"PostgreSQL failed to start" on a CIS-hardened node

Bug #1988983 reported by Przemyslaw Hausman
This bug affects 3 people
Affects: PostgreSQL Charm

Bug Description

Charm is blocked with "PostgreSQL failed to start" message on a CIS-hardened node.

The following errors are found in syslog:

Sep 6 12:59:01 landscapesql-1 systemd[1]: Starting PostgreSQL Cluster 10-main...
Sep 6 12:59:01 landscapesql-1 postgresql@10-main[4653]: Error: /usr/lib/postgresql/10/bin/pg_ctl /usr/lib/postgresql/10/bin/pg_ctl start -D /var/lib/postgresql/10/main -l /var/log/postgresql/postgresql-10-main.log -w -t 3600 -s -o -c config_file="/etc/postgresql/10/main/postgresql.conf" exited with status 1:
Sep 6 12:59:01 landscapesql-1 systemd[1]: postgresql@10-main.service: Can't open PID file /var/run/postgresql/10-main.pid (yet?) after start: No such file or directory
Sep 6 12:59:01 landscapesql-1 systemd[1]: postgresql@10-main.service: Failed with result 'protocol'.
Sep 6 12:59:01 landscapesql-1 systemd[1]: Failed to start PostgreSQL Cluster 10-main.

The workaround is as follows:

juju run -a landscape-postgresql 'sudo chmod 0775 /var/log && sudo systemctl restart postgresql'

DUFOUR Olivier (odufourc) wrote:

This issue is indeed related to access to /var/log after CIS is applied.
After this, /var/log has 750 rights, for the root user and the syslog group.

However, the postgres user is a member of the postgres and ssl-certs groups, which blocks the PostgreSQL start since it can't create its own log file in /var/log/postgresql/.

A more surgical approach would be to allow specifically the postgres user to go through the /var/log folder, in either of two ways:
* adding the postgres user to the syslog group
* using setfacl to allow the postgres user to just cross /var/log to access /var/log/postgresql

Using setfacl might be more favorable as we can restrict, in a CIS context, the user to only accessing the /var/log/postgresql/ directory.

Updated workaround :
juju run -a landscape-postgresql 'sudo setfacl -m postgres:x /var/log && sudo systemctl restart postgresql.service'

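The following is an added example, not code from the bug report, the comment above, or the PostgreSQL charm: a Python model of the Linux directory-search permission check (owner class, then a named-user ACL entry, then group class, then other), applied to the scenario in the description and the comment. It shows why a 750 root:syslog /var/log blocks a postgres user that is only in postgres and ssl-certs, that the chmod 0775 workaround from the description also grants search to every other user on the node while the setfacl and syslog-group variants do not, and one caveat of the ACL route: a later chmod that removes the group x bit (for example a re-run hardening step) rewrites the ACL mask rather than the group entry and silently disables the named entry. The mode of /var/log/postgresql, the "nobody" principal, and all helper names are assumptions.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Optional, Tuple

X_BIT = 0o1  # the directory "search" bit: needed to cross a directory at all


@dataclass(frozen=True)
class DirPerms:
    """Permission state of one directory: mode bits plus an optional POSIX ACL."""
    mode: int                                    # e.g. 0o750
    owner: str
    group: str
    acl_users: Dict[str, int] = field(default_factory=dict)  # named user -> rwx bits
    acl_mask: Optional[int] = None               # set whenever a named entry exists

    def chmod(self, mode: int) -> "DirPerms":
        # Once an ACL mask exists, chmod's group bits rewrite the mask rather
        # than the owning group's own entry (standard Linux behaviour).
        if self.acl_mask is None:
            return replace(self, mode=mode)
        return replace(self, mode=(mode & 0o707) | (self.mode & 0o070),
                       acl_mask=(mode >> 3) & 0o7)

    def setfacl_user(self, user: str, bits: int) -> "DirPerms":
        # setfacl -m u:<user>:<bits>: add the named entry and recompute the
        # mask as the union of the group class, as setfacl does without -n.
        users = dict(self.acl_users)
        users[user] = bits
        mask = (self.mode >> 3) & 0o7
        for b in users.values():
            mask |= b
        return replace(self, acl_users=users, acl_mask=mask)


@dataclass(frozen=True)
class Principal:
    name: str
    groups: frozenset


def can_search(d: DirPerms, who: Principal) -> bool:
    """Decide search access in the kernel's order: owner class, then a matching
    named-user ACL entry (masked), then group class (masked when an ACL exists),
    then other. The first class that applies is decisive; nothing falls through."""
    if who.name == d.owner:
        return bool((d.mode >> 6) & X_BIT)
    mask = 0o7 if d.acl_mask is None else d.acl_mask
    if who.name in d.acl_users:
        return bool(d.acl_users[who.name] & mask & X_BIT)
    if d.group in who.groups:
        return bool((d.mode >> 3) & mask & X_BIT)
    return bool(d.mode & X_BIT)


def first_blocking(path: List[Tuple[str, DirPerms]], who: Principal) -> Optional[str]:
    """Walk a path top-down and return the first directory the user cannot
    search, or None when the whole path is reachable (what `namei -l` shows)."""
    for name, d in path:
        if not can_search(d, who):
            return name
    return None


# Facts from the bug: CIS leaves /var/log as 750 root:syslog; postgres is a
# member of postgres and ssl-certs only.
VAR_LOG_CIS = DirPerms(0o750, "root", "syslog")
POSTGRES = Principal("postgres", frozenset({"postgres", "ssl-certs"}))
# Assumptions: /var/log/postgresql as root:postgres 0775 (its real mode is not
# in the report), and an unrelated "nobody" user to measure over-granting.
PG_LOG_DIR = DirPerms(0o775, "root", "postgres")
NOBODY = Principal("nobody", frozenset({"nogroup"}))


def evaluate_workarounds() -> Dict[str, Dict[str, Optional[str]]]:
    """For each variant, report which component (if any) still blocks postgres,
    and which blocks an unrelated user, so the breadth of each grant is visible."""
    in_syslog = Principal(POSTGRES.name, POSTGRES.groups | {"syslog"})
    variants = {
        "cis-default": (VAR_LOG_CIS, POSTGRES),
        "chmod-0775": (VAR_LOG_CIS.chmod(0o775), POSTGRES),
        "syslog-member": (VAR_LOG_CIS, in_syslog),
        "acl-postgres-x": (VAR_LOG_CIS.setfacl_user("postgres", X_BIT), POSTGRES),
        # Caveat: a later chmod that drops group x lowers the mask and disables
        # the named entry without ever touching it.
        "acl-then-chmod-0740": (
            VAR_LOG_CIS.setfacl_user("postgres", X_BIT).chmod(0o740), POSTGRES),
    }
    results = {}
    for label, (var_log, who) in variants.items():
        path = [("/var/log", var_log), ("/var/log/postgresql", PG_LOG_DIR)]
        results[label] = {
            "postgres": first_blocking(path, who),
            "nobody": first_blocking(path, NOBODY),
        }
    return results


if __name__ == "__main__":
    for label, outcome in evaluate_workarounds().items():
        print(f"{label:22s} postgres blocked at: {outcome['postgres']}  "
              f"nobody blocked at: {outcome['nobody']}")
```

On a real node the same questions are answered with `sudo -u postgres test -x /var/log && echo ok`, `namei -l /var/log/postgresql` to find the blocking component, and `getfacl /var/log` to confirm the named entry and, importantly, the mask line after any later chmod.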
tags: added: cis-hardening