docker/pgpool
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e346bd803bbf50ae0614ccb882c50fdab7bb9a17
pgpool/rootfs/opt/bitnami/scripts/libpgpool.sh
Bernhard Radermacher e346bd803b initial
2026-02-13 12:12:49 +00:00

619 lines
27 KiB
Bash
Raw Blame History

#!/bin/bash
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0
#
# Bitnami Pgpool-II library
# shellcheck disable=SC1090,SC1091
# Load Generic Libraries
. /opt/bitnami/scripts/libfile.sh
. /opt/bitnami/scripts/libfs.sh
. /opt/bitnami/scripts/liblog.sh
. /opt/bitnami/scripts/libnet.sh
. /opt/bitnami/scripts/libos.sh
. /opt/bitnami/scripts/libservice.sh
. /opt/bitnami/scripts/libvalidations.sh
########################
# Validate settings in PGPOOL_* env. variables
# Globals:
# PGPOOL_*
# Arguments:
# None
# Returns:
# None
#########################
pgpool_validate() {
info "Validating settings in PGPOOL_* env vars..."
local error_code=0
# Auxiliary functions
print_validation_error() {
error "$1"
error_code=1
}
if [[ -z "$PGPOOL_ADMIN_USERNAME" ]] || [[ -z "$PGPOOL_ADMIN_PASSWORD" ]]; then
print_validation_error "The Pgpool administrator user's credentials are mandatory. Set the environment variables PGPOOL_ADMIN_USERNAME and PGPOOL_ADMIN_PASSWORD with the Pgpool administrator user's credentials."
fi
if [[ "$PGPOOL_SR_CHECK_PERIOD" -gt 0 ]] && { [[ -z "$PGPOOL_SR_CHECK_USER" ]] || [[ -z "$PGPOOL_SR_CHECK_PASSWORD" ]]; }; then
print_validation_error "The Streaming Replication Check credentials are mandatory. Set the environment variables PGPOOL_SR_CHECK_USER and PGPOOL_SR_CHECK_PASSWORD with the Streaming Replication Check credentials."
fi
if [[ -z "$PGPOOL_HEALTH_CHECK_USER" ]] || [[ -z "$PGPOOL_HEALTH_CHECK_PASSWORD" ]]; then
print_validation_error "The PostgreSQL health check credentials are mandatory. Set the environment variables PGPOOL_HEALTH_CHECK_USER and PGPOOL_HEALTH_CHECK_PASSWORD with the PostgreSQL health check credentials."
fi
if is_boolean_yes "$PGPOOL_ENABLE_LDAP" && { [[ -z "${LDAP_URI}" ]] || [[ -z "${LDAP_BASE}" ]] || [[ -z "${LDAP_BIND_DN}" ]] || [[ -z "${LDAP_BIND_PASSWORD}" ]]; }; then
print_validation_error "The LDAP configuration is required when LDAP authentication is enabled. Set the environment variables LDAP_URI, LDAP_BASE, LDAP_BIND_DN and LDAP_BIND_PASSWORD with the LDAP configuration."
fi
if is_boolean_yes "$PGPOOL_ENABLE_LDAP" && (! is_boolean_yes "$PGPOOL_ENABLE_POOL_HBA" || ! is_boolean_yes "$PGPOOL_ENABLE_POOL_PASSWD"); then
print_validation_error "pool_hba.conf authentication and pool password should be enabled for LDAP to work. Keep the PGPOOL_ENABLE_POOL_HBA and PGPOOL_ENABLE_POOL_PASSWD environment variables set to 'yes'."
fi
if is_boolean_yes "$PGPOOL_ENABLE_POOL_PASSWD" && { [[ -z "$PGPOOL_POSTGRES_USERNAME" ]] || [[ -z "$PGPOOL_POSTGRES_PASSWORD" ]]; }; then
print_validation_error "The administrator's database credentials are required. Set the environment variables PGPOOL_POSTGRES_USERNAME and PGPOOL_POSTGRES_PASSWORD with the administrator's database credentials."
fi
if [[ -z "$PGPOOL_BACKEND_NODES" ]]; then
print_validation_error "The list of backend nodes cannot be empty. Set the environment variable PGPOOL_BACKEND_NODES with a comma separated list of backend nodes."
