opuppet/module-postgresql
5
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Add support for port parameter to postgresql::server, fix underlying assumptions that port=5432

Browse source
This commit is contained in:
Brian Almeida 2014-04-17 15:09:07 -04:00
parent 3d73e7fe7f
commit 86f2950248
17 changed files with 116 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
README.md
View file

@ -399,6 +399,9 @@ This setting is used to specify the name of the default database to connect with
####`listen_addresses` ####`listen_addresses`
This value defaults to `localhost`, meaning the postgres server will only accept connections from localhost. If you'd like to be able to connect to postgres from remote machines, you can override this setting. A value of `*` will tell postgres to accept connections from any remote machine. Alternately, you can specify a comma-separated list of hostnames or IP addresses. (For more info, have a look at the `postgresql.conf` file from your system's postgres package). This value defaults to `localhost`, meaning the postgres server will only accept connections from localhost. If you'd like to be able to connect to postgres from remote machines, you can override this setting. A value of `*` will tell postgres to accept connections from any remote machine. Alternately, you can specify a comma-separated list of hostnames or IP addresses. (For more info, have a look at the `postgresql.conf` file from your system's postgres package).
####`port`
This value defaults to `5432`, meaning the postgres server will listen on TCP port 5432. Note that the same port number is used for all IP addresses the server listens on.
####`ip_mask_deny_postgres_user` ####`ip_mask_deny_postgres_user`
This value defaults to `0.0.0.0/0`. Sometimes it can be useful to block the superuser account from remote connections if you are allowing other database users to connect remotely. Set this to an IP and mask for which you want to deny connections by the postgres superuser account. So, e.g., the default value of `0.0.0.0/0` will match any remote IP and deny access, so the postgres user won't be able to connect remotely at all. Conversely, a value of `0.0.0.0/32` would not match any remote IP, and thus the deny rule will not be applied and the postgres user will be allowed to connect. This value defaults to `0.0.0.0/0`. Sometimes it can be useful to block the superuser account from remote connections if you are allowing other database users to connect remotely. Set this to an IP and mask for which you want to deny connections by the postgres superuser account. So, e.g., the default value of `0.0.0.0/0` will match any remote IP and deny access, so the postgres user won't be able to connect remotely at all. Conversely, a value of `0.0.0.0/32` would not match any remote IP, and thus the deny rule will not be applied and the postgres user will be allowed to connect.

1
lib/puppet/provider/postgresql_psql/ruby.rb
View file

@ -63,6 +63,7 @@ Puppet::Type.type(:postgresql_psql).provide(:ruby) do
command = [resource[:psql_path]] command = [resource[:psql_path]]
command.push("-d", resource[:db]) if resource[:db] command.push("-d", resource[:db]) if resource[:db]
command.push("-p", resource[:port]) if resource[:port]
command.push("-t", "-c", sql) command.push("-t", "-c", sql)
if resource[:cwd] if resource[:cwd]

4
lib/puppet/type/postgresql_psql.rb
View file

@ -49,6 +49,10 @@ Puppet::Type.newtype(:postgresql_psql) do
desc "The name of the database to execute the SQL command against." desc "The name of the database to execute the SQL command against."
end end
newparam(:port) do
desc "The port of the database server to execute the SQL command against."
end
newparam(:search_path) do newparam(:search_path) do
desc "The schema search path to use when executing the SQL command" desc "The schema search path to use when executing the SQL command"
end end

1
manifests/params.pp
View file

@ -4,6 +4,7 @@ class postgresql::params inherits postgresql::globals {
$version = $globals_version $version = $globals_version
$postgis_version = $globals_postgis_version $postgis_version = $globals_postgis_version
$listen_addresses = 'localhost' $listen_addresses = 'localhost'
$port = 5432
$ip_mask_deny_postgres_user = '0.0.0.0/0' $ip_mask_deny_postgres_user = '0.0.0.0/0'
$ip_mask_allow_all_users = '127.0.0.1/32' $ip_mask_allow_all_users = '127.0.0.1/32'
$ipv4acls = [] $ipv4acls = []

