Mo Morsi <[email protected]> writes: > --- > recipes/aeolus/files/pg_hba-ssl.conf | 7 ------- > recipes/aeolus/files/pg_hba.conf | 4 ---- > recipes/aeolus/manifests/conductor.pp | 23 ++++++++--------------- > recipes/postgres/manifests/server.pp | 4 +--- > recipes/postgres/manifests/user.pp | 12 ++++++------ > 5 files changed, 15 insertions(+), 35 deletions(-) > delete mode 100644 recipes/aeolus/files/pg_hba-ssl.conf > delete mode 100644 recipes/aeolus/files/pg_hba.conf > > diff --git a/recipes/aeolus/files/pg_hba-ssl.conf > b/recipes/aeolus/files/pg_hba-ssl.conf > deleted file mode 100644 > index 722867b..0000000 > --- a/recipes/aeolus/files/pg_hba-ssl.conf > +++ /dev/null > @@ -1,7 +0,0 @@ > -# we are still leaving Unix-domain sockets open, if we want to disable > -# make sure to append "sslmode=require" and "-h localhost" to all psql > -# commands > -local all all trust > -hostssl all all 127.0.0.1/32 md5 > -hostssl all all ::1/128 md5 > - > diff --git a/recipes/aeolus/files/pg_hba.conf > b/recipes/aeolus/files/pg_hba.conf > deleted file mode 100644 > index ef3f6f5..0000000 > --- a/recipes/aeolus/files/pg_hba.conf > +++ /dev/null > @@ -1,4 +0,0 @@ > -local all all trust > -host all all 127.0.0.1 255.255.255.255 md5 > -host all all ::1/128 md5 > - > diff --git a/recipes/aeolus/manifests/conductor.pp > b/recipes/aeolus/manifests/conductor.pp > index 30882c3..9fb8a66 100644 > --- a/recipes/aeolus/manifests/conductor.pp > +++ b/recipes/aeolus/manifests/conductor.pp 
> @@ -96,37 +96,30 @@ class aeolus::conductor inherits aeolus { > owner => 'postgres', > group => 'postgres', > notify => Service['postgresql'] } > - file { "/var/lib/pgsql/data/pg_hba.conf": > - source => "puppet:///modules/aeolus/pg_hba-ssl.conf", > - require => Exec["pginitdb"], > - owner => 'postgres', > - group => 'postgres', > - notify => Service['postgresql']} > file { "/var/lib/pgsql/data/postgresql.conf": > source => "puppet:///modules/aeolus/postgresql.conf", > require => Exec["pginitdb"], > owner => 'postgres', > group => 'postgres', > notify => Service['postgresql']} > - } else { > - file { "/var/lib/pgsql/data/pg_hba.conf": > - source => "puppet:///modules/aeolus/pg_hba.conf", > - require => Exec["pginitdb"], > - owner => 'postgres', > - group => 'postgres', > - notify => Service['postgresql']} > + } > + exec{ "pgauthuser": > + command => "/usr/bin/sed -i s/ident/md5/ > /var/lib/pgsql/data/pg_hba.conf", > + onlyif => '/bin/grep -q ident /var/lib/pgsql/data/pg_hba.conf', > + require => Exec["pginitdb"], > + notify => Service["postgresql"] > } > postgres::user{"aeolus": > password => "v23zj59an", > roles => "CREATEDB", > - require => [Service["postgresql"], > File["/var/lib/pgsql/data/pg_hba.conf"]] } > + require => Service["postgresql"] } > > > # Create aeolus database > aeolus::rails::create::db{"create_aeolus_database": > cwd => "/usr/share/aeolus-conductor", > rails_env => "production", > - require => [Postgres::User[aeolus], > Package['aeolus-conductor']] } > + require => [Postgres::User[aeolus], Exec['pgauthuser'], > Package['aeolus-conductor']] } > aeolus::rails::migrate::db{"migrate_aeolus_database": > cwd => "/usr/share/aeolus-conductor", > rails_env => "production", > diff --git a/recipes/postgres/manifests/server.pp > b/recipes/postgres/manifests/server.pp > index 09ea6d7..1bd4b28 100644 > --- a/recipes/postgres/manifests/server.pp > +++ b/recipes/postgres/manifests/server.pp 
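Review bot: The new `pgauthuser` exec uses an unanchored `sed -i s/ident/md5/` and an `onlyif` that greps for the bare word, so comment lines in the stock pg_hba.conf that mention ident also trigger the exec and get edited, and any occurrence of the word outside the auth-method column is rewritten too. Limiting both patterns to rule lines and a whole word keeps the change to the intended column, e.g. `command => '/usr/bin/sed -i -E "/^(local|host)/ s/\<ident\>/md5/" /var/lib/pgsql/data/pg_hba.conf'` with `onlyif => '/bin/grep -Eq "^(local|host).*\<ident\>" /var/lib/pgsql/data/pg_hba.conf'`. As quoted, the command line shows a `>` between the sed expression and the path; if that is a real shell redirection rather than a mail-wrap artifact, sed would read stdin and truncate the file, so the original line is worth re-checking. Separately, the untouched `password => "v23zj59an"` on the `postgres::user` resource whose `require` this hunk edits is a credential committed in the manifest; it is not introduced here, but since the resource is being reworked it is a natural point to move it to a class parameter. The enclosing `aeolus::conductor` class starts outside the hunk.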
> @@ -24,9 +24,7 @@ class postgres::server inherits postgres { > } > > exec { "pginitdb": > - command => "/usr/bin/initdb --pgdata='/var/lib/pgsql/data' > -E UTF8", > - user => "postgres", > - group => "postgres", > + command => "/usr/bin/postgresql-setup initdb", > creates => "/var/lib/pgsql/data/PG_VERSION", > require => Package["postgresql-server"], > notify => Service["postgresql"], > diff --git a/recipes/postgres/manifests/user.pp > b/recipes/postgres/manifests/user.pp > index a910a2e..e767e1d 100644 > --- a/recipes/postgres/manifests/user.pp > +++ b/recipes/postgres/manifests/user.pp > @@ -2,13 +2,13 @@ define postgres::user($ensure='created', $password="", > $roles=""){ > case $ensure { > 'created': { > exec{"create_${name}_postgres_user": > - unless => "/usr/bin/test `psql postgres postgres -P > tuples_only -c \"select count(*) from pg_user where usename='${name}';\"` = > \"1\"", > - command => "/usr/bin/psql postgres postgres -c \ > - \"CREATE USER ${name} WITH PASSWORD '${password}' > ${roles}\""}} > + unless => "/usr/bin/test `/usr/bin/su postgres -c \"psql > postgres postgres -P tuples_only -c \\\"select count(*) from pg_user where > usename='${name}';\\\"\"` = \"1\"", > + command => "/usr/bin/su postgres -c \"/usr/bin/psql postgres > postgres -c \ > + \\\"CREATE USER ${name} WITH PASSWORD '${password}' > ${roles}\\\"\""}} > 'dropped': { > exec{"drop_${name}_postgres_user": > - onlyif => "/usr/bin/test `psql postgres postgres -P > tuples_only -c \"select count(*) from pg_user where usename='${name}';\"` = > \"1\"", > - command => "/usr/bin/psql postgres postgres -c \ > - \"DROP USER ${name}\""}} > + onlyif => "/usr/bin/test `/usr/bin/su postgres -c \"psql > postgres postgres -P tuples_only -c \\\"select count(*) from pg_user where > usename='${name}';\\\"\"` = \"1\"", > + command => "/usr/bin/su postgres -c \"/usr/bin/psql postgres > postgres -c \ > + \\\"DROP USER ${name}\\\"\""}} > } > } > -- > 1.7.10.2
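Review bot: The replacement `command => "/usr/bin/postgresql-setup initdb"` silently drops the explicit `-E UTF8` the old initdb invocation passed, so the cluster encoding now follows whatever locale the wrapper sees at run time, which may not be what the conductor schema expects. If UTF8 is required it can be restated without returning to a manual initdb, e.g. `environment => ['PGSETUP_INITDB_OPTIONS=-E UTF8']` on the exec, provided the installed postgresql-setup honours that variable. Dropping `user`/`group` is consistent with the wrapper performing its own privilege drop, but a one-line comment such as `# postgresql-setup switches to the postgres user itself; do not add user => here` would stop someone re-adding them and breaking the setup step. The enclosing `postgres::server` class starts outside the hunk.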
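Review bot: The rewritten `unless`/`command` strings in the `created` branch (and likewise `onlyif`/`command` in `dropped`) interpolate `${name}`, `${password}` and `${roles}` unescaped into a shell command that is itself quoted inside `su postgres -c "..."`, and the password additionally lands inside a SQL string literal, so a value containing a quote, `$` or a backtick now breaks three layers of quoting or alters the statement instead of failing safely. The added `su` layer also puts the password on the argument list of two processes (`su` and `psql`) readable by any local user via `ps`, where the old form exposed it on one. The smaller surface is to stop assembling SQL in the shell: write the statement to a mode-0600 file owned by postgres and run `su postgres -c "/usr/bin/psql postgres postgres -f /path/to/stmt.sql"`, or at minimum reject metacharacters at the top of the define, e.g. `if $password =~ /['"$\\]/ { fail("postgres::user ${name}: unsupported characters in password") }`. The `define postgres::user(...)` header sits on the hunk header line, so the enclosing definition starts outside the hunk.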
On existing installs, running aeolus-configure after applying this patch does not fix the existing problem. In this case, the existing pg_hba.conf stays in place (as laid down by previous run(s) of configure) and that file still contains the 'local all all trust' bit. On a clean installation, this works as described. I don't know if the intention is to try and retroactively fix "bad" installs or not. If not, then ACK, as this works fine in the clean install case.
