PostgreSQL can't start on WindRiver
Open, High, Public

Description

Sep 30 23:30:12 windriver postgres[7302]: [7-1] 2024-09-30 23:30:12.619 UTC [7302] FATAL: could not load pg_hba.conf

Event Timeline

dereckson triaged this task as High priority. Sep 30 2024, 23:33
dereckson created this task.

Indeed, there is no pg_hba.conf in /var/db/postgres/data.

Mitigated by restoring pg_hba.conf from old WindRiver, but we should check if roles/dbserver-pgsql correctly provisions that file on WindRiver.

# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the "Client Authentication" section in the PostgreSQL
# documentation for a complete description of this file. A short
# synopsis follows.
#
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of these forms:
#
# local         DATABASE  USER  METHOD  [OPTIONS]
# host          DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
# hostssl       DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
# hostnossl     DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
# hostgssenc    DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
# hostnogssenc  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
#
# (The uppercase items must be replaced by actual values.)
#
# The first field is the connection type:
# - "local" is a Unix-domain socket
# - "host" is a TCP/IP socket (encrypted or not)
# - "hostssl" is a TCP/IP socket that is SSL-encrypted
# - "hostnossl" is a TCP/IP socket that is not SSL-encrypted
# - "hostgssenc" is a TCP/IP socket that is GSSAPI-encrypted
# - "hostnogssenc" is a TCP/IP socket that is not GSSAPI-encrypted
#
# DATABASE can be "all", "sameuser", "samerole", "replication", a
# database name, or a comma-separated list thereof. The "all"
# keyword does not match "replication". Access to replication
# must be enabled in a separate record (see example below).
#
# USER can be "all", a user name, a group name prefixed with "+", or a
# comma-separated list thereof. In both the DATABASE and USER fields
# you can also write a file name prefixed with "@" to include names
# from a separate file.
#
# ADDRESS specifies the set of hosts the record matches. It can be a
# host name, or it is made up of an IP address and a CIDR mask that is
# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
# specifies the number of significant bits in the mask. A host name
# that starts with a dot (.) matches a suffix of the actual host name.
# Alternatively, you can write an IP address and netmask in separate
# columns to specify the set of hosts. Instead of a CIDR-address, you
# can write "samehost" to match any of the server's own IP addresses,
# or "samenet" to match any address in any subnet that the server is
# directly connected to.
#
# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
# Note that "password" sends passwords in clear text; "md5" or
# "scram-sha-256" are preferred since they send encrypted passwords.
#
# OPTIONS are a set of options for the authentication in the format
# NAME=VALUE. The available options depend on the different
# authentication methods -- refer to the "Client Authentication"
# section in the documentation for a list of which options are
# available for which authentication methods.
#
# Database and user names containing spaces, commas, quotes and other
# special characters must be quoted. Quoting one of the keywords
# "all", "sameuser", "samerole" or "replication" makes the name lose
# its special character, and just match a database or username with
# that name.
#
# This file is read on server startup and when the server receives a
# SIGHUP signal. If you edit the file on a running system, you have to
# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
# or execute "SELECT pg_reload_conf()".
#
# Put your actual configuration here
# ----------------------------------
#
# If you want to allow non-local connections, you need to add more
# "host" records. In that case you will also need to make PostgreSQL
# listen on a non-local interface via the listen_addresses
# configuration parameter, or via the -i or -h command line switches.

# CAUTION: Configuring the system for local "trust" authentication
# allows any local user to connect as any PostgreSQL user, including
# the database superuser. If you do not trust all your local users,
# use another authentication method.


# TYPE  DATABASE        USER            ADDRESS                 METHOD

# "local" is for Unix domain socket connections only
local   all             all                                     trust
# IPv4 local connections:
host    all             all             127.0.0.1/32            trust
# IPv6 local connections:
host    all             all             ::1/128                 trust
# Allow replication connections from localhost, by a user with the
# replication privilege.
local   replication     all                                     trust
host    replication     all             127.0.0.1/32            trust
host    replication     all             ::1/128                 trust

We could live with that configuration on devserver, but that file is clearly not good to test permissions, as it allows any connection from localhost (try from a user account: psql -U netbox).
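
One way to check a provisioned pg_hba.conf for the problem raised in the last comment, as an added example that is not part of the task or of roles/dbserver-pgsql: a small Python parser for the record forms documented in the file header, reporting every record whose METHOD is "trust" or "password". SAMPLE is constructed from the six active records of the restored file; the function names are hypothetical.

```python
import ipaddress
import shlex

# Constructed sample: the six active records of the restored file.
SAMPLE = """\
local   all             all                                     trust
host    all             all             127.0.0.1/32            trust
host    all             all             ::1/128                 trust
local   replication     all                                     trust
host    replication     all             127.0.0.1/32            trust
host    replication     all             ::1/128                 trust
"""

# Methods the file's own header comments warn about.
WEAK = {"trust": "no authentication: any matching client gets in",
        "password": "password sent in clear text"}


def parse_hba(text):
    """Yield (lineno, type, database, user, address, method) per record."""
    for lineno, line in enumerate(text.splitlines(), 1):
        tok = shlex.split(line, comments=True)  # drops '#' comments, keeps quoted names whole
        if not tok:
            continue
        if len(tok) < 4:
            raise ValueError(f"line {lineno}: too few fields")
        ctype, database, user, rest = tok[0], tok[1], tok[2], tok[3:]
        address = None
        if ctype != "local":  # every host* type carries an ADDRESS column
            address, rest = rest[0], rest[1:]
            try:
                ipaddress.ip_address(address)  # bare IP: netmask is the next column
                address, rest = f"{address} {' '.join(rest[:1])}", rest[1:]
            except ValueError:
                pass  # CIDR, host name, samehost or samenet
        if not rest:
            raise ValueError(f"line {lineno}: missing METHOD")
        yield lineno, ctype, database, user, address, rest[0]


def weak_records(text):
    """Return the parsed records whose METHOD is in WEAK, with the reason appended."""
    return [rec + (WEAK[rec[5]],) for rec in parse_hba(text) if rec[5] in WEAK]


if __name__ == "__main__":
    for rec in weak_records(SAMPLE):
        print(rec)
```

Run against the restored file, all six records are reported, which matches the observation that any local account can connect as any role.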