Red Hat Bugzilla – Bug 847357
Postgres startup script disregards /var/lib/pgsql/data/postgresql.conf TCP settings
Last modified: 2013-07-02 23:45:44 EDT
Description of problem:
Configuring PostgreSQL on RHEL6 platform we needed to change default port on which PostgreSQL listens from 5432 to 15432. Changing /var/lib/pgsql/data/postgresql.conf didn't yield desired results as postgres daemon kept on listening on 5432 port.
Looking closer at init script it seems like things were geared towards running several instances. Which is fine, but you don't have to control ports at that level as it's enough to control PGDATA and everything else can be controlled from "normal" postgresql.conf.
Version-Release number of selected component (if applicable):
# rpm -q postgresql
Steps to Reproduce:
1. service postgresql stop
2. uncomment and change connection settings in /var/lib/pgsql/data/postgresql.conf :
listen_addresses = 'localhost'
port = 15432
3. service postgresql start
Actual results:
postgresql listening on port 5432
Expected results:
postgresql listening on port 15432
Things may be fixed by *not* supplying PGPORT portion to postmaster invocation in cases where "grep -qe '^\s*port\s*=' $PGDATA/postgresql.conf" yields positive result.
As a matter of fact PGDATA can also be overridden in postgresql.conf file...
As a side-note: moving postgresql to a different port number also triggers SELinux denial which could be resolved with:
#============= postgresql_t ==============
allow postgresql_t port_t:tcp_socket name_bind;
Since postgresql in RHEL6 seems to be geared for multi-DB setups, it may be better to have SELinux tunable for the above rule. I found allow_user_postgresql_connect which is one tunable to enable connection *to* PostgreSQL process, but there needs to be another one to allow PostgreSQL to bind to an arbitrary port?
This is not a bug. It has always been the case that the port number (like PGDATA) has to be configured in the init script if you want to change it. Changing it in postgresql.conf won't work reliably because pg_ctl has to know it.
I will agree that this fact is underdocumented :-(
Development Management has reviewed and declined this request.
You may appeal this decision by reopening this request.
Should I open a separate bug for comment #2 then, as it seems that only first comment was addressed in reply?
That would be something to discuss with the selinux-policy people, not me. I think it's a questionable thing anyway whether selinux-policy should support nonstandard configurations out-of-the-box ... who's to say whether postgres connecting to an unusual port isn't something selinux *ought* to complain about?
With respect to the SELinux configuration issue, I've added the following text to the README.rpm-dist doc file for postgresql:
If you are running SELinux in enforcing mode (which is highly recommended,
particularly for network-exposed services like PostgreSQL) you will need to
adjust SELinux policy to allow the postmaster to use non-default PGPORT or
PGDATA settings. To allow use of a non-default port, say 5433, do this:
semanage port -a -t postgresql_port_t -p tcp 5433
To allow use of a non-default data directory, say /special/pgdata, do:
semanage fcontext -a -t postgresql_db_t "/special/pgdata(/.*)?"
If you already created the directory, follow that with:
restorecon -R /special/pgdata
These settings are persistent across reboots. For more information
see "man semanage".
(This is only in the Fedora copy at the moment, but it will propagate into RHEL in due time.)
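An added example, not part of the bug report or the README text: a shell pre-flight check that combines the two points raised in this thread, namely that the PGPORT supplied by the init script takes precedence over the port in postgresql.conf, and that SELinux must list the port under postgresql_port_t. The function names, status words and sample files are constructed for illustration; on a real host the listing would be the saved output of `semanage port -l`.

```shell
#!/bin/sh
# Added example (not from the bug report): check a non-default PostgreSQL port
# against the init script's PGPORT and the SELinux port labels.

# Effective "port" from a postgresql.conf ($1); the last uncommented setting wins.
conf_port() {
    local p
    p=$(sed -n "s/^[[:space:]]*port[[:space:]]*=[[:space:]]*'\{0,1\}\([0-9]\{1,\}\).*/\1/p" "$1" | tail -n 1)
    echo "${p:-5432}"
}

# Succeed if TCP port $1 is covered by postgresql_port_t in `semanage port -l`
# output read from stdin (entries may be single ports or lo-hi ranges).
port_labeled() {
    awk -v want="$1" '
        $1 == "postgresql_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) {
                entry = $i; sub(/,$/, "", entry)
                n = split(entry, r, "-")
                lo = r[1] + 0; hi = (n == 2 ? r[2] : r[1]) + 0
                if (want + 0 >= lo && want + 0 <= hi) found = 1
            }
        }
        END { exit !found }'
}

# preflight CONF PGPORT LISTING -> prints MISMATCH, UNLABELED or OK.
preflight() {
    if [ "$(conf_port "$1")" != "$2" ]; then
        echo MISMATCH    # init script passes PGPORT, so the conf value is not used
    elif ! port_labeled "$2" < "$3"; then
        echo UNLABELED   # SELinux would deny name_bind on this port
    else
        echo OK
    fi
}

# Constructed sample input: the reporter's edit, and port listings before/after semanage.
tmp=$(mktemp -d)
printf '%s\n' "#port = 5432" "listen_addresses = 'localhost'" "port = 15432" > "$tmp/postgresql.conf"
printf '%s\n' "postgresql_port_t              tcp      5432" > "$tmp/ports.before"
printf '%s\n' "postgresql_port_t              tcp      15432, 5432" > "$tmp/ports.after"

preflight "$tmp/postgresql.conf" 5432  "$tmp/ports.before"   # MISMATCH
preflight "$tmp/postgresql.conf" 15432 "$tmp/ports.before"   # UNLABELED
preflight "$tmp/postgresql.conf" 15432 "$tmp/ports.after"    # OK
```

The three calls correspond to the reporter's original situation, the state after changing PGPORT in the init script only, and the state after also running the `semanage port -a` command from the README text for port 15432.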