From 4872677066ed553cd84aed336f3c98c33486a312 Mon Sep 17 00:00:00 2001
From: Sebastian Kippe
Date: Thu, 7 Jan 2021 13:53:30 +0100
Subject: [PATCH] Configure postgres recipes for VMs and zerotier access

* Remove encfs (using encrypted volumes instead)
* Allow access without TLS from zerotier network
---
 nodes/postgres-2.json | 7 +-
 roles/postgresql_primary.rb | 4 +-
 roles/postgresql_replica.rb | 2 +-
 .../kosmos-postgresql/recipes/default.rb | 90 -------------------
 .../kosmos-postgresql/recipes/firewall.rb | 15 ++++
 .../recipes/firewall_replicas.rb | 36 --------
 .../kosmos-postgresql/recipes/primary.rb | 33 +++++++
 .../kosmos-postgresql/recipes/replica.rb | 47 +++++-----
 .../kosmos-postgresql/resources/server.rb | 57 ++----------
 9 files changed, 86 insertions(+), 205 deletions(-)
 delete mode 100644 site-cookbooks/kosmos-postgresql/recipes/default.rb
 create mode 100644 site-cookbooks/kosmos-postgresql/recipes/firewall.rb
 delete mode 100644 site-cookbooks/kosmos-postgresql/recipes/firewall_replicas.rb
 create mode 100644 site-cookbooks/kosmos-postgresql/recipes/primary.rb

diff --git a/nodes/postgres-2.json b/nodes/postgres-2.json
index f170a95..64d44bc 100644
--- a/nodes/postgres-2.json
+++ b/nodes/postgres-2.json
@@ -12,11 +12,13 @@
 "hostname": "postgres-2",
 "ipaddress": "192.168.122.244",
 "roles": [
-
+ "postgresql_replica"
 ],
 "recipes": [
 "kosmos-base",
 "kosmos-base::default",
+ "kosmos-postgresql::replica",
+ "kosmos-postgresql::firewall",
 "apt::default",
 "timezone_iii::default",
 "timezone_iii::debian",
@@ -47,6 +49,7 @@
 }
 },
 "run_list": [
- "recipe[kosmos-base]"
+ "recipe[kosmos-base]",
+ "role[postgresql_replica]"
 ]
 }
\ No newline at end of file
diff --git a/roles/postgresql_primary.rb b/roles/postgresql_primary.rb
index 16db3d9..ba5e5be 100644
--- a/roles/postgresql_primary.rb
+++ b/roles/postgresql_primary.rb
@@ -1,6 +1,6 @@
 name "postgresql_primary"
 
 run_list %w(
- kosmos-postgresql::default
- kosmos-postgresql::firewall_replicas
+ kosmos-postgresql::primary
+ kosmos-postgresql::firewall
 )
diff --git a/roles/postgresql_replica.rb b/roles/postgresql_replica.rb
index 3b247b2..07fc7c6 100644
--- a/roles/postgresql_replica.rb
+++ b/roles/postgresql_replica.rb
@@ -2,5 +2,5 @@ name "postgresql_replica"
 
 run_list %w(
 kosmos-postgresql::replica
- kosmos-postgresql::firewall_replicas
+ kosmos-postgresql::firewall
 )
diff --git a/site-cookbooks/kosmos-postgresql/recipes/default.rb b/site-cookbooks/kosmos-postgresql/recipes/default.rb
deleted file mode 100644
index 8055b8b..0000000
--- a/site-cookbooks/kosmos-postgresql/recipes/default.rb
+++ /dev/null
@@ -1,90 +0,0 @@
-#
-# Cookbook:: kosmos-postgresql
-# Recipe:: default
-#
-# The MIT License (MIT)
-#
-# Copyright:: 2019, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-
-postgresql_version = "12"
-postgresql_service = "postgresql@#{postgresql_version}-main"
-
-service postgresql_service do
- supports restart: true, status: true, reload: true
-end
-
-postgresql_custom_server postgresql_version do
- role "primary"
-end
-
-# This will only be run once, if the /var/lib/postgresql/10/main directory
-# exists. The old data directory is then moved.
-execute "upgrade postgresql to 12" do
- command <<-EOF
-systemctl stop postgresql@12-main
-systemctl stop postgresql@10-main
-su - postgres -c "/usr/lib/postgresql/12/bin/pg_upgrade --old-bindir=/usr/lib/postgresql/10/bin/ --new-bindir=/usr/lib/postgresql/12/bin/ --old-datadir=/etc/postgresql/10/main/ --new-datadir=/etc/postgresql/12/main/"
-mv /var/lib/postgresql/10/main /var/lib/postgresql/10/main.old
-systemctl start postgresql@12-main
- EOF
- only_if { ::File.exist? "/var/lib/postgresql/10/main" }
-end
-
-# Services that connect to PostgreSQL need to have the postgresql_client role
-# as part of their run list. See the gitea and ejabberd roles.
-postgresql_clients = search(:node, "roles:postgresql_client AND chef_environment:#{node.chef_environment}") || []
-
-postgresql_clients.each do |client|
- ip = ip_for(client)
- hostname = client[:hostname]
-
- postgresql_access "#{hostname} all" do
- access_type "host"
- access_db "all"
- access_user "all"
- access_addr "#{ip}/32"
- access_method "md5"
- notifies :reload, "service[#{postgresql_service}]", :immediately
- end
-
- firewall_rule "postgresql #{hostname}" do
- port 5432
- protocol :tcp
- command :allow
- source ip
- end
-end
-
-postgresql_replicas.each do |replica|
- postgresql_access "#{replica[:hostname]} replication" do
- access_type "host"
- access_db "replication"
- access_user "replication"
- access_addr "#{replica[:ipaddress]}/32"
- access_method "md5"
- notifies :reload, "service[#{postgresql_service}]", :immediately
- end
-
-end
-
-unless node.chef_environment == "development"
- include_recipe "kosmos-postgresql::firewall_replicas"
-end
diff --git a/site-cookbooks/kosmos-postgresql/recipes/firewall.rb b/site-cookbooks/kosmos-postgresql/recipes/firewall.rb
new file mode 100644
index 0000000..7b9b380
--- /dev/null
+++ b/site-cookbooks/kosmos-postgresql/recipes/firewall.rb
@@ -0,0 +1,15 @@
+#
+# Cookbook:: kosmos-postgresql
+# Recipe:: firewall
+#
+
+unless node.chef_environment == "development"
+ include_recipe "kosmos-base::firewall"
+
+ firewall_rule "postgresql zerotier members" do
+ port 5432
+ protocol :tcp
+ command :allow
+ source "10.1.1.0/24"
+ end
+end
diff --git a/site-cookbooks/kosmos-postgresql/recipes/firewall_replicas.rb b/site-cookbooks/kosmos-postgresql/recipes/firewall_replicas.rb
deleted file mode 100644
index 0ad0a47..0000000
--- a/site-cookbooks/kosmos-postgresql/recipes/firewall_replicas.rb
+++ /dev/null
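Review bot: The new `firewall_rule "postgresql zerotier members"` admits the whole `10.1.1.0/24` range by source address alone, so it also matches traffic carrying such a source on any other interface, whereas the deleted `firewall_replicas` recipe allowed individual replica addresses only. If the firewall cookbook in use supports binding a rule to an interface, pin this one to the ZeroTier tunnel interface (placeholder: `interface "<zerotier interface>"`), or keep per-member `/32` sources as before. At minimum a comment above the resource such as `# Every member of the ZeroTier network may reach port 5432; pg_hba.conf is the only remaining per-connection control` would record the widened exposure, since the same `/24` is also used as `access_addr` in `primary.rb` and `replica.rb`.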
@@ -1,36 +0,0 @@
-#
-# Cookbook:: kosmos-postgresql
-# Recipe:: firewall_replicas
-#
-# The MIT License (MIT)
-#
-# Copyright:: 2020, Kosmos Developers
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is
-# furnished to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in
-# all copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-
-include_recipe "kosmos-base::firewall"
-
-postgresql_replicas.each do |replica|
- firewall_rule "postgresql replica #{replica[:hostname]}" do
- port 5432
- protocol :tcp
- command :allow
- source replica[:ipaddress]
- end
-end
diff --git a/site-cookbooks/kosmos-postgresql/recipes/primary.rb b/site-cookbooks/kosmos-postgresql/recipes/primary.rb
new file mode 100644
index 0000000..b3a7534
--- /dev/null
+++ b/site-cookbooks/kosmos-postgresql/recipes/primary.rb
@@ -0,0 +1,33 @@
+#
+# Cookbook:: kosmos-postgresql
+# Recipe:: primary
+#
+
+postgresql_version = "12"
+postgresql_service = "postgresql@#{postgresql_version}-main"
+
+service postgresql_service do
+ supports restart: true, status: true, reload: true
+end
+
+postgresql_custom_server postgresql_version do
+ role "primary"
+end
+
+postgresql_access "zerotier members" do
+ access_type "host"
+ access_db "all"
+ access_user "all"
+ access_addr "10.1.1.0/24"
+ access_method "md5"
+ notifies :reload, "service[#{postgresql_service}]", :immediately
+end
+
+postgresql_access "zerotier members replication" do
+ access_type "host"
+ access_db "replication"
+ access_user "replication"
+ access_addr "10.1.1.0/24"
+ access_method "md5"
+ notifies :reload, "service[#{postgresql_service}]", :immediately
+end
diff --git a/site-cookbooks/kosmos-postgresql/recipes/replica.rb b/site-cookbooks/kosmos-postgresql/recipes/replica.rb
index 5418ad9..a5b82b9 100644
--- a/site-cookbooks/kosmos-postgresql/recipes/replica.rb
+++ b/site-cookbooks/kosmos-postgresql/recipes/replica.rb
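Review bot: Both `postgresql_access` resources combine `access_type "host"` with `access_method "md5"`, and the `server.rb` change in this same commit drops the `ssl = on` settings, so password authentication for every role and every database from `10.1.1.0/24` now happens without TLS and with the legacy MD5 challenge; confidentiality and integrity rest entirely on the ZeroTier tunnel. PostgreSQL 12 supports SCRAM, so `access_method "scram-sha-256"` (with `password_encryption` set to `scram-sha-256` in `additional_config` before the roles' passwords are set) would remove the MD5 weakness without reintroducing TLS. A short comment above the first resource stating the trust model, e.g. `# Any ZeroTier member may authenticate to any database; the overlay network is the transport security boundary`, would make the decision explicit for later readers.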
@@ -19,43 +19,38 @@ postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
 primary = postgresql_primary
 
 unless primary.nil?
- postgresql_data_dir = "#{node["kosmos_encfs"]["data_directory"]}/postgresql/#{postgresql_version}/main"
+ # TODO
+ postgresql_data_dir = "/var/lib/postgresql/#{postgresql_version}/main"
 
- if node['kosmos-postgresql']['ready_to_set_up_replica']
- execute "set up replication" do
- command <<-EOF
+ # FIXME get zerotier IP
+ execute "set up replication" do
+ command <<-EOF
 systemctl stop #{postgresql_service}
 mv #{postgresql_data_dir} #{postgresql_data_dir}.old
-pg_basebackup -h #{primary[:ipaddress]} -U replication -D #{postgresql_data_dir} -R
+pg_basebackup -h 10.1.1.167 -U replication -D #{postgresql_data_dir} -R
 chown -R postgres:postgres #{postgresql_data_dir}
 systemctl start #{postgresql_service}
- EOF
- environment 'PGPASSWORD' => postgresql_data_bag_item['replication_password']
- sensitive true
- not_if { ::File.exist? "#{postgresql_data_dir}/standby.signal" }
- end
+ EOF
+ environment 'PGPASSWORD' => postgresql_data_bag_item['replication_password']
+ sensitive true
+ not_if { ::File.exist? "#{postgresql_data_dir}/standby.signal" }
 end
 
- postgresql_access "replication" do
+ postgresql_access "zerotier members" do
 access_type "host"
- access_db "replication"
- access_user "replication"
- access_addr "#{primary[:ipaddress]}/32"
+ access_db "all"
+ access_user "all"
+ access_addr "10.1.1.0/24"
 access_method "md5"
 notifies :reload, "service[#{postgresql_service}]", :immediately
 end
 
- # On the next Chef run the replica will be set up
- node.normal['kosmos-postgresql']['ready_to_set_up_replica'] = true
-
- unless node.chef_environment == "development"
- include_recipe "kosmos-base::firewall"
-
- firewall_rule "postgresql primary #{primary[:hostname]}" do
- port 5432
- protocol :tcp
- command :allow
- source primary[:ipaddress]
- end
+ postgresql_access "zerotier members replication" do
+ access_type "host"
+ access_db "replication"
+ access_user "replication"
+ access_addr "10.1.1.0/24"
+ access_method "md5"
+ notifies :reload, "service[#{postgresql_service}]", :immediately
 end
 end
diff --git a/site-cookbooks/kosmos-postgresql/resources/server.rb b/site-cookbooks/kosmos-postgresql/resources/server.rb
index 8e1ff58..c131023 100644
--- a/site-cookbooks/kosmos-postgresql/resources/server.rb
+++ b/site-cookbooks/kosmos-postgresql/resources/server.rb
@@ -4,22 +4,13 @@ property :postgresql_version, String, required: true, name_property: true
 property :role, String, required: true # Can be primary or replica
 
 action :create do
- encfs_data_dir = node["kosmos_encfs"]["data_directory"]
 postgresql_version = new_resource.postgresql_version
- postgresql_data_dir = "#{encfs_data_dir}/postgresql/#{postgresql_version}/main"
+ postgresql_data_dir = "/var/lib/postgresql/#{postgresql_version}/main"
 postgresql_service = "postgresql@#{postgresql_version}-main"
+ postgresql_credentials = data_bag_item('credentials', 'postgresql')
 
- node.override['build-essential']['compile_time'] = true
- include_recipe 'build-essential::default'
-
- user "postgres" do
- manage_home false
- end
-
- directory "#{encfs_data_dir}/postgresql" do
- owner "postgres"
- group "postgres"
- mode "0750"
+ build_essential do
+ compile_time true
 end
 
 package("libpq-dev") { action :nothing }.run_action(:install)
@@ -28,13 +19,14 @@ action :create do
 compile_time true
 end
 
- postgresql_data_bag_item = data_bag_item('credentials', 'postgresql')
+ user "postgres" do
+ manage_home false
+ end
 
 postgresql_server_install "main" do
 version postgresql_version
 setup_repo true
- password postgresql_data_bag_item['server_password']
- data_directory postgresql_data_dir
+ password postgresql_credentials['server_password']
 action :install
 end
 
@@ -43,9 +35,6 @@ action :create do
 action :start
 end
 
- # Activates the postgres service when encrypted data dir is mounted
- encfs_path_activation_unit postgresql_service
-
 # This service is a dependency that will auto-start our cluster service on
 # boot if it's enabled, so we disable it explicitly
 service "postgresql" do
@@ -69,36 +58,8 @@ action :create do
 
 additional_config[:promote_trigger_file] = "#{postgresql_data_dir}/failover.trigger"
 
- ssl_cert = postgresql_data_bag_item['ssl_cert']
- ssl_cert_path = "#{postgresql_data_dir}/server.crt"
- ssl_key = postgresql_data_bag_item['ssl_key']
- ssl_key_path = "#{postgresql_data_dir}/server.key"
-
- file ssl_cert_path do
- content ssl_cert
- owner "postgres"
- group "postgres"
- mode "0640"
- sensitive true
- end
-
- file ssl_key_path do
- content ssl_key
- owner "postgres"
- group "postgres"
- mode "0600"
- sensitive true
- end
-
- additional_config[:ssl] = "on"
- additional_config[:ssl_cert_file] = ssl_cert_path
- additional_config[:ssl_key_file] = ssl_key_path
- # ejabberd does not support 1.3 yet
- additional_config[:ssl_min_protocol_version] = "TLSv1.2"
-
 postgresql_server_conf "main" do
 version postgresql_version
- data_directory postgresql_data_dir
 additional_config additional_config
 notifies :reload, "service[#{postgresql_service}]", :delayed
 end
@@ -106,7 +67,7 @@ action :create do
 postgresql_user "replication" do
 action :create
 replication true
- password postgresql_data_bag_item['replication_password']
+ password postgresql_credentials['replication_password']
 end
 
 end
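Review bot: Dropping `additional_config[:ssl] = "on"` together with the `server.crt`/`server.key` files disables TLS for the whole listener (the server default is `ssl = off` unless the generated postgresql.conf sets it elsewhere), so even clients that ask for TLS no longer get it, while the commit message only asks to allow non-TLS access from the ZeroTier range, which the `host` pg_hba entries in `primary.rb` and `replica.rb` already achieve on their own. Keeping `additional_config[:ssl] = "on"` with the existing `ssl_min_protocol_version = "TLSv1.2"` and the two `file` resources would let overlay members connect in plain text while every other path still negotiates TLS, at no cost to the intended change. If turning TLS off is deliberate, a one-line comment next to `postgresql_server_conf "main"` such as `# TLS is intentionally not configured; transport security relies on the ZeroTier overlay` would keep the next reader from treating it as an accident. The `action :create` block begins before this hunk.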