else
read -r -a nodes <<<"$(tr ',;' ' ' <<<"${PGPOOL_BACKEND_NODES}")"
for node in "${nodes[@]}"; do
read -r -a fields <<<"$(tr ':' ' ' <<<"${node}")"
if [[ -z "${fields[0]:-}" ]]; then
print_validation_error "Error checking entry '$node', the field 'backend number' must be set!"
fi
if [[ -z "${fields[1]:-}" ]]; then
print_validation_error "Error checking entry '$node', the field 'host' must be set!"
fi
done
fi
if is_boolean_yes "$PGPOOL_AUTO_FAILBACK"; then
if [[ -z "$PGPOOL_BACKEND_APPLICATION_NAMES" ]]; then
print_validation_error "The list of backend application names cannot be empty. Set the environment variable PGPOOL_BACKEND_APPLICATION_NAMES with a comma separated list of backend nodes."
fi
read -r -a app_name_list <<<"$(tr ',;' ' ' <<<"${PGPOOL_BACKEND_APPLICATION_NAMES}")"
read -r -a nodes_list <<<"$(tr ',;' ' ' <<<"${PGPOOL_BACKEND_NODES}")"
if [[ ${#app_name_list[@]} -ne ${#nodes_list[@]} ]]; then
print_validation_error "PGPOOL_BACKEND_APPLICATION_NAMES and PGPOOL_BACKEND_NODES lists should have the same length"
fi
fi
if [[ -n "$PGPOOL_USER_CONF_FILE" && ! -e "$PGPOOL_USER_CONF_FILE" ]]; then
print_validation_error "The provided PGPOOL_USER_CONF_FILE: ${PGPOOL_USER_CONF_FILE} must exist."
fi
if [[ -n "$PGPOOL_USER_HBA_FILE" && ! -e "$PGPOOL_USER_HBA_FILE" ]]; then
print_validation_error "The provided PGPOOL_USER_HBA_FILE: ${PGPOOL_USER_HBA_FILE} must exist."
fi
local yes_no_values=("PGPOOL_ENABLE_POOL_HBA" "PGPOOL_ENABLE_POOL_PASSWD" "PGPOOL_ENABLE_LOAD_BALANCING" "PGPOOL_ENABLE_STATEMENT_LOAD_BALANCING" "PGPOOL_ENABLE_CONNECTION_CACHE" "PGPOOL_ENABLE_LOG_CONNECTIONS" "PGPOOL_ENABLE_LOG_HOSTNAME" "PGPOOL_ENABLE_LOG_PCP_PROCESSES" "PGPOOL_ENABLE_LOG_PER_NODE_STATEMENT" "PGPOOL_AUTO_FAILBACK")
for yn in "${yes_no_values[@]}"; do
if ! is_yes_no_value "${!yn}"; then
print_validation_error "The values allowed for $yn are: yes or no"
fi
done
local positive_values=("PGPOOL_NUM_INIT_CHILDREN" "PGPOOL_MAX_POOL" "PGPOOL_CHILD_MAX_CONNECTIONS" "PGPOOL_CHILD_LIFE_TIME" "PGPOOL_CONNECTION_LIFE_TIME" "PGPOOL_CLIENT_IDLE_LIMIT" "PGPOOL_HEALTH_CHECK_PERIOD" "PGPOOL_HEALTH_CHECK_TIMEOUT" "PGPOOL_HEALTH_CHECK_MAX_RETRIES" "PGPOOL_HEALTH_CHECK_RETRY_DELAY" "PGPOOL_RESERVED_CONNECTIONS" "PGPOOL_CONNECT_TIMEOUT" "PGPOOL_HEALTH_CHECK_PSQL_TIMEOUT")
for p in "${positive_values[@]}"; do
if [[ -n "${!p:-}" ]]; then
if ! is_positive_int "${!p}"; then
print_validation_error "The values allowed for $p: integer greater than 0"
fi
fi
done
if ! [[ "$PGPOOL_DISABLE_LOAD_BALANCE_ON_WRITE" =~ ^(off|transaction|trans_transaction|always)$ ]]; then
print_validation_error "The values allowed for PGPOOL_DISABLE_LOAD_BALANCE_ON_WRITE: off,transaction,trans_transaction,always"
fi
if ! is_yes_no_value "$PGPOOL_ENABLE_TLS"; then
print_validation_error "The values allowed for PGPOOL_ENABLE_TLS are: yes or no"
elif is_boolean_yes "$PGPOOL_ENABLE_TLS"; then
# TLS Checks
if [[ -z "$PGPOOL_TLS_CERT_FILE" ]]; then
