Unable to connect to Postgresql
When I attempt to run any web application php cannot open a database
because of failure to connect. (Please disregard the programme name, it is
running in mod_php, not as an fcgi module). The (php) message is:
--------------------------
[Fri Apr 07 17:03:28.597101 2017] [php7:warn] [pid 1797:tid
140599445419776] [client 192.168.1.10:45127] PHP Warning: pg_connect():
Unable to connect to PostgreSQL server: could not connect to server: No
such file or directory\n\tIs the server running locally and
accepting\n\tconnections on Unix domain socket
"/tmp/.s.PGSQL.5432"? in /httpd/iliffe/testfcgi.php on line 121
----------------------------
The proper socket does exist:
-------------------------------------
ls -al /tmp | grep PGSQL
srwxrwxrwx. 1 postgres postgres 0 Apr 7 16:53 .s.PGSQL.5432
-rw-------. 1 postgres postgres 49 Apr 7 16:53 .s.PGSQL.5432.lock
ss -a | grep 5432
u_str LISTEN 0 128 /tmp/.s.PGSQL.5432 30480 * 0
-------------------------------------
Running on Fedora 25 with SELinux in PERMISSIVE mode. The audit log shows
no hits on Postgresql.
Postgresql version number is 9.6.2
As expected, the postgresql log shows nothing since the last start up.
Thanks in advance.
John
=====================================
--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
On 04/07/2017 02:38 PM, John Iliffe wrote:
When I attempt to run any web application php cannot open a database
because of failure to connect. (Please disregard the programme name, it is
running in mod_php, not as an fcgi module). The (php) message is:
--------------------------
[Fri Apr 07 17:03:28.597101 2017] [php7:warn] [pid 1797:tid
140599445419776] [client 192.168.1.10:45127] PHP Warning: pg_connect():
Unable to connect to PostgreSQL server: could not connect to server: No
such file or directory\n\tIs the server running locally and
accepting\n\tconnections on Unix domain socket
"/tmp/.s.PGSQL.5432"? in /httpd/iliffe/testfcgi.php on line 121
----------------------------
The proper socket does exist:
-------------------------------------
ls -al /tmp | grep PGSQL
srwxrwxrwx. 1 postgres postgres 0 Apr 7 16:53 .s.PGSQL.5432
-rw-------. 1 postgres postgres 49 Apr 7 16:53 .s.PGSQL.5432.lock
ss -a | grep 5432
u_str LISTEN 0 128 /tmp/.s.PGSQL.5432 30480 * 0
-------------------------------------
Running on Fedora 25 with SELinux in PERMISSIVE mode. The audit log shows
no hits on Postgresql.
Postgresql version number is 9.6.2
As expected, the postgresql log shows nothing since the last start up.
Well the last time this happened the answer was this:
/messages/by-id/25543.1489081789@sss.pgh.pa.us
Thanks in advance.
John
=====================================
--
Adrian Klaver
adrian.klaver@aklaver.com
On 04/07/2017 02:38 PM, John Iliffe wrote:
When I attempt to run any web application php cannot open a database
because of failure to connect. (Please disregard the programme name, it is
running in mod_php, not as an fcgi module). The (php) message is:
--------------------------
[Fri Apr 07 17:03:28.597101 2017] [php7:warn] [pid 1797:tid
140599445419776] [client 192.168.1.10:45127] PHP Warning: pg_connect():
Unable to connect to PostgreSQL server: could not connect to server: No
such file or directory\n\tIs the server running locally and
accepting\n\tconnections on Unix domain socket
"/tmp/.s.PGSQL.5432"? in /httpd/iliffe/testfcgi.php on line 121
----------------------------
The proper socket does exist:
-------------------------------------
ls -al /tmp | grep PGSQL
srwxrwxrwx. 1 postgres postgres 0 Apr 7 16:53 .s.PGSQL.5432
-rw-------. 1 postgres postgres 49 Apr 7 16:53 .s.PGSQL.5432.lock
ss -a | grep 5432
u_str LISTEN 0 128 /tmp/.s.PGSQL.5432 30480 * 0
-------------------------------------
Running on Fedora 25 with SELinux in PERMISSIVE mode. The audit log shows
no hits on Postgresql.
Postgresql version number is 9.6.2
As expected, the postgresql log shows nothing since the last start up.
Meant to add to previous post:
What happens if you try to connect to the database using psql?
Thanks in advance.
John
=====================================
--
Adrian Klaver
adrian.klaver@aklaver.com
On 04/07/2017 04:57 PM, John Iliffe wrote:
Hi Adrian:
Not the same problem.
Last time I couldn't get postgresql running at all. This time it is
running and I can't connect to it. I did check for something else holding
the socket, but as far as I can see nothing else has it.
So when was the last time you could connect and has anything of note
happened since then?
Regards,
John
===================================
On Friday 07 April 2017 18:51:33 Adrian Klaver wrote:
On 04/07/2017 02:38 PM, John Iliffe wrote:
When I attempt to run any web application php cannot open a database
because of failure to connect. (Please disregard the programme name,
it is running in mod_php, not as an fcgi module). The (php) message
is:
--------------------------
[Fri Apr 07 17:03:28.597101 2017] [php7:warn] [pid 1797:tid
140599445419776] [client 192.168.1.10:45127] PHP Warning:
pg_connect(): Unable to connect to PostgreSQL server: could not
connect to server: No such file or directory\n\tIs the server running
locally and
accepting\n\tconnections on Unix domain socket
"/tmp/.s.PGSQL.5432"? in /httpd/iliffe/testfcgi.php on line 121
----------------------------
The proper socket does exist:
-------------------------------------
ls -al /tmp | grep PGSQL
srwxrwxrwx. 1 postgres postgres 0 Apr 7 16:53 .s.PGSQL.5432
-rw-------. 1 postgres postgres 49 Apr 7 16:53 .s.PGSQL.5432.lock
ss -a | grep 5432
u_str LISTEN 0 128 /tmp/.s.PGSQL.5432 30480 * 0
-------------------------------------
Running on Fedora 25 with SELinux in PERMISSIVE mode. The audit log
shows no hits on Postgresql.
Postgresql version number is 9.6.2
As expected, the postgresql log shows nothing since the last start up.
Well the last time this happened the answer was this:
/messages/by-id/25543.1489081789@sss.pgh.pa.us
Thanks in advance.
John
=====================================
--
Adrian Klaver
adrian.klaver@aklaver.com
Hi Adrian:
Not the same problem.
Last time I couldn't get postgresql running at all. This time it is
running and I can't connect to it. I did check for something else holding
the socket, but as far as I can see nothing else has it.
Regards,
John
===================================
On Friday 07 April 2017 18:51:33 Adrian Klaver wrote:
On 04/07/2017 02:38 PM, John Iliffe wrote:
When I attempt to run any web application php cannot open a database
because of failure to connect. (Please disregard the programme name,
it is running in mod_php, not as an fcgi module). The (php) message
is:
--------------------------
[Fri Apr 07 17:03:28.597101 2017] [php7:warn] [pid 1797:tid
140599445419776] [client 192.168.1.10:45127] PHP Warning:
pg_connect(): Unable to connect to PostgreSQL server: could not
connect to server: No such file or directory\n\tIs the server running
locally and
accepting\n\tconnections on Unix domain socket
"/tmp/.s.PGSQL.5432"? in /httpd/iliffe/testfcgi.php on line 121
----------------------------
The proper socket does exist:
-------------------------------------
ls -al /tmp | grep PGSQL
srwxrwxrwx. 1 postgres postgres 0 Apr 7 16:53 .s.PGSQL.5432
-rw-------. 1 postgres postgres 49 Apr 7 16:53 .s.PGSQL.5432.lock
ss -a | grep 5432
u_str LISTEN 0 128 /tmp/.s.PGSQL.5432 30480 * 0
-------------------------------------
Running on Fedora 25 with SELinux in PERMISSIVE mode. The audit log
shows no hits on Postgresql.
Postgresql version number is 9.6.2
As expected, the postgresql log shows nothing since the last start up.
Well the last time this happened the answer was this:
/messages/by-id/25543.1489081789@sss.pgh.pa.us
Thanks in advance.
John
=====================================
On 04/07/2017 05:03 PM, John Iliffe wrote:
Please reply to list also
Ccing list.
On Friday 07 April 2017 18:58:15 you wrote:
On 04/07/2017 02:38 PM, John Iliffe wrote:
When I attempt to run any web application php cannot open a database
because of failure to connect. (Please disregard the programme name,
it is running in mod_php, not as an fcgi module). The (php) message
is:
--------------------------
[Fri Apr 07 17:03:28.597101 2017] [php7:warn] [pid 1797:tid
140599445419776] [client 192.168.1.10:45127] PHP Warning:
pg_connect(): Unable to connect to PostgreSQL server: could not
connect to server: No such file or directory\n\tIs the server running
locally and
accepting\n\tconnections on Unix domain socket
"/tmp/.s.PGSQL.5432"? in /httpd/iliffe/testfcgi.php on line 121
----------------------------
The proper socket does exist:
-------------------------------------
ls -al /tmp | grep PGSQL
srwxrwxrwx. 1 postgres postgres 0 Apr 7 16:53 .s.PGSQL.5432
-rw-------. 1 postgres postgres 49 Apr 7 16:53 .s.PGSQL.5432.lock
ss -a | grep 5432
u_str LISTEN 0 128 /tmp/.s.PGSQL.5432 30480 * 0
-------------------------------------
Running on Fedora 25 with SELinux in PERMISSIVE mode. The audit log
shows no hits on Postgresql.
Postgresql version number is 9.6.2
As expected, the postgresql log shows nothing since the last start up.
Meant to add to previous post:
What happens if you try to connect to the database using psql?
Works just as I would expect.
In fact, I was able to load one of the databases from the pg_dump
backup using pg_restore without any problems either, and I checked the
results by running some in-stream transactions in psql. Everything went
fine at that point, until I tried to start Apache and couldn't connect.
To be precise PHP could not connect, correct?
My going in position was/still is, that this is a SELinux security problem
but I am finding SELinux to be the most opaque and badly documented software
that I have ever had to deal with, which is why it is running in permissive
mode at the moment.
Well what I know about SELinux would fit in the navel of a flea(tip of
the hat to David Niven), so I can not be of much help there. The reason
I am returned this thread to the list, there are folks that do
understand it.
Regards,
John
Thanks in advance.
John
=====================================
--
Adrian Klaver
adrian.klaver@aklaver.com
On 04/07/2017 05:10 PM, John Iliffe wrote:
Actually Ccing list this time
On Friday 07 April 2017 19:51:57 you wrote:
On 04/07/2017 04:57 PM, John Iliffe wrote:
Hi Adrian:
Well, it ain't that simple! I am trying to take advantage of having a new
server that doesn't have to be in production until month end to update
everything to the latest and greatest. Everything runs properly on the
existing server which is on Postgresql 9.2.1, using mod_php to connect.
Changes that I have made are: update Postgresql, PHP, and Apache, change
to fcgi from mod_php (which should not get involved here, but I backed out
that change and still doesn't work) and the addition of SELinux for
security (none on present server).
Aah, so a lot changed.
Do you have a way of trying to connect using PHP that does not involve
going through Apache?
Also, using the on board firewall (firewalld) to provide a secondary domain
where the actual business processes run.
So, I guess the answer is that the current arrangement has never run
correctly.
Regards,
John
--
Adrian Klaver
adrian.klaver@aklaver.com
On Friday 07 April 2017 20:35:40 Adrian Klaver wrote:
On 04/07/2017 05:03 PM, John Iliffe wrote:
Please reply to list also
Yes, sorry about that.
Ccing list.
On Friday 07 April 2017 18:58:15 you wrote:
On 04/07/2017 02:38 PM, John Iliffe wrote:
When I attempt to run any web application php cannot open a database
because of failure to connect. (Please disregard the programme
name, it is running in mod_php, not as an fcgi module). The (php)
message is:
--------------------------
[Fri Apr 07 17:03:28.597101 2017] [php7:warn] [pid 1797:tid
140599445419776] [client 192.168.1.10:45127] PHP Warning:
pg_connect(): Unable to connect to PostgreSQL server: could not
connect to server: No such file or directory\n\tIs the server
running locally and
accepting\n\tconnections on Unix domain socket
"/tmp/.s.PGSQL.5432"? in /httpd/iliffe/testfcgi.php on line 121
----------------------------
The proper socket does exist:
-------------------------------------
ls -al /tmp | grep PGSQL
srwxrwxrwx. 1 postgres postgres 0 Apr 7 16:53 .s.PGSQL.5432
-rw-------. 1 postgres postgres 49 Apr 7 16:53 .s.PGSQL.5432.lock
ss -a | grep 5432
u_str LISTEN 0 128 /tmp/.s.PGSQL.5432 30480 * 0
-------------------------------------
Running on Fedora 25 with SELinux in PERMISSIVE mode. The audit log
shows no hits on Postgresql.
Postgresql version number is 9.6.2
As expected, the postgresql log shows nothing since the last start
up.
Meant to add to previous post:
What happens if you try to connect to the database using psql?
Works just as I would expect.
In fact, I was able to load one of the databases from the pg_dump
backup using pg_restore without any problems either, and I checked the
results by running some in-stream transactions in psql. Everything
went fine at that point, until I tried to start Apache and couldn't
connect.
To be precise PHP could not connect, correct?
Yes. The "unable to connect" message is being issued by PHP. But PHP
seems to know what is required (Unix domain socket number and where to find
it are both correct as far as I can see).
My going in position was/still is, that this is a SELinux security
problem but I am finding SELinux to be the most opaque and badly
documented software that I have ever had to deal with, which is why
it is running in permissive mode at the moment.
Well what I know about SELinux would fit in the navel of a flea(tip of
the hat to David Niven), so I can not be of much help there. The reason
I am returned this thread to the list, there are folks that do
understand it.
Regards,
John
Thanks in advance.
John
=====================================
On Friday 07 April 2017 20:39:55 Adrian Klaver wrote:
On 04/07/2017 05:10 PM, John Iliffe wrote:
Actually Ccing list this time
On Friday 07 April 2017 19:51:57 you wrote:
On 04/07/2017 04:57 PM, John Iliffe wrote:
Hi Adrian:
Well, it ain't that simple! I am trying to take advantage of having a
new server that doesn't have to be in production until month end to
update everything to the latest and greatest. Everything runs
properly on the existing server which is on Postgresql 9.2.1, using
mod_php to connect.
Changes that I have made are: update Postgresql, PHP, and Apache,
change to fcgi from mod_php (which should not get involved here, but
I backed out that change and still doesn't work) and the addition of
SELinux for security (none on present server).
Aah, so a lot changed.
Do you have a way of trying to connect using PHP that does not involve
going through Apache?
Yes, running in command line mode under root; the output from one of the
cron jobs that hits the database seems to be as expected. It uses a
database that hasn't been loaded yet and the error message from the
postgresql log says that. (actually it says the role doesn't exist but
that is the correct response) The point is, it does connect because it
tries to log in.
Also, using the on board firewall (firewalld) to provide a secondary
domain where the actual business processes run.
So, I guess the answer is that the current arrangement has never run
correctly.
Regards,
John
On 04/07/2017 05:35 PM, Adrian Klaver wrote:
On 04/07/2017 05:03 PM, John Iliffe wrote:
Running on Fedora 25 with SELinux in PERMISSIVE mode. The audit log
shows no hits on Postgresql.
My going in position was/still is, that this is a SELinux security
problem
but I am finding SELinux to be the most opaque and badly documented
software
that I have ever had to deal with, which is why it is running in
permissive
mode at the moment.
Well what I know about SELinux would fit in the navel of a flea(tip of
the hat to David Niven), so I can not be of much help there. The reason
I am returned this thread to the list, there are folks that do
understand it.
If SELinux is running in permissive I don't see how it could be at fault
for your issue. Did you verify that (getenforce)?
--------------------------
[Fri Apr 07 17:03:28.597101 2017] [php7:warn] [pid 1797:tid
140599445419776] [client 192.168.1.10:45127] PHP Warning:
pg_connect(): Unable to connect to PostgreSQL server: could not
connect to server: No such file or directory\n\tIs the server running
locally and
accepting\n\tconnections on Unix domain socket
"/tmp/.s.PGSQL.5432"? in /httpd/iliffe/testfcgi.php on line 121
----------------------------
This might be a silly question, but is PHP running on the same server as
Postgres?
HTH,
Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development
On 04/07/2017 07:45 PM, Joe Conway wrote:
On 04/07/2017 05:35 PM, Adrian Klaver wrote:
On 04/07/2017 05:03 PM, John Iliffe wrote:
Running on Fedora 25 with SELinux in PERMISSIVE mode. The audit log
shows no hits on Postgresql.
My going in position was/still is, that this is a SELinux security
problem
but I am finding SELinux to be the most opaque and badly documented
software
that I have ever had to deal with, which is why it is running in
permissive
mode at the moment.
Well what I know about SELinux would fit in the navel of a flea(tip of
the hat to David Niven), so I can not be of much help there. The reason
I am returned this thread to the list, there are folks that do
understand it.
If SELinux is running in permissive I don't see how it could be at fault
for your issue. Did you verify that (getenforce)?
--------------------------
[Fri Apr 07 17:03:28.597101 2017] [php7:warn] [pid 1797:tid
140599445419776] [client 192.168.1.10:45127] PHP Warning:
pg_connect(): Unable to connect to PostgreSQL server: could not
connect to server: No such file or directory\n\tIs the server running
locally and
accepting\n\tconnections on Unix domain socket
"/tmp/.s.PGSQL.5432"? in /httpd/iliffe/testfcgi.php on line 121
----------------------------
This might be a silly question, but is PHP running on the same server as
Postgres?
To add to this, previously you mentioned:
"Also, using the on board firewall (firewalld) to provide a secondary
domain where the actual business processes run. "
What exactly does that mean?
HTH,
Joe
--
Adrian Klaver
adrian.klaver@aklaver.com
On Friday 07 April 2017 22:45:16 Joe Conway wrote:
On 04/07/2017 05:35 PM, Adrian Klaver wrote:
On 04/07/2017 05:03 PM, John Iliffe wrote:
Running on Fedora 25 with SELinux in PERMISSIVE mode. The audit
log shows no hits on Postgresql.
My going in position was/still is, that this is a SELinux security
problem
but I am finding SELinux to be the most opaque and badly documented
software
that I have ever had to deal with, which is why it is running in
permissive
mode at the moment.
Well what I know about SELinux would fit in the navel of a flea(tip of
the hat to David Niven), so I can not be of much help there. The
reason I am returned this thread to the list, there are folks that do
understand it.
If SELinux is running in permissive I don't see how it could be at fault
for your issue. Did you verify that (getenforce)?
One would think so. But I'm out of ideas otherwise. I've been chasing
this around for several days.
--------------------------
[Fri Apr 07 17:03:28.597101 2017] [php7:warn] [pid 1797:tid
140599445419776] [client 192.168.1.10:45127] PHP Warning:
pg_connect(): Unable to connect to PostgreSQL server: could not
connect to server: No such file or directory\n\tIs the server running
locally and
accepting\n\tconnections on Unix domain socket
"/tmp/.s.PGSQL.5432"? in /httpd/iliffe/testfcgi.php on line 121
----------------------------
This might be a silly question, but is PHP running on the same server as
Postgres?
No question is silly if you don't know the answer :-)
Yes, they are both on the same server.
HTH,
Joe
John Iliffe wrote:
The proper socket does exist:
-------------------------------------
ls -al /tmp | grep PGSQL
srwxrwxrwx. 1 postgres postgres 0 Apr 7 16:53 .s.PGSQL.5432
-rw-------. 1 postgres postgres 49 Apr 7 16:53 .s.PGSQL.5432.lock
Maybe the httpd service lives in another namespace,
e.g. it's chrooted. What if you try:
<?php echo file_exists("/tmp/.s.PGSQL.5432"); ?>
Best regards,
--
Daniel Vérité
PostgreSQL-powered mailer: http://www.manitou-mail.org
Twitter: @DanielVerite
On Saturday 08 April 2017 00:10:14 Adrian Klaver wrote:
On 04/07/2017 07:45 PM, Joe Conway wrote:
On 04/07/2017 05:35 PM, Adrian Klaver wrote:
On 04/07/2017 05:03 PM, John Iliffe wrote:
Running on Fedora 25 with SELinux in PERMISSIVE mode. The audit
log shows no hits on Postgresql.
My going in position was/still is, that this is a SELinux security
problem
but I am finding SELinux to be the most opaque and badly documented
software
that I have ever had to deal with, which is why it is running in
permissive
mode at the moment.
Well what I know about SELinux would fit in the navel of a flea(tip
of the hat to David Niven), so I can not be of much help there. The
reason I am returned this thread to the list, there are folks that
do understand it.
If SELinux is running in permissive I don't see how it could be at
fault for your issue. Did you verify that (getenforce)?
--------------------------
[Fri Apr 07 17:03:28.597101 2017] [php7:warn] [pid 1797:tid
140599445419776] [client 192.168.1.10:45127] PHP Warning:
pg_connect(): Unable to connect to PostgreSQL server: could not
connect to server: No such file or directory\n\tIs the server
running locally and
accepting\n\tconnections on Unix domain socket
"/tmp/.s.PGSQL.5432"? in /httpd/iliffe/testfcgi.php on line 121
----------------------------
This might be a silly question, but is PHP running on the same server
as Postgres?
To add to this, previously you mentioned:
"Also, using the on board firewall (firewalld) to provide a secondary
domain where the actual business processes run. "
What exactly does that mean?
I'm trying/planning to use firewalld to keep certain remote addresses from
connecting to the mail server. Since I have it anyway, I want to
strengthen the security by moving non-Internet connections internal of that
firewall so only Apache is exposed to the Internet and the databases, etc,
are internal.
This is a Unix domain socket connection so I don't think the firewall should
get involved.
Since you raised the question, I added port 5432 to the open list in
firewalld but it didn't make any difference, still not connecting.
HTH,
Joe
On Saturday 08 April 2017 00:10:14 Adrian Klaver wrote:
On 04/07/2017 07:45 PM, Joe Conway wrote:
On 04/07/2017 05:35 PM, Adrian Klaver wrote:
On 04/07/2017 05:03 PM, John Iliffe wrote:
Running on Fedora 25 with SELinux in PERMISSIVE mode. The audit
log shows no hits on Postgresql.
My going in position was/still is, that this is a SELinux security
problem
but I am finding SELinux to be the most opaque and badly documented
software
that I have ever had to deal with, which is why it is running in
permissive
mode at the moment.
Well what I know about SELinux would fit in the navel of a flea(tip
of the hat to David Niven), so I can not be of much help there. The
reason I am returned this thread to the list, there are folks that
do understand it.
If SELinux is running in permissive I don't see how it could be at
fault for your issue. Did you verify that (getenforce)?
--------------------------
[Fri Apr 07 17:03:28.597101 2017] [php7:warn] [pid 1797:tid
140599445419776] [client 192.168.1.10:45127] PHP Warning:
pg_connect(): Unable to connect to PostgreSQL server: could not
connect to server: No such file or directory\n\tIs the server
running locally and
accepting\n\tconnections on Unix domain socket
"/tmp/.s.PGSQL.5432"? in /httpd/iliffe/testfcgi.php on line 121
----------------------------
This might be a silly question, but is PHP running on the same server
as Postgres?
To add to this, previously you mentioned:
"Also, using the on board firewall (firewalld) to provide a secondary
domain where the actual business processes run. "
What exactly does that mean?
There is something rather odd here.
getenforce shows the mode as permissive, which is what I think it is.
BUT, this morning's logwatch report shows:
*** Denials ***
system_u system_u (tcp_socket): 1 times
Unfortunately, it doesn't say WHICH stream socket. I'll check that and see
if I can find the actual socket that got denied, and if it was actually let
through or not.
HTH,
Joe
On 04/08/2017 06:26 AM, John Iliffe wrote:
On Saturday 08 April 2017 00:10:14 Adrian Klaver wrote:
On 04/07/2017 07:45 PM, Joe Conway wrote:
On 04/07/2017 05:35 PM, Adrian Klaver wrote:
On 04/07/2017 05:03 PM, John Iliffe wrote:
Running on Fedora 25 with SELinux in PERMISSIVE mode. The audit
log shows no hits on Postgresql.
My going in position was/still is, that this is a SELinux security
problem
but I am finding SELinux to be the most opaque and badly documented
software
that I have ever had to deal with, which is why it is running in
permissive
mode at the moment.
Well what I know about SELinux would fit in the navel of a flea(tip
of the hat to David Niven), so I can not be of much help there. The
reason I am returned this thread to the list, there are folks that
do understand it.
If SELinux is running in permissive I don't see how it could be at
fault for your issue. Did you verify that (getenforce)?
--------------------------
[Fri Apr 07 17:03:28.597101 2017] [php7:warn] [pid 1797:tid
140599445419776] [client 192.168.1.10:45127] PHP Warning:
pg_connect(): Unable to connect to PostgreSQL server: could not
connect to server: No such file or directory\n\tIs the server
running locally and
accepting\n\tconnections on Unix domain socket
"/tmp/.s.PGSQL.5432"? in /httpd/iliffe/testfcgi.php on line 121
----------------------------
This might be a silly question, but is PHP running on the same server
as Postgres?
To add to this, previously you mentioned:
"Also, using the on board firewall (firewalld) to provide a secondary
domain where the actual business processes run. "
What exactly does that mean?
I'm trying/planning to use firewalld to keep certain remote addresses from
connecting to the mail server. Since I have it anyway, I want to
strengthen the security by moving non-Internet connections internal of that
firewall so only Apache is exposed to the Internet and the databases, etc,
are internal.
This is a Unix domain socket connection so I don't think the firewall should
get involved.
So what if you change the connection to use -h localhost?
Since you raised the question, I added port 5432 to the open list in
firewalld but it didn't make any difference, still not connecting.
HTH,
Joe
--
Adrian Klaver
adrian.klaver@aklaver.com
On 04/08/2017 06:31 AM, John Iliffe wrote:
On Saturday 08 April 2017 00:10:14 Adrian Klaver wrote:
On 04/07/2017 07:45 PM, Joe Conway wrote:
On 04/07/2017 05:35 PM, Adrian Klaver wrote:
On 04/07/2017 05:03 PM, John Iliffe wrote:
Running on Fedora 25 with SELinux in PERMISSIVE mode. The audit
log shows no hits on Postgresql.
My going in position was/still is, that this is a SELinux security
problem
but I am finding SELinux to be the most opaque and badly documented
software
that I have ever had to deal with, which is why it is running in
permissive
mode at the moment.
Well what I know about SELinux would fit in the navel of a flea(tip
of the hat to David Niven), so I can not be of much help there. The
reason I am returned this thread to the list, there are folks that
do understand it.
If SELinux is running in permissive I don't see how it could be at
fault for your issue. Did you verify that (getenforce)?
--------------------------
[Fri Apr 07 17:03:28.597101 2017] [php7:warn] [pid 1797:tid
140599445419776] [client 192.168.1.10:45127] PHP Warning:
pg_connect(): Unable to connect to PostgreSQL server: could not
connect to server: No such file or directory\n\tIs the server
running locally and
accepting\n\tconnections on Unix domain socket
"/tmp/.s.PGSQL.5432"? in /httpd/iliffe/testfcgi.php on line 121
----------------------------
This might be a silly question, but is PHP running on the same server
as Postgres?
To add to this, previously you mentioned:
"Also, using the on board firewall (firewalld) to provide a secondary
domain where the actual business processes run. "
What exactly does that mean?
There is something rather odd here.
getenforce shows the mode as permissive, which is what I think it is.
If getenforce shows you are in permissive, then selinux is not your
problem, full stop.
BUT, this morning's logwatch report shows:
*** Denials ***
system_u system_u (tcp_socket): 1 times
selinux will continue to log denials in permissive -- this is useful to
determine what would have been blocked by selinux had it been in
enforcing, which in turn gives you a chance to fix those issues before
turning on enforcing.
For more detail on the selinux logs look in /var/log/audit/audit.log
You definitely have something odd going on though. As you said
elsewhere, using a Unix domain socket connection the firewall should
not get involved either.
Seems like the issue is related to PHP somehow. For example, see:
http://serverfault.com/questions/641329/cannot-connect-to-postgresql-unix-domain-socket
Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development
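Whether a logged denial was only recorded (permissive) or actually enforced can be read per record from the audit log mentioned above. The script below is an added example, not code from anyone in the thread: it summarises AVC records and uses each record's permissive= field to tell the two cases apart. The sample records and the function names sample_audit_log and avc_summary are constructed for illustration.

```shell
#!/bin/sh
# Added example: one-line summary per SELinux AVC denial, with the outcome
# taken from the record's permissive= field.

# Constructed sample records (not taken from the server in this thread).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1491650000.101:310): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=1
type=SYSCALL msg=audit(1491650000.101:310): arch=c000003e syscall=42 success=yes exit=0 comm="httpd"
type=AVC msg=audit(1491650100.202:311): avc:  denied  { connectto } for  pid=2102 comm="httpd" path="/tmp/.s.PGSQL.5432" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:postgresql_t:s0 tclass=unix_stream_socket permissive=0
EOF
}

# Read audit records on stdin and print, for every AVC denial:
#   comm tclass permissions target outcome
# $1 (optional) restricts the output to one object class, e.g. tcp_socket.
# Values containing spaces (rare in comm=) are not handled.
avc_summary() {
    awk -v want="${1:-}" '
    $1 == "type=AVC" && /avc:[ ]+denied/ {
        comm = ""; tclass = ""; target = "-"; outcome = "unknown"
        # The requested permissions sit between the braces.
        s = index($0, "{"); e = index($0, "}")
        perms = substr($0, s + 1, e - s - 1)
        gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        # Every other item of interest is a key=value field.
        for (i = 1; i <= NF; i++) {
            p = index($i, "=")
            if (p == 0) continue
            key = substr($i, 1, p - 1); val = substr($i, p + 1)
            gsub(/"/, "", val)
            if (key == "comm") comm = val
            else if (key == "tclass") tclass = val
            else if (key == "dest" || key == "path" || key == "name")
                target = key "=" val
            else if (key == "permissive")
                # permissive=1: logged, access allowed; 0: access refused.
                outcome = (val == "1") ? "logged-only" : "blocked"
        }
        if (want == "" || tclass == want)
            print comm, tclass, perms, target, outcome
    }'
}

# Summarise the constructed sample when the script is run directly.
sample_audit_log | avc_summary
```

On a real system the same function can be fed from the log as root, for instance avc_summary tcp_socket < /var/log/audit/audit.log; records from kernels that do not write the permissive= field are reported as "unknown".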
On Saturday 08 April 2017 09:20:46 Daniel Verite wrote:
John Iliffe wrote:
The proper socket does exist:
-------------------------------------
ls -al /tmp | grep PGSQL
srwxrwxrwx. 1 postgres postgres 0 Apr 7 16:53 .s.PGSQL.5432
-rw-------. 1 postgres postgres 49 Apr 7 16:53 .s.PGSQL.5432.lock
Maybe the httpd service lives in another namespace,
e.g. it's chrooted. What if you try:
<?php echo file_exists("/tmp/.s.PGSQL.5432"); ?>
Basically, nothing.
If I include it in an Apache script exactly as suggested, then the script
puts out a blank screen, no error messages.
I used the result in an 'if' statement and it apparently returns false, but
that could be an artefact of nothing being returned by file_exists(). It is
possible that since the "file" is really a socket, and not a file or
directory as required by the documentation, it is not found by however
file_exists() looks for files.
There is no error log entry from either Apache or PHP.
Best regards,
On Saturday 08 April 2017 09:38:07 Adrian Klaver wrote:
On 04/08/2017 06:26 AM, John Iliffe wrote:
On Saturday 08 April 2017 00:10:14 Adrian Klaver wrote:
On 04/07/2017 07:45 PM, Joe Conway wrote:
On 04/07/2017 05:35 PM, Adrian Klaver wrote:
On 04/07/2017 05:03 PM, John Iliffe wrote:
Running on Fedora 25 with SELinux in PERMISSIVE mode. The audit
log shows no hits on Postgresql.
My going in position was/still is, that this is a SELinux security
problem but I am finding SELinux to be the most opaque and badly
documented software that I have ever had to deal with, which is why
it is running in permissive mode at the moment.
Well what I know about SELinux would fit in the navel of a flea (tip
of the hat to David Niven), so I can not be of much help there. The
reason I returned this thread to the list is that there are folks that
do understand it.
If SELinux is running in permissive I don't see how it could be at
fault for your issue. Did you verify that (getenforce)?
--------------------------
[Fri Apr 07 17:03:28.597101 2017] [php7:warn] [pid 1797:tid
140599445419776] [client 192.168.1.10:45127] PHP Warning:
pg_connect(): Unable to connect to PostgreSQL server: could not
connect to server: No such file or directory\n\tIs the server
running locally and
accepting\n\tconnections on Unix domain socket
"/tmp/.s.PGSQL.5432"? in /httpd/iliffe/testfcgi.php on
line 121
----------------------------
This might be a silly question, but is PHP running on the same
server as Postgres?
To add to this, previously you mentioned:
"Also, using the on board firewall (firewalld) to provide a secondary
domain where the actual business processes run."
What exactly does that mean?
I'm trying/planning to use firewalld to keep certain remote addresses
from connecting to the mail server. Since I have it anyway, I want
to strengthen the security by moving non-Internet connections
internal of that firewall so only Apache is exposed to the Internet
and the databases, etc, are internal.
This is a Unix domain socket connection so I don't think the firewall
should get involved.
So what if you change the connection to use -h localhost?
Can you please expand on that request? I'm not sure where you want me to
put that directive. I'm using the mod_php module in Apache.
Since you raised the question, I added port 5432 to the open list in
firewalld but it didn't make any difference, still not connecting.
HTH,
Joe
On 04/08/2017 01:23 PM, John Iliffe wrote:
On Saturday 08 April 2017 09:38:07 Adrian Klaver wrote:
So what if you change the connection to use -h localhost?
Can you please expand on that request? I'm not sure where you want me to
put that directive. I'm using the mod_php module in Apache.
See the second example here:
http://php.net/manual/en/function.pg-connect.php
8<-------------
$dbconn2 = pg_connect("host=localhost port=5432 dbname=mary");
// connect to a database named "mary" on "localhost" at port "5432"
8<-------------
That will try to use a tcp connection on localhost instead of a unix socket.
Another question I don't believe has been asked is, what does your
pg_hba.conf look like?
Joe
--
Crunchy Data - http://crunchydata.com
PostgreSQL Support for Secure Enterprises
Consulting, Training, & Open Source Development