Hello Hackers,
When running PostgreSQL in container as rootless and bridged network,
all connection will appear as local connection not matter what their
origin is and pg_hba.conf based allow/deny will not be effective.
One approach is to make PostgreSQL aware of systemd socket activation,
where systemd creates socket FDs and passes them to PostgreSQL. Thus
providing real connection originator. Many services have adopted systemd
socket activation and attached patch enables same for PostgreSQL.
This patch has effect on current use of socket unless systemd socket are
used. Code is also guarded when postgres is not compiled with systemd flag.
Attached patch is based on HEAD.
Here is a sample systemd .socket (
~/.config/systemd/user/PostgreSQL-18.socket )
8<------
[Unit]
Description=PostgreSQL Server Socket
Conflicts=postgresql-18.service
[Socket]
ListenStream=127.0.0.1:5432
ListenStream=192.168.1.100:5432
ListenStream=/tmp/.s.PGSQL.5432
ListenStream=/run/user/1000/.s.PGSQL.5432
[Install]
WantedBy=sockets.target
8<------
Match this name with quadlet .container name, for more details
https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html
For local testing oneĀ can also use systemd-socket-activate, for more
details
https://www.freedesktop.org/software/systemd/man/latest/systemd-socket-activate.html
Notes:
1. PostgreSQL config variables must match above sockets and order.
listen_addresses = '127.0.0.1,192.168.100.49'
unix_socket_directories = '/tmp/,/run/user/1000/'
Two TCP sockets and 2 unix sockets and in same order.
2. Since postgres container will be started on first connection,
"database system is starting up" message will be visible only for first
connection but not for subsequent connections.
make check-world passes with or without sytsemd and with socket activation.
--
Kind Regards,
Yogesh Sharma
PostgreSQL, Linux, and Networking Expert
Open Source Enthusiast and Advocate
PostgreSQL Contributors Team @ RDS Open Source Databases
Amazon Web Services: https://aws.amazon.com
From 565c83e701406ed504eb8738fbc78c41f3618371 Mon Sep 17 00:00:00 2001
From: Yogesh Sharma <yogesh.sha...@catprosystems.com>
Date: Wed, 5 Feb 2025 17:06:21 -0500
Subject: [PATCH] Add systemd socket activation supoort in postgresql.
Socket activiation enables systemd to start the configured configured
sockets and pass FDs to PostgreSQL. These changes are only effective
when postgres is compiled with --with-systemd and systemd .socket is
used.
Why add socket activation support?
Socket activiation helps in the case where postgers container is running
as rootlessi under podman. Without this change, postgres will see all
connections as originating from local and pg_hba will not be able to
block connections from intranet or internet.
postgresql-18.socket
8<------
[Unit]
Description=YS Server Socket
Conflicts=postgresql-18.service
[Socket]
ListenStream=127.0.0.1:5432
ListenStream=192.168.100.49:5432
ListenStream=/tmp/.s.PGSQL.5432
ListenStream=/run/user/1000/.s.PGSQL.5432
[Install]
WantedBy=sockets.target
8<------
Match this name with quadlet .container name
https://docs.podman.io/en/latest/markdown/podman-systemd.unit.5.html
This .socket file get installed in ~/.config/system/user and enabled.
For local testing one can also use systemd-socket-activate
https://www.freedesktop.org/software/systemd/man/latest/systemd-socket-activate.html
Postgresql Config variables shall match above sockets.
listen_addresses = '127.0.0.1,192.168.100.49'
unix_socket_directories = '/tmp/,/run/user/1000/'
---
src/backend/libpq/pqcomm.c | 76 +++++++++++------
src/test/postmaster/Makefile | 2 +
.../t/004_systemd_socket_activation.pl | 84 +++++++++++++++++++
3 files changed, 136 insertions(+), 26 deletions(-)
create mode 100644 src/test/postmaster/t/004_systemd_socket_activation.pl
diff --git a/src/backend/libpq/pqcomm.c b/src/backend/libpq/pqcomm.c
index bddd6465de2..48f1b0b2f66 100644
--- a/src/backend/libpq/pqcomm.c
+++ b/src/backend/libpq/pqcomm.c