print_validation_error "You must provide a X.509 certificate in order to use TLS"
elif [[ ! -f "$PGPOOL_TLS_CERT_FILE" ]]; then
print_validation_error "The X.509 certificate file in the specified path ${PGPOOL_TLS_CERT_FILE} does not exist"
fi
if [[ -z "$PGPOOL_TLS_KEY_FILE" ]]; then
print_validation_error "You must provide a private key in order to use TLS"
elif [[ ! -f "$PGPOOL_TLS_KEY_FILE" ]]; then
print_validation_error "The private key file in the specified path ${PGPOOL_TLS_KEY_FILE} does not exist"
fi
if [[ -z "$PGPOOL_TLS_CA_FILE" ]]; then
warn "A CA X.509 certificate was not provided. Client verification will not be performed in TLS connections"
elif [[ ! -f "$PGPOOL_TLS_CA_FILE" ]]; then
print_validation_error "The CA X.509 certificate file in the specified path ${PGPOOL_TLS_CA_FILE} does not exist"
fi
if ! is_yes_no_value "$PGPOOL_TLS_PREFER_SERVER_CIPHERS"; then
print_validation_error "The values allowed for PGPOOL_TLS_PREFER_SERVER_CIPHERS are: yes or no"
fi
fi
# Check for Authentication method
if ! [[ "$PGPOOL_AUTHENTICATION_METHOD" =~ ^(md5|scram-sha-256|trust)$ ]]; then
print_validation_error "The values allowed for PGPOOL_AUTHENTICATION_METHOD: md5,scram-sha-256,trust"
elif [[ "$PGPOOL_AUTHENTICATION_METHOD" = "trust" ]]; then
warn "You set 'trust' as authentication method. For safety reasons, do not use this method in production environments."
fi
# Check for required environment variables for scram-sha-256 based authentication
if [[ "$PGPOOL_AUTHENTICATION_METHOD" = "scram-sha-256" ]]; then
# If scram-sha-256 is enabled, pg_pool_password cannot be disabled
if ! is_boolean_yes "$PGPOOL_ENABLE_POOL_PASSWD"; then
print_validation_error "PGPOOL_ENABLE_POOL_PASSWD cannot be disabled when PGPOOL_AUTHENTICATION_METHOD=scram-sha-256"
fi
fi
# Custom users validations
read -r -a custom_users_list <<<"$(tr ',;' ' ' <<<"${PGPOOL_POSTGRES_CUSTOM_USERS}")"
read -r -a custom_passwords_list <<<"$(tr ',;' ' ' <<<"${PGPOOL_POSTGRES_CUSTOM_PASSWORDS}")"
if [[ ${#custom_users_list[@]} -ne ${#custom_passwords_list[@]} ]]; then
print_validation_error "PGPOOL_POSTGRES_CUSTOM_USERS and PGPOOL_POSTGRES_CUSTOM_PASSWORDS lists should have the same length"
fi
[[ "$error_code" -eq 0 ]] || exit "$error_code"
}
########################
# Returns backend nodes info using PCP
# Globals:
# PGPOOL_*
# Returns:
# String with backend nodes info
#########################
pgpool_nodes_info() {
PCPPASSFILE=$(mktemp /tmp/pcppass-XXXXX)
export PCPPASSFILE
echo "localhost:9898:${PGPOOL_ADMIN_USERNAME}:${PGPOOL_ADMIN_PASSWORD}" >"${PCPPASSFILE}"
pcp_node_info -h localhost -U "${PGPOOL_ADMIN_USERNAME}" -p 9898 -a -w 2> /dev/null
rm -rf "$PCPPASSFILE"
unset PCPPASSFILE
}
########################
# Attach a backend node to Pgpool-II
# Globals:
# PGPOOL_*
# Arguments:
# $1 - node id
# Returns:
# None
#########################
pgpool_attach_node() {
local -r node_id=${1:?node id is missing}
echo "Attaching backend node..."
