Merge branch 'develop' into fix/postgres-storage-grants

soedirgo · web-flow · commit 29aa02ad7faf · 2025-06-24T17:58:24.000+10:00
diff --git a/.github/workflows/qemu-image-build.yml b/.github/workflows/qemu-image-build.yml
@@ -10,6 +10,7 @@ on:
       - 'qemu-arm64-nix.pkr.hcl'
       - 'common-nix.vars.pkr.hcl'
       - 'ansible/vars.yml'
+      - 'scripts/*'
   workflow_dispatch:
 
 permissions:
@@ -30,7 +31,7 @@ jobs:
       - name: Set PostgreSQL versions - only builds pg17 atm
         id: set-versions
         run: |
-          VERSIONS=$(nix run nixpkgs#yq --  '.postgres_major[1,2]' ansible/vars.yml | nix run nixpkgs#jq -- -R -s -c 'split("\n")[:-1]')
+          VERSIONS=$(nix run nixpkgs#yq --  '.postgres_major[1]' ansible/vars.yml | nix run nixpkgs#jq -- -R -s -c 'split("\n")[:-1]')
           echo "postgres_versions=$VERSIONS" >> $GITHUB_OUTPUT
 
   build:
diff --git a/Dockerfile-kubernetes b/Dockerfile-kubernetes
@@ -1,9 +1,12 @@
-FROM alpine:3.21
+FROM alpine:3.22
 
 ADD ./output-cloudimg/packer-cloudimg /disk/focal.qcow2
 
-RUN apk add --no-cache qemu-system-aarch64 qemu-img openssh-client nftables cloud-utils-localds aavmf virtiofsd
-# dev stuff
-# RUN apk add --no-cache iproute2
+RUN apk add --no-cache qemu-system-aarch64 qemu-img openssh-client aavmf virtiofsd \
+    && truncate -s 64M /root/varstore.img \
+    && truncate -s 64M /root/efi.img \
+    && dd if=/usr/share/AAVMF/QEMU_EFI.fd of=/root/efi.img conv=notrunc \
+    && qemu-img create -f qcow2 /tmp/disk.qcow2 -b /disk/focal.qcow2 -F qcow2 \
+    && apk del --no-cache aavmf qemu-img
 
 CMD exec /bin/sh -c "trap : TERM INT; sleep 9999999999d & wait"
diff --git a/ansible/files/gotrue.service.j2 b/ansible/files/gotrue.service.j2
@@ -4,7 +4,12 @@ Description=Gotrue
 [Service]
 Type=simple
 WorkingDirectory=/opt/gotrue
+{% if qemu_mode is defined and qemu_mode %}
+ExecStart=/opt/gotrue/gotrue
+{% else %}
 ExecStart=/opt/gotrue/gotrue --config-dir /etc/auth.d
+{% endif %}
+
 User=gotrue
 Restart=always
 RestartSec=3
diff --git a/ansible/tasks/setup-postgrest.yml b/ansible/tasks/setup-postgrest.yml
@@ -6,22 +6,28 @@
     url: https://www.postgresql.org/media/keys/ACCC4CF8.asc
     state: present
 
-- name: PostgREST - add Postgres PPA
+- name: PostgREST - add Postgres PPA main
   apt_repository:
-    repo: "deb http://apt.postgresql.org/pub/repos/apt/ focal-pgdg {{ postgresql_major }}"
+    repo: "deb http://apt.postgresql.org/pub/repos/apt/ focal-pgdg main"
     state: present
+    filename: postgresql-pgdg
 
-- name: PostgREST - update apt cache
+- name: PostgREST - install system dependencies
   apt:
-    update_cache: yes
-
-# libpq is a C library that enables user programs to communicate with
-# the PostgreSQL database server.
-- name: PostgREST - system dependencies
-  apt:
-    pkg:
+    package:
       - libpq5
       - libnuma-dev
+    update_cache: yes
+    state: present
+
+- name: PostgREST - verify libpq5 version
+  shell: dpkg -l libpq5 | grep '^ii' | awk '{print $3}'
+  register: libpq5_version
+  changed_when: false
+
+- name: Show installed libpq5 version
+  debug:
+    msg: "Installed libpq5 version: {{ libpq5_version.stdout }}"
 
 - name: PostgREST - remove Postgres PPA gpg key
   apt_key:
@@ -30,7 +36,7 @@
 
 - name: PostgREST - remove Postgres PPA
   apt_repository:
-    repo: "deb http://apt.postgresql.org/pub/repos/apt/ focal-pgdg {{ postgresql_major }}"
+    repo: "deb http://apt.postgresql.org/pub/repos/apt/ focal-pgdg main"
     state: absent
 
