In this post, we will install pgAdmin 4 on a CentOS 7 server using ansible.
Prerequisites
In this post, we will assume that we have access to CentOS 7 machine/VM with proper credentials that can be fed to ansible through inventory. Most of the steps will also assume that we have SELinux set to enforcing.
Installing Apache web server
Before we can start installing pgAdmin, we need to install and configure
Apache that will serve the application. On CentOS 7, we need to install
httpd and mod_wsgi packages and then start the server. Ansible tasks that
achieve this would look something like this:
- name: Install Apache
package:
name: "{{ item }}"
with_items:
- httpd
- mod_wsgi
- name: Start Apache
service:
name: httpd
enabled: yes
state: started
Running this through ansible will install and start the server that can be used to serve static files and wsgi apps. But by default, wsgi applications will not be allowed to connect to database, which means that we need to fix some SELinux stuff.
Fortunately for us, fixing this error just means setting
httpd_can_network_connect_db SELinux boolean to true. And in ansible
language, this means adding the following task to the playbook:
- name: Allow apache to access db
seboolean:
name: httpd_can_network_connect_db
state: yes
persistent: yes
Note that we marked the boolean flag change as persistent in order to, well, persist it;) This way the flag setting will not be lost during system reboot.
Now we are ready to install the pgAdmin onto this server.
Installing pgAdmin
We start the installation by adding PostgreSQL 10 yum repository. Please note that the version in the next task was latest stable at the time of the post creation. Always use the latest stable version from the PostgreSQL RPM build project in order to keep your installation secure.
- name: Add PostgreSQL 10 repo
package:
name: https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-7-x86_64/pgdg-centos10-10-2.noarch.rpm
pgAdmin will also require some packages that are only available in EPEL repo, so we will go ahead and add that repository too:
- name: Add EPEL
yum:
name: epel-release
Now we can actually install pgAdmin web package that contains the wsgi application our Apache will serve:
- name: Install pgAdmin4
yum:
name: pgadmin4-v2-web
Before we can start using the pgAdmin, we must create the required folder
layout on disk and add first admin user. pgAdmin comes bundled with setup.py
script that does this for us, all we have to do is run it with proper
environment variables set.
- name: Initialize pgAdmin4
command: python /usr/lib/python2.7/site-packages/pgadmin4-web/setup.py
args:
creates: /var/lib/pgadmin/pgadmin4.db
environment:
PGADMIN_SETUP_EMAIL: [email protected]
PGADMIN_SETUP_PASSWORD: correct horse battery staple
Please do note that we used creates argument for the command ansible module
here in order to avoid inadvertently running over the existing pgAdmin
configuration. This does not matter much for the initial installation, but we
should try getting into a habit of always thinking about our end-users and how
not to delete their data.
All that is left for us to do now is inform Apache about our latest and greatest pgAdmin installation. And thanks to the pgAdmin authors and packagers that prepared Apache configuration for us, we can do this with a simple copy command:
- name: Install pgAdmin4 site config
copy:
src: /etc/httpd/conf.d/pgadmin4-v2.conf.sample
dest: /etc/httpd/conf.d/pgadmin4-v2.conf
remote_src: yes
notify: Restart apache
Taking care of the notify stuff is left as an exercise for the reader. And
we are done, right? Wrong. Navigating to the webserver.name/pgAdmin4, we
will be greeted by big fat Internal Server Error. We need to fix
permissions for the pgAdmin runtime stuff. And here is how we do this:
- name: Fix pgAdmin permissions
file:
path: "{{ item }}"
setype: httpd_sys_content_rw_t
owner: apache
group: apache
recurse: yes
with_items:
- /var/log/pgadmin
- /var/lib/pgadmin
Note that we are fixing two problems at once here:
- we are setting the ownership bits to something that will allow Apache to read and write those files, and
- notifying SELinux that it is OK to let Apache write to those files.
And now we are done. Stay sharp and see you next time.