PCPPASSFILE=$(mktemp /tmp/pcppass-XXXXX)
export PCPPASSFILE
echo "localhost:9898:${PGPOOL_ADMIN_USERNAME}:${PGPOOL_ADMIN_PASSWORD}" >"${PCPPASSFILE}"
pcp_attach_node -h localhost -U "${PGPOOL_ADMIN_USERNAME}" -p 9898 -n "${node_id}" -w
rm -rf "$PCPPASSFILE"
unset PCPPASSFILE
}
########################
# Check Pgpool-II health and attached offline backends when they are online
# Globals:
# PGPOOL_*
# Arguments:
# None
# Returns:
# 0 when healthy
# 1 when unhealthy
#########################
pgpool_healthcheck() {
local backends node_id node_host node_port
# Check backend nodes
if backends="$(pgpool_nodes_info)"; then
# We're not interested in nodes marked as down|down
backends="$(grep -v "down down" <<< "$backends")"
# We should also check whether there are discrepancies between Pgpool-II and the actual primary node
if grep -e "standby primary" -e "primary standby" <<< "$backends" > /dev/null; then
echo "Found inconsistencies in pgpool_status"
return 1
fi
# Look up backends that are marked offline but being up
read -r -a nodes_to_attach <<< "$(grep "down up" <<< "$backends" | awk '{print $1,$2}' | tr ' ' '|' | tr '\n' ' ')"
for node in "${nodes_to_attach[@]}"; do
node_host=$(echo "$node" | awk -F '|' '{print $1}')
node_port=$(echo "$node" | awk -F '|' '{print $2}')
node_id=$(grep "$node_host" "$PGPOOL_CONF_FILE" | awk '{print $1}' | sed 's/^backend_hostname//')
if [[ $(PGCONNECT_TIMEOUT=3 PGPASSWORD="${PGPOOL_POSTGRES_PASSWORD}" psql -U "${PGPOOL_POSTGRES_USERNAME}" \
-d postgres -h "${node_host}" -p "${node_port}" -tA -c "SELECT 1" || true) == 1 ]]; then
# Attach backend if it has come back online
pgpool_attach_node "$node_id"
fi
done
else
echo "unable to list pool nodes"
return 1
fi
# Check if Pgpool-II responds to simple queries
PGCONNECT_TIMEOUT=$PGPOOL_HEALTH_CHECK_PSQL_TIMEOUT PGPASSWORD="$PGPOOL_POSTGRES_PASSWORD" \
psql -U "$PGPOOL_POSTGRES_USERNAME" -d postgres -h "$PGPOOL_TMP_DIR" -p "$PGPOOL_PORT_NUMBER" \
-tA -c "SELECT 1" 2> /dev/null
}
########################
# Create basic pg_hba.conf file
# Globals:
# PGPOOL_*
# Arguments:
# None
# Returns:
# None
#########################
pgpool_create_pghba() {
local all_authentication="$PGPOOL_AUTHENTICATION_METHOD"
is_boolean_yes "$PGPOOL_ENABLE_LDAP" && all_authentication="pam pamservice=pgpool"
local postgres_authentication="scram-sha-256"
# We avoid using 'trust' for the postgres user even if PGPOOL_AUTHENTICATION_METHOD is set to 'trust'
[[ "$PGPOOL_AUTHENTICATION_METHOD" = "md5" ]] && postgres_authentication="md5"
info "Generating pg_hba.conf file..."
