
Convert ssl to redhat standard

Open gclough opened this issue 6 years ago • 12 comments

Fixed #302

The default for RedHat (and PostgreSQL in general) is to put the key files into $PGDATA, so this patch follows that behaviour on RedHat, leaving Debian with the "snakeoil" configuration.

gclough avatar Mar 13 '18 20:03 gclough

Thanks @jlozadad ... I tried that, but it's got a dependency on the pyOpenSSL library. I can add it too, but is it better to stick with the existing OS utilities?

TASK [postgresql.issue302 : PostgreSQL | Generate SSL server.key | RedHat] ***********************************
fatal: [192.168.45.86]: FAILED! => {"changed": false, "msg": "The python pyOpenSSL library is required"}
	to retry, use: --limit @/home/ansible/postgres.retry

gclough avatar Mar 14 '18 13:03 gclough

It seems we will need to install pip, and pyopenssl. Do you think that's acceptable for most users?

- name: PostgreSQL | Install pip | RedHat
  yum:
    name: python2-pip
  when: ansible_os_family == "RedHat" and
        postgresql_ssl == "on"

- name: PostgreSQL | Install pyOpenSSL | RedHat
  pip:
    name: pyopenssl
  when: ansible_os_family == "RedHat" and
        postgresql_ssl == "on"

gclough avatar Mar 14 '18 13:03 gclough

We can add the dependencies in install_yum.yml, in the task that makes sure the dependencies are installed. We already install some python rpms in there. Then the task you created installing with pip can be added at the bottom of that.

aoyawale avatar Mar 14 '18 15:03 aoyawale

@jlozadad , I've made the changes you suggested. It's a lot more code, and dependencies... but it's no doubt cleaner to keep it all inside Ansible rather than using shell:

Could you review it and let me know if you have any other suggestions?

gclough avatar Mar 15 '18 12:03 gclough

@UnderGreen , I've added in the extra RedHat check... thanks for finding that!

@jlozadad , I've also cleaned some of the code, removing blahblah == "true"... which seems to be bad practice.

Hopefully that's OK to be merged now, but if you have other suggestions then please let me know.

gclough avatar Mar 19 '18 13:03 gclough

fatal: [postgresql-9.3]: FAILED! => {"changed": false, "msg": "No package matching 'python2-pip' found available, installed or updated", "rc": 126, "results": ["No package matching 'python2-pip' found available, installed or updated"]}

UnderGreen avatar Mar 19 '18 14:03 UnderGreen

@UnderGreen looks like it should be 'python-pip'

aoyawale avatar Mar 20 '18 00:03 aoyawale

Not being a python person, this perplexes me... any hints @jlozadad or @UnderGreen ? Does this mean that the python version on CentOS v6 can't support it?

Downloading pyOpenSSL-17.5.0-py2.py3-none-any.whl (53kB)
Collecting six>=1.5.2 (from pyopenssl)
Downloading six-1.11.0-py2.py3-none-any.whl
Collecting cryptography>=2.1.4 (from pyopenssl)
Downloading cryptography-2.2.1.tar.gz (443kB)
Complete output from command python setup.py egg_info:
Traceback (most recent call last):
  File "<string>", line 20, in <module>
  File "/tmp/pip-build-DhKsLU/cryptography/setup.py", line 28, in <module>
    "cryptography requires setuptools 18.5 or newer, please upgrade to a "
RuntimeError: cryptography requires setuptools 18.5 or newer, please upgrade to a newer version of setuptools

gclough avatar Mar 21 '18 15:03 gclough

@jlozadad and @UnderGreen ... this finally works, but it's not as clean as I would have preferred. I can see a few options:

  1. Convert it all back to use shell:... but I'd rather not do that, as it's a step backwards.

  2. Fix the CentOS build so pyopenssl works... but I've no idea how, and some potential solutions I've tried are pretty messy.

  3. Accept the code as-is, as it's a big step forward for those using CentOS, as it means they can turn on SSL... whereas before, it was completely broken. We can open a new ticket to refactor it later on if you think that's necessary.

gclough avatar Mar 22 '18 11:03 gclough

I think having CentOS use shell is fine for now. I haven't tested the issues you had, but it is expected due to the older python version in 6. At least we have the usage of the openssl modules for the latest version. The check of 7 or 6 you added should avoid any confusion.

aoyawale avatar Mar 30 '18 06:03 aoyawale

To verify: what vars do we need to define to kick this off correctly? Trying to test.

aoyawale avatar Mar 30 '18 16:03 aoyawale

For CentOS 7 it's failing because it's trying to install python2-pip, but the correct rpm is python-pip.

It is also failing to install python-pip because it's trying to install it before epel-release is installed, and that needs to be installed before you can install this.

TASK [postgresql : PostgreSQL | Install Python pip installer | yum] *************

[DEPRECATION WARNING]: Using tests as filters is deprecated. Instead of using 
`result|version_compare` instead use `result is version_compare`. This feature 
will be removed in version 2.9. Deprecation warnings can be disabled by setting
 deprecation_warnings=False in ansible.cfg.
fatal: [anxs.local]: FAILED! => {"changed": false, "msg": "No package matching 'python-pip' found available, installed or updated", "rc": 126, "results": ["No package matching 'python-pip' found available, installed or updated"]}
	to retry, use: --limit @/data/git/postgresql/tests/playbook.retry

aoyawale avatar Mar 30 '18 16:03 aoyawale
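The two problems raised in this thread for RedHat hosts are the package name (python-pip, not python2-pip) and the ordering (epel-release before python-pip before pyopenssl), on top of the original goal of putting server.key and server.crt into $PGDATA. The task list below is an added example, not code from this PR or from the role itself; it shows one ordering that satisfies those constraints and then generates the key and a self-signed certificate with the Ansible openssl modules. The variable names postgresql_ssl, postgresql_data_directory, postgresql_service_user and postgresql_service_group are assumptions modelled on the role's naming, and the setuptools upgrade step is an assumption about how to get past the cryptography build error quoted above; it is gated to CentOS/RHEL 7, leaving the version 6 hosts on the shell path the thread settled on.

```yaml
# Added example (not the role's own tasks). Assumed variables:
#   postgresql_ssl             -> "on" / "off", as used in this PR
#   postgresql_data_directory  -> $PGDATA, e.g. /var/lib/pgsql/9.6/data
#   postgresql_service_user    -> postgres
#   postgresql_service_group   -> postgres
- name: PostgreSQL | Install EPEL repository | RedHat
  yum:
    name: epel-release
    state: present
  when: ansible_os_family == "RedHat" and postgresql_ssl == "on"

- name: PostgreSQL | Install pip | RedHat
  yum:
    name: python-pip          # rpm is python-pip; python2-pip does not exist here
    state: present
  when: ansible_os_family == "RedHat" and postgresql_ssl == "on"

# Assumption: upgrading setuptools is enough on 7.x. On 6.x the thread keeps
# the shell-based generation instead, so these pip tasks are gated to 7+.
- name: PostgreSQL | Upgrade setuptools | RedHat
  pip:
    name: setuptools
    state: latest
  when: ansible_os_family == "RedHat" and postgresql_ssl == "on" and
        ansible_distribution_major_version|int >= 7

- name: PostgreSQL | Install pyOpenSSL | RedHat
  pip:
    name: pyopenssl
  when: ansible_os_family == "RedHat" and postgresql_ssl == "on" and
        ansible_distribution_major_version|int >= 7

# The key lives in $PGDATA, as the PR description says, and must be readable
# only by the server user: PostgreSQL refuses to start with a group- or
# world-accessible server.key.
- name: PostgreSQL | Generate SSL server.key | RedHat
  openssl_privatekey:
    path: "{{ postgresql_data_directory }}/server.key"
    size: 2048
    owner: "{{ postgresql_service_user }}"
    group: "{{ postgresql_service_group }}"
    mode: 0600
  when: ansible_os_family == "RedHat" and postgresql_ssl == "on" and
        ansible_distribution_major_version|int >= 7

- name: PostgreSQL | Generate SSL CSR | RedHat
  openssl_csr:
    path: "{{ postgresql_data_directory }}/server.csr"
    privatekey_path: "{{ postgresql_data_directory }}/server.key"
    common_name: "{{ ansible_fqdn }}"
    owner: "{{ postgresql_service_user }}"
    group: "{{ postgresql_service_group }}"
    mode: 0600
  when: ansible_os_family == "RedHat" and postgresql_ssl == "on" and
        ansible_distribution_major_version|int >= 7

- name: PostgreSQL | Generate self-signed server.crt | RedHat
  openssl_certificate:
    path: "{{ postgresql_data_directory }}/server.crt"
    privatekey_path: "{{ postgresql_data_directory }}/server.key"
    csr_path: "{{ postgresql_data_directory }}/server.csr"
    provider: selfsigned
    owner: "{{ postgresql_service_user }}"
    group: "{{ postgresql_service_group }}"
    mode: 0644                # the certificate is public; only the key is secret
  when: ansible_os_family == "RedHat" and postgresql_ssl == "on" and
        ansible_distribution_major_version|int >= 7
```

Two points worth keeping in mind when adopting something like this. The `when:` conditions test `postgresql_ssl == "on"` directly rather than comparing a boolean to the string "true", which is the practice the thread moved away from. And a self-signed server.crt gives clients an encrypted channel but nothing to verify the server against; a client using `sslmode=verify-ca` or `verify-full` will still fail until that certificate (or a CA that issued a real one) is distributed to it, so the self-signed path is a starting point, not a substitute for a certificate the clients can trust.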

This PR has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!

github-actions[bot] avatar Apr 26 '24 23:04 github-actions[bot]