Clean the DB-related bits in the setup scripts

The DB setup is now either handled in the DB container init for what requires superuser permissions or in `mgr-setup`. All other DB setup bits from spacewalk-setup and uyuni-setup-reportdb can now be removed. Writing the DB properties to rhn.conf still has to happen in `spacewalk-setup` due to the way that file is generated by satcon script. This would be a mess to cleanup in a future PR. The DB users are no longer superusers, so uyuni-setup-reportdb-user has to handle the user deletion a bit differently as only the user itself or a superuser can drop the objects it owns.
uyuni-project · Feb 24, 2025 · 50cf303 · 50cf303
1 parent c611bf6
commit 50cf303
Show file tree

Hide file tree

Showing 22 changed files with 158 additions and 1,278 deletions.
diff --git a/containers/doc/rds.sh b/containers/doc/rds.sh
@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Prepare the internal database
+echo "CREATE DATABASE $MANAGER_DB_NAME ENCODING = UTF8 ;" | ( export PGPASSWORD=$EXTERNALDB_ADMIN_PASS; exec psql -h $MANAGER_DB_HOST -U $EXTERNALDB_ADMIN_USER)
+echo "CREATE ROLE $MANAGER_USER PASSWORD '$MANAGER_PASS'  NOCREATEDB NOCREATEROLE INHERIT LOGIN;" | ( export PGPASSWORD=$EXTERNALDB_ADMIN_PASS; exec psql -h $MANAGER_DB_HOST -U $EXTERNALDB_ADMIN_USER)
+echo "GRANT rds_superuser to $MANAGER_USER;" | ( export PGPASSWORD=$EXTERNALDB_ADMIN_PASS; exec psql -h $MANAGER_DB_HOST -U $EXTERNALDB_ADMIN_USER)
+echo "GRANT create on database $MANAGER_DB_NAME to $MANAGER_USER;" | ( export PGPASSWORD=$EXTERNALDB_ADMIN_PASS; exec psql -h $MANAGER_DB_HOST -U $EXTERNALDB_ADMIN_USER)
+
+# Prepare the report database
+echo "CREATE DATABASE $PGNAME ENCODING = UTF8 ;" | ( export PGPASSWORD=$EXTERNALDB_ADMIN_PASS; exec psql -h $HOST -U $EXTERNALDB_ADMIN_USER)
+echo "CREATE EXTENSION IF NOT EXISTS plpgsql;"  | ( export PGPASSWORD=$EXTERNALDB_ADMIN_PASS; exec psql -h $HOST -U $EXTERNALDB_ADMIN_USER -d $PGNAME)
+echo "CREATE ROLE $PGUSER PASSWORD '$PGPASSWORD' NOCREATEDB NOCREATEROLE INHERIT LOGIN;" | ( export PGPASSWORD=$EXTERNALDB_ADMIN_PASS; exec psql -h $HOST -U $EXTERNALDB_ADMIN_USER)
+echo "GRANT rds_superuser to $PGUSER;" | ( export PGPASSWORD=$EXTERNALDB_ADMIN_PASS; exec psql -h $HOST -U $EXTERNALDB_ADMIN_USER)
+echo "GRANT create on database $PGNAME to $PGUSER;" | ( export PGPASSWORD=$EXTERNALDB_ADMIN_PASS; exec psql -h $HOST -U $EXTERNALDB_ADMIN_USER)
diff --git a/containers/server-image/Dockerfile b/containers/server-image/Dockerfile
@@ -20,8 +20,6 @@ RUN echo "rpm.install.excludedocs = yes" >>/etc/zypp/zypp.conf && \
         ${PRODUCT_PATTERN_PREFIX}_retail \
         spacewalk-backend-sql-postgresql \
         spacewalk-java-postgresql \
-        postgresql16-contrib \
-        postgresql16-server \
         postgresql16 \
         billing-data-service \
         grub2-x86_64-efi \

diff --git a/containers/server-image/server-image.changes.cbosdo.postgresql b/containers/server-image/server-image.changes.cbosdo.postgresql
@@ -0,0 +1 @@
+- Move the database to a separate container
diff --git a/python/spacewalk/satellite_tools/spacewalk-debug b/python/spacewalk/satellite_tools/spacewalk-debug
@@ -329,11 +329,6 @@ rpm -qa | sort > $DIR/rpm-manifest-clean
 echo "    * querying schema version, database charactersets and database"
 /usr/bin/rhn-schema-version > $DIR/database-schema-version
 /usr/bin/rhn-charsets > $DIR/database-character-sets
-if [ "$(spacewalk-cfg-get externaldb)" = "0" ] ; then
-    if [ -f /usr/bin/smdba ] ; then
-        /usr/bin/smdba space-overview > $DIR/db-control-report
-    fi
-fi
 
 if [ -f /usr/bin/spacewalk-sql ] ; then
     USERS_TZ_LC_SQL="""