1
manifests/server.pp
View file

@ -18,6 +18,7 @@ class postgresql::server (
$default_database = $postgresql::params::default_database, $default_database = $postgresql::params::default_database,
$listen_addresses = $postgresql::params::listen_addresses, $listen_addresses = $postgresql::params::listen_addresses,
$port = $postgresql::params::port,
$ip_mask_deny_postgres_user = $postgresql::params::ip_mask_deny_postgres_user, $ip_mask_deny_postgres_user = $postgresql::params::ip_mask_deny_postgres_user,
$ip_mask_allow_all_users = $postgresql::params::ip_mask_allow_all_users, $ip_mask_allow_all_users = $postgresql::params::ip_mask_allow_all_users,
$ipv4acls = $postgresql::params::ipv4acls, $ipv4acls = $postgresql::params::ipv4acls,

13
manifests/server/config.pp
View file

@ -4,6 +4,7 @@ class postgresql::server::config {
$ip_mask_deny_postgres_user = $postgresql::server::ip_mask_deny_postgres_user $ip_mask_deny_postgres_user = $postgresql::server::ip_mask_deny_postgres_user
$ip_mask_allow_all_users = $postgresql::server::ip_mask_allow_all_users $ip_mask_allow_all_users = $postgresql::server::ip_mask_allow_all_users
$listen_addresses = $postgresql::server::listen_addresses $listen_addresses = $postgresql::server::listen_addresses
$port = $postgresql::server::port
$ipv4acls = $postgresql::server::ipv4acls $ipv4acls = $postgresql::server::ipv4acls
$ipv6acls = $postgresql::server::ipv6acls $ipv6acls = $postgresql::server::ipv6acls
$pg_hba_conf_path = $postgresql::server::pg_hba_conf_path $pg_hba_conf_path = $postgresql::server::pg_hba_conf_path
@ -97,6 +98,18 @@ class postgresql::server::config {
postgresql::server::config_entry { 'listen_addresses': postgresql::server::config_entry { 'listen_addresses':
value => $listen_addresses, value => $listen_addresses,
} }
postgresql::server::config_entry { 'port':
value => "${port}",
}
# RedHat-based systems hardcode some PG* variables in the init script, and need to be overriden
# in /etc/sysconfig/pgsql/postgresql. Create a blank file so we can manage it with augeas later.
if ($::osfamily == 'RedHat') {
file { '/etc/sysconfig/pgsql/postgresql':
ensure => present,
replace => false,
}
}
} else { } else {
file { $pg_hba_conf_path: file { $pg_hba_conf_path:
ensure => absent, ensure => absent,

14
manifests/server/config_entry.pp
View file

@ -26,6 +26,20 @@ define postgresql::server::config_entry (
} }
} }
if ($::osfamily == 'RedHat') {
if ($name == 'port') {
augeas { 'override PGPORT in /etc/sysconfig/pgsql/postgresql':
lens => 'Shellvars.lns',
incl => '/etc/sysconfig/pgsql/*',
context => '/files/etc/sysconfig/pgsql/postgresql',
changes => "set PGPORT $value",
require => File['/etc/sysconfig/pgsql/postgresql'],
notify => Class['postgresql::server::service'],
before => Class['postgresql::server::reload'],
}
}
}
case $ensure { case $ensure {
/present|absent/: { /present|absent/: {
postgresql_conf { $name: postgresql_conf { $name:

6
manifests/server/database.pp
View file

@ -12,6 +12,7 @@ define postgresql::server::database(
$user = $postgresql::server::user $user = $postgresql::server::user
$group = $postgresql::server::group $group = $postgresql::server::group
$psql_path = $postgresql::server::psql_path $psql_path = $postgresql::server::psql_path
$port = $postgresql::server::port
$version = $postgresql::server::version $version = $postgresql::server::version
$default_db = $postgresql::server::default_database $default_db = $postgresql::server::default_database
@ -20,6 +21,7 @@ define postgresql::server::database(
psql_user => $user, psql_user => $user,
psql_group => $group, psql_group => $group,
psql_path => $psql_path, psql_path => $psql_path,
port => $port,
} }
# Optionally set the locale switch. Older versions of createdb may not accept # Optionally set the locale switch. Older versions of createdb may not accept
@ -45,12 +47,13 @@ define postgresql::server::database(
default => "--tablespace='${tablespace}' ", default => "--tablespace='${tablespace}' ",
} }
$createdb_command = "${createdb_path} --owner='${owner}' --template=${template} ${encoding_option}${locale_option}${tablespace_option} '${dbname}'" $createdb_command = "${createdb_path} --port='${port}' --owner='${owner}' --template=${template} ${encoding_option}${locale_option}${tablespace_option} '${dbname}'"
postgresql_psql { "Check for existence of db '${dbname}'": postgresql_psql { "Check for existence of db '${dbname}'":
command => 'SELECT 1', command => 'SELECT 1',
unless => "SELECT datname FROM pg_database WHERE datname='${dbname}'", unless => "SELECT datname FROM pg_database WHERE datname='${dbname}'",
db => $default_db, db => $default_db,
port => $port,
require => Class['postgresql::server::service'] require => Class['postgresql::server::service']
}~> }~>
exec { $createdb_command : exec { $createdb_command :
@ -63,6 +66,7 @@ define postgresql::server::database(
# granted privileges. # granted privileges.
postgresql_psql {"REVOKE ${public_revoke_privilege} ON DATABASE \"${dbname}\" FROM public": postgresql_psql {"REVOKE ${public_revoke_privilege} ON DATABASE \"${dbname}\" FROM public":
db => $default_db, db => $default_db,
port => $port,
refreshonly => true, refreshonly => true,
} }

