Обсуждение: Grafana unable to connect Azure Postgresql Flexible server
Hi Gurus,
Note: - We can however, connect to the postgresql flexible server from a pod (with psql) in the same AKS.
I am new to Postgresql. Have the following implementation:
Grafana (7.5.1) deployed as Pod on AKS (Azure Kubernetes service).
Using grafana.ini it points to a Azure Postgresql Flexible server (13.3) within the same Vnet.
The grafana pod fails to start with the following error:
t=2021-09-07T06:40:00+0000 lvl=info msg="Connecting to DB" logger=sqlstore dbtype=postgres
t=2021-09-07T06:40:00+0000 lvl=info msg="Starting DB migrations" logger=migrator
service init failed: failed to check table existence: pq: no pg_hba.conf entry for host "10.240.1.45", user "grafana", database "grafana", SSL off
service init failed: failed to check table existence: pq: no pg_hba.conf entry for host "10.240.1.45", user "grafana", database "grafana", SSL off
Thanks and Regards
Prabir Sarkar
On Tue, Sep 7, 2021 at 4:14 PM Prabir Kr Sarkar <prabir.kr.sarkar@gmail.com> wrote: > > The grafana pod fails to start with the following error: > > t=2021-09-07T06:40:00+0000 lvl=info msg="Connecting to DB" logger=sqlstore dbtype=postgres > t=2021-09-07T06:40:00+0000 lvl=info msg="Starting DB migrations" logger=migrator > service init failed: failed to check table existence: pq: no pg_hba.conf entry for host "10.240.1.45", user "grafana",database "grafana", SSL off That seems quite self explanatory. Your grafana is trying to connect as "grafana" role, on "grafana" database from 10.240.1.45, and your pg_hba.conf file doesn't allow it. I'm not sure how to configure that on AKS but you need to either authorize it or configure grafana to use some other credentials that are already allowed, like this one: > Note: - We can however, connect to the postgresql flexible server from a pod (with psql) in the same AKS. (assuming that this psql connection is allowing other IP). See https://www.postgresql.org/docs/current/auth-pg-hba-conf.html for more details about the pg_hba.conf file.
Hi Julien,
Thanks for your response. The url - https://docs.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking says the following :
- Because Azure Database for PostgreSQL is a managed database service, users are not provided host or OS access to view or modify configuration files such as pg_hba.conf. The content of the files is automatically updated based on the network settings.
- Applications that are deployed on different subnets within the same virtual network can access flexible servers directly.
So, since our AKS and Postgresql flexible servers are in the same VNet the above assertion holds. Have attached a snapshot of the Networking tab of postgresql server which says the same thing.
Prabir Sarkar
On Tue, Sep 7, 2021 at 1:51 PM Julien Rouhaud <rjuju123@gmail.com> wrote:
On Tue, Sep 7, 2021 at 4:14 PM Prabir Kr Sarkar
<prabir.kr.sarkar@gmail.com> wrote:
>
> The grafana pod fails to start with the following error:
>
> t=2021-09-07T06:40:00+0000 lvl=info msg="Connecting to DB" logger=sqlstore dbtype=postgres
> t=2021-09-07T06:40:00+0000 lvl=info msg="Starting DB migrations" logger=migrator
> service init failed: failed to check table existence: pq: no pg_hba.conf entry for host "10.240.1.45", user "grafana", database "grafana", SSL off
That seems quite self explanatory. Your grafana is trying to connect
as "grafana" role, on "grafana" database from 10.240.1.45, and your
pg_hba.conf file doesn't allow it. I'm not sure how to configure that
on AKS but you need to either authorize it or configure grafana to use
some other credentials that are already allowed, like this one:
> Note: - We can however, connect to the postgresql flexible server from a pod (with psql) in the same AKS.
(assuming that this psql connection is allowing other IP). See
https://www.postgresql.org/docs/current/auth-pg-hba-conf.html for more
details about the pg_hba.conf file.
