Warning: postgresql configuration is not controlled by a Debian package, but it should be. Ideally pg_hba.conf and pg_ident.conf would be managed by DomTool, or some other system management daemon. In the meantime, here's what we're doing.

Current node is fritz, with Postgres 8.1 on port 5422 and Postgres 9.1 on port 5433. Note that navajos/bog can only use Postgres 9.1, and support for 8.1 will be removed once mire has been decommissioned. The source code of DomTool's dbms module is useful as documentation.

Tablespaces

Each user has a tablespace in /srv/database/$PATHBITS/$USER/{postgres,postgres-9.1}, created by the create-user-database script. Tablespaces are an artifact from when we stored databases in AFS. There may be some organizational advantage as well, but future admins should revisit the issue.

Authentication

The pg_hba.conf of every install must explicitly list the allowed hosts. Firewall rules on both sides should be opened. Additionally, there must be a rule allowing clients on the database server to connect to itself over TCP for various administrative functions, since DomTool is configured to use TCP to maintain node independence.

Postgres 8.1 uses ident (pidentd specifically). It's a hack, but GSSAPI support wasn't quite functional enough, or at least we'll say it wasn't.

Postgres 9.1 uses GSSAPI and ident. A pg_ident.conf is used to map $USER/daemon@HCOOP.NET to the Postgres user $USER. This has the advantage that $USER@HCOOP.NET resolves to the same database user. See the Postgres auth docs for details; we're using a pretty standard setup.

Unfortunately, there's no way to universally grant CGI processes Kerberos tickets from a keytab. Requiring members to deal with the Kerberos API in CGIs seems a bit much, so the web nodes still use ident to identify members, but only after attempting GSSAPI-based authentication. This is less than ideal; see for progress on eliminating ident. The user shell nodes should not need ident because the user always has tickets, and any servers will be running under k5start, also with tickets.

Kerberos Service Key

Remember to create and extract a service key for postgres. Note that the keytab is not the system-wide keytab, but a postgres-specific one. You must also chown it so that it is readable only by the postgres server account. (Here $HOST is the Kerberos and reverse DNS name for the node, not the postgres alias.)

Network

Always remember to set listen_addresses = '*', or (better) the IP that postgres should really listen on. Otherwise, connections will fail mysteriously.

CategoryNeedsWork CategorySystemAdministration
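As an added illustration of the Authentication and Network notes above (example configuration, not copied from fritz or from DomTool), here is how the 9.1 install's postgresql.conf, pg_hba.conf and pg_ident.conf fit together; the IP addresses and the keytab path are placeholders, the realm and principal shapes are the ones named on this page.

```conf
# --- postgresql.conf (9.1 instance on port 5433) ---
port = 5433
# Placeholder address: bind the node's real IP rather than leaving the default.
listen_addresses = '192.0.2.1'
# Placeholder path: the postgres-specific keytab, mode 0400, owned by postgres.
krb_server_keyfile = '/etc/postgresql/9.1/main/postgres.keytab'

# --- pg_hba.conf (9.1) ---
# The first record matching type/address/database/user is used; if that
# authentication fails there is NO fall-through to a later record, so the
# method for each client network is decided here.
# TYPE  DATABASE  USER  ADDRESS          METHOD
# The server itself over TCP (DomTool maintains the node over TCP).
host    all       all   127.0.0.1/32     gss include_realm=1 map=hcoop
# Shell node (placeholder address): members and k5start services hold tickets.
host    all       all   192.0.2.20/32    gss include_realm=1 map=hcoop
# Web node (placeholder address): CGIs have no tickets, so identify the
# member with an RFC 1413 lookup against pidentd on that node.
host    all       all   192.0.2.30/32    ident
# Anything not listed is refused (the firewall stays closed as well).
host    all       all   0.0.0.0/0        reject

# --- pg_ident.conf (9.1) ---
# A SYSTEM-USERNAME beginning with '/' is a regular expression and \1 is the
# first capture group, so both the member's own principal and the daemon
# instance land on the same database role.
# MAPNAME  SYSTEM-USERNAME                     PG-USERNAME
hcoop      /^([a-z0-9_]+)@HCOOP\.NET$           \1
hcoop      /^([a-z0-9_]+)/daemon@HCOOP\.NET$    \1

# --- pg_hba.conf (8.1 instance on port 5422) ---
# 8.1 has no GSSAPI method; 'ident sameuser' requires the ident-reported
# OS user to equal the requested database user.
host    all       all   192.0.2.30/32    ident sameuser
```

Because pg_hba.conf does not retry with a second method after a failed one, the web-node record above uses ident alone; a "GSSAPI first, then ident" order has to come from somewhere other than the hba file.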