Do not listen to all ip addresses.

vitabaks · vitabaks · commit fd6b0ecac987 · 2019-09-06T16:45:14.000+03:00
If the server has a public IP address, then listening to all ip addresses is not secure.
Now we only listen to ip addresses specified in the inventory file.

More details:
* If the scheme "Type B" (by default) is used, then the connection pooller (pgbouncer) will listen in addition to the ip address specified in the inventory file also will be used the cluster ip address ("cluster_vip" variable). Postgresql will be listen for the ip address from the inventory file and the local ip 127.0.0.1.
* If you do not want to install and configure the pgbouncer (install_pgbouncer: 'false'), then postgresql will also listen on the cluster ip address ("cluster_vip" variable).

* In the scheme "Type A" (with_haproxy_load_balancing: 'true '), the haproxy listen only for the cluster ip address ("cluster_vip" variable).
diff --git a/inventory b/inventory
@@ -1,5 +1,6 @@
 # This is example inventory file!
 # Please specify the ip addresses and connection settings for your environment
+# The specified ip addresses will be used to listen by the cluster components.
 
 # "postgresql_exists='true'" if PostgreSQL is already exists and runing
 # "hostname=" variable is optional (used to change the server name)
diff --git a/tasks/haproxy.yml b/tasks/haproxy.yml
@@ -138,10 +138,10 @@
     enabled: yes
     state: restarted
 
-- name: haproxy | wait for port 5000 to become open on the host
+- name: haproxy | check HAProxy is started and accepting connections
   wait_for:
-    port: 5000
-    host: 127.0.0.1
+    port: 7000
+    host: "{{ hostvars[inventory_hostname]['inventory_hostname'] }}"
     state: started
     timeout: 120
     delay: 10
diff --git a/tasks/patroni.yml b/tasks/patroni.yml
@@ -281,7 +281,7 @@
     - name: Patroni | wait for port 8008 to become open on the host
       wait_for:
         port: 8008
-        host: "{{ ansible_ssh_host }}"
+        host: "{{ hostvars[inventory_hostname]['inventory_hostname'] }}"
         state: started
         timeout: 120
         delay: 10
@@ -361,7 +361,7 @@
     - name: Patroni | wait for port 8008 to become open on the host
       wait_for:
         port: 8008
-        host: "{{ ansible_ssh_host }}"
+        host: "{{ hostvars[inventory_hostname]['inventory_hostname'] }}"
         state: started
         timeout: 120
         delay: 10
diff --git a/tasks/pgbouncer.yml b/tasks/pgbouncer.yml
@@ -76,7 +76,7 @@
 - name: PgBouncer | wait for port "{{ pgbouncer_listen_port }}" to become open on the host
   wait_for:
     port: "{{ pgbouncer_listen_port }}"
-    host: "{{ ansible_ssh_host }}"
+    host: "{{ hostvars[inventory_hostname]['inventory_hostname'] }}"
     state: started
     timeout: 300
     delay: 5
diff --git a/templates/haproxy.cfg.j2 b/templates/haproxy.cfg.j2
@@ -21,12 +21,12 @@ defaults
      
 listen stats
     mode http
-    bind 0.0.0.0:7000
+    bind {{ hostvars[inventory_hostname]['inventory_hostname'] }}:7000
     stats enable
     stats uri /
  
 listen master
-    bind 0.0.0.0:5000
+    bind {{ cluster_vip }}:5000
     maxconn 10000
     option tcplog
     option httpchk OPTIONS /master
@@ -44,7 +44,7 @@ server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['inventory_hos
 {% endif %}
 
 listen replicas
-    bind 0.0.0.0:5001
+    bind {{ cluster_vip }}:5001
     maxconn 10000
     option tcplog
     option httpchk OPTIONS /replica
@@ -63,7 +63,7 @@ server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['inventory_hos
 {% endif %}
 
 listen replicas_sync
-    bind 0.0.0.0:5002
+    bind {{ cluster_vip }}:5002
     maxconn 10000
     option tcplog
     option httpchk OPTIONS /sync
@@ -82,7 +82,7 @@ server {{ hostvars[host]['ansible_hostname'] }} {{ hostvars[host]['inventory_hos
 {% endif %}
  
 listen replicas_async
-    bind 0.0.0.0:5003
+    bind {{ cluster_vip }}:5003
     maxconn 10000
     option tcplog
     option httpchk OPTIONS /async
diff --git a/templates/haproxy.tmpl.j2 b/templates/haproxy.tmpl.j2
@@ -21,12 +21,12 @@ defaults
      