local postgres_auth_line=""
if is_boolean_yes "$PGPOOL_ENABLE_POOL_PASSWD"; then
postgres_auth_line="host all ${PGPOOL_POSTGRES_USERNAME} all ${postgres_authentication}"
fi
local sr_check_auth_line=""
if [[ -n "$PGPOOL_SR_CHECK_USER" ]]; then
sr_check_auth_line="host all ${PGPOOL_SR_CHECK_USER} all ${postgres_authentication}"
fi
cat >"$PGPOOL_PGHBA_FILE" <<EOF
local all all trust
EOF
if ! is_empty_value "$PGPOOL_TLS_CA_FILE"; then
cat >>"$PGPOOL_PGHBA_FILE" <<EOF
hostssl all all 0.0.0.0/0 cert
hostssl all all ::/0 cert
EOF
fi
cat >>"$PGPOOL_PGHBA_FILE" <<EOF
${sr_check_auth_line}
${postgres_auth_line}
host all all all ${all_authentication}
EOF
}
########################
# Modify the pgpool.conf file by setting a property
# Globals:
# PGPOOL_*
# Arguments:
# $1 - property
# $2 - value
# $3 - Path to configuration file (default: $PGPOOL_CONF_FILE)
# Returns:
# None
#########################
pgpool_set_property() {
local -r property="${1:?missing property}"
local -r value="${2:-}"
local -r conf_file="${3:-$PGPOOL_CONF_FILE}"
replace_in_file "$conf_file" "^#*\s*${property}\s*=.*" "${property} = '${value}'" false
}
########################
# Add a backend configuration to pgpool.conf file
# Globals:
# PGPOOL_*
# Arguments:
# None
# Returns:
# None
#########################
pgpool_create_backend_config() {
local -r node=${1:?node is missing}
local -r application="${2:-}"
# default values
read -r -a fields <<<"$(tr ':' ' ' <<<"${node}")"
local -r num="${fields[0]:?field num is needed}"
local -r host="${fields[1]:?field host is needed}"
local -r port="${fields[2]:-5432}"
local -r weight="${fields[3]:-1}"
local -r dir="${fields[4]:-$PGPOOL_DATA_DIR}"
local -r flag="${fields[5]:-ALLOW_TO_FAILOVER}"
debug "Adding '$host' information to the configuration..."
cat >>"$PGPOOL_CONF_FILE" <<EOF
backend_hostname$num = '$host'
backend_port$num = $port
backend_weight$num = $weight
backend_data_directory$num = '$dir'
backend_flag$num = '$flag'
EOF
if [[ -n "$application" ]]; then
cat >>"$PGPOOL_CONF_FILE" <<EOF
backend_application_name$num = '$application'
EOF
fi
}
########################
# Create basic pgpool.conf file using the example provided in the etc/ folder
# Globals:
# PGPOOL_*
# Arguments:
# None
# Returns:
# None
#########################
pgpool_create_config() {
local pool_passwd=""
local i=0
if is_boolean_yes "$PGPOOL_ENABLE_POOL_PASSWD"; then
pool_passwd="$PGPOOL_PASSWD_FILE"
else
# Specifying '' (empty) disables the use of password file.
# ref: https://www.pgpool.net/docs/latest/en/html/runtime-config-connection.html#GUC-POOL-PASSWD
pool_passwd=""
fi
info "Generating pgpool.conf file..."
# Configuring Pgpool-II to use the streaming replication mode since it's the recommended way
# ref: http://www.pgpool.net/docs/latest/en/html/configuring-pgpool.html
cp "${PGPOOL_BASE_DIR}/etc/pgpool.conf.sample" "$PGPOOL_CONF_FILE"
# Working directory
pgpool_set_property "work_dir" "$PGPOOL_WORK_DIR"
# Connection settings
# ref: http://www.pgpool.net/docs/latest/en/html/runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-SETTINGS
pgpool_set_property "listen_addresses" "*"
pgpool_set_property "port" "$PGPOOL_PORT_NUMBER"
pgpool_set_property "unix_socket_directories" "$PGPOOL_TMP_DIR"
pgpool_set_property "pcp_socket_dir" "$PGPOOL_TMP_DIR"
# Connection Pooling settings
# http://www.pgpool.net/docs/latest/en/html/runtime-config-connection-pooling.html
[[ -n "${PGPOOL_NUM_INIT_CHILDREN:-}" ]] && pgpool_set_property "num_init_children" "$PGPOOL_NUM_INIT_CHILDREN"
