Re: initdb recommendations

From: Andrew Dunstan <andrew(dot)dunstan(at)2ndquadrant(dot)com>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
Cc: pgsql-hackers(at)lists(dot)postgresql(dot)org
Subject: Re: initdb recommendations
Date: 2019-07-22 17:02:13
Message-ID: c0ccc036-8e58-f057-304f-9feb8f6ec80c@2ndQuadrant.com
Lists: pgsql-docs pgsql-hackers


On 7/22/19 12:25 PM, Tom Lane wrote:
> I wrote:
>> Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> writes:
>>> Pushed with that note. Thanks.
>> This has completely broken the buildfarm.
> On inspection, it seems the reason for that is that the buildfarm
> script runs initdb with '-U buildfarm', so that peer-auth connections
> will only work if the buildfarm is being run by an OS user named
> exactly "buildfarm". That happens to be true on my macOS animals,
> which is why they're not broken ... but apparently, nobody else
> does it that way.
>
> I'm afraid we're going to have to revert this, at least till
> such time as a fixed buildfarm client is in universal use.
>
> As for the nature of that fix, I don't quite understand why
> the forced -U is there --- maybe we could just remove it?
> But there are multiple places in the buildfarm client that
> have hard-wired references to "buildfarm".

This goes back quite a way:

commit 7528701abb88ab84f6775448c59b392ca7f33a07
Author: Andrew Dunstan <andrew(at)dunslane(dot)net>
Date:   Tue Nov 27 13:47:38 2012 -0500

    Run everything as buildfarm rather than local user name.

    This will help if we ever want to do things like comparing dump diffs.
    Done by setting PGUSER and using initdb's -U option.

The pg_upgrade test (not the cross-version one) doesn't use this - it
explicitly unsets PGUSER.

There are a few things we could do. We could force trust auth, or we
could add an ident map that allowed $USER to log in as buildfarm. Finding
all the places we would need to fix that could be a fun project ...

We could also maybe teach initdb to honor an environment setting
INTDB_DEFAULT_AUTH or some such.

I agree this should be reverted for now until we work out what we want
to do.

cheers

andrew

--
Andrew Dunstan https://www.2ndQuadrant.com
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
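
The peer-auth failure and the ident-map option discussed in this message, modelled as an added example (not part of the original message and not buildfarm or PostgreSQL code). The map name `bfmap` and the OS users `alice` and `ci-<n>` are assumptions, and the parser is simplified (no quoted fields or include directives).

```python
import re

# Constructed pg_ident.conf content; map name and OS users are illustrative.
# The matching pg_hba.conf line would be:  local  all  all  peer map=bfmap
SAMPLE_IDENT = r"""
# MAPNAME  SYSTEM-USERNAME  PG-USERNAME
bfmap      alice            buildfarm
bfmap      /^ci-\d+$        buildfarm
"""


def parse_ident(text):
    """Return (map, system_user, pg_user) tuples from pg_ident.conf-style text."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on blanks
        if len(fields) == 3:
            entries.append(tuple(fields))
    return entries


def peer_allows(os_user, db_user, entries, map_name=None):
    """Model the 'peer' decision for a local connection.

    Without map=..., the OS user name must equal the requested role, which is
    why 'initdb -U buildfarm' only works for an OS user named buildfarm.
    With a map, only entries of that map count; there is no implicit
    same-name match.
    """
    if map_name is None:
        return os_user == db_user
    for name, sys_user, pg_user in entries:
        if name != map_name or pg_user != db_user:
            continue
        if sys_user.startswith("/"):  # leading slash marks a regular expression
            if re.search(sys_user[1:], os_user):
                return True
        elif sys_user == os_user:
            return True
    return False


if __name__ == "__main__":
    ident = parse_ident(SAMPLE_IDENT)
    for user in ("buildfarm", "alice", "ci-17", "bob"):
        print(user, peer_allows(user, "buildfarm", ident),
              peer_allows(user, "buildfarm", ident, "bfmap"))
```

Unlike trust auth, the map keeps the login tied to a kernel-verified OS identity and only widens which identities may use the `buildfarm` role.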
