Awx: Support SSL connections to external PostgreSQL database

Created on 24 Nov 2017 · 2 Comments · Source: ansible/awx

ISSUE TYPE
  • Feature Idea
COMPONENT NAME
  • Installer
SUMMARY

It would be good to support SSL connections to an external PostgreSQL database as available parameters in the installer inventory file. Currently we work around this by changing DATABASES in settings.py, then copying settings.py into the official containers along with our certs and pushing the image back up to our private Docker registry.

We've seen good results so far with the following config:

import os

DATABASES = {
    'default': {
        'ATOMIC_REQUESTS': True,
        'ENGINE': 'django.db.backends.postgresql',
        # Connection parameters are taken from the container environment
        'NAME': os.getenv("DATABASE_NAME", None),
        'USER': os.getenv("DATABASE_USER", None),
        'PASSWORD': os.getenv("DATABASE_PASSWORD", None),
        'HOST': os.getenv("DATABASE_HOST", None),
        'PORT': os.getenv("DATABASE_PORT", None),
        'CONN_MAX_AGE': 60,
        # OPTIONS are passed straight through to psycopg2/libpq
        'OPTIONS': {
            # 'require' forces an encrypted connection; server certificate
            # verification needs 'verify-ca' or 'verify-full' plus a root cert
            'sslmode': 'require',
            # Client-side TCP keepalives, see ADDITIONAL INFORMATION below
            'keepalives_idle': 5,
            'keepalives_interval': 1,
            'keepalives_count': 5,
        },
    },
}

using the following Dockerfile:

FROM ansible/awx_task:1.0.1.223

USER root
# Add the database CA certificate to the system trust store
COPY our_ssl_cert.pem /etc/pki/ca-trust/source/anchors/
# Replace the stock settings with the SSL-enabled DATABASES config above
COPY settings.py /etc/tower/settings.py
RUN update-ca-trust

ENVIRONMENT
  • AWX version: 1.0.1.223
  • AWX install method: docker for mac
  • Ansible version: 2.4.1
  • Operating System: OS X 10.12.6
  • Web Browser: Chrome
STEPS TO REPRODUCE

The following fields (or equivalent) could be available in the inventory file:

# Set pg_hostname if you have an external postgres server, otherwise
# a new postgres service will be created
pg_hostname=postgresql
pg_username=awx
pg_password=awxpass
pg_database=awx
pg_port=5432
sslmode=require
cert_path=<cert_file_name.pem>

For sslmode, an environment variable would be set in settings.py, same as the other fields.

For cert_path, the certificate would be installed during the container image build.

ADDITIONAL INFORMATION

Client side keepalives seem to be necessary for Django/psycopg2 to stay connected correctly. Otherwise after a few hours of running we start to see issues with AWX saving job event data due to dropped connections.

awx.main.commands.run_callback_receiver Database Error Saving Job Event: SSL SYSCALL error: EOF detected

I'm not familiar enough with Django to know whether this should be hardcoded into settings.py or if it should be user-configurable. It's also unclear whether CONN_MAX_AGE is required.

Labels: installer, medium, needs_devel, enhancement
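The post asks for sslmode (and a certificate path) to be plumbed from the inventory file into settings.py the same way the other database fields are. The example below, which is added here and is neither the issue author's code nor part of AWX, shows one way to build the Django DATABASES dict from environment variables while making the libpq TLS semantics explicit: sslmode=require only guarantees encryption, and only verify-ca / verify-full check the server certificate, which libpq reads from sslrootcert (or ~/.postgresql/root.crt), not from the system trust store. The variable names DATABASE_SSLMODE and DATABASE_SSLROOTCERT are assumptions chosen for this example; the AWX installer does not set them.

```python
import os

# libpq sslmode values, weakest to strongest. Only verify-ca and verify-full
# validate the server certificate; "require" only guarantees encryption.
SSLMODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")
VERIFYING_SSLMODES = ("verify-ca", "verify-full")


def build_database_settings(env=None):
    """Build the Django DATABASES dict from environment variables.

    DATABASE_SSLMODE and DATABASE_SSLROOTCERT are hypothetical names used by
    this example only. `env` defaults to os.environ; a plain dict can be
    passed instead for testing.
    """
    if env is None:
        env = os.environ
    sslmode = env.get("DATABASE_SSLMODE", "prefer")
    if sslmode not in SSLMODES:
        raise ValueError("unknown sslmode %r" % sslmode)

    options = {
        "sslmode": sslmode,
        # Client-side TCP keepalives, as in the settings posted in the issue
        "keepalives_idle": 5,
        "keepalives_interval": 1,
        "keepalives_count": 5,
    }
    rootcert = env.get("DATABASE_SSLROOTCERT")
    if rootcert:
        # Path to the CA bundle libpq should verify the server against
        options["sslrootcert"] = rootcert
    elif sslmode in VERIFYING_SSLMODES:
        # Without a root cert libpq would look for ~/.postgresql/root.crt and
        # fail at connect time; surface the misconfiguration at startup instead
        raise ValueError("sslmode=%s needs DATABASE_SSLROOTCERT" % sslmode)

    return {
        "default": {
            "ATOMIC_REQUESTS": True,
            "ENGINE": "django.db.backends.postgresql",
            "NAME": env.get("DATABASE_NAME"),
            "USER": env.get("DATABASE_USER"),
            "PASSWORD": env.get("DATABASE_PASSWORD"),
            "HOST": env.get("DATABASE_HOST"),
            "PORT": env.get("DATABASE_PORT"),
            "CONN_MAX_AGE": 60,
            "OPTIONS": options,
        }
    }


def ssl_warnings(databases):
    """Return human-readable warnings for TLS settings weaker than verify-full."""
    opts = databases["default"]["OPTIONS"]
    mode = opts.get("sslmode", "prefer")
    warnings = []
    if mode in ("disable", "allow", "prefer"):
        warnings.append("sslmode=%s permits a plaintext connection" % mode)
    elif mode == "require":
        warnings.append("sslmode=require encrypts but does not verify the "
                        "server certificate; an on-path attacker can "
                        "impersonate the database")
    elif mode == "verify-ca":
        warnings.append("sslmode=verify-ca checks the issuing CA but not the "
                        "host name; any certificate from that CA is accepted")
    return warnings


if __name__ == "__main__":
    # Constructed sample environment, mirroring the inventory fields proposed
    # in the issue with the strongest libpq mode selected
    sample_env = {
        "DATABASE_NAME": "awx",
        "DATABASE_USER": "awx",
        "DATABASE_PASSWORD": "awxpass",
        "DATABASE_HOST": "postgresql",
        "DATABASE_PORT": "5432",
        "DATABASE_SSLMODE": "verify-full",
        "DATABASE_SSLROOTCERT": "/etc/tower/db-ca.pem",
    }
    for warning in ssl_warnings(build_database_settings(sample_env)):
        print("WARNING:", warning)
```

With sslmode=verify-full and a root cert the check is silent; with the issue's sslmode=require it reports that the server is not authenticated, which is the case that matters when the database is reachable over a public address.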

All 2 comments

+1 this would be really interesting and important in term of security (Like when using RDS through public IP)
