From: | PG Bug reporting form <noreply(at)postgresql(dot)org> |
---|---|
To: | pgsql-bugs(at)lists(dot)postgresql(dot)org |
Cc: | mattwelchwork(at)gmail(dot)com |
Subject: | BUG #16955: Replication port problems |
Date: | 2021-04-08 13:53:45 |
Message-ID: | 16955-354a52705465f672@postgresql.org |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs |
The following bug has been logged on the website:
Bug reference: 16955
Logged by: Matt Welch
Email address: mattwelchwork(at)gmail(dot)com
PostgreSQL version: 12.5
Operating system: centos 08
Description:
While creating a async replication arrangement, I hit an unexpected issue
regarding ports
Primary server : 192.168.9.9, postgres running on port 5123
Secondary server : 192.168.9.20 postgres running on port 5121
created a replication user on primary : createuser --replication --pwprompt
--port=5121 repuser01
set up pg_hba.conf : host replication repuser01 192.168.9.1/24 md5
On the secondary, created the cluster folders and files using pg_basebackup
pointing to primary :
pg_basebackup --host 192.168.9.9 --port=5123 --pgdata=/var/lib/pgsql/data01
--username=repuser01 --progress --verbose --write-recovery-conf
--wal-method=stream --create-slot --slot=centos08_010_03
Resulting postgres.auto.conf file - note change of listening port for
standby cluster to 5121:
# Do not edit this file manually!
# It will be overwritten by the ALTER SYSTEM command.
listen_addresses = '*'
port = 5121
max_worker_processes = 2
max_parallel_workers = 2
autovacuum_max_workers = 2
archive_mode = 'on'
archive_command = '/usr/local/bin/pg_ssnc_archive.sh 03 %f %p'
primary_conninfo = 'user=repuser01 password=q1w2e3r4 channel_binding=prefer
host=192.168.9.9 port=5123 sslmode=prefer sslcompression=0
ssl_min_protocol_version=TLSv1.2 gssencmode=prefer krbsrvname=postgres
target_session_attrs=any'
primary_slot_name = 'centos08_010_03'
systemctl start postgresql(at)general01(dot)service
[root(at)centos08-010 ~]# systemctl status postgresql(at)general01(dot)service
● postgresql(at)general01(dot)service - PostgreSQL database server
Loaded: loaded (/usr/lib/systemd/system/postgresql(at)(dot)service; enabled;
vendor preset: disabled)
Drop-In: /etc/systemd/system/postgresql(at)general01(dot)service(dot)d
└─30-postgresql-setup.conf
Active: active (running) since Thu 2021-04-08 14:24:00 BST; 16s ago
Process: 12927 ExecStartPre=/usr/libexec/postgresql-check-db-dir
postgresql(at)general01 (code=exited, status=0/SUCCESS)
Main PID: 12930 (postmaster)
Tasks: 6 (limit: 49340)
Memory: 4.4M
CGroup:
/system.slice/system-postgresql.slice/postgresql(at)general01(dot)service
├─12930 /usr/bin/postmaster -D /var/lib/pgsql/data01
├─12931 postgres: logger
├─12932 postgres: startup waiting for
0000000200000000000000C1
├─12933 postgres: checkpointer
├─12934 postgres: background writer
└─12935 postgres: stats collector
Apr 08 14:23:58 centos08-010 systemd[1]: Starting PostgreSQL database
server...
Apr 08 14:23:59 centos08-010 postmaster[12930]: 2021-04-08 14:23:59.407 BST
[12930] LOG: starting PostgreSQL 12.5 on x86_64-redhat-linux-gnu, compiled
by gcc (GCC) 8.4.1 20>
Apr 08 14:23:59 centos08-010 postmaster[12930]: 2021-04-08 14:23:59.408 BST
[12930] LOG: listening on IPv4 address "0.0.0.0", port 5121
Apr 08 14:23:59 centos08-010 postmaster[12930]: 2021-04-08 14:23:59.408 BST
[12930] LOG: listening on IPv6 address "::", port 5121
Apr 08 14:23:59 centos08-010 postmaster[12930]: 2021-04-08 14:23:59.455 BST
[12930] LOG: listening on Unix socket "/var/run/postgresql/.s.PGSQL.5121"
Apr 08 14:23:59 centos08-010 postmaster[12930]: 2021-04-08 14:23:59.558 BST
[12930] LOG: listening on Unix socket "/tmp/.s.PGSQL.5121"
Apr 08 14:23:59 centos08-010 postmaster[12930]: 2021-04-08 14:23:59.643 BST
[12930] LOG: redirecting log output to logging collector process
Apr 08 14:23:59 centos08-010 postmaster[12930]: 2021-04-08 14:23:59.643 BST
[12930] HINT: Future log output will appear in directory "log".
Apr 08 14:24:00 centos08-010 systemd[1]: Started PostgreSQL database
server.
So the slave is now listening on 5121 with the primary on 5123, read only
connections to the slave work OK, as do read-write to the primart
However, the log on the secondary reports :
2021-04-08 14:29:20.525 BST [13316] FATAL: could not connect to the primary
server: could not connect to server: Permission denied
Is the server running on host "192.168.9.9" and accepting
TCP/IP connections on port 5123?
2021-04-08 14:29:25.534 BST [13320] FATAL: could not connect to the primary
server: could not connect to server: Permission denied
Is the server running on host "192.168.9.9" and accepting
TCP/IP connections on port 5123?
2021-04-08 14:29:30.535 BST [13324] FATAL: could not connect to the primary
server: could not connect to server: Permission denied
Is the server running on host "192.168.9.9" and accepting
TCP/IP connections on port 5123?
this seems odd as psql connections from the secondary to the primary on port
5123 work OK
Selinux messages appear in the /var/log/messages file on the secondary
indicating issues with port 5123
Apr 8 14:32:43 centos08-010 setroubleshoot[12939]: SELinux is preventing
/usr/bin/postgres from name_connect access on the tcp_socket port
5123.#012#012***** Plugin connect_ports (92.2 confidence) suggests
*********************#012#012If you want to allow /usr/bin/postgres to
connect to network port 5123#012Then you need to modify the port
type.#012Do#012# semanage port -a -t PORT_TYPE -p tcp 5123#012 where
PORT_TYPE is one of the following: auth_port_t, dns_port_t, dnssec_port_t,
kerberos_port_t, ldap_port_t, ocsp_port_t, postgresql_port_t.#012#012*****
Plugin catchall_boolean (7.83 confidence) suggests
******************#012#012If you want to allow nis to enabled#012Then you
must tell SELinux about this by enabling the 'nis_enabled'
boolean.#012#012Do#012setsebool -P nis_enabled 1#012#012***** Plugin
catchall (1.41 confidence) suggests **************************#012#012If
you believe that postgres should be allowed name_connect access on the port
5123 tcp_socket by default.#012Then you should report this as a bug.#012You
can generate a local policy module to allow this access.#012Do#012allow this
access for now by executing:#012# ausearch -c 'postmaster' --raw |
audit2allow -M my-postmaster#012# semodule -X 300 -i my-postmaster.pp#012
Given that port 5123 is operative on the primary rather than the secondary,
why should SELinux on the secondary be recording issues for port 5123 ?
Issue is resolved by running "semanage port -a -t postgresql_port_t -p tcp
5123" on the secondary
Why would the secondary SELinux config need 5123 configured when this is a
primary side port ?
From | Date | Subject | |
---|---|---|---|
Next Message | PG Bug reporting form | 2021-04-08 15:00:22 | BUG #16956: psql won't load command history |
Previous Message | PG Bug reporting form | 2021-04-08 13:35:45 | BUG #16954: After install postgresql.service activates but does not activate postgresql@11-main.service |