In secure environments, the manager and agent services run on servers under separately created operating system users, not under the superuser. In this case, operating system users must be granted additional privileges so that the manager and agent services can function correctly.
If the agent service is running on behalf of an operating system user lacking the required privileges, consider the following limitations:
When creating instances and clusters:
- The main instance data catalog cannot be created. PPEM uses sudo and requires the privileges to run chmod, chown, initdb, and pg_ctl.
- Instances cannot be configured. PPEM automatically specifies instance parameters in the postgresql.auto.conf configuration file and requires the privilege to access the main instance data catalog.
When restoring instances from backups:
- The main instance data catalog cannot be restored. PPEM requires the privilege to access the catalog where the main instance data catalog will be created.
- External catalogs cannot be restored. PPEM requires the privilege to access the catalogs where the external catalogs will be created.
- The PPEM service cannot be managed and the systemd unit cannot be created. PPEM requires the privilege to access the system path.
When executing the commands provided in this section, consider the following:
- The commands are given for the Debian Linux operating system. For other operating systems, use their corresponding commands.
- Standard object names are specified in the commands, for example, ppem for the repository database. If required, you can specify different names.
The installation process includes the following steps:
1. Ensure that prerequisites are met.
2. Create operating system users.
3. Configure the manager.
4. Configure agents.
After these steps, PPEM will be installed. You can refresh the browser page with the web application and start working.
Prerequisites
Prepare the servers for installing PPEM according to the hardware and software requirements.
You will need at least one server.
Install a Postgres Pro DBMS instance on at least one of the servers.
For more information about installation, refer to the official Postgres Pro documentation.
Create Operating System Users
Create separate operating system users on all servers:
# useradd ppem
The manager and agent services will start under the created operating system users.
Configure the Manager
On the Postgres Pro DBMS instance server:
Install the repository:
# wget -O pgpro-repo-add.sh https://repo.postgrespro.ru/ppem/ppem/keys/pgpro-repo-add.sh
# sh pgpro-repo-add.sh
Install the manager:
# apt install ppem ppem-gui
The ppem-manager.yml manager configuration file will be downloaded to your local device.
Create the DBMS user on behalf of which the manager will connect to the repository database:
# sudo -u postgres createuser --pwprompt ppem
In this example, the ppem user is created. This user will be mentioned in other commands in this section. When executing this command, specify the DBMS user password.
Create the repository database:
# sudo -u postgres createdb -O ppem ppem
Ensure that the DBMS user can connect to the database:
# psql -h localhost -U ppem -d ppem
In case of connection issues, ensure that the HBA rule allowing the DBMS user to connect to the database, as well as the authorization method, are specified in the pg_hba.conf configuration file. For more information, refer to the official Postgres Pro documentation on the pg_hba.conf configuration file.
In the ppem-manager.yml manager configuration file:
- Specify the repository database name using the repo.name parameter:
repo:
  name: "ppem"
- Specify the DBMS user name and password using the repo.user and repo.password parameters:
repo:
  user: "ppem"
  password: "DBMS_user_password"
- Specify the URL for connecting the manager to the repository database using the repo.url parameter:
repo:
  url: "postgres://ppem:DBMS_user_password@localhost/ppem"
For more information about the URL format, refer to the official Postgres Pro documentation on connection strings.
Configure the manager service to start under the created operating system user:
Start editing the systemd unit:
# systemctl edit ppem
In the [Service] section, specify the name of the operating system user:
[Service]
User=ppem
Ensure that the operating system user is granted the privilege to read the ppem-manager.yml manager configuration file.
If the privilege is not granted, execute the following commands:
# chown ppem:ppem /etc/ppem-manager.yml
# chmod 400 /etc/ppem-manager.yml
Save the systemd unit parameters, then reload it:
# systemctl daemon-reload
Start the manager service and add it to the server startup:
# systemctl start ppem
# systemctl enable ppem
The web application will be installed on the server.
Configure Agents
On all servers:
Install the agents:
# apt install ppem-agent
The ppem-agent.yml agent configuration file will be downloaded to your local device.
Create the DBMS user on behalf of which the agent will connect to the repository database:
# sudo -u postgres createuser --pwprompt ppem_agent
In this example, the ppem_agent user is created. This user will be mentioned in other commands in this section. When executing this command, specify the DBMS user password.
Grant ppem_agent the privilege to read the system catalog and run functions. It is recommended to grant the following privileges:
GRANT pg_monitor, pg_maintain, pg_signal_backend, pg_read_all_settings TO ppem_agent;
Grant ppem_agent the following privileges on every database in the instance:
GRANT EXECUTE ON FUNCTION pg_catalog.pg_stat_file(TEXT) TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.pg_stat_file(TEXT, BOOLEAN) TO ppem_agent;
GRANT SELECT ON pg_catalog.pg_statistic TO ppem_agent;
GRANT SELECT ON pg_catalog.pg_config TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.pg_config() TO ppem_agent;
GRANT SELECT ON pg_catalog.pg_file_settings TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.pg_show_all_file_settings() TO ppem_agent;
GRANT SELECT ON pg_catalog.pg_authid TO ppem_agent;
Grant ppem_agent the following privileges to manage backups:
ALTER ROLE ppem_agent WITH REPLICATION;
GRANT USAGE ON SCHEMA pg_catalog TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.current_setting(text) TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.set_config(text, text, boolean) TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.pg_is_in_recovery() TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.pg_backup_start(text, boolean) TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.pg_backup_stop(boolean) TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.pg_create_restore_point(text) TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.pg_switch_wal() TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.pg_last_wal_replay_lsn() TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.txid_current() TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.txid_current_snapshot() TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.txid_snapshot_xmax(txid_snapshot) TO ppem_agent;
GRANT EXECUTE ON FUNCTION pg_catalog.pg_control_checkpoint() TO ppem_agent;
You can grant privileges only for the database that will be used for connecting the user to the instance.
For more information about privileges, refer to the official Postgres Pro documentation on pg_probackup.
Ensure that the DBMS user can connect to the repository database:
# psql -h localhost -U ppem_agent -d ppem
In case of connection issues, ensure that the HBA rule allowing the DBMS user to connect to the database, as well as the authorization method, are specified in the pg_hba.conf configuration file. For more information, refer to the official Postgres Pro documentation on the pg_hba.conf configuration file.
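Because Postgres applies the first pg_hba.conf rule that matches, the rule intended for ppem or ppem_agent may never be reached if a broader rule precedes it. The following is an added Python example, not part of PPEM or this page, that shows which rule actually decides a given login; the pg_hba.conf content is constructed, and the parser assumes CIDR address fields and ignores the @file and +group forms.

```python
import ipaddress

# Constructed sample pg_hba.conf (not from the page); note the broad trust rule before the ppem rule.
SAMPLE_PG_HBA = """\
local   all   all                 peer
host    all   all   127.0.0.1/32  trust
host    ppem  ppem  127.0.0.1/32  scram-sha-256
host    all   all   ::1/128       scram-sha-256
"""

def parse_pg_hba(text):
    """Parse rules into dicts; comments skipped. Assumes CIDR addresses (no IP-MASK column)."""
    rules = []
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if not f:
            continue
        if f[0] == "local":  # local rules have no ADDRESS column
            f = [f[0], f[1], f[2], None, f[3]]
        rules.append(dict(zip(("type", "db", "user", "addr", "method"), f[:5])))
    return rules

def _field_matches(field, value):
    return field == "all" or value in field.split(",")  # "all" or a comma list of names

def first_match(rules, db, user, client_ip=None):
    """Postgres applies the FIRST matching rule; client_ip=None models a Unix-socket login."""
    for r in rules:
        if not (_field_matches(r["db"], db) and _field_matches(r["user"], user)):
            continue
        if r["type"] == "local":
            if client_ip is None:
                return r
            continue
        if client_ip is None:
            continue
        if r["addr"] == "all" or ipaddress.ip_address(client_ip) in ipaddress.ip_network(r["addr"], strict=False):
            return r
    return None

def hba_status(rules, db, user, client_ip=None):
    """Classify the login: 'rejected' (no rule), 'trust' (no credential check) or 'ok'."""
    r = first_match(rules, db, user, client_ip)
    if r is None:
        return "rejected", None
    return ("trust" if r["method"] == "trust" else "ok"), r

if __name__ == "__main__":
    rules = parse_pg_hba(SAMPLE_PG_HBA)
    # psql -h localhost -U ppem -d ppem over IPv4 is decided by the trust rule, not the ppem one
    print(hba_status(rules, "ppem", "ppem", "127.0.0.1"))
```

In the sample, the IPv4 login for ppem is granted by the earlier trust rule without any credential check, while the IPv6 login reaches a scram-sha-256 rule; moving the ppem rule above the broad one fixes the ordering.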
Get an API key for configuring the agent:
Copy the API key from the displayed agent installation instruction and save this key.
In the ppem-agent.yml agent configuration file, specify the agent parameters:
agent:
  name: "agent_name"
  manager:
    url: "URL_for_connecting_to_manager"
    api_key: "API_key_for_connecting_to_manager"
  instance:
    connection_defaults:
      user: "DBMS_username"
      password: "DBMS_user_password"
http:
  server:
    address: "network_address_for_incoming_connections"
    port: "port_for_incoming_connections"
Where:
- agent.name: The unique agent name.
- agent.manager.url: The URL for connecting the agent to the manager, in the format scheme://manager_network_address/path_to_API_version.
- agent.manager.api_key: The previously obtained API key for connecting the agent to the manager.
- agent.instance.connection_defaults.user and agent.instance.connection_defaults.password: The DBMS user name and password.
- http.server.address and http.server.port: The network address of the server and the port number for incoming network connections. To listen on all network addresses and ports, do not specify any values for these parameters.
Grant the created operating system user the superuser privileges to work with target directories using the chown and chmod commands.
Starting, stopping, and reloading instances also requires the operating system user to have the following sudo privileges:
Cmnd_Alias PG_SYS = \
    /usr/bin/systemctl status postgresql*.service, \
    /usr/bin/systemctl stop postgresql*.service, \
    /usr/bin/systemctl start postgresql*.service, \
    /usr/bin/systemctl restart postgresql*.service, \
    /usr/bin/systemctl reload postgresql*.service
Cmnd_Alias PG_CTL = \
    /usr/lib/postgresql/17/bin/pg_ctl, \
    /usr/lib/postgresql/16/bin/pg_ctl
ppem ALL = (root) NOPASSWD: PG_SYS
ppem ALL = (postgres) NOPASSWD: PG_CTL
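The value of the sudoers fragment above lies in its narrow scope: fixed absolute binaries, run only as root or postgres. The following added Python check, not PPEM's code, parses a fragment of that shape and flags rules that widen it; the fragment is constructed, its last line is a hypothetical over-broad rule included to show a finding, and the parser covers only the Cmnd_Alias and user-spec forms used here, so visudo -cf remains the authoritative syntax check.

```python
import re

# Constructed sudoers fragment (not from the page): the two aliases follow the page's
# pattern; the last line is a hypothetical over-broad rule the audit should flag.
SAMPLE_SUDOERS = """\
Cmnd_Alias PG_SYS = \\
    /usr/bin/systemctl status postgresql*.service, \\
    /usr/bin/systemctl restart postgresql*.service
Cmnd_Alias PG_CTL = \\
    /usr/lib/postgresql/17/bin/pg_ctl, \\
    /usr/lib/postgresql/16/bin/pg_ctl
ppem ALL = (root) NOPASSWD: PG_SYS
ppem ALL = (postgres) NOPASSWD: PG_CTL
ppem ALL = (ALL) NOPASSWD: ALL
"""

def parse_sudoers(text):
    """Minimal parser: Cmnd_Alias lines (backslash continuations folded) and
    'user host = (runas) [NOPASSWD:] cmds' specs. Not the full sudoers grammar."""
    aliases, specs = {}, []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        m = re.match(r"(\S+)\s+(\S+)\s*=\s*\((\w+)\)\s*(NOPASSWD:)?\s*(.+)", line)
        if m:
            specs.append({"user": m.group(1), "runas": m.group(3), "nopasswd": bool(m.group(4)),
                          "cmds": [c.strip() for c in m.group(5).split(",")]})
    return aliases, specs

def audit(aliases, specs, user):
    """Findings for rules giving `user` more than intended; [] means within scope.
    Argument wildcards (postgresql*.service) pass, but note sudo's '*' also matches spaces."""
    findings = []
    for s in (s for s in specs if s["user"] == user):
        if s["runas"] == "ALL":
            findings.append("run-as ALL: rule allows any target account")
        for cmd in (c for alias in s["cmds"] for c in aliases.get(alias, [alias])):
            exe = cmd.split()[0]
            if cmd == "ALL":
                findings.append("command ALL: unrestricted sudo")
            elif not exe.startswith("/"):
                findings.append(f"relative executable path (PATH-dependent): {cmd}")
            elif any(ch in exe for ch in "*?"):
                findings.append(f"wildcard in executable path: {cmd}")
    return findings
```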
Configure the agent service to start on behalf of the operating system user:
Start editing the systemd unit:
# systemctl edit ppem-agent
In the [Service] section, specify the operating system user:
[Service]
User=ppem
Ensure that the operating system user is granted the privilege to read the ppem-agent.yml agent configuration file.
If the privilege is not granted, execute the following commands:
# chown ppem:ppem /etc/ppem-agent.yml
# chmod 400 /etc/ppem-agent.yml
Save the systemd unit parameters, then reload it:
# systemctl daemon-reload
Start the agent service and add it to the server startup:
# systemctl start ppem-agent
# systemctl enable ppem-agent