 - name: postgis - ensure dependencies do not get autoremoved
@@ -88,7 +94,6 @@
       #! /usr/bin/env bash
       set -euo pipefail
       set -x
-
       cd "$(dirname "$0")"
       cat $@ > merged.conf
     dest: /etc/postgrest/merge.sh
diff --git a/ansible/vars.yml b/ansible/vars.yml
@@ -9,9 +9,9 @@ postgres_major:
 
 # Full version strings for each major version
 postgres_release:
-  postgresorioledb-17: "17.0.1.094-orioledb"
-  postgres17: "17.4.1.044"
-  postgres15: "15.8.1.101"
+  postgresorioledb-17: "17.0.1.096-orioledb"
+  postgres17: "17.4.1.046"
+  postgres15: "15.8.1.103"
 
 # Non Postgres Extensions
 pgbouncer_release: "1.19.0"
diff --git a/ebssurrogate/scripts/qemu-bootstrap-nix.sh b/ebssurrogate/scripts/qemu-bootstrap-nix.sh
@@ -155,6 +155,6 @@ execute_stage2_playbook
 # we do not want to ship an initialized DB as this is performed as needed
 mkdir -p /db/template
 mv /data/pgdata /db/template
+cloud-init clean --logs
 clean_legacy_things
 clean_system
-cloud-init clean --logs
diff --git a/scripts/90-cleanup-qemu.sh b/scripts/90-cleanup-qemu.sh
@@ -43,7 +43,10 @@ elif [ -n "$(command -v apt-get)" ]; then
   add-apt-repository --yes --remove ppa:ansible/ansible
 
   source /etc/os-release
-  apt-get -y remove --purge linux-headers-5.11.0-1021-aws
+
+  apt-mark manual libevent-2.1-7 # required for pgbouncer
+  apt-get -y remove --purge ansible-core apport appstream bash-completion bcache-tools bind9-dnsutils bind9-host bind9-libs bolt btrfs-progs byobu command-not-found console-setup distro-info eject fonts-ubuntu-console friendly-recovery ftp fwupd gawk gdisk keyboard-configuration libvolume-key1 libicu66 libssl-dev lvm2 lxd-agent-loader man-db mdadm modemmanager mtd-utils nano netcat-openbsd nfs-common ntfs-3g parted pastebinit screen strace thin-provisioning-tools tmux usb-modeswitch vim vim-runtime wget whiptail xfsprogs
+  apt remove -y --purge libc6-dev linux-libc-dev libevent-dev libpcre3-dev libsystemd-dev
 
