Commit 5e2f5de1c6c5f0b5756fb73550233121d1cdc960
1 parent
beef3138
Exists in
master
and in
9 other branches
Use sockets and peer authentication for Postgres
Showing
8 changed files
with
65 additions
and
17 deletions
Show diff stats
CHANGELOG
| @@ -9,6 +9,7 @@ | @@ -9,6 +9,7 @@ | ||
| 9 | - Support changing the 'signin_enabled' option (Konstantinos Paliouras) | 9 | - Support changing the 'signin_enabled' option (Konstantinos Paliouras) |
| 10 | - Fix Nginx HTTP-to-HTTPS log configuration error (Konstantinos Paliouras) | 10 | - Fix Nginx HTTP-to-HTTPS log configuration error (Konstantinos Paliouras) |
| 11 | - Create the authorized-keys.lock file for gitlab-shell 1.9.4 | 11 | - Create the authorized-keys.lock file for gitlab-shell 1.9.4 |
| 12 | +- Use sockets and peer authentication for Postgres | ||
| 12 | 13 | ||
| 13 | 6.9.? | 14 | 6.9.? |
| 14 | - Create the authorized-keys.lock file for gitlab-shell 1.9.4 | 15 | - Create the authorized-keys.lock file for gitlab-shell 1.9.4 |
files/gitlab-cookbooks/gitlab/attributes/default.rb
| @@ -123,8 +123,8 @@ default['gitlab']['gitlab-rails']['db_encoding'] = "unicode" | @@ -123,8 +123,8 @@ default['gitlab']['gitlab-rails']['db_encoding'] = "unicode" | ||
| 123 | default['gitlab']['gitlab-rails']['db_database'] = "gitlabhq_production" | 123 | default['gitlab']['gitlab-rails']['db_database'] = "gitlabhq_production" |
| 124 | default['gitlab']['gitlab-rails']['db_pool'] = 10 | 124 | default['gitlab']['gitlab-rails']['db_pool'] = 10 |
| 125 | default['gitlab']['gitlab-rails']['db_username'] = "gitlab" | 125 | default['gitlab']['gitlab-rails']['db_username'] = "gitlab" |
| 126 | -default['gitlab']['gitlab-rails']['db_password'] = "password" | ||
| 127 | -default['gitlab']['gitlab-rails']['db_host'] = "localhost" | 126 | +default['gitlab']['gitlab-rails']['db_password'] = nil |
| 127 | +default['gitlab']['gitlab-rails']['db_host'] = nil | ||
| 128 | default['gitlab']['gitlab-rails']['db_port'] = 5432 | 128 | default['gitlab']['gitlab-rails']['db_port'] = 5432 |
| 129 | default['gitlab']['gitlab-rails']['db_socket'] = nil | 129 | default['gitlab']['gitlab-rails']['db_socket'] = nil |
| 130 | 130 | ||
| @@ -184,12 +184,11 @@ default['gitlab']['postgresql']['shell'] = "/bin/sh" | @@ -184,12 +184,11 @@ default['gitlab']['postgresql']['shell'] = "/bin/sh" | ||
| 184 | default['gitlab']['postgresql']['home'] = "/var/opt/gitlab/postgresql" | 184 | default['gitlab']['postgresql']['home'] = "/var/opt/gitlab/postgresql" |
| 185 | default['gitlab']['postgresql']['user_path'] = "/opt/gitlab/embedded/bin:/opt/gitlab/bin:$PATH" | 185 | default['gitlab']['postgresql']['user_path'] = "/opt/gitlab/embedded/bin:/opt/gitlab/bin:$PATH" |
| 186 | default['gitlab']['postgresql']['sql_user'] = "gitlab" | 186 | default['gitlab']['postgresql']['sql_user'] = "gitlab" |
| 187 | -default['gitlab']['postgresql']['sql_password'] = "snakepliskin" | ||
| 188 | default['gitlab']['postgresql']['port'] = 5432 | 187 | default['gitlab']['postgresql']['port'] = 5432 |
| 189 | -default['gitlab']['postgresql']['listen_address'] = 'localhost' | 188 | +default['gitlab']['postgresql']['listen_address'] = nil |
| 190 | default['gitlab']['postgresql']['max_connections'] = 200 | 189 | default['gitlab']['postgresql']['max_connections'] = 200 |
| 191 | -default['gitlab']['postgresql']['md5_auth_cidr_addresses'] = [ ] | ||
| 192 | -default['gitlab']['postgresql']['trust_auth_cidr_addresses'] = [ '127.0.0.1/32', '::1/128' ] | 190 | +default['gitlab']['postgresql']['md5_auth_cidr_addresses'] = [] |
| 191 | +default['gitlab']['postgresql']['trust_auth_cidr_addresses'] = [] | ||
| 193 | default['gitlab']['postgresql']['shmmax'] = kernel['machine'] =~ /x86_64/ ? 17179869184 : 4294967295 | 192 | default['gitlab']['postgresql']['shmmax'] = kernel['machine'] =~ /x86_64/ ? 17179869184 : 4294967295 |
