-
Notifications
You must be signed in to change notification settings - Fork 109
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gsa.datagov-deploy-postgresql only works the first time in sandbox #1336
Comments
#1336 Currently, this role only works on a new, empty database and then we need to skip this role after that. Let's remove the role until we can rethink and refactor it.
Stepping back, I think we want to simplify this role to only manage one application database and one app user. Managing the permissions gets complicated. For Inventory, which needs to create a datastore read-only user, this really needs to be handled by the application since paster generates the SQL commands. This fits better with cloud.gov, since the application is going to have to create that database user at startup. |
Couldn't we design a script that runs inside the app on startup? This would then be run locally, on staging, on cloud.gov, etc while using environment variables so that we ensure this is working as expected? @adborden |
Yes! You've hit the nail on the head. What we're struggling with here is the line between platform responsibility vs application responsibility. The application is responsible for creating the schema and running migrations while the platform should be responsible for creating a database, creating a user, setting the password, and exposing those details as configuration (environment variables) to the application. We ran into trouble here when we said the read-only datastore user should be created by the platform. But from a technical standpoint, postgresql doesn't support that very well since the read-only-ness is set using table-level permissions and really only CKAN knows about the schemas in order to do that (that's why they have a paster command to generate SQL). So, yes, what should happen is this role should:
Then, as you say, the startup script should run any migrations and set permissions on the datastore user. This should work the same in all environments. We're already doing this on Dashboard. CodeIgniter has this built in at request time (I would prefer startup time, but whatever). One catch on BSP, since CKAN is run via apache2, there's no good place to execute the startup script. This is why we need to separate CKAN into its own process (a startup script that ends with executing a wsgi program). |
There are still issue with db initialization in local tests (for certain ckan extensions). But the issue of db initialization for local catalog testing and all cloud.gov spaces is resolved. There are a lot of references to list for this, but as a start, |
The first apply works fine, but subsequent ones fail with this error. This role is only applied to sandbox environments (we'd like them to run on production in order to rotate creds, but don't want to do that work yet).
Work-around: specify
--skip-tags database
when running in the sandbox to avoid running this role.How to reproduce
ansible-playbook catalog.yml --inventory inventories/ci
Expected behavior
Role applies successfully.
Actual behavior
Role fails.
The text was updated successfully, but these errors were encountered: