diff --git a/CHANGELOG b/CHANGELOG
index 5bb42a6..d7a70fa 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -9,6 +9,7 @@
 - Support changing the 'signin_enabled' option (Konstantinos Paliouras)
 - Fix Nginx HTTP-to-HTTPS log configuration error (Konstantinos Paliouras)
 - Create the authorized-keys.lock file for gitlab-shell 1.9.4
+- Use sockets and peer authentication for Postgres 6.9.1
 - Fix Nginx HTTP-to-HTTPS log configuration error (Konstantinos Paliouras)
diff --git a/files/gitlab-cookbooks/gitlab/attributes/default.rb b/files/gitlab-cookbooks/gitlab/attributes/default.rb
index a98acd7..089cb37 100644
--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -106,8 +106,8 @@ default['gitlab']['gitlab-rails']['db_encoding'] = "unicode"
 default['gitlab']['gitlab-rails']['db_database'] = "gitlabhq_production"
 default['gitlab']['gitlab-rails']['db_pool'] = 10
 default['gitlab']['gitlab-rails']['db_username'] = "gitlab"
-default['gitlab']['gitlab-rails']['db_password'] = "password"
-default['gitlab']['gitlab-rails']['db_host'] = "localhost"
+default['gitlab']['gitlab-rails']['db_password'] = nil
+default['gitlab']['gitlab-rails']['db_host'] = nil
 default['gitlab']['gitlab-rails']['db_port'] = 5432
 default['gitlab']['gitlab-rails']['db_socket'] = nil
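Review bot: The nil defaults for db_password and db_host in this hunk carry no comment, so a reader of attributes/default.rb cannot tell that nil means "connect over the local Unix socket and authenticate by OS user" rather than "not yet configured". Because postgresql.rb now creates the role with a bare `CREATE USER #{sql_user}`, an operator who points db_host at a TCP address presumably also has to set a role password by hand and list the client in md5_auth_cidr_addresses, so a comment next to these two lines would prevent a silent misconfiguration: `# nil = connect via the local Unix socket with peer authentication (see pg_hba.conf.erb / pg_ident.conf.erb); set host/password only for TCP clients listed in postgresql md5_auth_cidr_addresses`. The same documentation gap applies to the listen_address and trust_auth_cidr_addresses defaults in the second hunk of this file, where nil and [] are the hardened values and deserve saying so.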
@@ -155,12 +155,11 @@ default['gitlab']['postgresql']['shell'] = "/bin/sh"
 default['gitlab']['postgresql']['home'] = "/var/opt/gitlab/postgresql"
 default['gitlab']['postgresql']['user_path'] = "/opt/gitlab/embedded/bin:/opt/gitlab/bin:$PATH"
 default['gitlab']['postgresql']['sql_user'] = "gitlab"
-default['gitlab']['postgresql']['sql_password'] = "snakepliskin"
 default['gitlab']['postgresql']['port'] = 5432
-default['gitlab']['postgresql']['listen_address'] = 'localhost'
+default['gitlab']['postgresql']['listen_address'] = nil
 default['gitlab']['postgresql']['max_connections'] = 200
-default['gitlab']['postgresql']['md5_auth_cidr_addresses'] = [ ]
-default['gitlab']['postgresql']['trust_auth_cidr_addresses'] = [ '127.0.0.1/32', '::1/128' ]
+default['gitlab']['postgresql']['md5_auth_cidr_addresses'] = []
+default['gitlab']['postgresql']['trust_auth_cidr_addresses'] = []
 default['gitlab']['postgresql']['shmmax'] = kernel['machine'] =~ /x86_64/ ? 17179869184 : 4294967295
 default['gitlab']['postgresql']['shmall'] = kernel['machine'] =~ /x86_64/ ? 4194304 : 1048575
diff --git a/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb b/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
index 6732a24..28b9bb0 100644
--- a/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
+++ b/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
@@ -65,16 +65,12 @@ module Gitlab
 end
 end
-Gitlab['postgresql']['sql_password'] ||= generate_hex(50)
 Gitlab['gitlab_rails']['secret_token'] ||= generate_hex(64)
 if File.directory?("/etc/gitlab")
 File.open("/etc/gitlab/gitlab-secrets.json", "w") do |f|
 f.puts(
 Chef::JSONCompat.to_json_pretty({
-'postgresql' => {
-'sql_password' => Gitlab['postgresql']['sql_password'],
-},
 'gitlab_rails' => {
 'secret_token' => Gitlab['gitlab_rails']['secret_token'],
 }
diff --git a/files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb b/files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb
index 66fa5c3..a04c3de 100644
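Review bot: Removing the `sql_password` generator leaves already-provisioned hosts with a role password that nothing manages any more: postgresql.rb's `not_if { ... pg_helper.sql_user_exists? }` guard skips `CREATE USER` for an existing role, so the previously generated md5 password presumably stays set on the `gitlab` role, while this block now rewrites gitlab-secrets.json without it. That is harmless while md5_auth_cidr_addresses is empty and listen_address is nil, but as soon as an operator enables TCP access the forgotten password is a live credential that no longer appears in the secrets file. Either the CHANGELOG entry should say that upgraded installations keep the old role password, or the recipe could add an `ALTER ROLE #{sql_user} PASSWORD NULL` execute resource guarded like the `CREATE USER` one, so upgraded and fresh hosts end in the same state. The enclosing body of module Gitlab starts before and continues past this hunk.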
--- a/files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb
@@ -71,6 +71,7 @@ template_symlink File.join(gitlab_rails_etc_dir, "database.yml") do
 group "root"
 mode "0644"
 variables database_attributes
+ helpers SingleQuoteHelper
 restarts dependent_services
 end
diff --git a/files/gitlab-cookbooks/gitlab/recipes/postgresql.rb b/files/gitlab-cookbooks/gitlab/recipes/postgresql.rb
index a753e46..2953b08 100644
--- a/files/gitlab-cookbooks/gitlab/recipes/postgresql.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/postgresql.rb
@@ -112,6 +112,13 @@ template pg_hba_config do
 notifies :restart, 'service[postgresql]' if OmnibusHelper.should_notify?("postgresql")
 end
+template File.join(postgresql_data_dir, "pg_ident.conf") do
+ owner node['gitlab']['postgresql']['username']
+ mode "0644"
+ variables(node['gitlab']['postgresql'].to_hash)
+ notifies :restart, 'service[postgresql]' if OmnibusHelper.should_notify?("postgresql")
+end
 should_notify = OmnibusHelper.should_notify?("postgresql")
 runit_service "postgresql" do
@@ -141,9 +148,9 @@ bin_dir = "/opt/gitlab/embedded/bin"
 db_name = "gitlabhq_production"
 sql_user = node['gitlab']['postgresql']['sql_user']
-sql_user_passwd = node['gitlab']['postgresql']['sql_password']
-execute "#{bin_dir}/psql --port #{pg_port} -d template1 -c \"CREATE USER #{sql_user} WITH ENCRYPTED PASSWORD '#{sql_user_passwd}'\"" do
+execute "create #{sql_user} database user" do
+ command "#{bin_dir}/psql --port #{pg_port} -d template1 -c \"CREATE USER #{sql_user}\""
 user pg_user
 not_if { !pg_helper.is_running? || pg_helper.sql_user_exists? }
 end
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/database.yml.erb b/files/gitlab-cookbooks/gitlab/templates/default/database.yml.erb
index 8e2f3a9..5a5ae3e 100644
--- a/files/gitlab-cookbooks/gitlab/templates/default/database.yml.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/database.yml.erb
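Review bot: The new pg_ident.conf template resource passes `variables(node['gitlab']['postgresql'].to_hash)`, but pg_ident.conf.erb, added in the same commit, never reads an `@` variable; it reaches into `node['gitlab']['user']['username']` and `node['gitlab']['postgresql']['sql_user']` directly, and the first of those is not even in the hash being passed. Either drop the `variables` call, or pass the two inputs explicitly — `variables(system_user: node['gitlab']['user']['username'], sql_user: node['gitlab']['postgresql']['sql_user'])` — and have the template render `@system_user` / `@sql_user`, so that what feeds the authentication map is visible at the resource. A short comment on the resource would also record the coupling that the map it renders must carry the name used by `map=gitlab` in pg_hba.conf.erb.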
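Review bot: `sql_user` is interpolated unquoted into both the resource name and the shell-quoted `psql -c` string, so a value containing a space, a quote or uppercase letters would either break the shell command or create a differently named role, and the role name must also equal the PG-USERNAME column of the `gitlab` map in pg_ident.conf.erb for peer login to work. The value comes from node attributes rather than user input, so a comment stating the constraint is enough: `# sql_user must be a plain lowercase identifier: it is interpolated unquoted into the shell/SQL below and must match the PG-USERNAME in pg_ident.conf.erb`. Since `CREATE USER` now assigns no password, the peer mapping is this role's only credential, which the same comment could note.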
@@ -7,8 +7,8 @@ production:
 encoding: <%= @db_encoding %>
 database: <%= @db_database %>
 pool: <%= @db_pool %>
- username: "<%= @db_username %>"
- password: "<%= @db_password %>"
- host: <%= @db_host %>
+ username: <%= single_quote(@db_username) %>
+ password: <%= single_quote(@db_password) %>
+ host: <%= single_quote(@db_host) %>
 port: <%= @db_port %>
- socket: <%= @db_socket %>
+ socket: <%= single_quote(@db_socket) %>
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/pg_hba.conf.erb b/files/gitlab-cookbooks/gitlab/templates/default/pg_hba.conf.erb
index be48fa3..c45f4d8 100644
--- a/files/gitlab-cookbooks/gitlab/templates/default/pg_hba.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/pg_hba.conf.erb
@@ -67,7 +67,7 @@
 # TYPE DATABASE USER CIDR-ADDRESS METHOD
 # "local" is for Unix domain socket connections only
-local all all trust
+local all all peer map=gitlab
 <% node['gitlab']['postgresql']['trust_auth_cidr_addresses'].each do |cidr| %>
 host all all <%= cidr %> trust
diff --git a/files/gitlab-cookbooks/gitlab/templates/default/pg_ident.conf.erb b/files/gitlab-cookbooks/gitlab/templates/default/pg_ident.conf.erb
new file mode 100644
index 0000000..e023b7e
--- /dev/null
+++ b/files/gitlab-cookbooks/gitlab/templates/default/pg_ident.conf.erb
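Review bot: Quoting of the four values is now delegated to `single_quote`, whose definition (SingleQuoteHelper, outside this diff) decides two things this hunk depends on: whether an embedded `'` in a password, host or socket path is doubled as YAML single-quoted scalars require, and what a nil value renders as, which matters because db_password, db_host and db_socket all default to nil in this commit. `password: ''` is an empty string while a bare `password:` is YAML null, and the two are not interchangeable for every adapter, so confirm which one the helper emits for nil. If the helper does not already escape, wrapping should go through something like `value.to_s.gsub("'", "''")` before adding the quotes, otherwise a generated password containing a quote produces an unparsable database.yml.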
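Review bot: `local all all peer map=gitlab` silently depends on a map named `gitlab` existing in pg_ident.conf, which is rendered from a separate template in this commit; if that map is missing or misnamed every socket login is refused, including gitlab-rails, while the `host ... trust` lines just below are still emitted for any CIDR an operator adds back to trust_auth_cidr_addresses. A comment on the new line would make both the method and the coupling explicit: `# peer: the OS user the kernel reports for the socket client is mapped to a Postgres role by the "gitlab" map in pg_ident.conf (pg_ident.conf.erb)`. The pg_hba.conf.erb template continues past this hunk.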
@@ -0,0 +1,45 @@
+# PostgreSQL User Name Maps
+# =========================
+#
+# Refer to the PostgreSQL documentation, chapter "Client
+# Authentication" for a complete description. A short synopsis
+# follows.
+#
+# This file controls PostgreSQL user name mapping. It maps external
+# user names to their corresponding PostgreSQL user names. Records
+# are of the form:
+#
+# MAPNAME SYSTEM-USERNAME PG-USERNAME
+#
+# (The uppercase quantities must be replaced by actual values.)
+#
+# MAPNAME is the (otherwise freely chosen) map name that was used in
+# pg_hba.conf. SYSTEM-USERNAME is the detected user name of the
+# client. PG-USERNAME is the requested PostgreSQL user name. The
+# existence of a record specifies that SYSTEM-USERNAME may connect as
+# PG-USERNAME.
+#
+# If SYSTEM-USERNAME starts with a slash (/), it will be treated as a
+# regular expression. Optionally this can contain a capture (a
+# parenthesized subexpression). The substring matching the capture
+# will be substituted for \1 (backslash-one) if present in
+# PG-USERNAME.
+#
+# Multiple maps may be specified in this file and used by pg_hba.conf.
+#
+# No map names are defined in the default configuration. If all
+# system user names and PostgreSQL user names are the same, you don't
+# need anything in this file.
+#
+# This file is read on server startup and when the postmaster receives
+# a SIGHUP signal. If you edit the file on a running system, you have
+# to SIGHUP the postmaster for the changes to take effect. You can
+# use "pg_ctl reload" to do that.
+# Put your actual configuration here
+# ----------------------------------
+# MAPNAME SYSTEM-USERNAME PG-USERNAME
+gitlab <%= node['gitlab']['user']['username'] %> <%= node['gitlab']['postgresql']['sql_user'] %>
+# Default to a 1-1 mapping between system usernames and Postgres usernames
+gitlab /^(.*)$ \1
--
libgit2 0.21.2
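Review bot: The boilerplate paragraph "No map names are defined in the default configuration ..." is wrong for this template, which defines the `gitlab` map on its last two lines, and should be replaced by a sentence saying that the `gitlab` map backs the `peer map=gitlab` entry in pg_hba.conf.erb and is what lets the gitlab-rails OS user log in as sql_user without a password. The catch-all `gitlab /^(.*)$ \1` line lets every local OS user connect as the identically named Postgres role — presumably including the postgresql service account that owns the data directory — which is ordinary peer behaviour but deserves saying above it, e.g. `# Any other OS user may connect as the Postgres role of the same name (standard peer behaviour); the explicit line above is needed only because the gitlab OS user and sql_user differ`. Keeping the explicit mapping first also makes it obvious which record is expected to match for the application.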