 listen stats
     mode http
-    bind 0.0.0.0:7000
+    bind {{ hostvars[inventory_hostname]['inventory_hostname'] }}:7000
     stats enable
     stats uri /
  
 listen master
-    bind 0.0.0.0:5000
+    bind {{ cluster_vip }}:5000
     maxconn 10000
     option tcplog
     option httpchk OPTIONS /master
@@ -43,7 +43,7 @@ listen master
 
 
 listen replicas
-    bind 0.0.0.0:5001
+    bind {{ cluster_vip }}:5001
     maxconn 10000
     option tcplog
     option httpchk OPTIONS /replica
@@ -61,7 +61,7 @@ listen replicas
 
 
 listen replicas_sync
-    bind 0.0.0.0:5002
+    bind {{ cluster_vip }}:5002
     maxconn 10000
     option tcplog
     option httpchk OPTIONS /sync
@@ -79,7 +79,7 @@ listen replicas_sync
 
 
 listen replicas_async
-    bind 0.0.0.0:5003
+    bind {{ cluster_vip }}:5003
     maxconn 10000
     option tcplog
     option httpchk OPTIONS /async
diff --git a/templates/patroni.yml.j2 b/templates/patroni.yml.j2
@@ -5,8 +5,8 @@ name: {{ ansible_hostname }}
 namespace: /service/
 
 restapi:
-  listen: {{ ansible_ssh_host }}:8008
-  connect_address: {{ ansible_ssh_host }}:8008
+  listen: {{ hostvars[inventory_hostname]['inventory_hostname'] }}:8008
+  connect_address: {{ hostvars[inventory_hostname]['inventory_hostname'] }}:8008
 #  certfile: /etc/ssl/certs/ssl-cert-snakeoil.pem
 #  keyfile: /etc/ssl/private/ssl-cert-snakeoil.key
 #  authentication:
@@ -108,8 +108,13 @@ bootstrap:
 
   
 postgresql:
-  listen: 0.0.0.0:{{ postgresql_port }}
-  connect_address: {{ ansible_ssh_host }}:{{ postgresql_port }}
+{% if with_haproxy_load_balancing == "true" or install_pgbouncer == "true" %}
+  listen: {{ hostvars[inventory_hostname]['inventory_hostname'] }},127.0.0.1:{{ postgresql_port }}
+{% endif %}
+{% if with_haproxy_load_balancing != "true" and install_pgbouncer != "true" %}
+  listen: {{ hostvars[inventory_hostname]['inventory_hostname'] }},{{ cluster_vip }},127.0.0.1:{{ postgresql_port }}
+{% endif %}
+  connect_address: {{ hostvars[inventory_hostname]['inventory_hostname'] }}:{{ postgresql_port }}
   use_unix_socket: true
   data_dir: {{ postgresql_data_dir }}
   bin_dir: {{ postgresql_bin_dir }}
diff --git a/templates/pgbouncer.ini.j2 b/templates/pgbouncer.ini.j2
@@ -6,7 +6,12 @@
 [pgbouncer]
 logfile = {{ pgbouncer_log_dir }}/pgbouncer.log
 pidfile = /var/run/pgbouncer/pgbouncer.pid
-listen_addr = {{ pgbouncer_listen_address | default('*') }}
+{% if with_haproxy_load_balancing == 'true' %}
+listen_addr = {{ hostvars[inventory_hostname]['inventory_hostname'] }}
+{% endif %}
+{% if with_haproxy_load_balancing != 'true' %}
+listen_addr = {{ hostvars[inventory_hostname]['inventory_hostname'] }},{{ cluster_vip }}
+{% endif %}
 listen_port = {{ pgbouncer_listen_port | default(6432) }}
 unix_socket_dir = /var/run/postgresql
 auth_type = md5
diff --git a/vars/main.yml b/vars/main.yml
@@ -144,7 +144,6 @@ postgresql_pg_hba:
 install_pgbouncer: 'true'  # or 'false' if you do not want to install and configure the pgbouncer service
 pgbouncer_conf_dir: "/etc/pgbouncer"
 pgbouncer_log_dir: "/var/log/pgbouncer"
-pgbouncer_listen_address: '0.0.0.0'
 pgbouncer_listen_port: 6432
 max_client_conn: 10000
 max_db_connections: 1000
