Request a Demo
4.1. Installation in Secure Environments
Prev UpChapter 4. Installation and SetupHome Next

4.1. Installation in Secure Environments #

In secure environments, the manager and agent services run on servers under separately created operating system users, not under the superuser. In this case, operating system users must be granted additional privileges so that the manager and agent services can function correctly.

Important

If the agent service is running on behalf of an operating system user lacking the required privileges, consider the following limitations:

  • When creating instances and clusters:

    • The main instance data catalog cannot be created. PPEM uses sudo and requires the privileges to run chmod, chown, initdb, and pg_ctl.

    • Instances cannot be configured. PPEM automatically specifies instance parameters in the postgresql.auto.conf configuration file and requires the privilege to access the main instance data catalog.

  • When restoring instances from backups:

    • The main instance data catalog cannot be restored. PPEM requires the privilege to access the catalog where the main instance data catalog will be created.

    • External catalogs cannot be restored. PPEM requires the privilege to access the catalogs where the external catalogs will be created.

  • The PPEM service cannot be managed and the systemd unit cannot be created. PPEM requires the privilege to access the system path.

When executing the commands provided in this section, consider the following:

  • The Debian Linux operating system commands are specified. For other operating system versions, use their corresponding commands.

  • Standard object names are specified in the commands, for example, ppem for the repository database. If required, you can specify different names.

The installation process includes the following steps:

PPEM will be installed. You can update the browser page with the web application and start working.

Prerequisites

  1. Prepare the servers for installing PPEM according to hardware and software requirements.

    You will need at least one server.

  2. Install a Postgres Pro DBMS instance at least on one of the servers.

    For more information about installation, refer to the official Postgres Pro documentation.

Create Operating System Users

Create separate operating system users on all servers: 

# useradd ppem

The manager and agent services will start under the created operating system users.

Configure the Manager

On the Postgres Pro DBMS instance server:

  1. Install the repository: 

    # wget -O pgpro-repo-add.sh https://repo.postgrespro.ru/ppem/ppem/keys/pgpro-repo-add.sh
# sh pgpro-repo-add.sh

  2. Install the manager: 

    # apt install ppem ppem-gui

    The ppem-manager.yml manager configuration file will be downloaded to your local device.

  3. Create the DBMS user on behalf of which the manager will connect to the repository database: 

    # sudo -u postgres createuser --pwprompt ppem

    In this example, the ppem user is created. This user will be mentioned in other commands in this section.

    When executing this command, specify the DBMS user password.

  4. Create the repository database: 

    # sudo -u postgres createdb -O ppem ppem

  5. Ensure that the DBMS user can connect to the database: 

    # psql -h localhost -U ppem -d ppem

    In case of connection issues, ensure that the HBA rule allowing the DBMS user to connect to the database, as well as the authorization method, are specified in the pg_hba.conf configuration file.

    For more information, refer to the official Postgres Pro documentation on the pg_hba.conf configuration file.

  6. In the ppem-manager.yml manager configuration file:

    • Specify the repository database name using the repo.name parameter: 

      repo:
  name: "ppem"

    • Specify the DBMS user name and password using the repo.user and repo.password parameters: 

      repo:
  user: "ppem"
  password: "DBMS_user_password"

    • Specify the URL for connecting the manager to the repository database using the repo.url parameter: 

      repo:
  url: "postgres://ppem:DBMS_user_password@localhost/ppem"

      For more information about the URL format, refer to the official Postgres Pro documentation on connection strings.

  7. Configure the manager service to start under the created operating system user:

    1. Start editing the systemd unit: 

      # systemctl edit ppem

    2. In the [Service] section, specify the name of the operating system user: 

      [Service]
User=ppem

    3. Ensure that the operating system user is granted the privilege to read the ppem-manager.yml manager configuration file.

      If the privilege is not granted, execute the following commands: 

      # chown ppem:ppem /etc/ppem-manager.yml
# chmod 400 /etc/ppem-manager.yml

    4. Save the systemd unit parameters, then reload it: 

      # systemctl daemon-reload

  8. Start the manager service and add it to the server startup: 

    # systemctl start ppem
# systemctl enable ppem

The web application will be installed on the server.

Configure Agents

On all servers:

  1. Install the agents: 

    # apt install ppem-agent

    The ppem-agent.yml agent configuration file will be downloaded to your local device.

  2. Create the DBMS user on behalf of which the agent will connect to the repository database: 

    # sudo -u postgres createuser --pwprompt ppem_agent

    In this example, the ppem_agent user is created. This user will be mentioned in other commands in this section.

    When executing this command, specify the DBMS user password.