| 194 | default['gitlab']['postgresql']['shmall'] = kernel['machine'] =~ /x86_64/ ? 4194304 : 1048575 | 193 | default['gitlab']['postgresql']['shmall'] = kernel['machine'] =~ /x86_64/ ? 4194304 : 1048575 |
| 195 | 194 |
files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
| @@ -65,16 +65,12 @@ module Gitlab | @@ -65,16 +65,12 @@ module Gitlab | ||
| 65 | end | 65 | end |
| 66 | end | 66 | end |
| 67 | 67 | ||
| 68 | - Gitlab['postgresql']['sql_password'] ||= generate_hex(50) | ||
| 69 | Gitlab['gitlab_rails']['secret_token'] ||= generate_hex(64) | 68 | Gitlab['gitlab_rails']['secret_token'] ||= generate_hex(64) |
| 70 | 69 | ||
| 71 | if File.directory?("/etc/gitlab") | 70 | if File.directory?("/etc/gitlab") |
| 72 | File.open("/etc/gitlab/gitlab-secrets.json", "w") do |f| | 71 | File.open("/etc/gitlab/gitlab-secrets.json", "w") do |f| |
| 73 | f.puts( | 72 | f.puts( |
| 74 | Chef::JSONCompat.to_json_pretty({ | 73 | Chef::JSONCompat.to_json_pretty({ |
| 75 | - 'postgresql' => { | ||
| 76 | - 'sql_password' => Gitlab['postgresql']['sql_password'], | ||
| 77 | - }, | ||
| 78 | 'gitlab_rails' => { | 74 | 'gitlab_rails' => { |
| 79 | 'secret_token' => Gitlab['gitlab_rails']['secret_token'], | 75 | 'secret_token' => Gitlab['gitlab_rails']['secret_token'], |
| 80 | } | 76 | } |
files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb
| @@ -74,6 +74,7 @@ template_symlink File.join(gitlab_rails_etc_dir, "database.yml") do | @@ -74,6 +74,7 @@ template_symlink File.join(gitlab_rails_etc_dir, "database.yml") do | ||
| 74 | group "root" | 74 | group "root" |
| 75 | mode "0644" | 75 | mode "0644" |
| 76 | variables database_attributes | 76 | variables database_attributes |
| 77 | + helpers SingleQuoteHelper | ||
| 77 | restarts dependent_services | 78 | restarts dependent_services |
| 78 | end | 79 | end |
| 79 | 80 |
files/gitlab-cookbooks/gitlab/recipes/postgresql.rb
| @@ -119,6 +119,13 @@ template pg_hba_config do | @@ -119,6 +119,13 @@ template pg_hba_config do | ||
| 119 | notifies :restart, 'service[postgresql]' if OmnibusHelper.should_notify?("postgresql") | 119 | notifies :restart, 'service[postgresql]' if OmnibusHelper.should_notify?("postgresql") |
| 120 | end | 120 | end |
| 121 | 121 | ||
| 122 | +template File.join(postgresql_data_dir, "pg_ident.conf") do | ||
| 123 | + owner node['gitlab']['postgresql']['username'] | ||
| 124 | + mode "0644" | ||
| 125 | + variables(node['gitlab']['postgresql'].to_hash) | ||
| 126 | + notifies :restart, 'service[postgresql]' if OmnibusHelper.should_notify?("postgresql") | ||
| 127 | +end | ||
| 128 | + | ||
| 122 | should_notify = OmnibusHelper.should_notify?("postgresql") | 129 | should_notify = OmnibusHelper.should_notify?("postgresql") |
| 123 | 130 | ||
| 124 | runit_service "postgresql" do | 131 | runit_service "postgresql" do |
| @@ -148,10 +155,9 @@ bin_dir = "/opt/gitlab/embedded/bin" | @@ -148,10 +155,9 @@ bin_dir = "/opt/gitlab/embedded/bin" | ||
| 148 | db_name = "gitlabhq_production" | 155 | db_name = "gitlabhq_production" |
| 149 | 156 | ||
| 150 | sql_user = node['gitlab']['postgresql']['sql_user'] | 157 | sql_user = node['gitlab']['postgresql']['sql_user'] |
| 151 | -sql_user_passwd = node['gitlab']['postgresql']['sql_password'] | ||
| 152 | 158 | ||
| 153 | execute "create #{sql_user} database user" do | 159 | execute "create #{sql_user} database user" do |
| 154 | - command "#{bin_dir}/psql --port #{pg_port} -d template1 -c \"CREATE USER #{sql_user} WITH ENCRYPTED PASSWORD '#{sql_user_passwd}'\"" | 160 | + command "#{bin_dir}/psql --port #{pg_port} -d template1 -c \"CREATE USER #{sql_user}\"" |
| 155 | user pg_user | 161 | user pg_user |
| 156 | not_if { !pg_helper.is_running? || pg_helper.sql_user_exists? } | 162 | not_if { !pg_helper.is_running? || pg_helper.sql_user_exists? } |
| 157 | end | 163 | end |
files/gitlab-cookbooks/gitlab/templates/default/database.yml.erb
