welcome: please sign in

Revision 7 as of 2012-12-10 08:03:05

Clear message
Edit

DaemonAdmin / PostgreSQL

Warning: postgresql configuration is not controlled by a Debian package, but it should be. Ideally pg_hba.conf and pg_ident.conf would be managed by DomTool, or some other system management daemon.

Current node is fritz, with Postgres 8.1 on port 5422, and Postgres 9.1 on 5433. Note that navajos/bog can only use Postgres 9.1, and support for 8.1 will be removed once mire has been decommissioned.

The source code of DomTool's dbms module is useful as documentation.

1. Tablespaces

Each user has a table space in /srv/database/$PATHBITS/$USER/{postgres,postgres-9.1}, created by the create-user-database script.

Tablespaces are an artifact from when we stored databases in afs. There may be some organizational advantage as well, but future admins should revisit the issue.

2. Authentication

The pg_hba.conf of every install must explicitely list the allowed hosts. Firewall rules on both sides should be opened.

Postgres 8.1 uses ident. It's a hack, but GSSAPI support wasn't quite functional enough, or at least we'll say it wasn't.

Postgres 9.1 uses GSSAPI. An pg_ident.conf is used to map $USER/daemon@HCOOP.NET to the Postgres user $USER. This has the advantage that $USER@HCOOP.NET resolves to the same database user. See the postgres auth docs for details; we're using a pretty standard set up.

Additionally, there must be a rule to allow clients on the database server to connect to itself over tcp for various administrative functions, since DomTool is configured to use TCP for maintaining node independence.

3. Network

Always remember to set listen_addresses = '*', or (better) the IP that postgres should really listen on. Otherwise, connections will fail mysteriously.


CategoryNeedsWork CategorySystemAdministration