@@ -72,6 +72,10 @@
#include <mstcpip.h>
#endif
+#ifdef USE_SYSTEMD
+#include <systemd/sd-daemon.h>
+#endif
+
#include "common/ip.h"
#include "libpq/libpq.h"
#include "miscadmin.h"
@@ -423,6 +427,7 @@ ListenServerPort(int family, const char *hostName, unsigned short portNumber,
int err;
int maxconn;
int ret;
+ int systemd_fd_count = 0;
char portNumberStr[32];
const char *familyDesc;
char familyDescBuf[64];
@@ -444,6 +449,12 @@ ListenServerPort(int family, const char *hostName, unsigned short portNumber,
hint.ai_flags = AI_PASSIVE;
hint.ai_socktype = SOCK_STREAM;
+#ifdef USE_SYSTEMD
+ systemd_fd_count = sd_listen_fds(0);
+ if (systemd_fd_count > 0 && systemd_fd_count <= (*NumListenSockets))
+ elog(FATAL, "Sockets passed by systemd (%d) are less than listen_addresses configured in postgresql.conf", systemd_fd_count);
+#endif
+
if (family == AF_UNIX)
{
/*
@@ -459,12 +470,16 @@ ListenServerPort(int family, const char *hostName, unsigned short portNumber,
(int) (UNIXSOCK_PATH_BUFLEN - 1))));
return STATUS_ERROR;
}
- if (Lock_AF_UNIX(unixSocketDir, unixSocketPath) != STATUS_OK)
+ if (systemd_fd_count == 0 && Lock_AF_UNIX(unixSocketDir, unixSocketPath) != STATUS_OK)
return STATUS_ERROR;
service = unixSocketPath;
+ if (systemd_fd_count > 0 && sd_is_socket_unix(SD_LISTEN_FDS_START + (*NumListenSockets), SOCK_STREAM, 1, unixSocketPath, 0) < 1)
+ elog(FATAL, "Sockets (%d) passed by systemd is not same type as configured in postgresql.conf", *NumListenSockets);
}
else
{
+ if (systemd_fd_count > 0 && sd_is_socket_inet(SD_LISTEN_FDS_START + (*NumListenSockets), AF_UNSPEC, SOCK_STREAM, 1, portNumber) < 1)
+ elog(FATAL, "Sockets (%d) passed by systemd is not same type as configured in postgresql.conf", *NumListenSockets);
snprintf(portNumberStr, sizeof(portNumberStr), "%d", portNumber);
service = portNumberStr;
}
@@ -538,7 +553,14 @@ ListenServerPort(int family, const char *hostName, unsigned short portNumber,
addrDesc = addrBuf;
}
- if ((fd = socket(addr->ai_family, SOCK_STREAM, 0)) == PGINVALID_SOCKET)
+ if (systemd_fd_count > 0)
+ {
+ fd = SD_LISTEN_FDS_START + (*NumListenSockets);
+ ereport(LOG, (errmsg("Using systemd FD %d at %d", fd, *NumListenSockets)));
+ }
+ else
+ fd = socket(addr->ai_family, SOCK_STREAM, 0);
+ if (fd == PGINVALID_SOCKET)
{
ereport(LOG,
(errcode_for_socket_access(),
@@ -598,32 +620,34 @@ ListenServerPort(int family, const char *hostName, unsigned short portNumber,
}
}
#endif
-
- /*
- * Note: This might fail on some OS's, like Linux older than
- * 2.4.21-pre3, that don't have the IPV6_V6ONLY socket option, and map
- * ipv4 addresses to ipv6. It will show ::ffff:ipv4 for all ipv4
- * connections.
- */
- err = bind(fd, addr->ai_addr, addr->ai_addrlen);
- if (err < 0)
+ if (systemd_fd_count == 0)
{
- int saved_errno = errno;
+ /*
+ * Note: This might fail on some OS's, like Linux older than
+ * 2.4.21-pre3, that don't have the IPV6_V6ONLY socket option, and
+ * map ipv4 addresses to ipv6. It will show ::ffff:ipv4 for all
+ * ipv4 connections.
+ */
+ err = bind(fd, addr->ai_addr, addr->ai_addrlen);
+ if (err < 0)
+ {
+ int saved_errno = errno;
- ereport(LOG,
- (errcode_for_socket_access(),
- /* translator: first %s is IPv4, IPv6, or Unix */
- errmsg("could not bind %s address \"%s\": %m",
- familyDesc, addrDesc),
- saved_errno == EADDRINUSE ?
- (addr->ai_family == AF_UNIX ?
- errhint("Is another postmaster already running on port %d?",
- (int) portNumber) :
- errhint("Is another postmaster already running on port %d?"
- " If not, wait a few seconds and retry.",
- (int) portNumber)) : 0));
- closesocket(fd);
- continue;
+ ereport(LOG,
+ (errcode_for_socket_access(),
+ /* translator: first %s is IPv4, IPv6, or Unix */
+ errmsg("could not bind %s address \"%s\": %m",
+ familyDesc, addrDesc),
+ saved_errno == EADDRINUSE ?
+ (addr->ai_family == AF_UNIX ?
+ errhint("Is another postmaster already running on port %d?",
+ (int) portNumber) :
+ errhint("Is another postmaster already running on port %d?"