[[ -n "${PGPOOL_RESERVED_CONNECTIONS:-}" ]] && pgpool_set_property "reserved_connections" "$PGPOOL_RESERVED_CONNECTIONS"
pgpool_set_property "max_pool" "$PGPOOL_MAX_POOL"
[[ -n "${PGPOOL_CHILD_MAX_CONNECTIONS:-}" ]] && pgpool_set_property "child_max_connections" "$PGPOOL_CHILD_MAX_CONNECTIONS"
[[ -n "${PGPOOL_CHILD_LIFE_TIME:-}" ]] && pgpool_set_property "child_life_time" "$PGPOOL_CHILD_LIFE_TIME"
pgpool_set_property "connection_cache" "$(is_boolean_yes "$PGPOOL_ENABLE_CONNECTION_CACHE" && echo "on" || echo "off")"
[[ -n "${PGPOOL_CONNECTION_LIFE_TIME:-}" ]] && pgpool_set_property "connection_life_time" "$PGPOOL_CONNECTION_LIFE_TIME"
[[ -n "${PGPOOL_CLIENT_IDLE_LIMIT-}" ]] && pgpool_set_property "client_idle_limit" "$PGPOOL_CLIENT_IDLE_LIMIT"
# Logging settings
# https://www.pgpool.net/docs/latest/en/html/runtime-config-logging.html
pgpool_set_property "log_connections" "$(is_boolean_yes "$PGPOOL_ENABLE_LOG_CONNECTIONS" && echo "on" || echo "off")"
pgpool_set_property "log_hostname" "$(is_boolean_yes "$PGPOOL_ENABLE_LOG_HOSTNAME" && echo "on" || echo "off")"
pgpool_set_property "log_pcp_processes" "$(is_boolean_yes "$PGPOOL_ENABLE_LOG_PCP_PROCESSES" && echo "on" || echo "off")"
pgpool_set_property "log_per_node_statement" "$(is_boolean_yes "$PGPOOL_ENABLE_LOG_PER_NODE_STATEMENT" && echo "on" || echo "off")"
[[ -n "${PGPOOL_LOG_LINE_PREFIX:-}" ]] && pgpool_set_property "log_line_prefix" "$PGPOOL_LOG_LINE_PREFIX"
[[ -n "${PGPOOL_CLIENT_MIN_MESSAGES:-}" ]] && pgpool_set_property "client_min_messages" "$PGPOOL_CLIENT_MIN_MESSAGES"
# Authentication settings
# ref: http://www.pgpool.net/docs/latest/en/html/runtime-config-connection.html#RUNTIME-CONFIG-AUTHENTICATION-SETTINGS
pgpool_set_property "enable_pool_hba" "$(is_boolean_yes "$PGPOOL_ENABLE_POOL_HBA" && echo "on" || echo "off")"
# ref: https://www.pgpool.net/docs/latest/en/html/runtime-config-connection.html#GUC-ALLOW-CLEAR-TEXT-FRONTEND-AUTH
if ! is_boolean_yes "$PGPOOL_ENABLE_POOL_HBA" || [[ "$PGPOOL_AUTHENTICATION_METHOD" = "trust" ]]; then
pgpool_set_property "allow_clear_text_frontend_auth" "on"
else
pgpool_set_property "allow_clear_text_frontend_auth" "off"
fi
pgpool_set_property "pool_passwd" "$pool_passwd"
pgpool_set_property "authentication_timeout" "30"
# File Locations settings
pgpool_set_property "pid_file_name" "$PGPOOL_PID_FILE"
pgpool_set_property "logdir" "$PGPOOL_LOG_DIR"
# Load Balancing settings
# https://www.pgpool.net/docs/latest/en/html/runtime-config-load-balancing.html
pgpool_set_property "load_balance_mode" "$(is_boolean_yes "$PGPOOL_ENABLE_LOAD_BALANCING" && echo "on" || echo "off")"
pgpool_set_property "black_function_list" "nextval,setval"
pgpool_set_property "statement_level_load_balance" "$(is_boolean_yes "$PGPOOL_ENABLE_STATEMENT_LOAD_BALANCING" && echo "on" || echo "off")"
# Streaming Replication Check settings
# https://www.pgpool.net/docs/latest/en/html/runtime-streaming-replication-check.html
pgpool_set_property "sr_check_user" "$PGPOOL_SR_CHECK_USER"
pgpool_set_property "sr_check_password" "$(pgpool_encrypt_password ${PGPOOL_SR_CHECK_PASSWORD})"
pgpool_set_property "sr_check_period" "$PGPOOL_SR_CHECK_PERIOD"
pgpool_set_property "sr_check_database" "$PGPOOL_SR_CHECK_DATABASE"
# Healthcheck per node settings
# https://www.pgpool.net/docs/latest/en/html/runtime-config-health-check.html
pgpool_set_property "health_check_period" "$PGPOOL_HEALTH_CHECK_PERIOD"
