Bug 1121727 - Openshift overwrites postgresql.conf during restart, destroying SSL configuration
Summary: Openshift overwrites postgresql.conf during restart, destroying SSL configura...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Online
Classification: Red Hat
Component: Image
Version: 2.x
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: ---
Assignee: Ben Parees
QA Contact: libra bugs
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2014-07-21 17:40 UTC by JVerstry
Modified: 2015-05-15 00:44 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-10 00:49:14 UTC


Attachments (Terms of Use)
development logs (23.34 KB, text/plain)
2014-07-23 03:21 UTC, chunchen
no flags Details

Description JVerstry 2014-07-21 17:40:00 UTC
Description of problem:

Openshift overwrites PostgreSql configuration file when an application restart is performed (with rhc for example or when pushing changes).

Implementing SSL communications to database requires adding 'ssl = on' in postgresql.conf. The restart overwrites the existing configuration file (as confirmed by someone on IRC). 

Version-Release number of selected component (if applicable):

Unknown


How reproducible:

Steps to Reproduce:
1. Create an application with a PostgreSql database. 
2. Modify postgresql.conf.
3. Restart the application.


Actual results:

Overwriting of postgresql.conf.


Expected results:

No overwritting of postgresql.conf


Additional info:

A question has been opened on Stackoverflow: http://stackoverflow.com/questions/24869485/openshift-overwrites-postgresql-conf-during-restart

Comment 1 Dan McPherson 2014-07-21 17:42:34 UTC
We'll need to add a new env var for turning ssl on.

Comment 2 Ben Parees 2014-07-21 18:37:44 UTC
Will add logic such that if OPENSHIFT_POSTGRESQL_SSL_ENABLED is set to "true" (case insensitive), "ssl = on" will be added to the config whenever it is generated.

Note that postgres still requires significant other configuration to enable ssl (generation and placement of certs), which I am not addressing with this fix:

http://www.postgresql.org/docs/8.4/static/ssl-tcp.html

Comment 4 chunchen 2014-07-23 03:19:11 UTC
Checked on devenv_4996, the Postgresql can not be restarted after setting the OPENSHIFT_POSTGRESQL_SSL_ENABLED variable, please refer to the following results:

1. Create an app with postgresql
rhc app create cphp php-5.4 postgresql-9 --no-git 

2. Set the OPENSHIFT_POSTGRESQL_SSL_ENABLED variable
rhc env-set  OPENSHIFT_POSTGRESQL_SSL_ENABLED="true" -a cphp
OR
rhc env-set  OPENSHIFT_POSTGRESQL_SSL_ENABLED=true -a cphp

3. Try to restart Postgresql
rhc cartridge restart postgresql -a cphp

Results:
Using postgresql-9.2 (PostgreSQL 9.2) for 'postgresql'
Restarting postgresql-9.2 ... 
Failed to execute: 'control restart' for /var/lib/openshift/53cf5ddc4d319b165900000a/postgresql

FYI, please also refer to the logs at attachment.

Comment 5 chunchen 2014-07-23 03:21:12 UTC
Created attachment 920080 [details]
development logs

Comment 6 Ben Parees 2014-07-23 04:13:14 UTC
This is expected per comment 2.  Additional configuration is required to enable ssl. I will see if a more useful error can be logged when the configuration is not present.

Comment 7 Ben Parees 2014-07-24 22:21:57 UTC
After further reflection, without going down a path of generating useful messages for every possible misconfiguration, I don't think there's something smart we can do here.

I debated dumping the log file to the console, but again, that's not something we do for any other cartridge that fails to start, so I'm hesistant to do it here.


So I'm marking this back to ON_QA, with emphasis on the fact that configuring SSL on postgres requires more than just setting this env var, there are manual steps required to define appropriate certs, this fix is only intended to ensure that the SSL configuration can be properly enabled in the conf file by the user and is not lost on restart.  It assumes the user has done the other necessary steps, described here:



http://www.postgresql.org/docs/8.4/static/ssl-tcp.html

Comment 8 chunchen 2014-07-25 05:28:49 UTC
checked on devenv_5008, according to comment 7, after adding server.key and server.crt under ~/postgresql/data, the app can be restarted, so mark it as VERIFIED.

Comment 9 Jurgen 2014-07-26 04:33:49 UTC
Regarding the overwriting of postgresql.conf, can i ask if there is or will be a way to change Locale and Formatting variables in postgres.conf? specifically i need to change the default values for datestyle, lc_messages, lc_monetary, lc_numeric, lc_time.

Comment 10 Ben Parees 2014-07-26 20:19:56 UTC
If you open a new bug we can look into making those values also configurable via environment value so that the regenerated conf file will contain your desired value.  (as was done with the ssl configuration value).  Will that work for you?


Note You need to log in before you can comment on or make changes to this bug.