+ " If not, wait a few seconds and retry.",
+ (int) portNumber)) : 0));
+ closesocket(fd);
+ continue;
+ }
}
if (addr->ai_family == AF_UNIX)
diff --git a/src/test/postmaster/Makefile b/src/test/postmaster/Makefile
index e06b81f8c47..e1d79ee2a07 100644
--- a/src/test/postmaster/Makefile
+++ b/src/test/postmaster/Makefile
@@ -13,6 +13,8 @@ subdir = src/test/postmaster
top_builddir = ../../..
include $(top_builddir)/src/Makefile.global
+export with_systemd
+
check:
$(prove_check)
diff --git a/src/test/postmaster/t/004_systemd_socket_activation.pl b/src/test/postmaster/t/004_systemd_socket_activation.pl
new file mode 100644
index 00000000000..374ccf1abb1
--- /dev/null
+++ b/src/test/postmaster/t/004_systemd_socket_activation.pl
@@ -0,0 +1,84 @@
+
+# Copyright (c) 2024-2025, PostgreSQL Global Development Group
+
+use strict;
+use warnings FATAL => 'all';
+use locale;
+
+use PostgreSQL::Test::Cluster;
+use PostgreSQL::Test::Utils;
+use Time::HiRes qw(sleep);
+use Test::More;
+
+if ($ENV{with_systemd} ne 'yes')
+{
+ plan skip_all => 'systemd not supported by this build';
+}
+
+# Node initialization
+my $node = PostgreSQL::Test::Cluster->new('socket');
+
+$node->init();
+
+my $port = $node->port;
+my $pgdata = $node->data_dir;
+my $logfile = $node->logfile;
+my $ret;
+my $logstart;
+
+# Starting postgres using systemd-socket-activate
+# -l 127.0.0.1:5432 -l 192.168.100.49:5432
+# -l [2600:1700:31f0:6b7f:5a47:caff:fe73:924f]:5432
+# -l /tmp/.s.PGSQL.5432
+# -l /run/user/1000/.s.PGSQL.5432 $PG_DEV_INST/bin/postgres
+# -D $PGDATA
+# Start postgresql using system
+my $tcp_fd = " -l 127.0.0.1:".$port;
+my $unix_fd = " -l /tmp/.s.PGSQL.".$port;
+my $pg_cmd = " postgres -D ".$pgdata." &>>".$logfile." &";
+my $systemd_cmd = "systemd-socket-activate ".$tcp_fd.$unix_fd.$pg_cmd;
+my $systemd_bad1 = "systemd-socket-activate ".$unix_fd.$tcp_fd.$pg_cmd;
+my $systemd_bad2 = "systemd-socket-activate ".$tcp_fd.$pg_cmd;
+
+# Setup listen_address
+$node->append_conf('postgresql.conf', "listen_addresses = '127.0.0.1'");
+# Setup unix_socket_directory
+$node->append_conf('postgresql.conf', "unix_socket_directories = '/tmp'");
+
+# Start with an empty logfile
+$ret = PostgreSQL::Test::Utils::system_log( "echo ''>".$logfile );
+
+note 'Bad test 1';
+# Test passing FD in wrong order
+$ret = PostgreSQL::Test::Utils::system_log( $systemd_bad1 );
+ok($ret == "0", "systemd-socket-activate started");
+$logstart = -s $node->logfile;
+# psql: error: connection to server at "127.0.0.1", port 5432 failed: FATAL: the database system is starting up
+$node->connect_fails("host=127.0.0.1", "Check for failure due to wrong FD order",
+ expected_stderr => qr/failed: server closed the connection unexpectedly/);
+ok( $node->log_contains(qr/FATAL: Sockets \(0\) passed by systemd is not same type as configured in postgresql.conf/, $logstart),
+ "Check for socket 0 mismtach message");
+
+
+note 'Bad test 2';
+# Only pass TCP FD
+$ret = PostgreSQL::Test::Utils::system_log( $systemd_bad2 );
+ok($ret == "0", "systemd-socket-activate started");
+$logstart = -s $node->logfile;
+# psql: error: connection to server at "127.0.0.1", port 5432 failed: FATAL: the database system is starting up
+$node->connect_fails("host=127.0.0.1", "Check for failure due to wrong FD passed",
+ expected_stderr => qr/failed: server closed the connection unexpectedly/);
+ok( $node->log_contains(qr/FATAL: Sockets passed by systemd \(1\) are less than listen_addresses configured in postgresql.conf/, $logstart),
+ "Check for socket 0 mismtach message");
+
+note 'Good test';
+# This is a good test with all the correct settings
+$ret = PostgreSQL::Test::Utils::system_log( $systemd_cmd );
+ok($ret == "0", "systemd-socket-activate started");
+# psql: error: connection to server at "127.0.0.1", port 5432 failed: FATAL: the database system is starting up
+$node->connect_fails("host=127.0.0.1", "database system is starting up", expected_stderr => qr/FATAL: the database system is starting up/);
+sleep(1);
+$node->connect_ok("host=127.0.0.1", "Connect to IP works");
+$node->connect_ok("host=/tmp", "Connect to unix_sock works");
+$node->stop();
+done_testing();
--
2.48.1
