
PostgreSQL not applying all parts of manifest

asked 2016-09-01 15:12:55 -0500

jackb

updated 2016-09-02 04:42:48 -0500

Hello,

Please see my manifest below. Keep in mind this is my first ever puppet manifest :)

I've got an older environment which I've set up by hand, but am now trying to automate parts of it with Puppet. Unfortunately I'm stuck on a small part of my puppet manifest for postgresql which isn't being applied completely. No errors are thrown, but the bolded values in the code below are not being set in postgresql.conf.

Everything else works out fine. The databases get created, the users and passwords are set, but these additional configuration parameters are just not being applied.

I'm using this module: https://forge.puppet.com/puppetlabs/p...

Appreciate any help.

node server.lan {

  class { 'postgresql::globals':
    encoding => 'UTF-8',
  }

  class { 'postgresql::server':
    ip_mask_deny_postgres_user => '0.0.0.0/32',
    ip_mask_allow_all_users    => '127.0.0.1/32',
    listen_addresses           => '*',
    postgres_password          => 'Test1234',
    ipv4acls                   => ['hostssl dba1 pgsql_dba 192.168.1.0/24 md5'],
  }

  class { 'postgresql::server::contrib':
    package_ensure => 'latest',
  }

  postgresql::server::role { 'pgsql_dba':
    password_hash => postgresql_password('pgsql_dba', 'Test1234'),
  }

  postgresql::server::database { 'dba1':
    owner    => 'pgsql_dba',
    encoding => 'UTF-8',
  }

  # Config changes
  postgresql::server::config_entry { 'ssl':
    value => 'true',
  }

  postgresql::server::config_entry { 'ssl_ciphers':
    value => 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH',
  }

  postgresql::server::config_entry { 'ssl_prefer_server_ciphers':
    value => 'on',
  }

  postgresql::server::config_entry { 'ssl_cert_file':
    value => '/etc/ssl/certs/certificate.cert.pem',
  }

  postgresql::server::config_entry { 'ssl_key_file':
    value => '/etc/ssl/private/certificate.key.pem',
  }

  postgresql::server::config_entry { 'ssl_ca_file':
    value => '/etc/postgresql/9.5/main/chain.cert.pem',
  }

}

For clarity, these settings do not get applied:

postgresql::server::config_entry { 'ssl_ciphers':
  value => 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH',
}

postgresql::server::config_entry { 'ssl_prefer_server_ciphers':
  value => 'on',
}

postgresql::server::config_entry { 'ssl_ca_file':
  value => '/etc/postgresql/9.5/main/chain.cert.pem',
}

System: Ubuntu 16.04 PGSQL: 9.4


1 Answer


answered 2016-09-02 03:31:38 -0500

lupin

updated 2016-09-02 03:32:24 -0500

What distro are you running on? On CentOS 7, the possible value of ssl is either on|off. So the manifest reads like this.

  postgresql::server::config_entry { 'ssl':
    ensure => 'present',
    value  => on,
  }

[root@ha-centos7 module0]# grep ssl /var/lib/pgsql/data/postgresql.conf
#ssl = off              # (change requires restart)
#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'  # allowed SSL ciphers
#ssl_renegotiation_limit = 0        # amount of data between renegotiations
#ssl_cert_file = 'server.crt'       # (change requires restart)
#ssl_key_file = 'server.key'        # (change requires restart)
#ssl_ca_file = ''           # (change requires restart)
#ssl_crl_file = ''          # (change requires restart)
ssl_ciphers = 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH'
ssl_prefer_server_ciphers = on
ssl = on

Comments

Hi, thanks for getting back to me. I'm using Ubuntu 16.04. I saw in the compatible OS's for the puppet module that it didn't state 16.04. I went ahead and installed a CentOS 7 system and then applied the same manifest as shown in my first post and everything worked. Maybe a bug with Ubuntu 16.04?

jackb ( 2016-09-02 04:36:58 -0500 )

Regarding "SSL = true": it's the default on the Ubuntu repo at least. Maybe it takes both on/off and true/false seeing as it's a boolean. It does work as intended with true though (PostgreSQL 9.4).

jackb ( 2016-09-02 04:40:09 -0500 )

I've updated my initial post to give a clearer view of what's not working. It's specifically certain configuration parameters.

jackb ( 2016-09-02 04:45:58 -0500 )
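
A check for the symptom discussed in this thread, as an added example (not code from the question, the answer, or the Puppet module): it reads postgresql.conf the way the server does and reports which expected TLS parameters are effectively set, treating `true` and `on` as the same boolean. The function names and the sample file are constructed for illustration.

```sh
# Added example. PostgreSQL skips '#' lines; for a repeated parameter the last assignment wins.
pg_effective_setting() {   # usage: pg_effective_setting FILE PARAM (include directives not followed)
    awk -v key="$2" -v q="'" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        line == "" || line ~ /^#/ { next }
        match(line, /^[A-Za-z_][A-Za-z0-9_.]*/) {
            if (tolower(substr(line, 1, RLENGTH)) != tolower(key)) next
            val = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)          # "name = value" or "name value"
            if (substr(val, 1, 1) == q) {            # quoted: text up to closing quote
                val = substr(val, 2); i = index(val, q); if (i) val = substr(val, 1, i - 1)
            } else {                                 # bare: drop trailing comment
                sub(/[ \t]*#.*$/, "", val); sub(/[ \t]+$/, "", val)
            }
            found = 1; result = val
        }
        END { if (!found) exit 1; print result }
    ' "$1"
}

pg_norm_bool() {           # on/true/yes/1 and off/false/no/0 are equivalent spellings
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in
        on|true|yes|1)  echo on ;;
        off|false|no|0) echo off ;;
        *)              printf '%s\n' "$1" ;;
    esac
}

check_pg_tls() {           # usage: check_pg_tls FILE "param=expected" ...
    conf=$1; shift; rc=0
    for want in "$@"; do
        key=${want%%=*}; exp=${want#*=}
        if got=$(pg_effective_setting "$conf" "$key"); then
            [ "$(pg_norm_bool "$got")" = "$(pg_norm_bool "$exp")" ] ||
                { echo "MISMATCH $key = '$got', expected '$exp'"; rc=1; }
        else
            echo "UNSET $key (commented out or absent)"; rc=1
        fi
    done
    return "$rc"
}

write_sample_conf() {      # constructed sample, modelled on the grep output above
    cat > "$1" <<'EOF'
#ssl = off              # (change requires restart)
#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH'  # allowed SSL ciphers
ssl = true
ssl_cert_file = '/etc/ssl/certs/certificate.cert.pem'
EOF
}
```

After a Puppet run, something like `check_pg_tls /var/lib/pgsql/data/postgresql.conf ssl=on ssl_prefer_server_ciphers=on` exits non-zero and names each parameter that is still only present as a commented default.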
