Commit 470719fe authored by Kirill Smelkov's avatar Kirill Smelkov

gitlab: PostgreSQL service

Organize internal PostgreSQL database which will be used as DB for
Roby-on-Rails GitLab and listens only on unix socket (for security and
performance reasons - see earlier intro patch).

To do it we use slapos.cookbook:postgres recipe, with disabling
"listen-to-network" via passing empty sets to ipv4 and ipv6 recipe
arguments.

The promise to check whether DB is alive is just `psql -c '\q'` which
will error if failing to connect to DB, but exit silently if connected ok.

Explicit log rotation is not needed - as postgresql logs to
stdout/stderr - not to a file - logs are handled by slapos - put into
.slappartX_postgresql.log and automatically rotated there.

XXX omnibus-gitlab tunes postgresql with shared_buffers and other
parameters, most likely for performance reasons - see e.g.

    https://gitlab.com/gitlab-org/omnibus-gitlab/blob/8-2-stable/files/gitlab-cookbooks/gitlab/templates/default/postgresql.conf.erb#L113

I decided not to fine-tune postgresql for now, and get on-field feedback
first, and then, if needed, we can tune.

/cc @kazuhiko, @jerome
parent 5e4a181a
No related merge requests found
......@@ -7,6 +7,8 @@
parts =
directory
service-postgresql
service-cron
# std stuff for slapos instance
......@@ -60,6 +62,57 @@ recipe = slapos.cookbook:wrapper
wrapper-path = !py! '${directory:promise}/' + '${:_buildout_section_name_}'[8:]
#####################
# Postgresql db #
#####################
# XXX gitlab-omnibus also tunes:
# - shared_buffers
# - work_mem
# - checkpoint_*
# - effective_check_size
# - lc_* en_US.UTF-8 -> C (?)
[service-postgresql]
recipe = slapos.cookbook:postgres
bin = {{ postgresql_location }}/bin
services= ${directory:service}
dbname = gitlabhq_production
# NOTE db name must match to what was used in KVM on lab.nexedi.com (restore script grants access to this user)
superuser = gitlab-psql
# no password - pgsql will listen only on unix sockets (see below) thus access
# is protected with filesystem-level permissions.
# ( besides, if we use slapos.cookbook:generate.password and do `password = ...`
# the password is stored in plain text in .installed and thus becomes insecure )
password=
pgdata-directory = ${directory:srv}/postgresql
# empty addresses - listen only on unix socket
ipv4 = !py!set([])
ipv6 = !py!set([])
ipv6-random =
port =
depend =
${promise-postgresql:recipe}
[promise-postgresql]
<= promise-wrapper
command-line =
{{ postgresql_location }}/bin/psql
-h ${service-postgresql:pgdata-directory}
-U ${service-postgresql:superuser}
-d ${service-postgresql:dbname}
-c '\q'
# postgresql logs to stdout/stderr - logs are handled by slapos not us
# [logrotate-entry-postgresql]
#############
# cron #
#############
......
......@@ -28,3 +28,4 @@ context =
raw gunzip_bin ${gzip:location}/bin/gunzip
raw gzip_bin ${gzip:location}/bin/gzip
raw logrotate_bin ${logrotate:location}/usr/sbin/logrotate
raw postgresql_location ${postgresql92:location}
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment