opuppet/module-postgresql
5
0
Fork 0
Code Issues Pull requests Releases Wiki Activity
module-postgresql/manifests/server/config.pp
Ken Barber 1d974be09f (MODULES-2181) Fix variable scope for systemd-override 
$manage_package_repo wasn't in scope for the template systemd-override.erb
This was causing all RHEL7 systems with manage_package_repo on to fail on
startup using systemctl, as the proper path to the original service file
is set incorrectly.

This patch adds the manage_package_repo to the top of the ::config class,
and adds some basic tests in config_spec.rb to ensure we don't regress on
this.

Signed-off-by: Ken Barber <ken@bob.sh>
2015-07-01 14:13:29 -07:00

180 lines
6.5 KiB
Puppet
Raw Blame History

# PRIVATE CLASS: do not call directly
class postgresql::server::config {
$ip_mask_deny_postgres_user = $postgresql::server::ip_mask_deny_postgres_user
$ip_mask_allow_all_users = $postgresql::server::ip_mask_allow_all_users
$listen_addresses = $postgresql::server::listen_addresses
$port = $postgresql::server::port
$ipv4acls = $postgresql::server::ipv4acls
$ipv6acls = $postgresql::server::ipv6acls
$pg_hba_conf_path = $postgresql::server::pg_hba_conf_path
$pg_ident_conf_path = $postgresql::server::pg_ident_conf_path
$postgresql_conf_path = $postgresql::server::postgresql_conf_path
$recovery_conf_path = $postgresql::server::recovery_conf_path
$pg_hba_conf_defaults = $postgresql::server::pg_hba_conf_defaults
$user = $postgresql::server::user
$group = $postgresql::server::group
$version = $postgresql::server::_version
$manage_package_repo = $postgresql::server::manage_package_repo
$manage_pg_hba_conf = $postgresql::server::manage_pg_hba_conf
$manage_pg_ident_conf = $postgresql::server::manage_pg_ident_conf
$manage_recovery_conf = $postgresql::server::manage_recovery_conf
$datadir = $postgresql::server::datadir
$logdir = $postgresql::server::logdir
if ($manage_pg_hba_conf == true) {
# Prepare the main pg_hba file
concat { $pg_hba_conf_path:
owner => $user,
group => $group,
mode => '0640',
warn => true,
notify => Class['postgresql::server::reload'],
}
if $pg_hba_conf_defaults {
Postgresql::Server::Pg_hba_rule {
database => 'all',
user => 'all',
}
# Lets setup the base rules
$local_auth_option = $version ? {
'8.1' => 'sameuser',
default => undef,
}
postgresql::server::pg_hba_rule { 'local access as postgres user':
type => 'local',
user => $user,
auth_method => 'ident',
auth_option => $local_auth_option,
order => '001',
}
postgresql::server::pg_hba_rule { 'local access to database with same name':
type => 'local',
auth_method => 'ident',
auth_option => $local_auth_option,
order => '002',
}
postgresql::server::pg_hba_rule { 'allow localhost TCP access to postgresql user':
type => 'host',
user => $user,
address => '127.0.0.1/32',
auth_method => 'md5',
order => '003',
}
postgresql::server::pg_hba_rule { 'deny access to postgresql user':
type => 'host',
user => $user,
address => $ip_mask_deny_postgres_user,
auth_method => 'reject',
order => '004',
}
postgresql::server::pg_hba_rule { 'allow access to all users':
type => 'host',
address => $ip_mask_allow_all_users,
auth_method => 'md5',
order => '100',
}
postgresql::server::pg_hba_rule { 'allow access to ipv6 localhost':
type => 'host',
address => '::1/128',
auth_method => 'md5',
order => '101',
}
}
# ipv4acls are passed as an array of rule strings, here we transform
# them into a resources hash, and pass the result to create_resources
$ipv4acl_resources = postgresql_acls_to_resources_hash($ipv4acls,
'ipv4acls', 10)
create_resources('postgresql::server::pg_hba_rule', $ipv4acl_resources)
# ipv6acls are passed as an array of rule strings, here we transform
# them into a resources hash, and pass the result to create_resources
$ipv6acl_resources = postgresql_acls_to_resources_hash($ipv6acls,
'ipv6acls', 102)
create_resources('postgresql::server::pg_hba_rule', $ipv6acl_resources)
}
# We must set a "listen_addresses" line in the postgresql.conf if we
# want to allow any connections from remote hosts.
postgresql::server::config_entry { 'listen_addresses':
value => $listen_addresses,
}
postgresql::server::config_entry { 'port':
value => $port,
}
postgresql::server::config_entry { 'data_directory':
value => $datadir,
}
if $logdir {
postgresql::server::config_entry { 'log_directory':
value => $logdir,
}
}
# RedHat-based systems hardcode some PG* variables in the init script, and need to be overriden
# in /etc/sysconfig/pgsql/postgresql. Create a blank file so we can manage it with augeas later.
if ($::osfamily == 'RedHat') and ($::operatingsystemrelease !~ /^7/) and ($::operatingsystem != 'Fedora') {
file { '/etc/sysconfig/pgsql/postgresql':
ensure => present,
replace => false,
}
# The init script from the packages of the postgresql.org repository
# sources an alternate sysconfig file.
# I. e. /etc/sysconfig/pgsql/postgresql-9.3 for PostgreSQL 9.3
# Link to the sysconfig file set by this puppet module
file { "/etc/sysconfig/pgsql/postgresql-${version}":
ensure => link,
target => '/etc/sysconfig/pgsql/postgresql',
require => File[ '/etc/sysconfig/pgsql/postgresql' ],
}
}
if ($manage_pg_ident_conf == true) {
concat { $pg_ident_conf_path:
owner => $user,
group => $group,
force => true, # do not crash if there is no pg_ident_rules
mode => '0640',
warn => true,
notify => Class['postgresql::server::reload'],
}
}
if ($manage_recovery_conf == true) {
concat { $recovery_conf_path:
owner => $user,
group => $group,
force => true, # do not crash if there is no recovery conf file
mode => '0640',
warn => true,
notify => Class['postgresql::server::reload'],
}
}
if $::osfamily == 'RedHat' {
if $::operatingsystemrelease =~ /^7/ or $::operatingsystem == 'Fedora' {
file { 'systemd-override':
ensure => present,
path => "/etc/systemd/system/${postgresql::params::service_name}.service",
owner => root,
group => root,
content => template('postgresql/systemd-override.erb'),
notify => [ Exec['restart-systemd'], Class['postgresql::server::service'] ],
before => Class['postgresql::server::reload'],
}
exec { 'restart-systemd':
command => 'systemctl daemon-reload',
refreshonly => true,
path => '/bin:/usr/bin:/usr/local/bin'
}
}
}
}
Reference in a new issue View git blame Copy permalink