3

I am trying to set up a pgpool server on Ubuntu Server, following this link: pgpool-II Tutorial [Watchdog].

But when I try to start the pgpool service, the delegated IP doesn't start.

I looked in the syslog log file and found errors like this.

    Oct 25 08:46:25 pgpool-1 pgpool[1647]: [8-2] 2017-10-25 08:46:25: pid 1647: DETAIL:  Host:"172.16.0.42" WD Port:9000 pgpool-II port:5432 
    Oct 25 08:46:25 pgpool-1 pgpool: SIOCSIFADDR: Operation not permitted
    Oct 25 08:46:25 pgpool-1 pgpool: SIOCSIFFLAGS: Operation not permitted
    Oct 25 08:46:25 pgpool-1 pgpool: SIOCSIFNETMASK: Operation not permitted
    Oct 25 08:46:25 pgpool-1 pgpool[1648]: [18-1] 2017-10-25 08:46:25: pid 1648: LOG:  failed to acquire the delegate IP address
    Oct 25 08:46:25 pgpool-1 pgpool[1648]: [18-2] 2017-10-25 08:46:25: pid 1648: DETAIL:  'if_up_cmd' failed
    Oct 25 08:46:25 pgpool-1 pgpool[1648]: [19-1] 2017-10-25 08:46:25: pid 1648: WARNING:  watchdog escalation failed to acquire delegate IP

I use Ubuntu 14.04 with pgpool2 version 3.6.6-1, and watchdog version 5.31-1.

And I have configured the virtual IP settings in pgpool.conf like this.

    # - Virtual IP control Setting -
    delegate_IP = '172.16.0.201'
    if_cmd_path = '/sbin'
    if_up_cmd = 'ifconfig eth0:0 inet $_IP_$ netmask 255.255.0.0'
    if_down_cmd = 'ifconfig eth0:0 down'
    arping_path = '/usr/sbin'
    arping_cmd = 'arping -U $_IP_$ -w 1'

Any suggestion for this? Thank you for any help.

Farhan Yaseen

3 Answers

0

Looks like the user that runs it doesn't have permission to use ifconfig. Did you follow these steps from the tutorial?

setuid configuration

In the watchdog process, root privilege is required to control the virtual IP. You could start pgpool-II as the root user. However, in this tutorial, Apache needs to start pgpool as the apache user and control the virtual IP because we are using pgpoolAdmin. For this purpose, we setuid if_config and arping. Also, we don't want any user other than apache to access the commands, for security reasons. Execute the following commands on each of osspc19 and osspc20 (this requires root privilege).

First, make a directory to contain the setuid copies of ifconfig and arping. The path is specified at ifconfig_path and arping_path; in this tutorial, this is /home/apache/sbin. Then give execute privilege to only the apache user.

    $ su -
    # mkdir -p /home/apache/sbin
    # chown apache:apache /home/apache/sbin
    # chmod 700 /home/apache/sbin

Next, copy the original ifconfig and arping to the directory and then set setuid on them.

    # cp /sbin/ifconfig /home/apache/sbin
    # cp /usr/sbin/arping /home/apache/sbin
    # chmod 4755 /home/apache/sbin/ifconfig
    # chmod 4755 /home/apache/sbin/arping

Note that what is explained above should be used for tutorial purposes only. In the real world you'd better create setuid wrapper programs to execute ifconfig and arping. This is left for your exercise.

Łukasz Kamiński
0

(Note: this answer may help in case you run Pgpool-II servers with Watchdog in Docker containers)

I tried to set up Pgpool-II servers with Watchdog in Docker containers today, and I got almost the same error (though I did set the SUID bit and even tried running Pgpool-II as the root user):

    SIOCSIFADDR: Operation not permitted
    SIOCSIFFLAGS: Operation not permitted
    SIOCSIFNETMASK: Operation not permitted
    pid 88: LOG:  failed to acquire the delegate IP address
    pid 88: DETAIL:  'if_up_cmd' failed
    pid 88: WARNING:  watchdog escalation failed to acquire delegate IP

Later I found that it was because the container did not have the privilege to change its network configuration, by default and by design.

I then ran my Pgpool-II Docker containers in the privileged mode as shown below:

    pgpool1:
        privileged: true
        image: postdock/pgpool:latest-pgpool36
        ...

The error is gone and the virtual IP is set up correctly.

Yuci
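A check for the capability behind these errors, added here as an example and not part of the answer above: the interface ioctls need CAP_NET_ADMIN, which `privileged: true` grants together with every other capability, while the Compose setting `cap_add: [NET_ADMIN]` grants only that one. The function names are hypothetical and the sample masks are constructed (a set without bit 12 as in Docker's default, the same set with NET_ADMIN added, and a full set).

```shell
#!/bin/sh
# Added example: test a Linux capability mask for CAP_NET_ADMIN, the
# capability the kernel checks before SIOCSIFADDR/SIOCSIFFLAGS/SIOCSIFNETMASK.
CAP_NET_ADMIN=12    # capability number from <linux/capability.h>

# has_net_admin HEXMASK -> 0 if bit 12 is set, 1 if clear, 2 if not a hex mask
has_net_admin() {
    case $1 in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ ${#1} -le 16 ] || return 2
    [ $(( (0x$1 >> CAP_NET_ADMIN) & 1 )) -eq 1 ]
}

# effective_caps [PID] -> print the CapEff mask of a process (default: this shell)
effective_caps() {
    awk '/^CapEff:/ { print $2 }' "/proc/${1:-$$}/status"
}

# describe HEXMASK -> one-line verdict for a mask
describe() {
    if has_net_admin "$1"; then
        echo "CAP_NET_ADMIN present"
    else
        echo "CAP_NET_ADMIN missing: SIOCSIFADDR will fail with EPERM"
    fi
}

# Sample masks (constructed for this example).
for sample in 00000000a80425fb 00000000a80435fb 0000003fffffffff; do
    printf '%s  %s\n' "$sample" "$(describe "$sample")"
done
# On a real host or container: describe "$(effective_caps)"
```
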
0

My problem is solved by the following method.

Make a directory to contain ipconfig and arping. Then give execute privilege only to the non-root user.

    $ mkdir /var/lib/pgsql/sbin
    $ chown postgres:postgres /var/lib/pgsql/sbin
    $ cp /sbin/ip /var/lib/pgsql/sbin
    $ cp /sbin/arping /var/lib/pgsql/sbin

Run visudo, which safely edits the sudoers file:

    $ visudo

Then add an entry like this in sudoers file:

    postgres ALL = NOPASSWD: /var/lib/pgsql/sbin/ip *, /var/lib/pgsql/sbin/arping *

Next, create bash files (ipadd.sh, ipdel.sh, arping.sh) to run the ip and arping commands with sudo.

    $ cat /var/lib/pgsql/sbin/ipadd.sh
    #!/bin/bash
    sudo /var/lib/pgsql/sbin/ip addr add "$1"/24 dev eth1 label eth1:0

    $ cat /var/lib/pgsql/sbin/ipdel.sh
    #!/bin/bash
    sudo /var/lib/pgsql/sbin/ip addr del "$1"/24 dev eth1

    $ cat /var/lib/pgsql/sbin/arping.sh
    #!/bin/bash
    sudo /var/lib/pgsql/sbin/arping -U "$1" -w 1 -I eth1

    $ chmod 755 /var/lib/pgsql/sbin/*
    $ chown postgres:postgres /var/lib/pgsql/sbin/*

Add an entry like this in pgpool.conf:

    delegate_IP = '10.10.10.62'
    if_up_cmd = 'ipadd.sh $_IP_$'
    if_down_cmd = 'ipdel.sh $_IP_$'
    arping_cmd = 'arping.sh $_IP_$'
    if_cmd_path = '/var/lib/pgsql/sbin'
    arping_path = '/var/lib/pgsql/sbin'

Then restart the pgpool service. Ignore the warnings that you see, as follows.

    WARNING: checking setuid bit of if_up_cmd
    DETAIL: ifup[/var/lib/pgsql/sbin/ipadd.sh] doesn't have setuid bit
    WARNING: checking setuid bit of if_down_cmd
    DETAIL: ifdown[/var/lib/pgsql/sbin/ipdel.sh] doesn't have setuid bit
    WARNING: checking setuid bit of arping command
    DETAIL: arping[/var/lib/pgsql/sbin/arping.sh] doesn't have setuid bit

Stop and check one of your two pgpool services.

onder
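A narrower take on the wrapper idea, covering both the tutorial's "create wrapper programs" note and the sudo approach above; this is an added example, not code from any of the answers. It assumes a single root-owned helper at the hypothetical path /usr/local/sbin/pgpool-vip as the only sudoers target, so postgres cannot run arbitrary `ip` subcommands or replace the file that runs as root; interface, prefix and address are the values from the answer.

```shell
#!/bin/sh
# Added example: one root-owned helper for pgpool's if_up_cmd / if_down_cmd.
# Assumed install: /usr/local/sbin/pgpool-vip (hypothetical), root:root, 0755,
# sudoers: postgres ALL = NOPASSWD: /usr/local/sbin/pgpool-vip
VIP='10.10.10.62'   # delegate_IP from pgpool.conf
PREFIX=24
DEV='eth1'

# valid_ipv4 ADDR -> 0 only for a dotted quad with every octet in 0..255
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds only digits and dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# vip_command ACTION ADDR -> print the exact ip(8) command line, or fail
vip_command() {
    valid_ipv4 "$2" || { echo "rejected: not an IPv4 address" >&2; return 1; }
    [ "$2" = "$VIP" ] || { echo "rejected: not the delegate IP" >&2; return 1; }
    case $1 in
        up)   echo "/sbin/ip addr add $2/$PREFIX dev $DEV label $DEV:0" ;;
        down) echo "/sbin/ip addr del $2/$PREFIX dev $DEV" ;;
        *)    echo "rejected: action must be up or down" >&2; return 1 ;;
    esac
}

# Entry point: act only when called with arguments, as sudo would call it.
if [ $# -gt 0 ]; then
    cmd=$(vip_command "$1" "$2") || exit 1
    exec $cmd            # safe to split: every word was validated above
fi
```

With this helper in place, ipadd.sh and ipdel.sh would call `sudo /usr/local/sbin/pgpool-vip up "$1"` and `sudo /usr/local/sbin/pgpool-vip down "$1"` instead of invoking `ip` directly.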