Thanks and Regards
Prabir Sarkar
Вложения
On Tue, Sep 7, 2021 at 10:54 AM Prabir Kr Sarkar <prabir.kr.sarkar@gmail.com> wrote: > > Hi Julien, > Thanks for your response. The url - https://docs.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networkingsays the following : > > Because Azure Database for PostgreSQL is a managed database service, users are not provided host or OS access to view ormodify configuration files such as pg_hba.conf. The content of the files is automatically updated based on the networksettings. That means that issues around it are better discussed with Azure support, as your problems are related to their managed service, and not to PostgreSQL, no? > Applications that are deployed on different subnets within the same virtual network can access flexible servers directly. > > So, since our AKS and Postgresql flexible servers are in the same VNet the above assertion holds. Have attached a snapshotof the Networking tab of postgresql server which says the same thing. It's very clear from the message that the failing connection is coming from a different subnet. The connection into PostgreSQL comes from 10.240.1.45, which is very definitely not in the 10.144.0.0/16 subnet. //Magnus > On Tue, Sep 7, 2021 at 1:51 PM Julien Rouhaud <rjuju123@gmail.com> wrote: >> >> On Tue, Sep 7, 2021 at 4:14 PM Prabir Kr Sarkar >> <prabir.kr.sarkar@gmail.com> wrote: >> > >> > The grafana pod fails to start with the following error: >> > >> > t=2021-09-07T06:40:00+0000 lvl=info msg="Connecting to DB" logger=sqlstore dbtype=postgres >> > t=2021-09-07T06:40:00+0000 lvl=info msg="Starting DB migrations" logger=migrator >> > service init failed: failed to check table existence: pq: no pg_hba.conf entry for host "10.240.1.45", user "grafana",database "grafana", SSL off >> >> That seems quite self explanatory. Your grafana is trying to connect >> as "grafana" role, on "grafana" database from 10.240.1.45, and your >> pg_hba.conf file doesn't allow it. I'm not sure how to configure that >> on AKS but you need to either authorize it or configure grafana to use >> some other credentials that are already allowed, like this one: >> >> > Note: - We can however, connect to the postgresql flexible server from a pod (with psql) in the same AKS. >> >> (assuming that this psql connection is allowing other IP). See >> https://www.postgresql.org/docs/current/auth-pg-hba-conf.html for more >> details about the pg_hba.conf file. > > > > -- > Thanks and Regards > Prabir Sarkar
Hi Magnus,
Thanks for your email. We raised a ticket with Microsoft and they confirmed that :-
There are 905 failed connections to PostgreSQL server postgresql-ha between 9/6/2021 2:42:16 PM(UTC) and 9/8/2021 4:24:13 AM(UTC) because of an invalid authorization specification. This error typically indicates a mismatch between the SSL settings on the Postgres server and the client making the connection. Please refer to this document for more information.
And asked us to:
- Check the SSL settings on the client. Flexible Server supports encrypted connections using Transport Layer Security (TLS 1.2+) and all incoming connections with TLS 1.0 and TLS 1.1 will be denied.
Regards
Prabir
On Tue, Sep 7, 2021 at 2:39 PM Magnus Hagander <magnus@hagander.net> wrote:
On Tue, Sep 7, 2021 at 10:54 AM Prabir Kr Sarkar
<prabir.kr.sarkar@gmail.com> wrote:
>
> Hi Julien,
> Thanks for your response. The url - https://docs.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking says the following :
>
> Because Azure Database for PostgreSQL is a managed database service, users are not provided host or OS access to view or modify configuration files such as pg_hba.conf. The content of the files is automatically updated based on the network settings.
That means that issues around it are better discussed with Azure
support, as your problems are related to their managed service, and
not to PostgreSQL, no?
> Applications that are deployed on different subnets within the same virtual network can access flexible servers directly.
>
> So, since our AKS and Postgresql flexible servers are in the same VNet the above assertion holds. Have attached a snapshot of the Networking tab of postgresql server which says the same thing.
It's very clear from the message that the failing connection is coming
from a different subnet. The connection into PostgreSQL comes from
10.240.1.45, which is very definitely not in the 10.144.0.0/16 subnet.
//Magnus
> On Tue, Sep 7, 2021 at 1:51 PM Julien Rouhaud <rjuju123@gmail.com> wrote:
>>
>> On Tue, Sep 7, 2021 at 4:14 PM Prabir Kr Sarkar
>> <prabir.kr.sarkar@gmail.com> wrote:
>> >
>> > The grafana pod fails to start with the following error:
>> >
>> > t=2021-09-07T06:40:00+0000 lvl=info msg="Connecting to DB" logger=sqlstore dbtype=postgres
>> > t=2021-09-07T06:40:00+0000 lvl=info msg="Starting DB migrations" logger=migrator
>> > service init failed: failed to check table existence: pq: no pg_hba.conf entry for host "10.240.1.45", user "grafana", database "grafana", SSL off
>>
>> That seems quite self explanatory. Your grafana is trying to connect
>> as "grafana" role, on "grafana" database from 10.240.1.45, and your
>> pg_hba.conf file doesn't allow it. I'm not sure how to configure that
>> on AKS but you need to either authorize it or configure grafana to use
>> some other credentials that are already allowed, like this one:
>>
>> > Note: - We can however, connect to the postgresql flexible server from a pod (with psql) in the same AKS.
