From eae2eed7b06fa77eec36ced64b0700fbcc3eb852 Mon Sep 17 00:00:00 2001
From: Alexis Ben Miloud--Josselin
Date: Thu, 16 Mar 2023 17:14:16 +0100
Subject: [PATCH 1/6] Add role for PgBouncer

---
 CHANGELOG.md                         |  2 ++
 pgbouncer/README.md                  | 38 ++++++++++++++++++++++++++++
 pgbouncer/defaults/main.yml          |  7 +++++
 pgbouncer/tasks/main.yml             | 17 +++++++++++++
 pgbouncer/templates/pgbouncer.ini.j2 | 29 +++++++++++++++++++++
 pgbouncer/templates/userlist.txt.j2  |  3 +++
 6 files changed, 96 insertions(+)
 create mode 100644 pgbouncer/README.md
 create mode 100644 pgbouncer/defaults/main.yml
 create mode 100644 pgbouncer/tasks/main.yml
 create mode 100644 pgbouncer/templates/pgbouncer.ini.j2
 create mode 100644 pgbouncer/templates/userlist.txt.j2

diff --git a/CHANGELOG.md b/CHANGELOG.md
index dc0b7cc3..36b62cb2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Added
 
+* pgbouncer: new role
+
 ### Changed
 
 ### Fixed
diff --git a/pgbouncer/README.md b/pgbouncer/README.md
new file mode 100644
index 00000000..2542f497
--- /dev/null
+++ b/pgbouncer/README.md
@@ -0,0 +1,38 @@
+# PgBouncer
+
+Installation and basic configuration of PgBouncer.
+
+## Tasks
+
+Everything is in the `tasks/main.yml` file.
+
+## Available variables
+
+Main variables are :
+
+* `pgbouncer_listen_addr`: the listen IP for PgBouncer (default: `127.0.0.1`),
+* `pgbouncer_listen_port`: the listen post for PgBouncer (default: `6432`),
+* `pgbouncer_databases`: the databases that clients of PgBouncer can connect to,
+* `pgbouncer_account_list`: the accounts that clients of PgBouncer can connect to.
+
+The variable `pgbouncer_databases` must have the `name`, `host` and `port` attributes. The variable can be defined like this:
+
+```
+pgbouncer_databases:
+  - { name: "db1", host: "192.168.3.14", port: "5432" }
+  - { name: "*", host: "192.168.2.71", port: "5432" }
+```
+
+The variable `pgbouncer_account_list` must have the `name` and `hash` attributes. The variable can be defined like this:
+
+```
+pgbouncer_account_list:
+  - { name: "account1", hash: "" }
+  - { name: "account2", hash: "" }
+```
+
+The value of `hash` can be obtained by running this command on the PostgreSQL server: `select passwd from pg_shadow where usename='account1';`
+
+> These accounts must exist on the PostegreSQL server.
+
+The full list of variables (with default values) can be found in `defaults/main.yml`.
diff --git a/pgbouncer/defaults/main.yml b/pgbouncer/defaults/main.yml
new file mode 100644
index 00000000..7b246270
--- /dev/null
+++ b/pgbouncer/defaults/main.yml
@@ -0,0 +1,7 @@
+---
+pgbouncer_listen_addr: "127.0.0.1"
+pgbouncer_listen_port: "6432"
+
+pgbouncer_databases: []
+
+pgbouncer_account_list: []
diff --git a/pgbouncer/tasks/main.yml b/pgbouncer/tasks/main.yml
new file mode 100644
index 00000000..67639044
--- /dev/null
+++ b/pgbouncer/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+- name: PgBouncer is installed
+  apt:
+    name: pgbouncer
+    state: present
+- name: Limit for PgBouncer is set
+  lineinfile:
+    path: /etc/default/pgbouncer
+    line: ulimit -n 65536
+- name: Add config file for PgBouncer
+  template:
+    src: pgbouncer.ini.j2
+    dest: /etc/pgbouncer/pgbouncer.ini
+- name: Populate userlist.txt
+  template:
+    src: userlist.txt.j2
+    dest: /etc/pgbouncer/userlist.txt
diff --git a/pgbouncer/templates/pgbouncer.ini.j2 b/pgbouncer/templates/pgbouncer.ini.j2
new file mode 100644
index 00000000..30d34ccb
--- /dev/null
+++ b/pgbouncer/templates/pgbouncer.ini.j2
@@ -0,0 +1,29 @@
+[databases]
+{% for db in pgbouncer_databases %}
+{{ db.name }} = host={{ db.host }} port={{ db.port }}
+{% endfor %}
+
+[pgbouncer]
+logfile = /var/log/postgresql/pgbouncer.log
+pidfile = /var/run/postgresql/pgbouncer.pid
+
+listen_addr = {{ pgbouncer_listen_addr }}
+listen_port = {{ pgbouncer_listen_port }}
+unix_socket_dir =
+
+auth_type = scram-sha-256
+auth_file = /etc/pgbouncer/userlist.txt
+
+# La connexion au serveur redevient libre lorsque le client termine une transaction
+# Autres valeurs possibles : session (lorsque le client ferme la session), statement (lorsque la requĂȘte se termine)
+pool_mode = transaction
+
+# Nombre maximum de connexions entrantes
+max_client_conn = 5000
+
+# Nombre de connexion maintenues avec le serveur
+default_pool_size = 20
+
+# Ne pas enregistrer les connexions qui se passent bien
+log_connections = 0
+log_disconnections = 0
diff --git a/pgbouncer/templates/userlist.txt.j2 b/pgbouncer/templates/userlist.txt.j2
new file mode 100644
index 00000000..abf316a3
--- /dev/null
+++ b/pgbouncer/templates/userlist.txt.j2
@@ -0,0 +1,3 @@
+{% for account in pgbouncer_account_list %}
+"{{ account.name }}" "{{ account.hash }}"
+{% endfor %}
From b7dea8d4569c3e7dfcd85ce5114b2a42fb316176 Mon Sep 17 00:00:00 2001
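Review bot: The `Populate userlist.txt` task writes SCRAM verifiers to `/etc/pgbouncer/userlist.txt` without `owner`, `group` or `mode`, so the file's permissions depend on what is already on the host (Ansible keeps the attributes of an existing destination, otherwise the umask decides) rather than on the role. Nothing in the hunk notifies PgBouncer either, so a changed `pgbouncer.ini` or userlist is only picked up after a manual restart; the diffstat shows no `handlers/main.yml`, so a `reload pgbouncer` handler would have to be added alongside. I would pin both template files to the service account (`postgres` on Debian, as far as I know) with mode `0640`, notify that handler, and set `no_log` on the userlist task so verifiers do not end up in `--diff` output.
```yaml
# … unchanged: apt and lineinfile tasks …
- name: Add config file for PgBouncer
  template:
    src: pgbouncer.ini.j2
    dest: /etc/pgbouncer/pgbouncer.ini
    owner: postgres
    group: postgres
    mode: "0640"
  notify: reload pgbouncer
- name: Populate userlist.txt
  template:
    src: userlist.txt.j2
    dest: /etc/pgbouncer/userlist.txt
    owner: postgres
    group: postgres
    mode: "0640"
  no_log: True
  notify: reload pgbouncer
```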
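Review bot: `listen_addr` is templated from `pgbouncer_listen_addr`, but the file sets no `client_tls_sslmode`/`client_tls_key_file`/`client_tls_cert_file` and no `server_tls_sslmode`, so a deployment that moves the listener off 127.0.0.1 accepts client sessions in cleartext and PgBouncer also connects to the backends under `[databases]` without TLS; the README documents the variable without that caveat. I would add a comment above `listen_addr = {{ pgbouncer_listen_addr }}` such as `# No TLS is configured: keep this on loopback, or set client_tls_*/server_tls_* before exposing the port`, and consider exposing `client_tls_sslmode` as a role variable. The comments in this file are in French while the README and task names are in English; translating them (e.g. `# Release the server connection when the client ends a transaction; other values: session, statement`) would keep the role consistent.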
From: Jeremy Lecour
Date: Thu, 16 Mar 2023 21:35:03 +0100
Subject: [PATCH 2/6] minifirewall: support protocols in numeric form

---
 CHANGELOG.md                          | 2 ++
 minifirewall/files/check_minifirewall | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 36b62cb2..cd14c099 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,6 +17,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Changed
 
+minifirewall: support protocols in numeric form
+
 ### Fixed
 
 ### Removed
diff --git a/minifirewall/files/check_minifirewall b/minifirewall/files/check_minifirewall
index e14d73f2..bcf70ff8 100644
--- a/minifirewall/files/check_minifirewall
+++ b/minifirewall/files/check_minifirewall
@@ -39,7 +39,7 @@ is_minifirewall_started() {
         if test -x /usr/share/scripts/minifirewall_status; then
             /usr/share/scripts/minifirewall_status > /dev/null
         else
-            /sbin/iptables -L -n | grep -q -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
+            /sbin/iptables -L -n | grep -q -E "^(DROP\s+(udp|17)|ACCEPT\s+(icmp|1)))\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
         fi
     fi
 }
From be03dfcb086bf00978077a1f6bf05cd9b0b2c466 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Thu, 16 Mar 2023 21:36:13 +0100
Subject: [PATCH 3/6] apt: deb822 migration python script is looked relative to shell script

---
 CHANGELOG.md                  | 3 ++-
 apt/files/deb822-migration.sh | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index cd14c099..649f90e0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -17,7 +17,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Changed
 
-minifirewall: support protocols in numeric form
+* apt: deb822 migration python script is looked relative to shell script
+* minifirewall: support protocols in numeric form
 
 ### Fixed
 
diff --git a/apt/files/deb822-migration.sh b/apt/files/deb822-migration.sh
index cffa2f95..4e4a4dbc 100644
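Review bot: The new pattern `^(DROP\s+(udp|17)|ACCEPT\s+(icmp|1)))\s+--…` has one closing parenthesis too many (three groups opened, four closed), so GNU `grep -E` should reject the expression with an "Unmatched )" error and `grep -q` then returns non-zero; `is_minifirewall_started` would report the firewall as down on every host that lacks `/usr/share/scripts/minifirewall_status`. The balanced form this series later uses in `minifirewall_status` is what is wanted here: `/sbin/iptables -L -n | grep -q -E "^(DROP\s+(udp|17)|ACCEPT\s+(icmp|1))\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"`. The body of `is_minifirewall_started` starts before the hunk.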
--- a/apt/files/deb822-migration.sh
+++ b/apt/files/deb822-migration.sh
@@ -3,7 +3,7 @@
 deb822_migrate_script=$(command -v deb822-migration.py)
 
 if [ -z "${deb822_migrate_script}" ]; then
-    deb822_migrate_script="./deb822-migration.py"
+    deb822_migrate_script="$(dirname "$0")/deb822-migration.py"
 fi
 if [ ! -x "${deb822_migrate_script}" ]; then
     >&2 echo "ERROR: '${deb822_migrate_script}' not found or not executable"
From 8bfc4c28bc98674d91671dd2bc2b2b6559120419 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Thu, 16 Mar 2023 21:36:57 +0100
Subject: [PATCH 4/6] listupgrade: remove old typo version of the cron task

---
 CHANGELOG.md               | 1 +
 listupgrade/tasks/main.yml | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 649f90e0..4c32947d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Changed
 
 * apt: deb822 migration python script is looked relative to shell script
+* listupgrade: remove old typo version of the cron task
 * minifirewall: support protocols in numeric form
 
 ### Fixed
diff --git a/listupgrade/tasks/main.yml b/listupgrade/tasks/main.yml
index 2e38ef03..42864806 100644
--- a/listupgrade/tasks/main.yml
+++ b/listupgrade/tasks/main.yml
@@ -58,6 +58,12 @@
     month: "{{ listupgrade_cron_month }}"
     state: "{{ listupgrade_cron_enabled | bool | ternary('present','absent') }}"
 
+- name: Remove old lisupgrade typo
+  cron:
+    name: "lisupgrade.sh"
+    cron_file: "listupgrade"
+    state: absent
+
 - name: old-kernel-autoremoval script is present
   copy:
     src: old-kernel-autoremoval.sh
From edeb5bcfcf20c134ae4e40f8ee09a4eb7f8a2101 Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Thu, 16 Mar 2023 22:00:36 +0100
Subject: [PATCH 5/6] minifirewall also fix minifirewall_status

---
 minifirewall/files/minifirewall_status | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/minifirewall/files/minifirewall_status b/minifirewall/files/minifirewall_status
index 7bf09285..2eec3697 100644
--- a/minifirewall/files/minifirewall_status
+++ b/minifirewall/files/minifirewall_status
@@ -2,7 +2,7 @@
 
 is_started() {
     /sbin/iptables -L -n \
-        | grep -E "^(DROP\s+udp|ACCEPT\s+icmp)\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
+        | grep --quiet --extended-regexp "^(DROP\s+(udp|17)|ACCEPT\s+(icmp|1))\s+--\s+0\.0\.0\.0\/0\s+0\.0\.0\.0\/0\s*$"
 }
 return_started() {
     echo "started"
From fac45cb64da38ae436188a78690bac0ad5a6e60c Mon Sep 17 00:00:00 2001
From: Jeremy Lecour
Date: Thu, 16 Mar 2023 22:17:46 +0100
Subject: [PATCH 6/6] Release 23.03.1

---
 CHANGELOG.md | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4c32947d..edb6c431 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,18 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Added
 
+### Changed
+
+### Fixed
+
+### Removed
+
+### Security
+
+## [23.03.1] 2023-03-16
+
+### Added
+
 * pgbouncer: new role
 
 ### Changed
@@ -21,12 +33,6 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * listupgrade: remove old typo version of the cron task
 * minifirewall: support protocols in numeric form
 
-### Fixed
-
-### Removed
-
-### Security
-
 ## [23.03] 2023-03-16
 
 ### Added