   apt-get -y update
   apt-get -y upgrade
diff --git a/testinfra/test_ami_nix.py b/testinfra/test_ami_nix.py
@@ -507,3 +507,233 @@ def test_postgrest_ending_empty_key_query_parameter_is_removed(host):
         },
     )
     assert res.ok
+
+
+def test_postgresql_version(host):
+    """Print the PostgreSQL version being tested and ensure it's >= 14."""
+    result = run_ssh_command(host['ssh'], "sudo -u postgres psql -c 'SELECT version();'")
+    if result['succeeded']:
+        print(f"\nPostgreSQL Version:\n{result['stdout']}")
+        # Extract version number from the output
+        version_line = result['stdout'].strip().split('\n')[2]  # Skip header and get the actual version
+        # Extract major version number (e.g., "15.8" -> 15)
+        import re
+        version_match = re.search(r'PostgreSQL (\d+)\.', version_line)
+        if version_match:
+            major_version = int(version_match.group(1))
+            print(f"PostgreSQL major version: {major_version}")
+            assert major_version >= 14, f"PostgreSQL version {major_version} is less than 14"
+        else:
+            assert False, "Could not parse PostgreSQL version number"
+    else:
+        print(f"\nFailed to get PostgreSQL version: {result['stderr']}")
+        assert False, "Failed to get PostgreSQL version"
+    
+    # Also get the version from the command line
+    result = run_ssh_command(host['ssh'], "sudo -u postgres psql --version")
+    if result['succeeded']:
+        print(f"PostgreSQL Client Version: {result['stdout'].strip()}")
+    else:
+        print(f"Failed to get PostgreSQL client version: {result['stderr']}")
+    
+    print("✓ PostgreSQL version is >= 14")
+
+
+def test_libpq5_version(host):
+    """Print the libpq5 version installed and ensure it's >= 14."""
+    # Try different package managers to find libpq5
+    result = run_ssh_command(host['ssh'], "dpkg -l | grep libpq5 || true")
+    if result['succeeded'] and result['stdout'].strip():
+        print(f"\nlibpq5 package info:\n{result['stdout']}")
+        # Extract version from dpkg output (format: ii libpq5:arm64 17.5-1.pgdg20.04+1)
+        import re
+        version_match = re.search(r'libpq5[^ ]* +(\d+)\.', result['stdout'])
+        if version_match:
+            major_version = int(version_match.group(1))
+            print(f"libpq5 major version: {major_version}")
+            assert major_version >= 14, f"libpq5 version {major_version} is less than 14"
+        else:
+            print("Could not parse libpq5 version from dpkg output")
+    else:
+        print("\nlibpq5 not found via dpkg")
+    
+    # Also try to find libpq.so files
+    result = run_ssh_command(host['ssh'], "find /usr -name '*libpq*' -type f 2>/dev/null | head -10")
+    if result['succeeded'] and result['stdout'].strip():
+        print(f"\nlibpq files found:\n{result['stdout']}")
+    else:
+        print("\nNo libpq files found")
+    
+    # Check if we can get version from a libpq file
+    result = run_ssh_command(host['ssh'], "ldd /usr/bin/psql | grep libpq || true")
+    if result['succeeded'] and result['stdout'].strip():
+        print(f"\npsql libpq dependency:\n{result['stdout']}")
+    else:
+        print("\nCould not find libpq dependency for psql")
+    
+    # Try to get version from libpq directly
+    result = run_ssh_command(host['ssh'], "psql --version 2>&1 | head -1")
+    if result['succeeded'] and result['stdout'].strip():
+        print(f"\npsql version output: {result['stdout'].strip()}")
+        # The psql version should match the libpq version
+        import re
+        version_match = re.search(r'psql \(PostgreSQL\) (\d+)\.', result['stdout'])
+        if version_match:
+            major_version = int(version_match.group(1))
+            print(f"psql/libpq major version: {major_version}")
+            assert major_version >= 14, f"psql/libpq version {major_version} is less than 14"
+        else:
+            print("Could not parse psql version")
+    
+    print("✓ libpq5 version is >= 14")
+
+
+def test_postgrest_read_only_session_attrs(host):
+    """Test PostgREST with target_session_attrs=read-only and check for session errors."""
+    # First, check if PostgreSQL is configured for read-only mode
+    result = run_ssh_command(host['ssh'], "sudo -u postgres psql -c \"SHOW default_transaction_read_only;\"")
+    if result['succeeded']:
+        default_read_only = result['stdout'].strip()
+        print(f"PostgreSQL default_transaction_read_only: {default_read_only}")
+    else:
+        print("Could not check PostgreSQL read-only setting")
+        default_read_only = "unknown"
+    
+    # Check if PostgreSQL is in recovery mode (standby)
+    result = run_ssh_command(host['ssh'], "sudo -u postgres psql -c \"SELECT pg_is_in_recovery();\"")
+    if result['succeeded']:
+        in_recovery = result['stdout'].strip()
+        print(f"PostgreSQL pg_is_in_recovery: {in_recovery}")
+    else:
+        print("Could not check PostgreSQL recovery status")
+        in_recovery = "unknown"
+    
+    # Find PostgreSQL configuration file
+    result = run_ssh_command(host['ssh'], "sudo -u postgres psql -c \"SHOW config_file;\"")
+    if result['succeeded']:
+        config_file = result['stdout'].strip().split('\n')[2].strip()  # Skip header and get the actual path
+        print(f"PostgreSQL config file: {config_file}")
+    else:
+        print("Could not find PostgreSQL config file")
+        config_file = "/etc/postgresql/15/main/postgresql.conf"  # Default fallback
+    
+    # Backup PostgreSQL config
+    result = run_ssh_command(host['ssh'], f"sudo cp {config_file} {config_file}.backup")
+    assert result['succeeded'], "Failed to backup PostgreSQL config"
+    
+    # Add read-only setting to PostgreSQL config
+    result = run_ssh_command(host['ssh'], f"echo 'default_transaction_read_only = on' | sudo tee -a {config_file}")
+    assert result['succeeded'], "Failed to add read-only setting to PostgreSQL config"
