postgresql: Move socket dir to /run/postgresql #57677
Conversation
The default, which is /tmp, has a few issues associated with it: One being that it makes it easy for users on the system to spoof a PostgreSQL server if it's not running, causing applications to connect to their provided sockets instead of just failing to connect. Another one is that it makes sandboxing of PostgreSQL and other services unnecessarily difficult. This is already the case if only PrivateTmp is used in a systemd service, so in order for such a service to be able to connect to PostgreSQL, a bind mount needs to be done from /tmp to some other path, so the service can access it. This pretty much defeats the whole purpose of PrivateTmp. We regularily run into issues with this in the past already (one example would be NixOS#24317) and with the new systemd-confinement mode upcoming in NixOS#57519, it makes it even more tedious to sandbox services. I've tested this change against all the postgresql NixOS VM tests and they still succeed and I also grepped through the source tree to replace other occasions where we might have /tmp hardcoded. Luckily there were very few occasions. Signed-off-by: aszlig <aszlig@nix.build> Cc: @ocharles, @thoughtpolice, @danbst
|
👍 would be awesome if it was changed to Also, add release notes, because it can make old |
|
I would stick to |
Yep, that's why I added that label, just wanted to see first whether there is any opposition. |
This is a backwards-incompatible change and while it won't probably affect a whole lot of users, it makes sense to give them a heads-up anyway. Signed-off-by: aszlig <aszlig@nix.build>
|
@thoughtpolice, @danbst: Done. |
|
BTW, this should be only for Linux system, right? Does darwin platform have |
|
@danbst: Hm, good catch, but even if OSX would have |
We only have /run on modern GNU/Linux systems and it's not necessarily the case for Mac OS X or *BSD, so let's add the patch only if stdenv.isLinux. Thanks to @danbst for catching this. Signed-off-by: aszlig <aszlig@nix.build>
GrahamcOfBorg
added
10.rebuild-darwin: 0
and removed
10.rebuild-darwin: 501+
10.rebuild-darwin: 501-1000
labels
|
This PR seems to have broken the build of hydra, since it doesn't use the systemd service to launch postgresql and as such, it doesn't have a |
|
can we tweak the hydra module to simply enable the postgresql module through |
|
wait, I don't get it - the hydra module already uses the postgresql module, and this one should set up |
|
no, that part's fine. It's during doCheck that it fails: https://hydra.nixos.org/build/91221682 |
|
@puckipedia we also can't just mkdir -p /run/postgresql in hydra's We however might be able to tweak hydra's |
|
Very unfortunate situation. I tend to revert this, and reapply when Nix does allow creating @aszlig what do you think? |
|
@danbst: Nix doesn't need to allow this, because you can simply set |
|
I just see it as regression - previously it was possible to do Probably the best approach would be to patch postgres server to create socket in |
|
Added a discussion topic here https://www.postgresql.org/message-id/CANZg%2Byd2OdqxM%3DHwnrkT-QecNMqLKNp%2BbGO_2SirJGznGK6h_w%40mail.gmail.com Meanwhile, we just have to mention in release notes that |
In NixOS/nixpkgs#57677 default postgresql socket directory was changed to `/run/postgresql`, which doesn't exist (and can't be created) in Nix build environment. We'll use /tmp as socket dir explicitly then. Fixes build failure https://hydra.nixos.org/build/91221682 Cc @aszlig @edolstra
|
@danbst can we either revert this PR, or add a fetchpatch |
|
I believe this might also fix a race condition between |
|
@tilpner another reason to run systemd-tmpfiles as part of sysinit.target, before every other "regular" service ;-) see #56265 (comment) and following. |
|
This breaks postgres outside of NixOS, this shouldn't be patched but handled in the nixos modules instead IMHO. |
|
@LnL7 true, but outside NixOS it is easy fixable with |
|
That doesn't matter, the default usage is broken because of non-standard behaviour. If this was a change in postgresql it would be another story. |
|
While I think getting rid of sockets in |
|
So revert this PR and pass |
|
Is anyone in favor of a |
|
@LnL7 unfortunately, it was already "non-standard", depending on what is "standard". Ubuntu (and Debian afaik) uses @edolstra Upstream doesn't work to improve this. https://www.postgresql.org/message-id/25758.1553906401%40sss.pgh.pa.us @tilpner no, because PG consists of "server" and "client". And PG wants both to have same config parameter. So either both use same location, or they don't communicate each other. |
|
@danbst Well, Tom Lane isn't wrong about "a Babel of servers and clients that can't talk to each other", as this issue shows... Having said that, the fact that Ubuntu/Debian already use |
|
Unlike the apt packages, nix won't ensure these defaults are functional however. |
This seems to be mostly a pre - NixOS#57677 relict. As postgresql sockets now are not in /tmp anymore, isolate /tmp.
The default, which is
/tmp, has a few issues associated with it:One being that it makes it easy for users on the system to spoof a PostgreSQL server if it's not running, causing applications to connect to their provided sockets instead of just failing to connect.
Another one is that it makes sandboxing of PostgreSQL and other services unnecessarily difficult. This is already the case if only
PrivateTmpis used in a systemd service, so in order for such a service to be able to connect to PostgreSQL, a bind mount needs to be done from/tmpto some other path, so the service can access it. This pretty much defeats the whole purpose ofPrivateTmp.We regularly run into issues with this in the past already (one example would be #24317) and with the new systemd-confinement mode upcoming in #57519, it makes it even more tedious to sandbox services.
I've tested this change against all the postgresql NixOS VM tests and they still succeed and I also grepped through the source tree to replace other occasions where we might have /tmp hardcoded. Luckily there were very few occasions.