"PostgreSQL failed to start" on a CIS-hardened node
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
PostgreSQL Charm | New | Undecided | Unassigned |
Bug Description
Charm is blocked with "PostgreSQL failed to start" message on a CIS-hardened node.
The following errors are found in syslog:
```
Sep 6 12:59:01 landscapesql-1 systemd[1]: Starting PostgreSQL Cluster 10-main...
Sep 6 12:59:01 landscapesql-1 postgresql@
Sep 6 12:59:01 landscapesql-1 systemd[1]: postgresql@
Sep 6 12:59:01 landscapesql-1 systemd[1]: postgresql@
Sep 6 12:59:01 landscapesql-1 systemd[1]: Failed to start PostgreSQL Cluster 10-main.
```
The workaround is as follows:
```
juju run -a landscape-
```
tags: added: cis-hardening
This issue is indeed related to the access of /var/log after CIS is applied.
After this, /var/log has 750 permissions for the root user and the syslog group.
However, the postgres user is a member of the postgres and ssl-certs groups, which blocks the PostgreSQL start since it can't create its own log file in /var/log/postgresql/.
A more surgical approach would be to specifically allow the postgres user to go through the /var/log folder, in one of two ways:
* adding postgres user to syslog group
* using setfacl to allow postgres user to just cross /var/log to access /var/log/postgresql
Using setfacl might be more favorable as we can restrict, in the CIS context, the user to only access the /var/log/postgresql/ directory.
Updated workaround:
```
juju run -a landscape-postgresql 'sudo setfacl -m postgres:x /var/log && sudo systemctl restart postgresql.service'
```
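To make the failure mode concrete for both the bug description and the comment above, here is an added Python model (not code from the bug report or from the PostgreSQL charm) of the POSIX permission and ACL check that turns a 0750 root:syslog /var/log into "PostgreSQL failed to start", and of what each of the two proposed fixes changes. The /var/log ownership and mode and the postgres group memberships are taken from the comment; the mode and ownership of /var/log/postgresql, the /var entry and the group name `syslog` for the logging daemon are constructed assumptions for the example.

```python
"""Model of the access check that decides whether the postgres user can
create its log file under /var/log on a CIS-hardened node.

Added example, not part of the Launchpad bug or the charm. Directory
layout and group memberships are constructed to mirror the bug comment.
"""
from dataclasses import dataclass, field
from typing import Optional

R, W, X = 4, 2, 1   # permission bits; X on a directory means "may traverse"


@dataclass
class Dir:
    path: str
    owner: str
    group: str
    mode: int                                         # classic bits, e.g. 0o750
    acl_users: dict = field(default_factory=dict)     # named-user ACL entries
    acl_groups: dict = field(default_factory=dict)    # named-group ACL entries
    mask: Optional[int] = None                        # None = no extended ACL

    def bits(self, cls: str) -> int:
        shift = {"owner": 6, "group": 3, "other": 0}[cls]
        return (self.mode >> shift) & 0o7


def setfacl_user(d: Dir, user: str, bits: int) -> None:
    """Mimic `setfacl -m u:<user>:<bits>`: add the entry and, as setfacl does
    when no mask is given explicitly, recompute the mask as the union of all
    group-class entries (owning group, named users, named groups)."""
    d.acl_users[user] = bits
    d.mask = d.bits("group")
    for b in list(d.acl_users.values()) + list(d.acl_groups.values()):
        d.mask |= b


def allowed(d: Dir, user: str, groups: set, want: int) -> bool:
    """POSIX.1e access check (acl(5), "ACCESS CHECK ALGORITHM") for `want`.
    Root's DAC-override capabilities are deliberately not modelled."""
    if user == d.owner:                               # ACL_USER_OBJ
        return d.bits("owner") & want == want
    mask = 0o7 if d.mask is None else d.mask
    if user in d.acl_users:                           # ACL_USER, limited by mask
        return d.acl_users[user] & mask & want == want
    matched_group = False
    if d.group in groups:                             # ACL_GROUP_OBJ
        matched_group = True
        if d.bits("group") & mask & want == want:
            return True
    for g, b in d.acl_groups.items():                 # ACL_GROUP entries
        if g in groups:
            matched_group = True
            if b & mask & want == want:
                return True
    if matched_group:                                 # some group matched, none granted
        return False
    return d.bits("other") & want == want             # ACL_OTHER


def cis_hardened_layout() -> list:
    # From the comment: CIS leaves /var/log as root:syslog 0750.
    # /var and /var/log/postgresql are assumptions for this example.
    return [
        Dir("/var", "root", "root", 0o755),
        Dir("/var/log", "root", "syslog", 0o750),
        Dir("/var/log/postgresql", "root", "postgres", 0o775),
    ]


POSTGRES_GROUPS = {"postgres", "ssl-certs"}           # from the bug comment


def apply_fix(dirs: list, groups: set, fix: Optional[str]) -> None:
    if fix == "syslog-group":
        groups.add("syslog")                          # usermod -aG syslog postgres
    elif fix == "setfacl":
        setfacl_user(dirs[1], "postgres", X)          # setfacl -m postgres:x /var/log


def scenario(fix: Optional[str] = None) -> str:
    """Walk the path like the kernel's lookup: every ancestor needs X, and the
    final directory needs W+X to create the log file. Returns "ok" or the
    component at which the open() would fail with EACCES."""
    dirs = cis_hardened_layout()
    groups = set(POSTGRES_GROUPS)
    apply_fix(dirs, groups, fix)
    *ancestors, leaf = dirs
    for d in ancestors:
        if not allowed(d, "postgres", groups, X):
            return f"EACCES at {d.path}"
    if not allowed(leaf, "postgres", groups, W | X):
        return f"EACCES at {leaf.path}"
    return "ok"


def can_list_varlog(fix: Optional[str] = None) -> bool:
    """Side effect of each fix: may postgres now *list* /var/log (read bit)?"""
    dirs = cis_hardened_layout()
    groups = set(POSTGRES_GROUPS)
    apply_fix(dirs, groups, fix)
    return allowed(dirs[1], "postgres", groups, R)


if __name__ == "__main__":
    for fix in (None, "syslog-group", "setfacl"):
        print(f"{fix or 'no fix':13s} create log: {scenario(fix):18s} "
              f"list /var/log: {can_list_varlog(fix)}")
```

The model shows why the comment prefers setfacl: adding postgres to the syslog group also lets it read everything the syslog group can read under /var/log, whereas a named-user entry of `x` (mask r-x, owning group untouched) grants traversal and nothing else. On a real node the kernel performs the same check; `sudo -u postgres test -x /var/log && echo traversable` exercises it, and `getfacl /var/log` shows the mask that setfacl computed.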