Commit 810f5db6738c8096db80ca7b6fa73014ef92f3ae

Authored by Jacob Vosmaer
2 parents 56549c2b 5e2f5de1

Merge branch 'pg_peer' of dev.gitlab.org:gitlab/omnibus-gitlab

Conflicts:
	CHANGELOG
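--- a/CHANGELOG
+++ b/CHANGELOG
@@ -21,6 +21,13 @@ omnibus-gitlab repository.
 - Change default Runit log rotation from 10x1MB to 30x24h
 - Security: Restrict redis and postgresql log directory permissions to 0700
 - Add a 'gitlab-ctl deploy-page' command
+- Security: Use sockets and peer authentication for Postgres
+
+6.9.4-ee.omnibus.1
+- Security: Use sockets and peer authentication for Postgres
+
+6.9.2.omnibus.2
+- Security: Use sockets and peer authentication for Postgres
 
 6.9.2
 - Create the authorized-keys.lock file for gitlab-shell 1.9.4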
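--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -123,8 +123,8 @@ default['gitlab']['gitlab-rails']['db_encoding'] = "unicode"
 default['gitlab']['gitlab-rails']['db_database'] = "gitlabhq_production"
 default['gitlab']['gitlab-rails']['db_pool'] = 10
 default['gitlab']['gitlab-rails']['db_username'] = "gitlab"
-default['gitlab']['gitlab-rails']['db_password'] = "password"
-default['gitlab']['gitlab-rails']['db_host'] = "localhost"
+default['gitlab']['gitlab-rails']['db_password'] = nil
+default['gitlab']['gitlab-rails']['db_host'] = nil
 default['gitlab']['gitlab-rails']['db_port'] = 5432
 default['gitlab']['gitlab-rails']['db_socket'] = nil
 
@@ -182,12 +182,11 @@ default['gitlab']['postgresql']['shell'] = "/bin/sh"
 default['gitlab']['postgresql']['home'] = "/var/opt/gitlab/postgresql"
 default['gitlab']['postgresql']['user_path'] = "/opt/gitlab/embedded/bin:/opt/gitlab/bin:$PATH"
 default['gitlab']['postgresql']['sql_user'] = "gitlab"
-default['gitlab']['postgresql']['sql_password'] = "snakepliskin"
 default['gitlab']['postgresql']['port'] = 5432
-default['gitlab']['postgresql']['listen_address'] = 'localhost'
+default['gitlab']['postgresql']['listen_address'] = nil
 default['gitlab']['postgresql']['max_connections'] = 200
-default['gitlab']['postgresql']['md5_auth_cidr_addresses'] = [ ]
-default['gitlab']['postgresql']['trust_auth_cidr_addresses'] = [ '127.0.0.1/32', '::1/128' ]
+default['gitlab']['postgresql']['md5_auth_cidr_addresses'] = []
+default['gitlab']['postgresql']['trust_auth_cidr_addresses'] = []
 default['gitlab']['postgresql']['shmmax'] = kernel['machine'] =~ /x86_64/ ? 17179869184 : 4294967295
 default['gitlab']['postgresql']['shmall'] = kernel['machine'] =~ /x86_64/ ? 4194304 : 1048575
 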
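Review bot: `md5_auth_cidr_addresses` survives the second hunk while `sql_password` is removed, and in recipes/postgresql.rb the role is now created with `CREATE USER #{sql_user}` and no password, so any CIDR an operator puts into `md5_auth_cidr_addresses` produces pg_hba entries the gitlab role can no longer authenticate against. Either the attribute should be retired together with the password, or it needs a comment such as `# md5_auth_cidr_addresses only works if a password is set on the sql_user role by hand; this cookbook no longer creates one`. The new `listen_address = nil` presumably disables the TCP listener entirely (the postgresql.conf template is not in this commit), which is also worth one comment next to it, since both CIDR attributes are meaningless until an operator sets it.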
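--- a/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
+++ b/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
@@ -66,16 +66,12 @@ module Gitlab
 end
 end
 
- Gitlab['postgresql']['sql_password'] ||= generate_hex(50)
 Gitlab['gitlab_rails']['secret_token'] ||= generate_hex(64)
 
 if File.directory?("/etc/gitlab")
 File.open("/etc/gitlab/gitlab-secrets.json", "w") do |f|
 f.puts(
 Chef::JSONCompat.to_json_pretty({
- 'postgresql' => {
- 'sql_password' => Gitlab['postgresql']['sql_password'],
- },
 'gitlab_rails' => {
 'secret_token' => Gitlab['gitlab_rails']['secret_token'],
 }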
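Review bot: `File.open("/etc/gitlab/gitlab-secrets.json", "w")` still creates the secrets file under the process umask, so `secret_token` can land readable to other local users unless a chmod happens elsewhere in this method (which starts and ends outside the hunk). Passing the mode at creation, `File.open("/etc/gitlab/gitlab-secrets.json", File::WRONLY | File::CREAT | File::TRUNC, 0600) do |f|`, covers fresh installs; an existing file keeps its old mode, so a `File.chmod(0600, "/etc/gitlab/gitlab-secrets.json")` after the write is needed for upgrades. Dropping the `postgresql.sql_password` key also means an installation that already stored one loses it silently on the next run; harmless once peer auth is active, but the changelog entry should say so.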
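--- a/files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb
@@ -74,6 +74,7 @@ template_symlink File.join(gitlab_rails_etc_dir, "database.yml") do
 group "root"
 mode "0644"
 variables database_attributes
+ helpers SingleQuoteHelper
 restarts dependent_services
 end
 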
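--- a/files/gitlab-cookbooks/gitlab/recipes/postgresql.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/postgresql.rb
@@ -115,6 +115,13 @@ template pg_hba_config do
 notifies :restart, 'service[postgresql]' if OmnibusHelper.should_notify?("postgresql")
 end
 
+template File.join(postgresql_data_dir, "pg_ident.conf") do
+ owner node['gitlab']['postgresql']['username']
+ mode "0644"
+ variables(node['gitlab']['postgresql'].to_hash)
+ notifies :restart, 'service[postgresql]' if OmnibusHelper.should_notify?("postgresql")
+end
+
 should_notify = OmnibusHelper.should_notify?("postgresql")
 
 runit_service "postgresql" do
@@ -143,10 +150,9 @@ bin_dir = "/opt/gitlab/embedded/bin"
 db_name = "gitlabhq_production"
 
 sql_user = node['gitlab']['postgresql']['sql_user']
-sql_user_passwd = node['gitlab']['postgresql']['sql_password']
 
 execute "create #{sql_user} database user" do
- command "#{bin_dir}/psql --port #{pg_port} -d template1 -c \"CREATE USER #{sql_user} WITH ENCRYPTED PASSWORD '#{sql_user_passwd}'\""
+ command "#{bin_dir}/psql --port #{pg_port} -d template1 -c \"CREATE USER #{sql_user}\""
 user pg_user
 not_if { !pg_helper.is_running? || pg_helper.sql_user_exists? }
 end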
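Review bot: The new pg_ident.conf template notifies `:restart` on the postgresql service, yet pg_ident.conf is re-read on SIGHUP (the template's own header says so), so every map change drops all client connections where a reload would do; if the runit_service resource exposes a reload/HUP action, prefer it here and on the pg_hba template above, otherwise a comment `# restart rather than reload: kept consistent with the pg_hba template` records that the choice is deliberate. The resource sets `owner` but no `group`, so the file's group is whatever the Chef run defaults to; mirror whatever `group` the pg_hba template sets, if it sets one (its body is outside this section). The `CREATE USER #{sql_user}` change leaves the role with no password at all, which is the intent of peer auth but deserves a one-line comment above the `execute`, since the `not_if` guard means existing installs keep whatever password the role already had.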
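--- a/files/gitlab-cookbooks/gitlab/templates/default/database.yml.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/database.yml.erb
@@ -7,8 +7,8 @@ production:
 encoding: <%= @db_encoding %>
 database: <%= @db_database %>
 pool: <%= @db_pool %>
- username: "<%= @db_username %>"
- password: "<%= @db_password %>"
- host: <%= @db_host %>
+ username: <%= single_quote(@db_username) %>
+ password: <%= single_quote(@db_password) %>
+ host: <%= single_quote(@db_host) %>
 port: <%= @db_port %>
- socket: <%= single_quote(@db_socket) %>
+ socket: <%= single_quote(@db_socket) %>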
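Review bot: Every changed line now depends on `single_quote`, whose definition is not part of this commit, and two inputs decide whether the rendered database.yml is valid: `@db_password` and `@db_host` both default to `nil` in attributes/default.rb, and a password or socket path containing `'` must have the quote doubled (`''`) inside a single-quoted YAML scalar rather than be pasted raw. If the helper does not cover both, nil should render as an empty value (so Rails falls back to the Unix socket) and embedded quotes must be escaped. A short header comment in the template, `# single_quote wraps values in '...' so YAML never reinterprets them (numeric-looking passwords, yes/no); nil values render as empty`, would state the contract where the next editor will see it, adjusted to what the helper actually does.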
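--- a/files/gitlab-cookbooks/gitlab/templates/default/pg_hba.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/pg_hba.conf.erb
@@ -67,7 +67,7 @@
 # TYPE DATABASE USER CIDR-ADDRESS METHOD
 
 # "local" is for Unix domain socket connections only
-local all all trust
+local all all peer map=gitlab
 
 <% node['gitlab']['postgresql']['trust_auth_cidr_addresses'].each do |cidr| %>
 host all all <%= cidr %> trust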
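Review bot: The `local` line now depends on a map named `gitlab` that is rendered into a different file, and nothing here says where it comes from; a comment above it, `# map=gitlab is defined in pg_ident.conf (pg_ident.conf.erb, rendered by the postgresql recipe); change both files together`, saves the next reader a search. The `host … trust` loop below the change is untouched, so any CIDR added to `trust_auth_cidr_addresses` still grants passwordless access to every database and role; now that the default is empty, a comment on that loop stating exactly that would make the opt-in cost explicit.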
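--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/templates/default/pg_ident.conf.erb
@@ -0,0 +1,45 @@
+# PostgreSQL User Name Maps
+# =========================
+#
+# Refer to the PostgreSQL documentation, chapter "Client
+# Authentication" for a complete description. A short synopsis
+# follows.
+#
+# This file controls PostgreSQL user name mapping. It maps external
+# user names to their corresponding PostgreSQL user names. Records
+# are of the form:
+#
+# MAPNAME SYSTEM-USERNAME PG-USERNAME
+#
+# (The uppercase quantities must be replaced by actual values.)
+#
+# MAPNAME is the (otherwise freely chosen) map name that was used in
+# pg_hba.conf. SYSTEM-USERNAME is the detected user name of the
+# client. PG-USERNAME is the requested PostgreSQL user name. The
+# existence of a record specifies that SYSTEM-USERNAME may connect as
+# PG-USERNAME.
+#
+# If SYSTEM-USERNAME starts with a slash (/), it will be treated as a
+# regular expression. Optionally this can contain a capture (a
+# parenthesized subexpression). The substring matching the capture
+# will be substituted for \1 (backslash-one) if present in
+# PG-USERNAME.
+#
+# Multiple maps may be specified in this file and used by pg_hba.conf.
+#
+# No map names are defined in the default configuration. If all
+# system user names and PostgreSQL user names are the same, you don't
+# need anything in this file.
+#
+# This file is read on server startup and when the postmaster receives
+# a SIGHUP signal. If you edit the file on a running system, you have
+# to SIGHUP the postmaster for the changes to take effect. You can
+# use "pg_ctl reload" to do that.
+
+# Put your actual configuration here
+# ----------------------------------
+
+# MAPNAME SYSTEM-USERNAME PG-USERNAME
+gitlab <%= node['gitlab']['user']['username'] %> <%= node['gitlab']['postgresql']['sql_user'] %>
+# Default to a 1-1 mapping between system usernames and Postgres usernames
+gitlab /^(.*)$ \1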
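Review bot: The header copied from PostgreSQL's sample file still says `No map names are defined in the default configuration` and `you don't need anything in this file`, which the two records at the bottom contradict; replace that paragraph with one describing this template, e.g. `# The "gitlab" map below is referenced from pg_hba.conf (local all all peer map=gitlab): the GitLab service account may connect as the sql_user role, and any other OS user only as the role of the same name.` The regex record `gitlab /^(.*)$ \1` is what admits the PostgreSQL service account as its own superuser role over the socket, so a one-line comment saying so next to it keeps someone from later removing it as redundant. Both records interpolate node attributes unquoted; pg_ident fields are whitespace-separated, so a username containing a space would break the file, which is acceptable for attribute-controlled values but worth a comment.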