Merge branch '6-9-stable' into 6-9-stable-ee

53391ff5 · Jacob Vosmaer · 1caa6bc9 · 8fc5a8f4 · 53391ff5 · 53391ff5
Commit 53391ff5 authored 10 years ago by Jacob Vosmaer
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -9,6 +9,7 @@
 - Support changing the 'signin_enabled' option (Konstantinos Paliouras)
 - Fix Nginx HTTP-to-HTTPS log configuration error (Konstantinos Paliouras)
 - Create the authorized-keys.lock file for gitlab-shell 1.9.4
+- Use sockets and peer authentication for Postgres
  
 6.9.1
 - Fix Nginx HTTP-to-HTTPS log configuration error (Konstantinos Paliouras)

--- a/files/gitlab-cookbooks/gitlab/attributes/default.rb
+++ b/files/gitlab-cookbooks/gitlab/attributes/default.rb
@@ -106,8 +106,8 @@ default['gitlab']['gitlab-rails']['db_encoding'] = "unicode"
 default['gitlab']['gitlab-rails']['db_database'] = "gitlabhq_production"
 default['gitlab']['gitlab-rails']['db_pool'] = 10
 default['gitlab']['gitlab-rails']['db_username'] = "gitlab"
-default['gitlab']['gitlab-rails']['db_password'] = "password"
-default['gitlab']['gitlab-rails']['db_host'] = "localhost"
+default['gitlab']['gitlab-rails']['db_password'] = nil
+default['gitlab']['gitlab-rails']['db_host'] = nil
 default['gitlab']['gitlab-rails']['db_port'] = 5432
 default['gitlab']['gitlab-rails']['db_socket'] = nil
  
@@ -155,12 +155,11 @@ default['gitlab']['postgresql']['shell'] = "/bin/sh"
 default['gitlab']['postgresql']['home'] = "/var/opt/gitlab/postgresql"
 default['gitlab']['postgresql']['user_path'] = "/opt/gitlab/embedded/bin:/opt/gitlab/bin:$PATH"
 default['gitlab']['postgresql']['sql_user'] = "gitlab"
-default['gitlab']['postgresql']['sql_password'] = "snakepliskin"
 default['gitlab']['postgresql']['port'] = 5432
-default['gitlab']['postgresql']['listen_address'] = 'localhost'
+default['gitlab']['postgresql']['listen_address'] = nil
 default['gitlab']['postgresql']['max_connections'] = 200
-default['gitlab']['postgresql']['md5_auth_cidr_addresses'] = [ ]
-default['gitlab']['postgresql']['trust_auth_cidr_addresses'] = [ '127.0.0.1/32', '::1/128' ]
+default['gitlab']['postgresql']['md5_auth_cidr_addresses'] = []
+default['gitlab']['postgresql']['trust_auth_cidr_addresses'] = []
 default['gitlab']['postgresql']['shmmax'] = kernel['machine'] =~ /x86_64/ ? 17179869184 : 4294967295
 default['gitlab']['postgresql']['shmall'] = kernel['machine'] =~ /x86_64/ ? 4194304 : 1048575
  

--- a/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
+++ b/files/gitlab-cookbooks/gitlab/libraries/gitlab.rb
@@ -65,16 +65,12 @@ module Gitlab
        end
      end
  
-      Gitlab['postgresql']['sql_password'] ||= generate_hex(50)
      Gitlab['gitlab_rails']['secret_token'] ||= generate_hex(64)
  
      if File.directory?("/etc/gitlab")
        File.open("/etc/gitlab/gitlab-secrets.json", "w") do |f|
          f.puts(
            Chef::JSONCompat.to_json_pretty({
-              'postgresql' => {
-                'sql_password' => Gitlab['postgresql']['sql_password'],
-              },
              'gitlab_rails' => {
                'secret_token' => Gitlab['gitlab_rails']['secret_token'],
              }

--- a/files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/gitlab-rails.rb
@@ -71,6 +71,7 @@ template_symlink File.join(gitlab_rails_etc_dir, "database.yml") do
  group "root"
  mode "0644"
  variables database_attributes
+  helpers SingleQuoteHelper
  restarts dependent_services
 end
  

--- a/files/gitlab-cookbooks/gitlab/recipes/postgresql.rb
+++ b/files/gitlab-cookbooks/gitlab/recipes/postgresql.rb
@@ -112,6 +112,13 @@ template pg_hba_config do
  notifies :restart, 'service[postgresql]' if OmnibusHelper.should_notify?("postgresql")
 end
  
