support setting the gitlab-psql password in postgresql and populating it in the patroni configuration

Summary

Customer raised a ticket following an audit by their security/compliance folks. GitLab team members can read more in the ticket.

They need to switch to md5_auth_cidr_addresses and ensure all accounts have passwords set, including gitlab-psql (AKA the database install user, OID 10).

Proposal

Ensure all accounts can be secured to reasonably common corporate compliance requirements, including setting a gitlab-psql password that has been generated by the customer - for example using a corporate password vault for non-human accounts.

Additionally, put the gitlab-psql password in the patroni configuration. This appears to be needed when md5_auth_cidr_addresses is selected. Currently only the username for superuser is provided.

postgresql:
  authentication:
    superuser:
      username: gitlab-psql
      password: ******
    replication:
      username: gitlab_replicator
      password: ******
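As an added example of the operator-side steps the proposal implies (this is not code from the issue, from GitLab or from Patroni): take a vault-generated password, compute PostgreSQL's stored md5 form so the cleartext does not appear in the ALTER ROLE statement (and therefore not in statement logs), quote the hyphenated role name correctly, and render the matching patroni.yaml authentication fragment. The password values are constructed placeholders.

```python
import hashlib
import json


def pg_md5_role_password(username: str, password: str) -> str:
    """PostgreSQL's stored md5 form: 'md5' + hex(md5(password || username)).

    ALTER ROLE accepts this pre-hashed value, so the cleartext password
    never has to be part of the SQL statement text.
    """
    digest = hashlib.md5((password + username).encode("utf-8")).hexdigest()
    return "md5" + digest


def verify_md5_role_password(stored: str, username: str, password: str) -> bool:
    """Check a vault-held password against a pg_authid.rolpassword value."""
    return stored == pg_md5_role_password(username, password)


def quote_ident(name: str) -> str:
    """Double-quote an SQL identifier; 'gitlab-psql' needs it because of the hyphen."""
    return '"' + name.replace('"', '""') + '"'


def alter_role_statement(username: str, password: str) -> str:
    """ALTER ROLE statement that sets the pre-hashed password for a role."""
    hashed = pg_md5_role_password(username, password)
    return f"ALTER ROLE {quote_ident(username)} PASSWORD '{hashed}';"


def patroni_auth_fragment(superuser: str, superuser_pw: str,
                          replicator: str, replicator_pw: str) -> str:
    """Render the postgresql.authentication block with both passwords populated.

    Values are emitted as double-quoted scalars (a JSON string is a valid YAML
    double-quoted scalar) so vault-generated passwords with special characters
    survive YAML parsing intact.
    """
    lines = [
        "postgresql:",
        "  authentication:",
        "    superuser:",
        f"      username: {json.dumps(superuser)}",
        f"      password: {json.dumps(superuser_pw)}",
        "    replication:",
        f"      username: {json.dumps(replicator)}",
        f"      password: {json.dumps(replicator_pw)}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed placeholder secrets; real values would come from the vault.
    psql_pw = "PLACEHOLDER-gitlab-psql"
    repl_pw = "PLACEHOLDER-replicator"
    print(alter_role_statement("gitlab-psql", psql_pw))
    print(alter_role_statement("gitlab_replicator", repl_pw))
    print(patroni_auth_fragment("gitlab-psql", psql_pw, "gitlab_replicator", repl_pw))
```

The md5 form is what md5 authentication compares against; on PostgreSQL versions that support it, scram-sha-256 is the stronger choice, but the page's PG11/PG12 setup with md5_auth_cidr_addresses is what this example targets.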

Operations not affected

A reasonable number of operations within a node seem to use other accounts (or the socket), so the gitlab-psql password can be set/reset without affecting a patroni node. This includes:

  • re-initializing a replica (PG11, Omnibus 13.12.15 (containers))
  • major version upgrade (Omnibus 13.12.15 (containers) from PG11 to PG12)

pg_rewind is affected

A replica recovery that uses pg_rewind requires the gitlab-psql password in /var/opt/gitlab/patroni/patroni.yaml. I established this by adding it in manually. Then, the replica was able to recover.

postgresql:
  authentication:
    superuser:
      username: gitlab-psql
      password: ******
    replication:
      username: gitlab_replicator
      password: ******

Having set the password on the primary node, I restarted the cluster members (docker containers as it happens) and on recovery a new node was selected as leader. The original leader failed to recover:

errors from leader in patroni log
2021-12-20_10:14:56.79572 2021-12-20 10:14:56,793 INFO: Lock owner: gitlab-testdbc10-patroni1; I am gitlab-testdbc10-patroni3
2021-12-20_10:14:56.82191 2021-12-20 10:14:56,818 INFO: running pg_rewind from gitlab-testdbc10-patroni1
2021-12-20_10:14:56.84355 2021-12-20 10:14:56,841 ERROR: Exception when working with leader
2021-12-20_10:14:56.84359 Traceback (most recent call last):
2021-12-20_10:14:56.84360   File "/opt/gitlab/embedded/lib/python3.7/site-packages/patroni/postgresql/rewind.py", line 66, in check_leader_is_not_in_recovery
2021-12-20_10:14:56.84360     with get_connection_cursor(connect_timeout=3, options='-c statement_timeout=2000', **kwargs) as cur:
2021-12-20_10:14:56.84361   File "/opt/gitlab/embedded/lib/python3.7/contextlib.py", line 112, in __enter__
2021-12-20_10:14:56.84361     return next(self.gen)
2021-12-20_10:14:56.84362   File "/opt/gitlab/embedded/lib/python3.7/site-packages/patroni/postgresql/connection.py", line 43, in get_connection_cursor
2021-12-20_10:14:56.84362     with psycopg2.connect(**kwargs) as conn:
2021-12-20_10:14:56.84363   File "/opt/gitlab/embedded/lib/python3.7/site-packages/psycopg2-2.8.6-py3.7-linux-x86_64.egg/psycopg2/__init__.py", line 127, in connect
2021-12-20_10:14:56.84363     conn = _connect(dsn, connection_factory=connection_factory, **kwasync)
2021-12-20_10:14:56.84364 psycopg2.OperationalError: fe_sendauth: no password supplied

The node was in a crash loop like this, retrying multiple times.
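As an added example (not Patroni or GitLab code), two defender-side checks for the failure mode above: a pre-flight check that the postgresql.authentication section of patroni.yaml carries a password for both the superuser and replication roles whenever md5_auth_cidr_addresses is in effect, and a scan of Patroni log lines that counts pg_rewind attempts ending in "fe_sendauth: no password supplied" so the crash loop can be spotted and distinguished from a completed rewind. The config dicts and log lines are constructed from the fragments in this issue; the password values are placeholders.

```python
import re
from typing import Dict, List

# Constructed stand-ins for the postgresql.authentication section of
# /var/opt/gitlab/patroni/patroni.yaml, shaped as yaml.safe_load() would return it.
# Password values are placeholders, not real credentials.
CONFIG_MISSING_SUPERUSER_PW = {
    "postgresql": {
        "authentication": {
            "superuser": {"username": "gitlab-psql"},  # only the username, as today
            "replication": {"username": "gitlab_replicator",
                            "password": "PLACEHOLDER-replicator"},
        }
    }
}
CONFIG_COMPLETE = {
    "postgresql": {
        "authentication": {
            "superuser": {"username": "gitlab-psql", "password": "PLACEHOLDER-psql"},
            "replication": {"username": "gitlab_replicator",
                            "password": "PLACEHOLDER-replicator"},
        }
    }
}

REQUIRED_ROLES = ("superuser", "replication")


def missing_passwords(config: dict, md5_auth_cidr_addresses: List[str]) -> List[str]:
    """Roles under postgresql.authentication that lack a non-empty password.

    Enforced only when md5 auth is in use (a non-empty md5_auth_cidr_addresses
    list); with trust/peer auth the password is never consulted.
    """
    if not md5_auth_cidr_addresses:
        return []
    auth = config.get("postgresql", {}).get("authentication", {})
    return [role for role in REQUIRED_ROLES if not auth.get(role, {}).get("password")]


# Patroni log lines look like "<file ts> <ts> LEVEL: message"; traceback lines
# carry only the file timestamp. A rewind attempt is the bare "running pg_rewind
# from <leader>" line; the "in progress" and "from dbname=..." variants are
# progress messages of the same attempt and are deliberately not matched.
REWIND_START = re.compile(r"INFO: running pg_rewind from (?P<leader>[\w.-]+)$")
REWIND_DONE = re.compile(r"INFO: pg_rewind exit code=(?P<code>\d+)")
NO_PASSWORD = "fe_sendauth: no password supplied"


def summarize_pg_rewind(lines) -> Dict[str, int]:
    """Count pg_rewind attempts, attempts that died for lack of a password,
    and attempts that ran to completion (exit code 0)."""
    summary = {"attempts": 0, "no_password_failures": 0, "completed": 0}
    for line in lines:
        if REWIND_START.search(line):
            summary["attempts"] += 1
        elif NO_PASSWORD in line:
            summary["no_password_failures"] += 1
        else:
            m = REWIND_DONE.search(line)
            if m and m.group("code") == "0":
                summary["completed"] += 1
    return summary


def crash_looping(summary: Dict[str, int], threshold: int = 2) -> bool:
    """True when rewinds keep failing on the missing password and none completed."""
    return summary["no_password_failures"] >= threshold and summary["completed"] == 0


# Constructed sample: the issue's failing lines repeated once (second timestamp
# made up), followed by the successful run after the password was added.
SAMPLE_LOG = [
    "2021-12-20_10:14:56.82191 2021-12-20 10:14:56,818 INFO: running pg_rewind from gitlab-testdbc10-patroni1",
    "2021-12-20_10:14:56.84355 2021-12-20 10:14:56,841 ERROR: Exception when working with leader",
    "2021-12-20_10:14:56.84364 psycopg2.OperationalError: fe_sendauth: no password supplied",
    "2021-12-20_10:15:06.82191 2021-12-20 10:15:06,818 INFO: running pg_rewind from gitlab-testdbc10-patroni1",
    "2021-12-20_10:15:06.84364 psycopg2.OperationalError: fe_sendauth: no password supplied",
    "2021-12-20_10:18:53.84007 2021-12-20 10:18:53,832 INFO: running pg_rewind from gitlab-testdbc10-patroni1",
    "2021-12-20_10:18:53.84009 2021-12-20 10:18:53,837 INFO: running pg_rewind from gitlab-testdbc10-patroni1 in progress",
    "2021-12-20_10:18:53.86849 2021-12-20 10:18:53,864 INFO: running pg_rewind from dbname=postgres user=gitlab-psql host=172.18.10.111 port=5432",
    "2021-12-20_10:18:56.70993 2021-12-20 10:18:56,709 INFO: pg_rewind exit code=0",
]

if __name__ == "__main__":
    print("missing:", missing_passwords(CONFIG_MISSING_SUPERUSER_PW, ["10.0.0.0/8"]))
    before = summarize_pg_rewind(SAMPLE_LOG[:5])
    print("before fix:", before, "crash loop:", crash_looping(before))
    print("after fix:", summarize_pg_rewind(SAMPLE_LOG))
```

Running the config check against the generated patroni.yaml before switching a node over to md5 authentication catches the missing superuser password ahead of the first failover, while the log scan gives a detection rule for the case where the switch has already happened.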

After adding the gitlab-psql password to that node's patroni configuration:

pg_rewind executes
2021-12-20_10:18:53.70187 
2021-12-20_10:18:53.71154 2021-12-20 10:18:53,709 INFO: Lock owner: gitlab-testdbc10-patroni1; I am gitlab-testdbc10-patroni3
2021-12-20_10:18:53.75086 2021-12-20 10:18:53,749 INFO: Local timeline=12 lsn=0/16000028
2021-12-20_10:18:53.78498 2021-12-20 10:18:53,783 INFO: master_timeline=13
2021-12-20_10:18:53.78501 2021-12-20 10:18:53,784 INFO: master: history=9   0/10CA4F80  no recovery target specified
2021-12-20_10:18:53.78502 10    0/111578A8  no recovery target specified
2021-12-20_10:18:53.78502 11    0/11689A60  no recovery target specified
2021-12-20_10:18:53.78504 12    0/15422EF0  no recovery target specified
2021-12-20_10:18:53.84004 2021-12-20 10:18:53,829 INFO: Deregister service postgresql-ha/gitlab-testdbc10-patroni3
2021-12-20_10:18:53.84007 2021-12-20 10:18:53,832 INFO: running pg_rewind from gitlab-testdbc10-patroni1
2021-12-20_10:18:53.84008 2021-12-20 10:18:53,835 INFO: Lock owner: gitlab-testdbc10-patroni1; I am gitlab-testdbc10-patroni3
2021-12-20_10:18:53.84009 2021-12-20 10:18:53,837 INFO: running pg_rewind from gitlab-testdbc10-patroni1 in progress
2021-12-20_10:18:53.86849 2021-12-20 10:18:53,864 INFO: running pg_rewind from dbname=postgres user=gitlab-psql host=172.18.10.111 port=5432
2021-12-20_10:18:56.70993 2021-12-20 10:18:56,709 INFO: pg_rewind exit code=0
2021-12-20_10:18:56.70998 2021-12-20 10:18:56,709 INFO:  stdout=servers diverged at WAL location 0/15422EF0 on timeline 12
2021-12-20_10:18:56.70999 rewinding from last common checkpoint at 0/15422E48 on timeline 12
2021-12-20_10:18:56.70999 Done!
2021-12-20_10:18:56.71000 

Edited by Ben Prescott_