| @@ -7,8 +7,8 @@ production: | @@ -7,8 +7,8 @@ production: | ||
| 7 | encoding: <%= @db_encoding %> | 7 | encoding: <%= @db_encoding %> |
| 8 | database: <%= @db_database %> | 8 | database: <%= @db_database %> |
| 9 | pool: <%= @db_pool %> | 9 | pool: <%= @db_pool %> |
| 10 | - username: "<%= @db_username %>" | ||
| 11 | - password: "<%= @db_password %>" | ||
| 12 | - host: <%= @db_host %> | 10 | + username: <%= single_quote(@db_username) %> |
| 11 | + password: <%= single_quote(@db_password) %> | ||
| 12 | + host: <%= single_quote(@db_host) %> | ||
| 13 | port: <%= @db_port %> | 13 | port: <%= @db_port %> |
| 14 | - socket: <%= @db_socket %> | 14 | + socket: <%= single_quote(@db_socket) %> |
files/gitlab-cookbooks/gitlab/templates/default/pg_hba.conf.erb
| @@ -67,7 +67,7 @@ | @@ -67,7 +67,7 @@ | ||
| 67 | # TYPE DATABASE USER CIDR-ADDRESS METHOD | 67 | # TYPE DATABASE USER CIDR-ADDRESS METHOD |
| 68 | 68 | ||
| 69 | # "local" is for Unix domain socket connections only | 69 | # "local" is for Unix domain socket connections only |
| 70 | -local all all trust | 70 | +local all all peer map=gitlab |
| 71 | 71 | ||
| 72 | <% node['gitlab']['postgresql']['trust_auth_cidr_addresses'].each do |cidr| %> | 72 | <% node['gitlab']['postgresql']['trust_auth_cidr_addresses'].each do |cidr| %> |
| 73 | host all all <%= cidr %> trust | 73 | host all all <%= cidr %> trust |
files/gitlab-cookbooks/gitlab/templates/default/pg_ident.conf.erb
0 → 100644
| @@ -0,0 +1,45 @@ | @@ -0,0 +1,45 @@ | ||
| 1 | +# PostgreSQL User Name Maps | ||
| 2 | +# ========================= | ||
| 3 | +# | ||
| 4 | +# Refer to the PostgreSQL documentation, chapter "Client | ||
| 5 | +# Authentication" for a complete description. A short synopsis | ||
| 6 | +# follows. | ||
| 7 | +# | ||
| 8 | +# This file controls PostgreSQL user name mapping. It maps external | ||
| 9 | +# user names to their corresponding PostgreSQL user names. Records | ||
| 10 | +# are of the form: | ||
| 11 | +# | ||
| 12 | +# MAPNAME SYSTEM-USERNAME PG-USERNAME | ||
| 13 | +# | ||
| 14 | +# (The uppercase quantities must be replaced by actual values.) | ||
| 15 | +# | ||
| 16 | +# MAPNAME is the (otherwise freely chosen) map name that was used in | ||
| 17 | +# pg_hba.conf. SYSTEM-USERNAME is the detected user name of the | ||
| 18 | +# client. PG-USERNAME is the requested PostgreSQL user name. The | ||
| 19 | +# existence of a record specifies that SYSTEM-USERNAME may connect as | ||
| 20 | +# PG-USERNAME. | ||
| 21 | +# | ||
| 22 | +# If SYSTEM-USERNAME starts with a slash (/), it will be treated as a | ||
| 23 | +# regular expression. Optionally this can contain a capture (a | ||
| 24 | +# parenthesized subexpression). The substring matching the capture | ||
| 25 | +# will be substituted for \1 (backslash-one) if present in | ||
| 26 | +# PG-USERNAME. | ||
| 27 | +# | ||
| 28 | +# Multiple maps may be specified in this file and used by pg_hba.conf. | ||
| 29 | +# | ||
| 30 | +# No map names are defined in the default configuration. If all | ||
| 31 | +# system user names and PostgreSQL user names are the same, you don't | ||
| 32 | +# need anything in this file. | ||
| 33 | +# | ||
| 34 | +# This file is read on server startup and when the postmaster receives | ||
| 35 | +# a SIGHUP signal. If you edit the file on a running system, you have | ||
| 36 | +# to SIGHUP the postmaster for the changes to take effect. You can | ||
| 37 | +# use "pg_ctl reload" to do that. | ||
| 38 | + | ||
| 39 | +# Put your actual configuration here | ||
| 40 | +# ---------------------------------- | ||
| 41 | + | ||
| 42 | +# MAPNAME SYSTEM-USERNAME PG-USERNAME | ||
| 43 | +gitlab <%= node['gitlab']['user']['username'] %> <%= node['gitlab']['postgresql']['sql_user'] %> | ||
| 44 | +# Default to a 1-1 mapping between system usernames and Postgres usernames | ||
| 45 | +gitlab /^(.*)$ \1 |