Update postgres

packer/files/haproxy-http.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+<short>HAProxy-HTTP</short>
+<description>HAProxy load-balancer</description>
+<port protocol="tcp" port="80"/>
+</service>

packer/files/haproxy-https.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="utf-8"?>
+<service>
+<short>HAProxy-HTTPS</short>
+<description>HAProxy load-balancer</description>
+<port protocol="tcp" port="443"/>
+</service>

packer/files/postgres.service

@@ -0,0 +1,21 @@
+Documentation=man:postgres(1)
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=notify
+User=postgres
+
+# Disable OOM kill
+OOMScoreAdjust=-1000
+Environment=PG_OOM_ADJUST_FILE=/proc/self/oom_score_adj
+Environment=PG_OOM_ADJUST_VALUE=0
+
+ExecStart=/usr/local/pgsql/bin/postgres -D /var/lib/pgsql/data
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=mixed
+KillSignal=SIGINT
+TimeoutSec=infinity
+
+[Install]
+WantedBy=multi-user.target

packer/files/relabel_ndb.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Relabel system
+sudo restorecon -Rv /
+# Reconfigure selinux to enforce mode for reboots
+sudo sed -i 's/^SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config
+# Immediately reenable selinux enforce mode
+sudo setenforce 1

packer/postgres/postgres.pkr.hcl

@@ -69,14 +69,18 @@ build {
     timeout           = "20m"
   }
 
+  provisioner "file" {
+    source      = "../files"
+    destination = "/tmp"
+  }
+
   provisioner "shell" {
+    execute_command = "chmod +x {{ .Path }}; sudo {{ .Vars }} {{ .Path }}"
     environment_vars = [
       "POSTGRES_VERSION=${var.postgres_version}",
       "POSTGIS_VERSION=${var.postgis_version}"
     ]
-    execute_command = "chmod +x {{ .Path }}; sudo {{ .Vars }} {{ .Path }}"
     script          = "../scripts/postgres-install.sh"
-    timeout         = "15m"
   }
 
   provisioner "shell" {

packer/postgres/variables.pkr.hcl

@@ -17,13 +17,13 @@ variable "base_image_name" {
 variable "postgres_version" {
   type        = string
   description = "Postgres major version to install on the Image"
-  default     = "14"
+  default     = "15.8"
 }
 
 variable "postgis_version" {
   type        = string
   description = "Postgis version to install"
-  default     = "postgis33_14"
+  default     = "3.5.0"
 }
 
 variable "image_delete" {

packer/scripts/install-deps.sh

@@ -2,7 +2,7 @@
 set -e
 
 # Install dependencies and cli tools needed by other packer scripts and NDB service
-dnf update -y && yum upgrade -y
+dnf update -y
 dnf install -y ansible unzip iptables nftables wget lvm2* zip lsof rsync network-scripts
 
 # Ensure that ansible collections needed are installed 

packer/scripts/os-stig.sh

@@ -10,3 +10,10 @@ unzip *-ansible.zip
 TASKS_FILE=$( find roles/*/tasks -name main.yml -type f )
 sed -i '/notify: do_reboot/d' $TASKS_FILE
 chmod +x enforce.sh && ./enforce.sh
+
+# FIPS hosts can't use ed25519 keys, so comment out the hostkey from the sshd_config
+sed -i 's|^HostKey /etc/ssh/ssh_host_ed25519_key|#HostKey /etc/ssh/ssh_host_ed25519_key|' /etc/ssh/sshd_config
+
+# User password setting changes. Accounts are used to access VMs with SSH using ssh keys, but expired passwords prevent SSH from working even with ssh-keys so passwords shouldn't expire
+sed -i 's/^PASS_MAX_DAYS [0-9]\+/PASS_MAX_DAYS -1/' /etc/login.defs
+sed -i 's/^PASS_MIN_DAYS [0-9]\+/PASS_MIN_DAYS 0/' /etc/login.defs