+template File.join(postgresql_data_dir, "pg_ident.conf") do
+  owner node['gitlab']['postgresql']['username']
+  mode "0644"
+  variables(node['gitlab']['postgresql'].to_hash)
+  notifies :restart, 'service[postgresql]' if OmnibusHelper.should_notify?("postgresql")
+end
+
 should_notify = OmnibusHelper.should_notify?("postgresql")
  
 runit_service "postgresql" do
@@ -141,9 +148,9 @@ bin_dir = "/opt/gitlab/embedded/bin"
 db_name = "gitlabhq_production"
  
 sql_user        = node['gitlab']['postgresql']['sql_user']
-sql_user_passwd = node['gitlab']['postgresql']['sql_password']
  
-execute "#{bin_dir}/psql --port #{pg_port} -d template1 -c \"CREATE USER #{sql_user} WITH ENCRYPTED PASSWORD '#{sql_user_passwd}'\"" do
+execute "create #{sql_user} database user" do
+  command "#{bin_dir}/psql --port #{pg_port} -d template1 -c \"CREATE USER #{sql_user}\""
  user pg_user
  not_if { !pg_helper.is_running? || pg_helper.sql_user_exists? }
 end

--- a/files/gitlab-cookbooks/gitlab/templates/default/database.yml.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/database.yml.erb
@@ -7,8 +7,8 @@ production:
  encoding: <%= @db_encoding %>
  database: <%= @db_database %>
  pool: <%= @db_pool %>
-  username: "<%= @db_username %>"
-  password: "<%= @db_password %>"
-  host: <%= @db_host %>
+  username: <%= single_quote(@db_username) %>
+  password: <%= single_quote(@db_password) %>
+  host: <%= single_quote(@db_host) %>
  port: <%= @db_port %>
-  socket: <%= @db_socket %>
+  socket: <%= single_quote(@db_socket) %>
--- a/files/gitlab-cookbooks/gitlab/templates/default/pg_hba.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/pg_hba.conf.erb
@@ -67,7 +67,7 @@
 # TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
  
 # "local" is for Unix domain socket connections only
-local   all         all                               trust
+local   all         all                               peer map=gitlab
  
 <% node['gitlab']['postgresql']['trust_auth_cidr_addresses'].each do |cidr| %>
 host    all         all         <%= cidr %>           trust

--- a/files/gitlab-cookbooks/gitlab/templates/default/pg_ident.conf.erb
+++ b/files/gitlab-cookbooks/gitlab/templates/default/pg_ident.conf.erb
+# PostgreSQL User Name Maps
+# =========================
+#
+# Refer to the PostgreSQL documentation, chapter "Client
+# Authentication" for a complete description.  A short synopsis
+# follows.
+#
+# This file controls PostgreSQL user name mapping.  It maps external
+# user names to their corresponding PostgreSQL user names.  Records
+# are of the form:
+#
+# MAPNAME  SYSTEM-USERNAME  PG-USERNAME
+#
+# (The uppercase quantities must be replaced by actual values.)
+#
+# MAPNAME is the (otherwise freely chosen) map name that was used in
+# pg_hba.conf.  SYSTEM-USERNAME is the detected user name of the
+# client.  PG-USERNAME is the requested PostgreSQL user name.  The
+# existence of a record specifies that SYSTEM-USERNAME may connect as
+# PG-USERNAME.
+#
+# If SYSTEM-USERNAME starts with a slash (/), it will be treated as a
+# regular expression.  Optionally this can contain a capture (a
+# parenthesized subexpression).  The substring matching the capture
+# will be substituted for \1 (backslash-one) if present in
+# PG-USERNAME.
+#
+# Multiple maps may be specified in this file and used by pg_hba.conf.
+#
+# No map names are defined in the default configuration.  If all
+# system user names and PostgreSQL user names are the same, you don't
+# need anything in this file.
+#
+# This file is read on server startup and when the postmaster receives
+# a SIGHUP signal.  If you edit the file on a running system, you have
+# to SIGHUP the postmaster for the changes to take effect.  You can
+# use "pg_ctl reload" to do that.
+
+# Put your actual configuration here
+# ----------------------------------
+
+# MAPNAME       SYSTEM-USERNAME         PG-USERNAME
+gitlab  <%= node['gitlab']['user']['username'] %>  <%= node['gitlab']['postgresql']['sql_user'] %>
+# Default to a 1-1 mapping between system usernames and Postgres usernames
+gitlab  /^(.*)$  \1