg_hba.conf"
+      $postgresql_conf_path     = "/etc/postgresql/${::postgres_default_version}/main/postgresql.conf"
+      $firewall_supported       = false
+      # TODO: not exactly sure yet what the right thing to do for Debian/Ubuntu is.
+      #$persist_firewall_command = '/sbin/iptables-save > /etc/iptables/rules.v4'
+
     }
 
 
diff --git a/manifests/server.pp b/manifests/server.pp
@@ -25,9 +25,17 @@
     ensure => $package_ensure,
   }
 
+  $config_class = {}
+  $config_class['postgresql::config'] = $config_hash
+
+  create_resources( 'class', $config_class )
+
+  Package['postgresql-server'] -> Class['postgresql::config']
+
   if ($needs_initdb) {
     include postgresql::initdb
 
+    Class['postgresql::initdb'] -> Class['postgresql::config']
     Class['postgresql::initdb'] -> Service['postgresqld']
   }
 
diff --git a/templates/pg_hba.conf.erb b/templates/pg_hba.conf.erb
@@ -0,0 +1,88 @@
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the "Client Authentication" section in the
+# PostgreSQL documentation for a complete description
+# of this file.  A short synopsis follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access.  Records take one of these forms:
+#
+# local      DATABASE  USER  METHOD  [OPTIONS]
+# host       DATABASE  USER  CIDR-ADDRESS  METHOD  [OPTIONS]
+# hostssl    DATABASE  USER  CIDR-ADDRESS  METHOD  [OPTIONS]
+# hostnossl  DATABASE  USER  CIDR-ADDRESS  METHOD  [OPTIONS]
+#
+# (The uppercase items must be replaced by actual values.)
+#
+# The first field is the connection type: "local" is a Unix-domain socket,
+# "host" is either a plain or SSL-encrypted TCP/IP socket, "hostssl" is an
+# SSL-encrypted TCP/IP socket, and "hostnossl" is a plain TCP/IP socket.
+#
+# DATABASE can be "all", "sameuser", "samerole", a database name, or
+# a comma-separated list thereof.
+#
+# USER can be "all", a user name, a group name prefixed with "+", or
+# a comma-separated list thereof.  In both the DATABASE and USER fields
+# you can also write a file name prefixed with "@" to include names from
+# a separate file.
+#
+# CIDR-ADDRESS specifies the set of hosts the record matches.
+# It is made up of an IP address and a CIDR mask that is an integer
+# (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that specifies
+# the number of significant bits in the mask.  Alternatively, you can write
+# an IP address and netmask in separate columns to specify the set of hosts.
+#
+# METHOD can be "trust", "reject", "md5", "password", "gss", "sspi", "krb5",
+# "ident", "pam", "ldap" or "cert".  Note that "password" sends passwords
+# in clear text; "md5" is preferred since it sends encrypted passwords.
+#
+# OPTIONS are a set of options for the authentication in the format
+# NAME=VALUE. The available options depend on the different authentication
+# methods - refer to the "Client Authentication" section in the documentation
+# for a list of which options are available for which authentication methods.
+#
+# Database and user names containing spaces, commas, quotes and other special
+# characters must be quoted. Quoting one of the keywords "all", "sameuser" or
+# "samerole" makes the name lose its special character, and just match a
+# database or username with that name.
+#
+# This file is read on server startup and when the postmaster receives
+# a SIGHUP signal.  If you edit the file on a running system, you have
+# to SIGHUP the postmaster for the changes to take effect.  You can use
+# "pg_ctl reload" to do that.
+
+# Put your actual configuration here
+# ----------------------------------
+#
+# If you want to allow non-local connections, you need to add more
+# "host" records. In that case you will also need to make PostgreSQL listen
+# on a non-local interface via the listen_addresses configuration parameter,
+# or via the -i or -h command line switches.
+#
+
+
+
+
+# DO NOT DISABLE!
+# If you change this first entry you will need to make sure that the
+# database
+# super user can access the database using some other method.
+# Noninteractive
+# access to all databases is required during automatic maintenance
+# (custom daily cronjobs, replication, and similar tasks).
+#
+# Database administrative login by UNIX sockets
+local   all         postgres                          ident
+
+# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
+
+# "local" is for Unix domain socket connections only
+local   all         all                               ident
+# IPv4 local connections:
+host    all         postgres    <%= @ip_mask_postgres_user + "\t" %>      md5
+host    all         all         <%= @ip_mask_all_users + "\t" %>      md5
+# IPv6 local connections:
+host    all         all         ::1/128               md5
+
diff --git a/tests/server.pp b/tests/server.pp
@@ -1,2 +1,9 @@
 class { 'postgresql::server':
+    config_hash => {
+        'ip_mask_postgres_user' => '0.0.0.0/0',
+        'ip_mask_all_users' => '0.0.0.0/0',
+        'listen_addresses' => '*',
+        'manage_redhat_firewall' => true,
+        'postgres_password' => 'postgres',
+    },
 }