>>
>> (assuming that this psql connection is allowing other IP). See
>> https://www.postgresql.org/docs/current/auth-pg-hba-conf.html for more
>> details about the pg_hba.conf file.
>
>
>
> --
> Thanks and Regards
> Prabir Sarkar
Thanks and Regards
Prabir Sarkar
From: Prabir Kr Sarkar <prabir.kr.sarkar@gmail.com>
Sent: Wednesday, September 8, 2021 3:46:50 AM
To: Magnus Hagander <magnus@hagander.net>; Pgsql-admin <pgsql-admin@lists.postgresql.org>
Subject: Re: Grafana unable to connect Azure Postgresql Flexible server
Sent: Wednesday, September 8, 2021 3:46:50 AM
To: Magnus Hagander <magnus@hagander.net>; Pgsql-admin <pgsql-admin@lists.postgresql.org>
Subject: Re: Grafana unable to connect Azure Postgresql Flexible server
Hi Magnus,
Thanks for your email. We raised a ticket with Microsoft and they confirmed that :-
There are 905 failed connections to PostgreSQL server postgresql-ha between 9/6/2021 2:42:16 PM(UTC) and 9/8/2021 4:24:13 AM(UTC) because of an invalid authorization specification. This error typically indicates a mismatch between the SSL settings on the Postgres server and the client making the connection. Please refer to this document for more information.
And asked us to:
- Check the SSL settings on the client. Flexible Server supports encrypted connections using Transport Layer Security (TLS 1.2+) and all incoming connections with TLS 1.0 and TLS 1.1 will be denied.
Regards
Prabir
On Tue, Sep 7, 2021 at 2:39 PM Magnus Hagander <magnus@hagander.net> wrote:
On Tue, Sep 7, 2021 at 10:54 AM Prabir Kr Sarkar
<prabir.kr.sarkar@gmail.com> wrote:
>
> Hi Julien,
> Thanks for your response. The url - https://docs.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking says the following :
>
> Because Azure Database for PostgreSQL is a managed database service, users are not provided host or OS access to view or modify configuration files such as pg_hba.conf. The content of the files is automatically updated based on the network settings.
That means that issues around it are better discussed with Azure
support, as your problems are related to their managed service, and
not to PostgreSQL, no?
> Applications that are deployed on different subnets within the same virtual network can access flexible servers directly.
>
> So, since our AKS and Postgresql flexible servers are in the same VNet the above assertion holds. Have attached a snapshot of the Networking tab of postgresql server which says the same thing.
It's very clear from the message that the failing connection is coming
from a different subnet. The connection into PostgreSQL comes from
10.240.1.45, which is very definitely not in the 10.144.0.0/16 subnet.
//Magnus
> On Tue, Sep 7, 2021 at 1:51 PM Julien Rouhaud <rjuju123@gmail.com> wrote:
>>
>> On Tue, Sep 7, 2021 at 4:14 PM Prabir Kr Sarkar
>> <prabir.kr.sarkar@gmail.com> wrote:
>> >
>> > The grafana pod fails to start with the following error:
>> >
>> > t=2021-09-07T06:40:00+0000 lvl=info msg="Connecting to DB" logger=sqlstore dbtype=postgres
>> > t=2021-09-07T06:40:00+0000 lvl=info msg="Starting DB migrations" logger=migrator
>> > service init failed: failed to check table existence: pq: no pg_hba.conf entry for host "10.240.1.45", user "grafana", database "grafana", SSL off
>>
>> That seems quite self explanatory. Your grafana is trying to connect
>> as "grafana" role, on "grafana" database from 10.240.1.45, and your
>> pg_hba.conf file doesn't allow it. I'm not sure how to configure that
>> on AKS but you need to either authorize it or configure grafana to use
>> some other credentials that are already allowed, like this one:
>>
>> > Note: - We can however, connect to the postgresql flexible server from a pod (with psql) in the same AKS.
>>
>> (assuming that this psql connection is allowing other IP). See
>> https://www.postgresql.org/docs/current/auth-pg-hba-conf.html for more
>> details about the pg_hba.conf file.
>
>
>
> --
> Thanks and Regards
> Prabir Sarkar
Thanks and Regards
Prabir Sarkar