8
manifests/server/firewall.pp
View file

@ -3,17 +3,17 @@ class postgresql::server::firewall {
$ensure = $postgresql::server::ensure $ensure = $postgresql::server::ensure
$manage_firewall = $postgresql::server::manage_firewall $manage_firewall = $postgresql::server::manage_firewall
$firewall_supported = $postgresql::server::firewall_supported $firewall_supported = $postgresql::server::firewall_supported
$port = $postgresql::server::port
if ($manage_firewall and $firewall_supported) { if ($manage_firewall and $firewall_supported) {
if ($ensure == 'present' or $ensure == true) { if ($ensure == 'present' or $ensure == true) {
# TODO: get rid of hard-coded port firewall { "$port accept - postgres":
firewall { '5432 accept - postgres': port => $port,
port => '5432',
proto => 'tcp', proto => 'tcp',
action => 'accept', action => 'accept',
} }
} else { } else {
firewall { '5432 accept - postgres': firewall { "$port accept - postgres":
ensure => absent, ensure => absent,
} }
} }

4
manifests/server/grant.pp
View file

@ -6,7 +6,8 @@ define postgresql::server::grant (
$object_type = 'database', $object_type = 'database',
$object_name = $db, $object_name = $db,
$psql_db = $postgresql::server::default_database, $psql_db = $postgresql::server::default_database,
$psql_user = $postgresql::server::user $psql_user = $postgresql::server::user,
$port = $postgresql::server::port
) { ) {
$group = $postgresql::server::group $group = $postgresql::server::group
$psql_path = $postgresql::server::psql_path $psql_path = $postgresql::server::psql_path
@ -68,6 +69,7 @@ define postgresql::server::grant (
$grant_cmd = "GRANT ${_privilege} ON ${_object_type} \"${object_name}\" TO \"${role}\"" $grant_cmd = "GRANT ${_privilege} ON ${_object_type} \"${object_name}\" TO \"${role}\""
postgresql_psql { $grant_cmd: postgresql_psql { $grant_cmd:
db => $on_db, db => $on_db,
port => $port,
psql_user => $psql_user, psql_user => $psql_user,
psql_group => $group, psql_group => $group,
psql_path => $psql_path, psql_path => $psql_path,

2
manifests/server/role.pp
View file

@ -4,6 +4,7 @@ define postgresql::server::role(
$createdb = false, $createdb = false,
$createrole = false, $createrole = false,
$db = $postgresql::server::default_database, $db = $postgresql::server::default_database,
$port = $postgresql::server::port,
$login = true, $login = true,
$inherit = true, $inherit = true,
$superuser = false, $superuser = false,
@ -30,6 +31,7 @@ define postgresql::server::role(
Postgresql_psql { Postgresql_psql {
db => $db, db => $db,
port => $port,
psql_user => $psql_user, psql_user => $psql_user,
psql_group => $psql_group, psql_group => $psql_group,
psql_path => $psql_path, psql_path => $psql_path,

2
manifests/server/service.pp
View file

@ -5,6 +5,7 @@ class postgresql::server::service {
$service_provider = $postgresql::server::service_provider $service_provider = $postgresql::server::service_provider
$service_status = $postgresql::server::service_status $service_status = $postgresql::server::service_status
$user = $postgresql::server::user $user = $postgresql::server::user
$port = $postgresql::server::port
$default_database = $postgresql::server::default_database $default_database = $postgresql::server::default_database
$service_ensure = $ensure ? { $service_ensure = $ensure ? {
@ -33,6 +34,7 @@ class postgresql::server::service {
postgresql::validate_db_connection { 'validate_service_is_running': postgresql::validate_db_connection { 'validate_service_is_running':
run_as => $user, run_as => $user,
database_name => $default_database, database_name => $default_database,
database_port => $port,
sleep => 1, sleep => 1,
tries => 60, tries => 60,
create_db_first => false, create_db_first => false,

