
allow-group-access clause in initdb seems not working correctly

Open dan-aksenov opened this issue 3 years ago • 4 comments

Describe the bug

When using allow-group-access clause in initdb, I still have some files created with 600 permissions

find /data/postgresql/11/data/ -type f  -perm 600
/data/postgresql/11/data/patroni.dynamic.json
/data/postgresql/11/data/postgresql.base.conf.backup
/data/postgresql/11/data/postgresql.conf.backup
/data/postgresql/11/data/recovery.done

As far as I know, the first 3 files are definitely created by patroni. The recovery.* file also appears after restarting the patroni daemon.

To Reproduce

  1. Create patroni config with allow-group-access option

     initdb:
         - allow-group-access

  2. (Re)initialize cluster.
  3. Observe file permissions in data directory.

Expected behavior

All files must have group access permissions

Environment

  • Patroni version: patroni 1.6.5
  • PostgreSQL version: PostgreSQL 11.8 on x86_64-pc-linux-gnu, compiled by gcc (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0, 64-bit
  • DCS (and its version): etcd Version: 3.2.17

I am not allowed to upgrade PostgreSQL and Patroni versions right now.

Patroni configuration file

Not sure it's needed. Please let me know if it is.

patronictl show-config

patronictl -c /etc/patroni/config.yml show-config
loop_wait: 10
maximum_lag_on_failover: 1048576
postgresql:
  parameters:
    max_connections: '200'
    max_locks_per_transaction: '64'
    max_prepared_transactions: '3'
    max_worker_processes: '1'
    track_commit_timestamp: false
    wal_level: replica
    wal_log_hints: true
  use_pg_rewind: true
  use_slots: true
retry_timeout: 10
ttl: 30

Have you checked Patroni logs?

Not sure it's needed. Please let me know if it is.

Have you checked PostgreSQL logs?

Not sure it's needed. Please let me know if it is.

Have you tried to use GitHub issue search?

Was unable to find anything useful for allow-group-access

Apr 07 '21 10:04 dan-aksenov

Good catch. But, in order to fix it we should not rely on --allow-group-access option of initdb, but rather set umask based on permissions of PGDATA. This is exactly what Postgres does.

Do you want to work on that?

Apr 07 '21 11:04 CyberDem0n
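
Added example, not part of the original thread and not Patroni's code: a sketch of the approach suggested in the comment above, deriving the file creation mask from PGDATA's own mode the way PostgreSQL does. Function names are hypothetical, and the temporary directory is a constructed stand-in for PGDATA.

```python
import os
import stat
import tempfile

# Values as defined in PostgreSQL's common/file_perm.h.
PG_DIR_MODE_GROUP = 0o750    # rwxr-x---: group may read and traverse PGDATA
PG_MODE_MASK_OWNER = 0o077   # new files 0600, new directories 0700
PG_MODE_MASK_GROUP = 0o027   # new files 0640, new directories 0750

def umask_for_pgdata(pgdata):
    """Pick the mask from PGDATA's current mode, not from initdb options."""
    mode = stat.S_IMODE(os.stat(pgdata).st_mode)
    group_access = (mode & PG_DIR_MODE_GROUP) == PG_DIR_MODE_GROUP
    return PG_MODE_MASK_GROUP if group_access else PG_MODE_MASK_OWNER

def write_with_pgdata_perms(pgdata, name, content):
    """Create or replace a file in PGDATA with the mode the derived mask allows."""
    path = os.path.join(pgdata, name)
    file_mode = 0o666 & ~umask_for_pgdata(pgdata)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, file_mode)
    with os.fdopen(fd, "w") as f:
        # Explicit chmod: independent of the process umask and of an old 0600 file.
        os.fchmod(fd, file_mode)
        f.write(content)
    return stat.S_IMODE(os.stat(path).st_mode)

def files_missing_group_read(pgdata):
    """Audit like the report's find: list files the group cannot read."""
    missing = []
    for root, _dirs, files in os.walk(pgdata):
        for name in files:
            path = os.path.join(root, name)
            if not os.stat(path).st_mode & stat.S_IRGRP:
                missing.append(os.path.relpath(path, pgdata))
    return sorted(missing)

def demo():
    """Constructed scenario: one group-accessible PGDATA, one owner-only."""
    results = {}
    for label, dir_mode in (("group", 0o750), ("owner", 0o700)):
        with tempfile.TemporaryDirectory() as pgdata:
            os.chmod(pgdata, dir_mode)
            mode = write_with_pgdata_perms(pgdata, "patroni.dynamic.json", "{}")
            results[label] = (oct(mode), files_missing_group_read(pgdata))
    return results

if __name__ == "__main__":
    print(demo())
```
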

If "work on that" means pull request, I'm afraid I don't have enough skill for the job.

Apr 07 '21 12:04 dan-aksenov

Yes, you got it right, pull request. I consider this problem a minor one and don't plan to work on it in the foreseeable future (week, maybe months).

Apr 07 '21 12:04 CyberDem0n

I'll see what I can do, but I'm afraid it won't be any time soon either.

Apr 07 '21 13:04 dan-aksenov