PMM 15014 Upgrade internal PostgreSQL version from 14 to 18#5295
Open
talhabinrizwan wants to merge 7 commits intov3from
Open
PMM 15014 Upgrade internal PostgreSQL version from 14 to 18#5295talhabinrizwan wants to merge 7 commits intov3from
talhabinrizwan wants to merge 7 commits intov3from
Conversation
PostgreSQL 15+ revoked the default CREATE privilege on the public schema from all users. Explicit grants are now required in the build-time Ansible role, the initialization role, and the pg14→pg18 migration script.
PostgreSQL 15+ revoked the default CREATE privilege on the public schema from all users. Add an explicit grant in initWithRoot() after provisioning the database and role.
PostgreSQL 15+ revoked the default CREATE privilege on the public schema from all users. Add ensureSchemaGrant() called unconditionally in SetupDB before migrateDB, covering both fresh installs and existing containers where the role was provisioned without the grant. Also fix a pre-existing bug in initWithRoot where GRANT ALL PRIVILEGES used $1/$2 placeholders, which are not supported for identifiers in PostgreSQL.
Add back the scram-sha-256 authentication option alongside trust in the dev container's pg_hba.conf configuration, preserving the comments explaining the dual-auth setup for convenience in dev environments.
talhabinrizwan
requested review from
JiriCtvrtka and
maxkondr
and removed request for
a team
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## v3 #5295 +/- ##
==========================================
+ Coverage 42.10% 42.13% +0.02%
==========================================
Files 410 410
Lines 41992 41991 -1
==========================================
+ Hits 17682 17694 +12
+ Misses 22525 22512 -13
Partials 1785 1785
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Contributor
|
@talhabinrizwan It still needs some changes in managed to pass tests there properly. |
The Go template for the PostgreSQL supervisord config had an extra -c max_connections=2000 flag that was not present in the original PG14 template and does not match the test fixture (pmm-db_enabled.ini), causing TestSavePMMConfig to fail. Removed to restore parity with prior behavior.
maxkondr
reviewed
Apr 29, 2026
|
|
||
| if ! /usr/pgsql-14/bin/pg_ctl status -D "$POSTGRES_DATA_DIR" > /dev/null 2>&1; then | ||
| /usr/pgsql-14/bin/pg_ctl start -D "$POSTGRES_DATA_DIR" -o "-c logging_collector=off" | ||
| if ! /usr/pgsql-18/bin/pg_ctl status -D "$POSTGRES_DATA_DIR" > /dev/null 2>&1; then |
Contributor
There was a problem hiding this comment.
it is better to extract pg_ctl into global var -> avoid massive path changes in future
| fi | ||
| } | ||
|
|
||
| upgrade_pg14_to_pg18 |
Contributor
There was a problem hiding this comment.
this func uses /srv/.pgpassword file but is called before ensure_postgres_password that creates this file in case it is absent
| // PostgreSQL 15+ revoked the default CREATE privilege on the public schema from PUBLIC, | ||
| // so it must be granted explicitly before migrations can create tables. | ||
| // Skipped for HA mode and when the embedded postgres password file is absent (external PostgreSQL). | ||
| func ensureSchemaGrant(params SetupDBParams) error { |
Contributor
There was a problem hiding this comment.
why is this logic located here but not in docker entrypoint?
| } | ||
|
|
||
| _, err = db.Exec(`GRANT ALL PRIVILEGES ON DATABASE $1 TO $2`, params.Name, params.Username) | ||
| _, err = db.Exec(fmt.Sprintf(`GRANT ALL PRIVILEGES ON DATABASE "%s" TO "%s"`, params.Name, params.Username)) |
Contributor
There was a problem hiding this comment.
No, this is exactly the way to SQL-injections
| } | ||
| defer db.Close() //nolint:errcheck | ||
|
|
||
| _, err = db.Exec(fmt.Sprintf(`GRANT CREATE ON SCHEMA public TO "%s"`, params.Username)) |
Contributor
There was a problem hiding this comment.
Suggested change
| _, err = db.Exec(fmt.Sprintf(`GRANT CREATE ON SCHEMA public TO "%s"`, params.Username)) | |
| _, err = db.Exec(`GRANT CREATE ON SCHEMA public TO $1`, params.Username) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
PMM-15014
Link to the Feature Build: SUBMODULES-4324