March 12, 2018

Installing pgAdmin4 on Centos 7

WORDS BY   Tadej Borovšak

POSTED IN   postgresql | pgadmin4 | centos | ansible


In this post, we will install pgAdmin 4 on a CentOS 7 server using ansible.

Prerequisites

In this post, we will assume that we have access to CentOS 7 machine/VM with proper credentials that can be fed to ansible through inventory. Most of the steps will also assume that we have SELinux set to enforcing.

Installing Apache web server

Before we can start installing pgAdmin, we need to install and configure Apache that will serve the application. On CentOS 7, we need to install httpd and mod_wsgi packages and then start the server. Ansible tasks that achieve this would look something like this:

- name: Install Apache
  package:
    name: "{{ item }}"
  with_items:
    - httpd
    - mod_wsgi

- name: Start Apache
  service:
    name: httpd
    enabled: yes
    state: started

Running this through ansible will install and start the server that can be used to serve static files and wsgi apps. But by default, wsgi applications will not be allowed to connect to database, which means that we need to fix some SELinux stuff.

Fortunately for us, fixing this error just means setting httpd_can_network_connect_db SELinux boolean to true. And in ansible language, this means adding the following task to the playbook:

- name: Allow apache to access db
  seboolean:
    name: httpd_can_network_connect_db
    state: yes
    persistent: yes

Note that we marked the boolean flag change as persistent in order to, well, persist it;) This way the flag setting will not be lost during system reboot.

Now we are ready to install the pgAdmin onto this server.

Installing pgAdmin

We start the installation by adding PostgreSQL 10 yum repository. Please note that the version in the next task was latest stable at the time of the post creation. Always use the latest stable version from the PostgreSQL RPM build project in order to keep your installation secure.

- name: Add PostgreSQL 10 repo
  package:
    name: https://download.postgresql.org/pub/repos/yum/10/redhat/rhel-7-x86_64/pgdg-centos10-10-2.noarch.rpm

pgAdmin will also require some packages that are only available in EPEL repo, so we will go ahead and add that repository too:

- name: Add EPEL
  yum:
    name: epel-release

Now we can actually install pgAdmin web package that contains the wsgi application our Apache will serve:

- name: Install pgAdmin4
  yum:
    name: pgadmin4-v2-web

Before we can start using the pgAdmin, we must create the required folder layout on disk and add first admin user. pgAdmin comes bundled with setup.py script that does this for us, all we have to do is run it with proper environment variables set.

- name: Initialize pgAdmin4
  command: python /usr/lib/python2.7/site-packages/pgadmin4-web/setup.py
  args:
    creates: /var/lib/pgadmin/pgadmin4.db
  environment:
    PGADMIN_SETUP_EMAIL: admin@xlab.si
    PGADMIN_SETUP_PASSWORD: correct horse battery staple

Please do note that we used creates argument for the command ansible module here in order to avoid inadvertently running over the existing pgAdmin configuration. This does not matter much for the initial installation, but we should try getting into a habit of always thinking about our end-users and how not to delete their data.

All that is left for us to do now is inform Apache about our latest and greatest pgAdmin installation. And thanks to the pgAdmin authors and packagers that prepared Apache configuration for us, we can do this with a simple copy command:

- name: Install pgAdmin4 site config
  copy:
    src: /etc/httpd/conf.d/pgadmin4-v2.conf.sample
    dest: /etc/httpd/conf.d/pgadmin4-v2.conf
    remote_src: yes
  notify: Restart apache

Taking care of the notify stuff is left as an exercise for the reader. And we are done, right? Wrong. Navigating to the webserver.name/pgAdmin4, we will be greeted by big fat Internal Server Error. We need to fix permissions for the pgAdmin runtime stuff. And here is how we do this:

- name: Fix pgAdmin permissions
  file:
    path: "{{ item }}"
    setype: httpd_sys_content_rw_t
    owner: apache
    group: apache
    recurse: yes
  with_items:
    - /var/log/pgadmin
    - /var/lib/pgadmin

Note that we are fixing two problems at once here:

  1. we are setting the ownership bits to something that will allow Apache to read and write those files, and
  2. notifying SELinux that it is OK to let Apache write to those files.

And now we are done. Stay sharp and see you next time.