+    
+    # Restart PostgreSQL to apply the new configuration
+    result = run_ssh_command(host['ssh'], "sudo systemctl restart postgresql")
+    assert result['succeeded'], "Failed to restart PostgreSQL"
+    
+    # Wait for PostgreSQL to start up
+    sleep(5)
+    
+    # Verify the change took effect
+    result = run_ssh_command(host['ssh'], "sudo -u postgres psql -c \"SHOW default_transaction_read_only;\"")
+    if result['succeeded']:
+        new_default_read_only = result['stdout'].strip()
+        print(f"PostgreSQL default_transaction_read_only after change: {new_default_read_only}")
+    else:
+        print("Could not verify PostgreSQL read-only setting change")
+    
+    # First, backup the current PostgREST config
+    result = run_ssh_command(host['ssh'], "sudo cp /etc/postgrest/base.conf /etc/postgrest/base.conf.backup")
+    assert result['succeeded'], "Failed to backup PostgREST config"
+    
+    try:
+        # Read the current config to get the db-uri
+        result = run_ssh_command(host['ssh'], "sudo cat /etc/postgrest/base.conf | grep '^db-uri'")
+        assert result['succeeded'], "Failed to read current db-uri"
+        
+        current_db_uri = result['stdout'].strip()
+        print(f"Current db-uri: {current_db_uri}")
+        
+        # Extract just the URI part (remove the db-uri = " prefix and trailing quote)
+        uri_start = current_db_uri.find('"') + 1
+        uri_end = current_db_uri.rfind('"')
+        base_uri = current_db_uri[uri_start:uri_end]
+        
+        # Modify the URI to add target_session_attrs=read-only
+        if '?' in base_uri:
+            # URI already has parameters, add target_session_attrs
+            modified_uri = base_uri + "&target_session_attrs=read-only"
+        else:
+            # URI has no parameters, add target_session_attrs
+            modified_uri = base_uri + "?target_session_attrs=read-only"
+        
+        print(f"Modified URI: {modified_uri}")
+        
+        # Use awk to replace the db-uri line more reliably
+        result = run_ssh_command(host['ssh'], f"sudo awk '{{if ($1 == \"db-uri\") print \"db-uri = \\\"{modified_uri}\\\"\"; else print $0}}' /etc/postgrest/base.conf > /tmp/new_base.conf && sudo mv /tmp/new_base.conf /etc/postgrest/base.conf")
+        assert result['succeeded'], "Failed to update db-uri in config"
+        
+        # Verify the change was made correctly
+        result = run_ssh_command(host['ssh'], "sudo cat /etc/postgrest/base.conf | grep '^db-uri'")
+        print(f"Updated db-uri line: {result['stdout'].strip()}")
+        
+        # Also show the full config to debug
+        result = run_ssh_command(host['ssh'], "sudo cat /etc/postgrest/base.conf")
+        print(f"Full config after change:\n{result['stdout']}")
+        
+        # Restart PostgREST to apply the new configuration
+        result = run_ssh_command(host['ssh'], "sudo systemctl restart postgrest")
+        assert result['succeeded'], "Failed to restart PostgREST"
+        
+        # Wait a moment for PostgREST to start up
+        sleep(5)
+        
+        # Check if PostgREST is running
+        result = run_ssh_command(host['ssh'], "sudo systemctl is-active postgrest")
+        if not (result['succeeded'] and result['stdout'].strip() == 'active'):
+            # If PostgREST failed to start, check the logs to see why
+            log_result = run_ssh_command(host['ssh'], "sudo journalctl -u postgrest --since '5 seconds ago' --no-pager")
+            print(f"PostgREST failed to start. Recent logs:\n{log_result['stdout']}")
+            assert False, "PostgREST failed to start after config change"
+        
+        # Make a test request to trigger any potential session errors
+        try:
+            response = requests.get(
+                f"http://{host['ip']}/rest/v1/",
+                headers={"apikey": anon_key, "authorization": f"Bearer {anon_key}"},
+                timeout=10
+            )
+            print(f"Test request status: {response.status_code}")
+        except Exception as e:
+            print(f"Test request failed: {str(e)}")
+        
+        # Check PostgREST logs for "session is not read-only" errors
+        result = run_ssh_command(host['ssh'], "sudo journalctl -u postgrest --since '5 seconds ago' | grep -i 'session is not read-only' || true")
+        
+        if result['stdout'].strip():
+            print(f"\nFound 'session is not read-only' errors in PostgREST logs:\n{result['stdout']}")
+            assert False, "PostgREST logs contain 'session is not read-only' errors even though PostgreSQL is configured for read-only mode"
+        else:
+            print("\nNo 'session is not read-only' errors found in PostgREST logs")
+            
+    finally:
+        # Restore the original configuration
+        result = run_ssh_command(host['ssh'], "sudo cp /etc/postgrest/base.conf.backup /etc/postgrest/base.conf")
+        if result['succeeded']:
+            result = run_ssh_command(host['ssh'], "sudo systemctl restart postgrest")
+            if result['succeeded']:
+                print("Restored original PostgREST configuration")
+            else:
+                print("Warning: Failed to restart PostgREST after restoring config")
+        else:
+            print("Warning: Failed to restore original PostgREST configuration")
+        
+        # Restore PostgreSQL to original configuration
+        result = run_ssh_command(host['ssh'], f"sudo cp {config_file}.backup {config_file}")
+        if result['succeeded']:
+            result = run_ssh_command(host['ssh'], "sudo systemctl restart postgresql")
+            if result['succeeded']:
+                print("Restored PostgreSQL to original configuration")
+            else:
+                print("Warning: Failed to restart PostgreSQL after restoring config")
+        else:
+            print("Warning: Failed to restore PostgreSQL configuration")
+