packer/scripts/postgres-install.sh

@@ -1,12 +1,90 @@
 #!/bin/bash
 set -e
 
-wget https://apt.postgresql.org/pub/repos/yum/keys/PGDG-RPM-GPG-KEY-RHEL
-sudo rpm --import PGDG-RPM-GPG-KEY-RHEL
-sudo dnf install -y https://download.postgresql.org/pub/repos/yum/reporpms/EL-8-x86_64/pgdg-redhat-repo-latest.noarch.rpm
-sudo dnf -qy module disable postgresql
-sudo dnf install -y postgresql${POSTGRES_VERSION}-server
-sudo rpm --import http://download.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8
-sudo dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
-sudo subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms
-sudo dnf install -y ${POSTGIS_VERSION}
+export PATH=$PATH:/usr/local/bin
+subscription-manager repos --enable codeready-builder-for-rhel-8-$(arch)-rpms
+rpm --import https://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL-8
+dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
+dnf groupinstall -y "Development Tools"
+dnf install -y zlib-devel readline-devel libicu-devel systemd-devel cmake libxml2-devel proj-devel gdal-devel protobuf-devel protobuf-c-devel json-c-devel
+
+dnf -qy module disable postgresql
+
+wget https://ftp.postgresql.org/pub/source/v${POSTGRES_VERSION}/postgresql-${POSTGRES_VERSION}.tar.bz2
+
+tar -xvf postgresql-${POSTGRES_VERSION}.tar.bz2
+cd postgresql-${POSTGRES_VERSION}/
+ls -l
+
+./configure --with-systemd
+make
+make install
+useradd postgres
+useradd etcd
+echo 'export PATH=$PATH:/usr/local/bin:/usr/local/pgsql/bin' >> /home/postgres/.bashrc
+cd
+
+# Install postgis
+## Install GEOS from source
+wget https://download.osgeo.org/geos/geos-3.13.0.tar.bz2
+# Unpack and setup build directory
+tar xvfj geos-3.13.0.tar.bz2
+cd geos-3.13.0
+mkdir _build
+cd _build
+# Set up the build
+cmake \
+    -DCMAKE_BUILD_TYPE=Release \
+    -DCMAKE_INSTALL_PREFIX=/usr/local \
+    ..
+# Run the build, test, install
+make
+make install
+cd
+
+## Install postgis from source
+wget https://postgis.net/stuff/postgis-${POSTGIS_VERSION}.tar.gz
+tar -xvzf postgis-${POSTGIS_VERSION}.tar.gz
+cd postgis-${POSTGIS_VERSION}
+./configure --with-pgconfig=/usr/local/pgsql/bin/pg_config
+make
+make install
+cd
+
+# Install HA postgres deps
+
+dnf install -y  python3-devel python3-psycopg2 haproxy keepalived
+wget https://github.com/etcd-io/etcd/releases/download/v3.5.16/etcd-v3.5.16-linux-amd64.tar.gz
+tar xzvf etcd-v3.5.16-linux-amd64.tar.gz
+cp etcd-v3.5.16-linux-amd64/etcd* /usr/bin/.
+
+sudo pip3 install --force-reinstall cdiff
+sudo pip3 install --force-reinstall -v "patroni[etcd]==3.2.2"
+
+mkdir /var/lib/etcd
+chown etcd:etcd /var/lib/etcd/
+
+# Move files
+
+# Copy the postgres systemd service into the correct location for NDB
+cp /tmp/files/postgres.service /etc/systemd/system/era_postgres.service
+cp /tmp/files/haproxy* /etc/firewalld/services/.
+cd /etc/firewalld/services
+restorecon haproxy-http.xml
+restorecon haproxy-https.xml
+chmod 640 haproxy*
+
+# Copy relabel script into permanent location to resolve issues with NDB not setting SELinux labels properly after copying files onto a new DB from a profile
+cp /tmp/files/relabel_ndb.sh /usr/local/bin/.
+chmod +x /usr/local/bin/relabel_ndb.sh
+
+# Set up watchdog
+modprobe softdog
+chown postgres /dev/watchdog
+
+# Turn off pwquality enforcement. NDB can have issues creating new DBs from a profile caused by not being able to update the NDB user password
+echo "enforcing = 0" >> /etc/security/pwquality.conf
+
+# Set SELinux to permissive mode which is required in some cases to get NDB to properly create a new DB from a profile. The relabel_ndb.sh should be called in the NDB post_create_script to relabel the machine and turn SELinux enforcement back on
+sudo sed -i 's/^SELINUX=enforcing/SELINUX=permissive/' /etc/selinux/config
+sudo setenforce 0