  3. Grant ppem_agent the privilege to read the system catalog and run functions.

    It is recommended to grant the following privileges: 

    GRANT pg_monitor, pg_maintain, pg_signal_backend, pg_read_all_settings TO ppem_agent;

    Grant ppem_agent the following privileges on every database in the instance: 

    GRANT EXECUTE ON FUNCTION pg_catalog.pg_stat_file(TEXT) TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.pg_stat_file(TEXT, BOOLEAN) TO ppem_agent;
GRANT SELECT ON pg_catalog.pg_statistic TO ppem_agent;
GRANT SELECT ON pg_catalog.pg_config TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.pg_config() TO ppem_agent;
GRANT SELECT ON pg_catalog.pg_file_settings TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.pg_show_all_file_settings() TO ppem_agent;
GRANT SELECT ON pg_catalog.pg_authid TO ppem_agent;

    Grant ppem_agent the following privileges to manage backups: 

    ALTER ROLE ppem_agent WITH REPLICATION;

GRANT USAGE ON SCHEMA pg_catalog TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.current_setting(text) TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.set_config(text, text, boolean) TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.pg_is_in_recovery() TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.pg_backup_start(text, boolean) TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.pg_backup_stop(boolean) TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.pg_create_restore_point(text) TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.pg_switch_wal() TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.pg_last_wal_replay_lsn() TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.txid_current() TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.txid_current_snapshot() TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.txid_snapshot_xmax(txid_snapshot) TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.pg_control_checkpoint() TO ppem_agent;

    You can grant privileges only for the database that will be used for connecting the user to the instance.

    For more information about privileges, refer to the official Postgres Pro documentation on pg_probackup.

  4. Ensure that the DBMS user can connect to the repository database: 

    # psql -h localhost -U ppem_agent -d ppem

    In case of connection issues, ensure that the HBA rule allowing the DBMS user to connect to the database, as well as the authorization method, are specified in the pg_hba.conf configuration file.

    For more information, refer to the official Postgres Pro documentation on the pg_hba.conf configuration file.

  5. Get an API key for configuring the agent:

    1. Log in to the web application.

    2. Copy the API key from the displayed agent installation instruction and save this key.

  6. In the ppem-agent.yml agent configuration file, specify the agent parameters: 

    agent:
  name: "agent_name"
  manager:
    url: "URL_for_connecting_to_manager"
    api_key: "API_key_for_connecting_to_manager"
instance:
  connection_defaults:
    user: "DBMS_username"
    password: "DBMS_user_password"
http:
  server:
    address: "network_address_for_incoming_connections"
    port: "port_for_incoming_connections"

    Where:

    • agent.name: The unique agent name.

    • agent.manager.url: The URL for connecting the agent to the manager in the scheme://manager_network_address/path_to_API_version format.

    • agent.manager.api_key: The previously obtained API key for connecting the agent to the manager.

    • agent.instance.connection_defaults.user and agent.instance.connection_defaults.password: The DBMS user name and password.

    • http.server.address and http.server.port: The network address of the server and the port number for incoming network connections.

      To enable listening of all network addresses and ports, do not specify any values for these parameters.

  7. Grant the created operating system user the superuser privileges to work with target directories using the chown and chmod commands.

    Running, stopping, and reloading instances also require the operating system user to have the following privileges: 

    Cmnd_Alias PG_SYS = \
  /usr/bin/systemctl status postgresql*.service, \
  /usr/bin/systemctl stop postgresql*.service, \
  /usr/bin/systemctl start postgresql*.service, \
  /usr/bin/systemctl restart postgresql*.service, \
  /usr/bin/systemctl reload postgresql*.service

Cmnd_Alias PG_CTL = \
  /usr/lib/postgresql/17/bin/pg_ctl, \
  /usr/lib/postgresql/16/bin/pg_ctl

ppem ALL = (root) NOPASSWD: PG_SYS
ppem ALL = (postgres) NOPASSWD: PG_CTL

  8. Configure the agent service to start on behalf of the operating system user:

    1. Start editing the systemd unit: 

      # systemctl edit ppem-agent

    2. In the [Service] section, specify the operating system user: 

      [Service]
User=ppem

    3. Ensure that the operating system user is granted the privilege to read the ppem-agent.yml agent configuration file.

      If the privilege is not granted: 

      # chown ppem:ppem /etc/ppem-agent.yml
# chmod 400 /etc/ppem-agent.yml

    4. Save the systemd unit parameters, then reload it: 

      # systemctl daemon-reload

  9. Start the agent service and add it to the server startup: 

    # systemctl start ppem-agent
# systemctl enable ppem-agent
Prev Up Next
Chapter 4. Installation and Setup Home 4.2. Installation in the High Availability Mode
epub pdf