pgpool_set_property "health_check_timeout" "$PGPOOL_HEALTH_CHECK_TIMEOUT"
pgpool_set_property "health_check_user" "$PGPOOL_HEALTH_CHECK_USER"
pgpool_set_property "health_check_password" "$(pgpool_encrypt_password ${PGPOOL_HEALTH_CHECK_PASSWORD})"
pgpool_set_property "health_check_max_retries" "$PGPOOL_HEALTH_CHECK_MAX_RETRIES"
pgpool_set_property "health_check_retry_delay" "$PGPOOL_HEALTH_CHECK_RETRY_DELAY"
pgpool_set_property "connect_timeout" "$PGPOOL_CONNECT_TIMEOUT"
# Failover settings
pgpool_set_property "failover_command" "echo \">>> Failover - that will initialize new primary node search!\""
pgpool_set_property "failover_on_backend_error" "$PGPOOL_FAILOVER_ON_BACKEND_ERROR"
pgpool_set_property "failover_on_backend_shutdown" "$PGPOOL_FAILOVER_ON_BACKEND_SHUTDOWN"
# Keeps searching for a primary node forever when a failover occurs
pgpool_set_property "search_primary_node_timeout" "0"
pgpool_set_property "disable_load_balance_on_write" "$PGPOOL_DISABLE_LOAD_BALANCE_ON_WRITE"
# SSL settings
# https://www.pgpool.net/docs/latest/en/html/runtime-ssl.html
if is_boolean_yes "$PGPOOL_ENABLE_TLS"; then
chmod 600 "$PGPOOL_TLS_KEY_FILE" || warn "Could not set compulsory permissions (600) on file ${PGPOOL_TLS_KEY_FILE}"
pgpool_set_property "ssl" "on"
# Server ciphers are preferred by default
! is_boolean_yes "$PGPOOL_TLS_PREFER_SERVER_CIPHERS" && pgpool_set_property "ssl_prefer_server_ciphers" "off"
[[ -n $PGPOOL_TLS_CA_FILE ]] && pgpool_set_property "ssl_ca_cert" "$PGPOOL_TLS_CA_FILE"
pgpool_set_property "ssl_cert" "$PGPOOL_TLS_CERT_FILE"
pgpool_set_property "ssl_key" "$PGPOOL_TLS_KEY_FILE"
fi
# Backend settings
read -r -a nodes <<<"$(tr ',;' ' ' <<<"${PGPOOL_BACKEND_NODES}")"
if is_boolean_yes "$PGPOOL_AUTO_FAILBACK"; then
pgpool_set_property "auto_failback" "on"
read -r -a app_name <<<"$(tr ',;' ' ' <<<"${PGPOOL_BACKEND_APPLICATION_NAMES}")"
fi
for node in "${nodes[@]}"; do
pgpool_create_backend_config "$node" "$(is_boolean_yes "$PGPOOL_AUTO_FAILBACK" && echo "${app_name[i]}")"
((i += 1))
done
if [[ -f "$PGPOOL_USER_CONF_FILE" ]]; then
info "Custom configuration '$PGPOOL_USER_CONF_FILE' detected!. Adding it to the configuration file."
cat "$PGPOOL_USER_CONF_FILE" >>"$PGPOOL_CONF_FILE"
fi
if [[ -f "$PGPOOL_USER_HBA_FILE" ]]; then
info "Custom configuration '$PGPOOL_USER_HBA_FILE' detected!. Overwriting the generated hba file."
cat "$PGPOOL_USER_HBA_FILE" >"$PGPOOL_PGHBA_FILE"
fi
}
########################
# Execute postgresql encrypt command
# Globals:
# PGPOOL_*
# Arguments:
# $@ - Command to execute
# Returns:
# String
#########################
pgpool_encrypt_execute() {
local -a password_encryption_cmd=("pg_md5")
# If authentication method for 'all' users is 'trust', we still use
# pg_enc to generate encrypted passwords for 'postgres' and 'sr_check' users
if [[ "$PGPOOL_AUTHENTICATION_METHOD" =~ ^(scram-sha-256|trust)$ ]]; then
if is_file_writable "$PGPOOLKEYFILE"; then
# Creating a PGPOOLKEYFILE as it is writeable
echo "$PGPOOL_AES_KEY" > "$PGPOOLKEYFILE"
# Fix permissions for PGPOOLKEYFILE
chmod 0600 "$PGPOOLKEYFILE"
fi
password_encryption_cmd=("pg_enc" "--key-file=${PGPOOLKEYFILE}")
fi
"${password_encryption_cmd[@]}" "$@"
}
########################
# Generates a password file for local authentication
# Globals:
# PGPOOL_*
# Arguments:
# None
# Returns:
# None
#########################
pgpool_generate_password_file() {
if is_boolean_yes "$PGPOOL_ENABLE_POOL_PASSWD"; then
info "Generating password file for local authentication..."