2
manifests/server/table_grant.pp
View file

@ -5,12 +5,14 @@ define postgresql::server::table_grant(
$table, $table,
$db, $db,
$role, $role,
$port = $postgresql::server::port,
$psql_db = undef, $psql_db = undef,
$psql_user = undef $psql_user = undef
) { ) {
postgresql::server::grant { "table:${name}": postgresql::server::grant { "table:${name}":
role => $role, role => $role,
db => $db, db => $db,
port => $port,
privilege => $privilege, privilege => $privilege,
object_type => 'TABLE', object_type => 'TABLE',
object_name => $table, object_name => $table,

2
manifests/server/tablespace.pp
View file

@ -6,12 +6,14 @@ define postgresql::server::tablespace(
) { ) {
$user = $postgresql::server::user $user = $postgresql::server::user
$group = $postgresql::server::group $group = $postgresql::server::group
$port = $postgresql::server::port
$psql_path = $postgresql::server::psql_path $psql_path = $postgresql::server::psql_path
Postgresql_psql { Postgresql_psql {
psql_user => $user, psql_user => $user,
psql_group => $group, psql_group => $group,
psql_path => $psql_path, psql_path => $psql_path,
port => $port,
} }
if ($owner == undef) { if ($owner == undef) {

25
spec/acceptance/server/database_spec.rb
View file

@ -27,3 +27,28 @@ describe 'postgresql::server::database:', :unless => UNSUPPORTED_PLATFORMS.inclu
end end
end end
end end
describe 'postgresql::server::database: alternate port', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do
it 'should idempotently create a db on a non-default port that we can connect to' do
begin
pp = <<-EOS.unindent
$db = 'postgresql_test_db'
class { 'postgresql::server':
port => 5433,
}
postgresql::server::database { $db: }
EOS
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => true)
psql('--command="select datname from pg_database" --port=5433 postgresql_test_db') do |r|
expect(r.stdout).to match(/postgresql_test_db/)
expect(r.stderr).to eq('')
end
ensure
psql('--command="drop database postgresql_test_db" --port=5433 postgres')
end
end
end

26
spec/acceptance/server_spec.rb
View file

@ -87,9 +87,6 @@ describe 'server without defaults:', :unless => UNSUPPORTED_PLATFORMS.include?(f
user => "foo1", user => "foo1",
password => postgresql_password('foo1', 'foo1'), password => postgresql_password('foo1', 'foo1'),
} }
postgresql::server::config_entry { 'port':
value => '5432',
}
EOS EOS
apply_manifest(pp, :catch_failures => true) apply_manifest(pp, :catch_failures => true)
@ -181,3 +178,26 @@ describe 'server without pg_hba.conf:', :unless => UNSUPPORTED_PLATFORMS.include
end end
end end
end end
describe 'server on alternate port:', :unless => UNSUPPORTED_PLATFORMS.include?(fact('osfamily')) do
after :all do
apply_manifest("class { 'postgresql::server': ensure => absent }", :catch_failures => true)
end
context 'test installing postgresql with alternate port' do
it 'perform installation and make sure it is idempotent' do
pp = <<-EOS.unindent
class { "postgresql::server":
port => 5433,
}
EOS
apply_manifest(pp, :catch_failures => true)
apply_manifest(pp, :catch_changes => true)
end
describe port(5433) do
it { should be_listening }
end
end
end

11
spec/spec_helper_acceptance.rb
View file

@ -45,6 +45,17 @@ hosts.each do |host|
install_package host, 'rubygems' install_package host, 'rubygems'
on host, 'gem install puppet --no-ri --no-rdoc' on host, 'gem install puppet --no-ri --no-rdoc'
on host, "mkdir -p #{host['distmoduledir']}" on host, "mkdir -p #{host['distmoduledir']}"
osfamily = fact 'osfamily'
# install augeas dependencies
if osfamily =~ /Debian/
install_package host, 'ruby-dev'
install_package host, 'libaugeas-dev'
end
if osfamily =~ /RedHat/
install_package host, 'ruby-devel'
install_package host, 'augeas-devel'
end
on host, 'gem install ruby-augeas --no-ri --no-rdoc'
end end
end end