nixos/postgresql: run ExecStartPost as an unprivileged user #95294
Conversation
|
@GrahamcOfBorg test postgresql postgresql-wal-receiver |
aanderse
changed the title
aanderse
force-pushed
the
postgresql-rootless
branch
from
53917c5
to
8e045b4
Compare
|
@GrahamcOfBorg test postgresql postgresql-wal-receiver |
|
LGTM. I don't currently have any postgres deployments outside of my gitlab server and for that the gitlab test should suffice. @GrahamcOfBorg test gitlab |
|
Thanks @talyz! Any final issues/comments/concerns before merge? We're approaching feature freeze and I still have a PR or two I'd like to get in for this module. |
|
Not from me, it looks ready to me :) |
|
@Ma27 that's one of the problems with |
| superUser = mkOption { | ||
| type = types.str; | ||
| default= if versionAtLeast config.system.stateVersion "17.09" then "postgres" else "root"; | ||
| default = "postgres"; |
There was a problem hiding this comment.
This breaks systems (like hydra.nixos.org) that use root as the superuser. Starting postgresql fails with
Oct 17 20:50:45 haumea postgres[19691]: [19691] FATAL: role "postgres" does not exist
Oct 17 20:50:45 haumea postgres[19694]: [19694] FATAL: role "postgres" does not exist
Oct 17 20:50:45 haumea postgres[19698]: [19698] FATAL: role "postgres" does not exist
Oct 17 20:50:45 haumea systemd[1]: postgresql.service: start-post operation timed out. Terminating.
Oct 17 20:50:45 haumea postgres[6462]: [6462] LOG: received fast shutdown request
Oct 17 20:50:45 haumea postgres[6462]: [6462] LOG: aborting any active transactions
Oct 17 20:50:45 haumea postgres[7740]: [7740] FATAL: terminating connection due to administrator command
Oct 17 20:50:45 haumea postgres[6462]: [6462] LOG: background worker "logical replication launcher" (PID 6471) exited with exit code 1
Oct 17 20:50:45 haumea postgres[6466]: [6466] LOG: shutting down
Oct 17 20:50:45 haumea postgres[6462]: [6462] LOG: database system is shut down
and since this option is marked as readOnly, I can't even override it.
There was a problem hiding this comment.
@edolstra thanks for your feedback. The migration path, while manual, is fairly trivial: https://nixos.org/manual/nixos/unstable/release-notes.html#sec-release-20.09
You should be able to add this to your configuration:
services.postgresql.dataDir = "/var/db/postgresql";
And run the following as your existing super user account before upgrading:
CREATE ROLE postgres LOGIN SUPERUSER;
The trade off of running postgresql entirely as an unprivileged user (added security, simplification of module, etc..) is having long time users add 1 line of configuration and imperatively run a single command. Certainly opinions can vary, but to me this is a fair trade off.
Please let me know if you think the release notes aren't sufficient, or if you continue to disagree with this change.
There was a problem hiding this comment.
Further to this, while stateVersion is great and I appreciate that it exists, when stateVersion starts introducing lower security standards or code that isn't manageable I would argue that having long time users run a migration step or two (minimal effort) seems to be worthwhile, at least in my opinion.
There was a problem hiding this comment.
@aanderse Thanks for the explanation!
Motivation for this change
rootThings done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)