debug_execute pgpool_encrypt_execute -m --config-file="$PGPOOL_CONF_FILE" -u "$PGPOOL_POSTGRES_USERNAME" "$PGPOOL_POSTGRES_PASSWORD"
if [[ -n "$PGPOOL_SR_CHECK_USER" ]]; then
debug_execute pgpool_encrypt_execute -m --config-file="$PGPOOL_CONF_FILE" -u "$PGPOOL_SR_CHECK_USER" "$PGPOOL_SR_CHECK_PASSWORD"
fi
if [[ -n "${PGPOOL_POSTGRES_CUSTOM_USERS}" ]]; then
read -r -a custom_users_list <<<"$(tr ',;' ' ' <<<"${PGPOOL_POSTGRES_CUSTOM_USERS}")"
read -r -a custom_passwords_list <<<"$(tr ',;' ' ' <<<"${PGPOOL_POSTGRES_CUSTOM_PASSWORDS}")"
local index=0
for user in "${custom_users_list[@]}"; do
debug_execute pgpool_encrypt_execute -m --config-file="$PGPOOL_CONF_FILE" -u "$user" "${custom_passwords_list[$index]}"
((index += 1))
done
fi
else
info "Skip generating password file due to PGPOOL_ENABLE_POOL_PASSWD = no"
fi
}
########################
# Encrypts a password
# Globals:
# PGPOOL_*
# Arguments:
# $1 - password
# Returns:
# String
#########################
pgpool_encrypt_password() {
local -r password="${1:?missing password}"
if [[ "$PGPOOL_AUTHENTICATION_METHOD" =~ ^(scram-sha-256|trust)$ ]]; then
pgpool_encrypt_execute "$password" | grep -o -E "AES.+" | tr -d '\n'
else
pgpool_encrypt_execute "$password" | tr -d '\n'
fi
}
########################
# Run custom initialization scripts
# Globals:
# PGPOOL_*
# Arguments:
# None
# Returns:
# None
#########################
pgpool_custom_init_scripts() {
if [[ -n $(find "$PGPOOL_INITSCRIPTS_DIR/" -type f -name "*.sh") ]]; then
info "Loading user's custom files from $PGPOOL_INITSCRIPTS_DIR ..."
find "$PGPOOL_INITSCRIPTS_DIR/" -type f -name "*.sh" | sort | while read -r f; do
if [[ -x "$f" ]]; then
debug "Executing $f"
"$f"
else
debug "Sourcing $f"
. "$f"
fi
done
fi
}
########################
# Generate a password file for pgpool admin user
# Globals:
# PGPOOL_*
# Arguments:
# None
# Returns:
# None
#########################
pgpool_generate_admin_password_file() {
info "Generating password file for pgpool admin user..."
local passwd
passwd=$(pg_md5 "$PGPOOL_ADMIN_PASSWORD")
cat >>"$PGPOOL_PCP_CONF_FILE" <<EOF
$PGPOOL_ADMIN_USERNAME:$passwd
EOF
}
########################
# Ensure Pgpool is initialized
# Globals:
# PGPOOL_*
# Arguments:
# None
# Returns:
# None
#########################
pgpool_initialize() {
info "Initializing Pgpool-II..."
# This fixes an issue where the trap would kill the entrypoint.sh, if a PID was left over from a previous run
# Exec replaces the process without creating a new one, and when the container is restarted it may have the same PID
rm -f "$PGPOOL_PID_FILE"
# Configuring permissions for tmp, logs and data folders
am_i_root && configure_permissions_ownership "$PGPOOL_TMP_DIR $PGPOOL_LOG_DIR" -u "$PGPOOL_DAEMON_USER" -g "$PGPOOL_DAEMON_GROUP"
am_i_root && configure_permissions_ownership "$PGPOOL_DATA_DIR" -u "$PGPOOL_DAEMON_USER" -g "$PGPOOL_DAEMON_GROUP" -d "755" -f "644"
pgpool_create_pghba
pgpool_create_config
pgpool_generate_password_file
pgpool_generate_admin_password_file
}
Reference in New Issue View Git Blame Copy Permalink