welcome: please sign in

The following 251 words could not be found in the dictionary of 7 words (including 7 LocalSpellingWords) and are highlighted below:
account   Additionally   addprinc   addresses   Administration   administrative   admins   advantage   afs   after   alias   allow   allowed   also   always   Always   an   An   and   any   are   artifact   as   at   attempting   auth   Authentication   authentication   based   be   because   been   better   bit   bog   both   bug   bugzilla   but   by   can   Category   cgi   chown   clients   code   common   conf   configuration   configured   connect   connections   controlled   create   created   Current   daemon   database   databases   dbms   deal   decommissioned   details   docs   documentation   doing   Dom   Each   eliminating   enough   etc   every   explicitely   extract   fail   Firewall   for   fritz   from   functional   functions   future   grant   hack   has   hba   hcoop   here   hosts   html   http   https   id   ideal   Ideally   ident   identify   in   In   independence   install   is   Is   issue   it   It   itself   k5start   kerberos   Kerberos   Key   key   keytab   krb5   ktadd   least   less   list   listen   ll   maintaining   managed   management   map   may   meantime   members   methods   mire   module   much   must   mysteriously   name   navajos   need   Needs   net   Network   no   node   nodes   not   Note   of   on   once   one   only   opened   or   org   organizational   other   Otherwise   over   package   pg   pidentd   port   postgres   Postgres   postgresql   pretty   processes   progress   quite   randkey   re   readable   really   Remeber   remember   removed   Requiring   resolves   reverse   revisit   rule   rules   running   same   say   script   see   See   seems   server   servers   Service   service   set   shell   should   show   sides   since   so   some   source   space   specific   specifically   srv   standard   static   still   stored   support   System   system   table   Tablespaces   tcp   than   that   The   the   There   there   This   tickets   to   Tool   under   Unfortunately   universally   up   use   used   useful   user   uses   using   various   Warning   wasn   way   we   web   well   what   when   where   wide   will   with   Work   would   www   You  

Clear message

DaemonAdmin / PostgreSQL

Warning: postgresql configuration is not controlled by a Debian package, but it should be. Ideally pg_hba.conf and pg_ident.conf would be managed by DomTool, or some other system management daemon. In the meantime, here's what we're doing.

Current node is fritz, with Postgres 8.1 on port 5422, and Postgres 9.1 on 5433. Note that navajos/bog can only use Postgres 9.1, and support for 8.1 will be removed once mire has been decommissioned.

The source code of DomTool's dbms module is useful as documentation.

1. Tablespaces

Each user has a table space in /srv/database/$PATHBITS/$USER/{postgres,postgres-9.1}, created by the create-user-database script.

Tablespaces are an artifact from when we stored databases in afs. There may be some organizational advantage as well, but future admins should revisit the issue.

2. Authentication

The pg_hba.conf of every install must explicitely list the allowed hosts. Firewall rules on both sides should be opened.

Additionally, there must be a rule to allow clients on the database server to connect to itself over tcp for various administrative functions, since DomTool is configured to use TCP for maintaining node independence.

Postgres 8.1 uses ident (pidentd specifically). It's a hack, but GSSAPI support wasn't quite functional enough, or at least we'll say it wasn't.

Postgres 9.1 uses GSSAPI and ident. An pg_ident.conf is used to map $USER/daemon@HCOOP.NET to the Postgres user $USER. This has the advantage that $USER@HCOOP.NET resolves to the same database user. See the postgres auth docs for details; we're using a pretty standard set up.

Unfortunately, there's no way to universally grant CGI processes kerberos tickets from a keytab. Requiring members to deal with the kerberos API in CGIs seems a bit much, so the web nodes still use ident to identify members, but only after attempting GSSAPI based authentication. This is less than ideal, see https://bugzilla.hcoop.net/show_bug.cgi?id=937 for progress on eliminating ident. The user shell nodes should not need ident because the user always has tickets, and any servers will be running under k5start also with tickets.

2.1. Kerberos Service Key

Remeber to create and extract a service key for postgres. Note that the keytab is not the system wide keytab, but a postgres specific one. You must also chown it to be readable by only the postgres server account.

addprinc -randkey postgres/$HOST.hcoop.net
ktadd -k /etc/postgresql-common/krb5.keytab postgres/$HOST.hcoop.net

(where $HOST is the name Kerberos and reverse DNS name for the node, not the postgres alias).

3. Network

Always remember to set listen_addresses = '*', or (better) the IP that postgres should really listen on. Otherwise, connections will fail mysteriously.

CategoryNeedsWork CategorySystemAdministration

DaemonAdmin/PostgreSQL (last edited 2012-12-25 21:30:22 by ClintonEbadi)