diff --git a/schema/spacewalk/postgres/class/evr_t.sql b/schema/spacewalk/postgres/class/evr_t.sql
diff --git a/schema/spacewalk/spacewalk-sql b/schema/spacewalk/spacewalk-sql
@@ -55,12 +55,6 @@ if ($reportdb) {
         $options{$n} = $options{'report_'.$n} if (defined $options{'report_'.$n});
     }
 }
-if ($options{'externaldb_admin_user'}) {
-        $options{'db_user'} = $options{'externaldb_admin_user'}
-}
-if ($options{'externaldb_admin_password'}) {
-        $options{'db_password'} = $options{'externaldb_admin_password'}
-}
 my @missing;
 for my $n (qw( db_backend db_name db_user db_password )) {
         if (not defined $options{$n}) {

diff --git a/spacewalk/admin/spacewalk-startup-helper b/spacewalk/admin/spacewalk-startup-helper
@@ -114,26 +114,6 @@ check_database() {
     # Check, if the report DB was already setup
     if egrep -m1 "^report_db_host[[:space:]]*=[[:space:]]*[a-zA-Z0-9_-]+" /etc/rhn/rhn.conf; then
         REPORTDB_EXISTS='y'
-    else
-        # Check, if the DB is local and we should setup the reporting DB automated
-	if egrep -m1 "^db_host[[:space:]]*=[[:space:]]*localhost" /etc/rhn/rhn.conf; then
-            # Do not use 'md5' auth anymore, migrate to 'scram-sha-256' if needed
-            db_migrate_md5_to_scram
-
-            # if the main database is local, we setup the report DB automatically
-            /usr/bin/uyuni-setup-reportdb create --db reportdb --user pythia_susemanager --autogenpw \
-                                          --address '*' --remote '0.0.0.0/0,::/0' && {
-                REPORTDB_EXISTS='y'
-            }
-
-            if [ $? -ne 0 ]; then
-                echo "Report Database creation has failed. Please check the logs."
-                exit 1
-            fi
-
-        else
-            logger -p user.notice "Database not local - skipping setup of report database"
-        fi
     fi
 
     if [ $REPORTDB_EXISTS == 'y' ]; then

diff --git a/spacewalk/certs-tools/mgr_ssl_cert_setup.py b/spacewalk/certs-tools/mgr_ssl_cert_setup.py
@@ -558,23 +558,6 @@ def deployApache(apache_cert_content, server_key_content):
     )
 
 
-# pylint: disable-next=invalid-name
-def deployPg(server_key_content):
-    pg_uid, pg_gid = getUidGid("postgres", "postgres")
-    if pg_uid and pg_gid:
-        # deploy only the key with different permissions
-        # the certificate is the same as for apache
-        if os.path.exists(PG_KEY_FILE):
-            os.remove(PG_KEY_FILE)
-        # pylint: disable-next=unspecified-encoding
-        with open(PG_KEY_FILE, "w", encoding="utf-8") as f:
-            f.write(server_key_content)
-        os.chmod(PG_KEY_FILE, int("0600", 8))
-        os.chown(PG_KEY_FILE, pg_uid, pg_gid)
-
-        log("""$> systemctl restart postgresql.service """)
-
-
 # pylint: disable-next=invalid-name
 def deployCAInDB(certData):
     if not os.path.exists("/usr/bin/rhn-ssl-dbstore"):
@@ -716,7 +699,6 @@ def _main():
         sys.exit(1)
 
     deployApache(apache_cert_content, files_content.server_key)
-    deployPg(files_content.server_key)
     deployCAUyuni(certData)
     if not options.skip_db:
         deployCAInDB(certData)

diff --git a/spacewalk/config/var/lib/rhn/rhn-satellite-prep/etc/rhn/rhn.conf b/spacewalk/config/var/lib/rhn/rhn-satellite-prep/etc/rhn/rhn.conf
@@ -36,16 +36,7 @@ report_db_port = @@report_db_port@@
 report_db_ssl_enabled = @@report_db_ssl_enabled@@
 report_db_sslrootcert = @@report_db_sslrootcert@@
 
-externaldb = @@externaldb@@
-externaldb_admin_user = @@externaldb_admin_user@@
-externaldb_admin_password = @@externaldb_admin_password@@
-
-server.nls_lang = @@serverDOTnls_lang@@
-
-hibernate.dialect=@@hibernate_dialect@@
-hibernate.connection.driver_class=@@hibernate_driver@@
-hibernate.connection.driver_proto=@@hibernate_driver_proto@@
-
+server.nls_lang = english.UTF8
 
 web.satellite = 1
 web.satellite_install = @@satellite_install@@
@@ -62,15 +53,15 @@ session_secret_4 = @@session_secret_4@@
 
 server.secret_key = @@server_secret_key@@
 
-encrypted_passwords = @@encrypted_passwords@@
+encrypted_passwords = 1
 
 web.restrict_mail_domains =
 
 # system snapshots enabled
 enable_snapshots = 1
 
 #cobbler host name
-cobbler.host = @@cobblerDOThost@@
+cobbler.host = localhost
 
 # Web UI hostname
 java.hostname = @@javaDOThostname@@