Replication by file syncing and data directory permissions

From: Yuri Khan <y(dot)khan(at)2gis(dot)ru>
To: <pgsql-general(at)postgresql(dot)org>
Subject: Replication by file syncing and data directory permissions
Date: 2013-10-28 11:45:13
Message-ID: 526E4E49.8080702@2gis.ru
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-general

Hello All,

I am trying to automate setting up a hot standby slave replication on
Ubuntu Precise, with PostgreSQL 9.1, following the Binary Replication
Tutorial: http://wiki.postgresql.org/wiki/Binary_Replication_Tutorial .

(Distribution-specific conventions: postmaster runs as a dedicated
system user named postgres; data directory is in
/var/lib/postgresql/9.1/main; most config files are in
/etc/postgresql/9.1/main.)

The current workflow is as follows:

* The server’s pg_hba.conf is set up to allow replication connections
from a specific subnet.
* Administrator logs on to the to-be slave, installs a package that
depends on postgresql-9.1, runs a shell script passing it the address of
the server.
* The script’s main part is (error handling omitted for clarity):

===
service postgresql stop
ssh postgres(at)$MASTER \
"psql -c \"select pg_start_backup('clone', true);\""
rsync -av --exclude pg_xlog --exclude postgresql.conf \
--exclude postmaster.pid \
-e "ssh postgres(at)$MASTER" $MASTER:$DATA_DIR/\* $DATA_DIR
ssh postgres(at)$MASTER \
"psql -c \"select pg_stop_backup();\""
rsync -av -e "ssh postgres(at)$MASTER" $MASTER/$DATA_DIR/pg_xlog \
$DATA_DIR/
cat >$DATA_DIR/recovery.conf <<-EOF
standby_mode = 'on'
primary_conninfo = 'host=$MASTER port=$PORT'
EOF
service postgresql start
===

This works, but leaves a bit to be desired:

* The script uses four SSH connections to the master server. In order to
avoid multiple password requests, we use public key authentication.
* Two ssh connections that run the start/stop_backup queries could be
replaced with normal psql connections as a special role granted the
rights to execute pg_start_backup and pg_stop_backup.
* rsync invocations have to have read and execute (list files) access to
the data directory on the master, and read access to individual files.
Write access is generally not necessary. However, PostgreSQL refuses to
start when the data directory is readable by anyone other than just
postgres, so we have to have rsync connect as postgres.
* Thus, the slave has an ssh key allowing superuser access to the master
database.

We would like to harden the access rights of the standby as tightly as
practical, preferably to read-only on the data directory.

I am aware that it is possible to use pg_basebackup over a replication
connection for the initial synchronization, but that way we won’t have
resume capabilities if connection drops. Additionally, I’m not sure if
--gzip applies to the network traffic on the wire or if pg_basebackup
just zips up the resulting .tar on the receiving side.

What would be the best way to limit the access rights of the slave while
retaining on-the-wire traffic compression and resumable data transfers?

--
senior developer, 2GIS Unix Team
jabber (gtalk, xmpp): yurivkhan(at)gmail(dot)com

Browse pgsql-general by date

  From Date Subject
Next Message Herouth Maoz 2013-10-28 16:27:42 Table partitioning
Previous Message Eelke Klein 2013-10-28 07:59:01 Re: Work table