CDH 5.3 KeyTrustee DB Service

Contributor

I have managed to initialize and set up Navigator Encrypt plus KeyTrustee solution, with several data drives encrypted and mounted. The data nodes can be rebooted, the keys fetched on boot, and mounted. This is great. But when the KeyTrustee server was rebooted, postgresql-9.3 failed to start. I cannot start this database service and I don't understand why. Because of this, all data volumes are now not able to be mounted.

This is a TEST/CONCEPT setup and so far has no actual data on it. If we need to start over and re-initialize the database, and re-encrypt data volumes, then fine. But, we need to know if this is recoverable and/or how to prevent this from occurring in a production cluster.

I'm also new to postgresql. I can only imagine I need to try to "su -" as "cloudera-scm" account, but I don't remember the password used. I also imagine we can fix it by adding user privileges within postgresql database, but not sure how to go about properly doing this.

Any insight here would be really helpful. Thanks!

sudo /sbin/service postgresql-9.3 status
postgresql-9.3 is stopped

sudo /sbin/service postgresql-9.3 start
Starting postgresql-9.3 service:                           [FAILED]

/usr/pgsql-9.3/bin/pg_ctl -D /var/lib/pgsql/9.3/keytrustee start
pg_ctl: could not open PID file "/var/lib/pgsql/9.3/keytrustee/postmaster.pid": Permission denied

sudo /usr/pgsql-9.3/bin/pg_ctl -D /var/lib/pgsql/9.3/keytrustee start
pg_ctl: cannot be run as root
Please log in (using, e.g., "su") as the (unprivileged) user that will
own the server process.

sudo ls -l /var/lib/pgsql/9.3/
total 24
drwx------  2 postgres postgres 4096 May 20 03:50 backups
drwx------ 16 postgres postgres 4096 Jun 15 09:39 data
drwx------ 16 postgres postgres 4096 Jun 15 09:43 keytrustee
-rw-------  1 postgres postgres 9424 Jun 15 09:43 pgstartup.log

sudo ls -l /var/lib/pgsql/9.3/keytrustee
total 120
drwx------ 6 postgres postgres  4096 May 18 13:39 base
drwx------ 2 postgres postgres  4096 May 28 15:42 global
-rw-r--r-- 1 root     root         0 May 18 13:30 MASTER
drwx------ 2 postgres postgres  4096 May 18 13:30 pg_clog
-rw------- 1 postgres postgres  4564 Jun 15 08:38 pg_hba.conf
-rw------- 1 postgres postgres  1636 May 18 13:30 pg_ident.conf
drwx------ 2 postgres postgres  4096 May 24 00:00 pg_log
drwx------ 4 postgres postgres  4096 May 18 13:30 pg_multixact
drwx------ 2 postgres postgres  4096 Jun 15 09:43 pg_notify
drwx------ 2 postgres postgres  4096 May 18 13:30 pg_serial
drwx------ 2 postgres postgres  4096 May 18 13:30 pg_snapshots
drwx------ 2 postgres postgres  4096 May 28 15:41 pg_stat
drwx------ 2 postgres postgres  4096 Jun  6 08:25 pg_stat_tmp
drwx------ 2 postgres postgres  4096 May 18 13:30 pg_subtrans
drwx------ 2 postgres postgres  4096 May 18 13:30 pg_tblspc
drwx------ 2 postgres postgres  4096 May 18 13:30 pg_twophase
-rw------- 1 postgres postgres     4 May 18 13:30 PG_VERSION
drwx------ 3 postgres postgres  4096 May 18 13:30 pg_xlog
-rw-r--r-- 1 postgres postgres   874 May 18 15:22 postgres.conf.include
-rw------- 1 postgres postgres 20855 May 18 15:22 postgresql.conf
-rw------- 1 postgres postgres    77 Jun 15 09:43 postmaster.opts
-rw------- 1 postgres postgres  1245 May 18 13:30 root.crt
-rw------- 1 postgres root      1704 May 18 13:30 root.key
-rw------- 1 postgres postgres  1127 May 18 13:30 server.crt
-rw------- 1 postgres postgres  1704 May 18 13:30 server.key

1 ACCEPTED SOLUTION

Contributor
Update: Interestingly, when I had another user try to run the service, it gave a different error in the logs, which ended up being a much more helpful error message. Essentially it all was related to permissions to the files for keytrustee.
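
An added example, not part of the original thread: a check for the kind of problem the accepted answer describes, ownership and permissions under the Key Trustee PostgreSQL data directory. It assumes GNU `stat` and a server account named `postgres` as in the listing above; the function name `audit_pgdata` is hypothetical, and the check goes beyond the thread by also testing the directory mode and `*.key` file modes.

```shell
# Added example (not from the thread). Assumes GNU stat; audit_pgdata is a
# hypothetical name. Usage: audit_pgdata DIR [OWNER]
# Prints one finding per line; returns 0 if clean, 1 if anything is flagged.
audit_pgdata() {
    pg_dir=$1
    pg_owner=${2:-postgres}
    pg_bad=0
    if [ ! -d "$pg_dir" ]; then
        echo "MISSING: $pg_dir is not a directory"
        return 1
    fi
    # PostgreSQL refuses to start unless the data directory is owned by the
    # account running the server and closed to group and world (0700).
    pg_user=$(stat -c %U "$pg_dir")
    pg_mode=$(stat -c %a "$pg_dir")
    if [ "$pg_user" != "$pg_owner" ]; then
        echo "OWNER: $pg_dir is owned by $pg_user, expected $pg_owner"
        pg_bad=1
    fi
    if [ "$pg_mode" != "700" ]; then
        echo "MODE: $pg_dir is $pg_mode, expected 700"
        pg_bad=1
    fi
    for pg_path in "$pg_dir"/*; do
        [ -e "$pg_path" ] || continue
        pg_user=$(stat -c %U "$pg_path")
        pg_mode=$(stat -c %a "$pg_path")
        # Entries owned by another account are flagged for review: the server
        # may be unable to read or replace them.
        if [ "$pg_user" != "$pg_owner" ]; then
            echo "OWNER: $pg_path is owned by $pg_user, expected $pg_owner"
            pg_bad=1
        fi
        # Private keys must carry no group or world permission bits.
        case "$pg_path" in
            *.key)
                case "$pg_mode" in
                    ?00) ;;
                    *) echo "KEYMODE: $pg_path is $pg_mode, expected 600 or stricter"
                       pg_bad=1 ;;
                esac ;;
        esac
    done
    return "$pg_bad"
}
```

Run it as root or as the server account, since the data directory is not readable by other users, for example `audit_pgdata /var/lib/pgsql/9.3/keytrustee postgres`.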

Community Manager

I am happy to see that you figured out the problem. Thank you for sharing the solution as it may help others as well. 


Cy Jervis, Manager, Community Program