When I use systemd socket in combination with auth_type = hba and auth_hba_file IPv4 not OK #1003
Comments
The recommended way to do that is to use pgbouncer's so_reuseport option: https://www.pgbouncer.org/config.html#so_reuseport
Regarding your specific problem though, I'm not entirely sure how systemd's socket forwarding works. An initial thought would be that you would need to add the following to your hba file, because now the connection comes over the unix socket instead of over TCP:
Also, the two ListenStream entries in your pgbouncer.socket file seem like they could cause some problems, usually only one is allowed. Did you look at the systemd logs?
I need to use IP addresses as I need to connect from external IP addresses to pgbouncer. I've looked into the logging.
When I change my pg_hba.conf to
I can log in, i.e. it's working as expected. I don't know if it's the correct way to add the IPv4 entries with a ::ffff: prefix?
Okay, good that you got it working. Then I guess systemd forces use of IPv6 for its socket handling. It's called an IPv4-mapped IPv6 address: https://www.ibm.com/docs/en/zos/2.2.0?topic=addresses-ipv4-mapped-ipv6 Closing this since there's nothing actionable on PgBouncer's side.
If you carefully read the descriptions of the systemd unit options If you don't want to change your
ListenStream=v.w.x.y:6432
ListenStream=[x]:6432
BindIPv6Only=ipv6-only
Maybe there is also an argument to be made that these mapped addresses should match IPv4 pg_hba.conf entries? (Should check with PostgreSQL core.)
Okay, re-opening to see if we should change our HBA logic and have ipv4 rules match these addresses.
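The matching change raised in the comments above (letting IPv4 HBA rules match IPv4-mapped IPv6 peers), sketched as an added example; it is not part of the thread and not PgBouncer's code. The rule text, peer addresses and the function names parse_rules, normalize and match are constructed for illustration.

```python
import ipaddress

# Constructed HBA-style rules (documentation address ranges, not from the issue).
RULES = """
host  all  all  192.0.2.0/24    scram-sha-256
host  all  all  2001:db8::/32   scram-sha-256
"""

def parse_rules(text):
    """Return (network, method) pairs from 'host db user cidr method' lines."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 5 and fields[0] == "host":
            rules.append((ipaddress.ip_network(fields[3]), fields[4]))
    return rules

def normalize(addr):
    """Unwrap an IPv4-mapped IPv6 address (::ffff:a.b.c.d) to plain IPv4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip

def match(rules, peer, unwrap_mapped):
    """First-match lookup; None means no rule applies and the login is rejected."""
    ip = normalize(peer) if unwrap_mapped else ipaddress.ip_address(peer)
    for network, method in rules:
        # Address families must agree before the prefix comparison.
        if ip.version == network.version and ip in network:
            return method
    return None

if __name__ == "__main__":
    rules = parse_rules(RULES)
    # Peer addresses as seen on a dual-stack IPv6 listening socket (constructed).
    for peer in ("::ffff:192.0.2.10", "2001:db8::10", "::ffff:198.51.100.7"):
        print(peer, match(rules, peer, False), match(rules, peer, True))
```

The third peer stays unmatched in both modes: unwrapping only lets an existing IPv4 rule see the client it was written for, it does not admit addresses outside that rule.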
The ListenStream and BindIPv6Only=ipv6-only solved the issue. I've used:
I can now use the pg_hba.conf with IPv4 entries, IPv4 format and IPv6 (native IPv6 format).
When I use socket in combination with auth_type = hba and auth_hba_file IPv4 not OK.
I will use the easiest explainable example:
The debian pgbouncer apt.postgresql.org package Version 1.21.0-1.pgdg120+1 (bookworm i.e. debian 12).
I have attached both the /lib/systemd/system/pgbouncer.socket and the /lib/systemd/system/pgbouncer.service files
pgbouncer.tar.gz
In pg_hba.conf I've entered (auth_hba_file).
With the standard pgbouncer.service file I can connect to both the IPv4 and IPv6 Addresses without a problem.
As soon as I enable "Requires=pgbouncer.socket", i.e. uncomment it, the systemd socket is used and I can only connect via the IPv6 IP addresses.
I get:
Without "Requires=pgbouncer.socket" I can sign in via IPv4 and IPv6.
The reason why I want to use a socket is because I want to have two pgbouncers listening on the same port and IP address.
It's not in this example, as the issue is easier to produce like this.