2017-10-19 159 views
3

.pgpass does not seem to work. Could you check my settings? Can I use .pgpass with SELinux? [centos7, pgagent_96, postgresql 9.6.5]

OS : centos 7 (I did NOT disable selinux) 

Database : postgresql 9.6.5 

pgagent : pgagent_96 3.4.0-9.rhel7 (installed package using yum) 
  1. I logged in to the CentOS server as user 'frank'.
  2. Before starting pgagent, I checked pgagent's status. (I have not enabled the pgagent_96 service.)

    [[email protected]]$ systemctl status pgagent_96.service 
    
    ● pgagent_96.service - PgAgent for PostgreSQL 9.6 
    
    Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled) 
    Active: inactive (dead) 
    
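  3. I started pgagent. At first it looked successful, but after a few tens of seconds it failed to establish a connection and died. (When starting, CentOS asked me for frank's OS password.)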

    [[email protected]]$ systemctl start pgagent_96.service 
    [[email protected]]$ systemctl status pgagent_96.service 
    ● pgagent_96.service - PgAgent for PostgreSQL 9.6 
        Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled) 
        Active: active (running) since 2017-10-16 16:42:11 KST; 5s ago 
        Process: 9507 ExecStart=/usr/bin/pgagent_96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBNAME} user=${DBUSER} port=${DBPORT} (code=exited, status=0/SUCCESS) 
    Main PID: 9510 (pgagent_96) 
        CGroup: /system.slice/pgagent_96.service 
        └─9510 /usr/bin/pgagent_96 -s /var/log/pgagent_96.log hostaddr=127.0.0.1 dbname=postgres user=postgres port=5432 
    
    16 Oct 16:42:11 web.frank.net systemd[1]: Starting PgAgent for PostgreSQL 9.6... 
    16 Oct 16:42:11 web.frank.net systemd[1]: Started PgAgent for PostgreSQL 9.6. 
    

(A few tens of seconds later...)

    [[email protected]]$ systemctl status pgagent_96.service 
    ● pgagent_96.service - PgAgent for PostgreSQL 9.6 
     Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled) 
     Active: failed (Result: exit-code) since 2017-10-16 16:42:56 KST; 4min 9s ago 
     Process: 9507 ExecStart=/usr/bin/pgagent_96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBNAME} user=${DBUSER} port=${DBPORT} (code=exited, status=0/SUCCESS) 
    Main PID: 9510 (code=exited, status=1/FAILURE) 

    16 Oct 16:42:11 web.frank.net systemd[1]: Starting PgAgent for PostgreSQL 9.6... 
    16 Oct 16:42:11 web.frank.net systemd[1]: Started PgAgent for PostgreSQL 9.6. 
    16 Oct 16:42:56 web.frank.net systemd[1]: pgagent_96.service: main process exited, code=exited, status=1/FAILURE 
    16 Oct 16:42:56 web.frank.net systemd[1]: Unit pgagent_96.service entered failed state. 
    16 Oct 16:42:56 web.frank.net systemd[1]: pgagent_96.service failed. 
  • I checked the log. (Logged in /var/log/pgagent_96.log)

    WARNING: Couldn't create the primary connection (attempt 1): fe_sendauth: no password supplied 
    WARNING: Couldn't create the primary connection (attempt 2): fe_sendauth: no password supplied 
    WARNING: Couldn't create the primary connection (attempt 3): fe_sendauth: no password supplied 
    WARNING: Couldn't create the primary connection (attempt 4): fe_sendauth: no password supplied 
    WARNING: Couldn't create the primary connection (attempt 5): fe_sendauth: no password supplied 
    WARNING: Couldn't create the primary connection (attempt 6): fe_sendauth: no password supplied 
    WARNING: Couldn't create the primary connection (attempt 7): fe_sendauth: no password supplied 
    WARNING: Couldn't create the primary connection (attempt 8): fe_sendauth: no password supplied 
    WARNING: Couldn't create the primary connection (attempt 9): fe_sendauth: no password supplied 
    WARNING: Couldn't create the primary connection (attempt 10): fe_sendauth: no password supplied 
    ERROR: Stopping pgAgent: Couldn't establish the primary connection with the database server. 
    
  • I checked my .pgpass file. (.pgpass is in frank's home directory, /home/frank.)

    [[email protected]]$ ls -alZ .pgpass 
    -rw-------. frank frank unconfined_u:object_r:user_home_t:s0 .pgpass 
    [[email protected]]$ ls -al .pgpass 
    -rw-------. 1 frank frank 43 16 Oct 16:23 .pgpass 
    [[email protected]]$ id -Z 
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
    [[email protected]]$ id 
    uid=1000(frank) gid=1000(frank) groups=1000(frank),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
    
  • I checked my pg_hba.conf.

    [[email protected]]$ su - postgres 
    -bash-4.2$ pwd 
    /var/lib/pgsql/9.6/data 
    -bash-4.2$ ls -alZ pg_hba.conf 
    -rw-------. postgres postgres unconfined_u:object_r:postgresql_db_t:s0 pg_hba.conf(pg_hba.conf) 
    
  • [Contents of pg_hba.conf]

    # TYPE DATABASE  USER   ADDRESS     METHOD 
    # "local" is for Unix domain socket connections only 
    #local all    all          peer 
    local all    all        md5 
    
    # IPv4 local connections: 
    #host all    all    127.0.0.1/32   ident 
    host all all 122.32.2.21/32  md5 (122.32.2.21 is my server's IP) 
    
    # IPv6 local connections: 
    #host all    all    ::1/128     ident 
    host all    all    ::1/128     md5 
    
    # Allow replication connections from localhost, by a user with the 
    # replication privilege. 
    #local replication  postgres        peer 
    #host replication  postgres  127.0.0.1/32   ident 
    #host replication  postgres  ::1/128     ident 
    
  • I changed the postgres user's password like this.

    postgres=# ALTER USER postgres WITH PASSWORD 'pwd'; 
    
  • Contents of the .pgpass file.

    localhost:5432:postgres:postgres:pwd 
    
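  • I changed the owner and group of .pgpass from frank to postgres, but the result was the same. I tested the same contents with the OS users 'root' (/root), 'postgres' (/var/lib/pgsql) and two other ordinary users whose home directories are under /home.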

  • (1) Tried to start as OS user 'root'

    [[email protected] frank]# ls -al .pgpass 
        -rw-------. 1 postgres postgres 43 10월 16 17:08 .pgpass 
        [[email protected] frank]# ls -alZ .pgpass 
        -rw-------. postgres postgres unconfined_u:object_r:user_home_t:s0 .pgpass 
        [[email protected] frank]# cat .pgpass 
        localhost:5432:postgres:postgres:pwd 
        [[email protected] frank]# systemctl start pgagent_96  (Here, centos asked frank's OS password) 
        [[email protected] frank]# systemctl status pgagent_96 
        ● pgagent_96.service - PgAgent for PostgreSQL 9.6 
         Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled) 
         Active: failed (Result: exit-code) since 2017-10-16 23:33:15 KST; 3s ago 
         Process: 25928 ExecStart=/usr/bin/pgagent_96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBNAME} user=${DBUSER} port=${DBPORT} (code=exited, status=0/SUCCESS) 
        Main PID: 25930 (code=exited, status=1/FAILURE) 
    
        16 Oct 23:32:30 web.frank.net systemd[1]: Starting PgAgent for Postgre.... 
        16 Oct 23:32:30 web.frank.net systemd[1]: Started PgAgent for PostgreS.... 
        16 Oct 23:33:15 web.frank.net systemd[1]: pgagent_96.service: main pro...E 
        16 Oct 23:33:15 web.frank.net systemd[1]: Unit pgagent_96.service ente.... 
        16 Oct 23:33:15 web.frank.net systemd[1]: pgagent_96.service failed. 
        Hint: Some lines were ellipsized, use -l to show in full. 
    

    (2) Tried to start as OS user 'frank'

    [[email protected] ~]$ systemctl start pgagent_96 (Here, centos asked frank's OS password) 
        [[email protected] ~]$ systemctl status pgagent_96 
        ● pgagent_96.service - PgAgent for PostgreSQL 9.6 
         Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled) 
         Active: failed (Result: exit-code) since 월 2017-10-16 23:41:03 KST; 1min 21s ago 
         Process: 26531 ExecStart=/usr/bin/pgagent_96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBNAME} user=${DBUSER} port=${DBPORT} (code=exited, status=0/SUCCESS) 
        Main PID: 26533 (code=exited, status=1/FAILURE) 
    
        16 Oct 23:40:18 web.frank.net systemd[1]: Starting PgAgent for Postgre.... 
        16 Oct 23:40:18 web.frank.net systemd[1]: Started PgAgent for PostgreS.... 
        16 Oct 23:41:03 web.frank.net systemd[1]: pgagent_96.service: main pro...E 
        16 Oct 23:41:03 web.frank.net systemd[1]: Unit pgagent_96.service ente.... 
        16 Oct 23:41:03 web.frank.net systemd[1]: pgagent_96.service failed. 
        Hint: Some lines were ellipsized, use -l to show in full. 
    

    (3) Tried to start as OS user 'postgres'

    -bash-4.2$ systemctl start pgagent_96  (Here, centos asked frank's OS password) 
        -bash-4.2$ systemctl status pgagent_96 
        ● pgagent_96.service - PgAgent for PostgreSQL 9.6 
         Loaded: loaded (/usr/lib/systemd/system/pgagent_96.service; disabled; vendor preset: disabled) 
         Active: failed (Result: exit-code) since 월 2017-10-16 23:54:22 KST; 21s ago 
         Process: 27511 ExecStart=/usr/bin/pgagent_96 -s ${LOGFILE} hostaddr=${DBHOST} dbname=${DBNAME} user=${DBUSER} port=${DBPORT} (code=exited, status=0/SUCCESS) 
        Main PID: 27515 (code=exited, status=1/FAILURE) 
    

    (4) Security contexts of 'root', 'frank' and 'postgres'

    (root)

    [[email protected] ~]# id 
    uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
    

    (frank)

    [[email protected] ~]$ id 
    uid=1000(frank) gid=1000(frank) groups=1000(frank),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
    

    (postgres)

    -bash-4.2$ id 
    uid=26(postgres) gid=26(postgres) groups=26(postgres) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
    
  • Of course, I can log in to the database like this. But I cannot use the .pgpass file.

    [[email protected] bin]# su - postgres 
    -bash-4.2$ psql -h localhost -U postgres 
    psql (9.6.5) 
    postgres=# 
    
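  • At the moment, I think this problem may be related to the security context of .pgpass. pgagent_96 or systemd may not be allowed to read the .pgpass file... (just my guess ^^) I checked whether pgagent_96 or systemd can read .pgpass.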

  • (1) I set the PGPASSFILE variable in /etc/profile. [Contents of /etc/profile]

    export PGDATA=/var/lib/pgsql/9.6/data 
    export PGPASSFILE=/var/lib/pgsql/.pgpass 
    

    (2) I tried to start pgagent_96 after changing the .pgpass context type from user_home_t to postgresql_db_t, bin_t and usr_t. But I got the same error.

    -bash-4.2$ echo $PGPASSFILE 
    /var/lib/pgsql/.pgpass 
    -bash-4.2$ ls -alZ .pgpass 
    -rw-------. postgres postgres unconfined_u:object_r:postgresql_db_t:s0 .pgpass 
    -bash-4.2$ systemctl start pgagent_96 
        ====> failed to start pgAgent_96. same error. 
    -bash-4.2$ chcon --type bin_t .pgpass 
    -bash-4.2$ ls -alZ .pgpass 
    -rw-------. postgres postgres unconfined_u:object_r:bin_t:s0 .pgpass 
    -bash-4.2$ systemctl start pgagent_96 
        ====> failed to start pgAgent_96. same error. 
    -bash-4.2$ chcon --type usr_t .pgpass 
    -bash-4.2$ ls -alZ .pgpass 
    -rw-------. postgres postgres unconfined_u:object_r:usr_t:s0 .pgpass 
    -bash-4.2$ systemctl start pgagent_96 
        ====> failed to start pgAgent_96. same error. 
    

    [Security contexts of pgagent_96, systemd and the pg_hba.conf file]

    [[email protected] frank]# ls -alZ /usr/bin/pgagent_96 
    -rwxr-xr-x. root root system_u:object_r:bin_t:s0 /usr/bin/pgagent_96 
    [[email protected] frank]# ls -alZ /usr/lib/systemd/systemd 
    -rwxr-xr-x. root root system_u:object_r:init_exec_t:s0 /usr/lib/systemd/systemd 
    [[email protected] frank]# ls -alZ /var/lib/pgsql/9.6/data/pg_hba.conf 
    -rw-------. postgres postgres unconfined_u:object_r:postgresql_db_t:s0 /var/lib/pgsql/9.6/data/pg_hba.conf 
    

    Now I don't know what I should try. Please help me...

    UPDATE

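  • I installed PostgreSQL 10 and pgagent_10, but the result is the same... I want to start pgagent with the systemctl command. I am going to enable the pgagent service so that pgagent starts automatically.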
  • Answer

    0

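    I had the same problem with CentOS 7. My solution for you is:
    First, check some variables in the service script:

    cat /usr/lib/systemd/system/pgagent_96.service

    1) By default User=pgagent Group=pgagent - this is the owner/group for the .pgpass file,
    you need to set
    chown pgagent:pgagent .pgpass
    chmod 0600 .pgpass
    2) Next, move the .pgpass file to a directory where the user pgagent can read the file
    (/home/frank is not readable by user pgagent; please try, for example, your postgres install dir /var/lib/pgsql/9.6 or /var/lib/pgsql)
    3) Check the location variable of the pgagent_96 config,
    by default EnvironmentFile=/etc/pgagent/pgagent_96.conf - you need to edit this file.

    Next, open pgagent_96.conf in an editor and make these changes:
    a) change the value of the variable DBHOST=localhost (this is important)
    b) add the variable PGPASSFILE=/path/your/pgpasfile/.pgpass (PGPASSFILE=/var/lib/pgsql/.pgpass)

    In my case, pgagent started working without problems.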

    +0

    Could you add an explanation of why you think this is the solution to the problem? –

    +0

    In my experience, the pgagent hostaddr variable and the hostname in the .pgpass file must have the same value. In my case, I set it to localhost. – Serge
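
Added example, not part of the original question or answer: a shell check of the two conditions the thread turns on, the password file's mode and whether any `.pgpass` line matches the host string the client is given (the comparison is textual, so `localhost` and `127.0.0.1` are different keys). It assumes GNU `stat` and `awk`; the function names `pgpass_mode_ok`, `pgpass_lookup` and `make_sample` are made up here, and the sample file is constructed from the entry shown in the question.

```sh
#!/bin/sh
# Added example (not from the post): reproduce the documented .pgpass rules.

# pgpass_mode_ok FILE: succeed only if FILE has no group/other permission bits.
# libpq ignores a password file whose permissions are less strict than 0600.
pgpass_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 2   # GNU stat, as on CentOS
    case "$mode" in
        *[1-7]|*[1-7]?) return 1 ;;         # "other" or "group" digit non-zero
        *) return 0 ;;
    esac
}

# pgpass_lookup FILE HOST PORT DB USER: print the password of the first
# matching line; exit status 1 if none matches. Each of the first four fields
# may be the wildcard "*"; "\:" and "\\" are escapes; "#" starts a comment.
pgpass_lookup() {
    awk -v h="$2" -v p="$3" -v d="$4" -v u="$5" '
    function ok(pat, val) { return pat == "*" || pat == val }
    /^#/ || /^$/ { next }
    {
        n = 1; f[1] = ""
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "\\" && i < length($0)) f[n] = f[n] substr($0, ++i, 1)
            else if (c == ":" && n < 5) f[++n] = ""
            else f[n] = f[n] c
        }
        if (n == 5 && ok(f[1], h) && ok(f[2], p) && ok(f[3], d) && ok(f[4], u)) {
            print f[5]; found = 1; exit
        }
    }
    END { exit !found }' "$1"
}

# Constructed sample file holding the single entry shown in the question.
make_sample() {
    s=$(mktemp) && chmod 600 "$s" &&
        printf '%s\n' '# host:port:db:user:password' \
            'localhost:5432:postgres:postgres:pwd' > "$s" && echo "$s"
}

sample=$(make_sample)
pgpass_mode_ok "$sample" && echo "mode ok"
pgpass_lookup "$sample" localhost 5432 postgres postgres
pgpass_lookup "$sample" 127.0.0.1 5432 postgres postgres ||
    echo "no entry matches host 127.0.0.1"
rm -f "$sample"
```

Run the two functions as the account named in the unit file's `User=` line, against the file that `PGPASSFILE` points to, since that is the account that has to read it.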
