Merge pull request #777 from EnterpriseDB/TPA/23.42

Release branch for TPA

Author: gvasquezvargas

product_docs/docs/tpa/23/INSTALL-repo.mdx

@@ -22,15 +22,15 @@ the source and [run TPA in a Docker container](reference/INSTALL-docker/).
 ## Quickstart
 
 First, you must install the various dependencies Python 3, Python
-venv, git, openvpn and patch. Installing from EDB repositories
+venv, git, and openvpn. Installing from EDB repositories
 would install these automatically along with the TPA
 packages.
 
 Before you install TPA, you must install the required packages:
 
--   **Debian/Ubuntu** <br/> `sudo apt-get install python3 python3-pip python3-venv git openvpn patch`
--   **Redhat, Rocky or AlmaLinux (RHEL7)** <br/> `sudo yum install python3 python3-pip epel-release git openvpn patch`
--   **Redhat, Rocky or AlmaLinux (RHEL8)** <br/>`sudo yum install python36 python3-pip epel-release git openvpn patch`
+-   **Debian/Ubuntu** <br/> `sudo apt-get install python3 python3-pip python3-venv git openvpn`
+-   **Redhat, Rocky or AlmaLinux (RHEL7)** <br/> `sudo yum install python3 python3-pip epel-release git openvpn`
+-   **Redhat, Rocky or AlmaLinux (RHEL8)** <br/>`sudo yum install python36 python3-pip epel-release git openvpn`
 
 ## Clone and setup
 

product_docs/docs/tpa/23/INSTALL.mdx

@@ -64,7 +64,7 @@ to the target instances.
 ## Installing TPA packages
 
 To install TPA, you must first [subscribe to an EDB repository](https://www.enterprisedb.com/docs/repos/getting_started/).
-TPA is available in all EDB repositories. 
+TPA is available in all EDB repositories.
 
 Install TPA as follows:
 
@@ -107,6 +107,9 @@ install the correct versions of all required modules.
 sudo /opt/EDB/TPA/bin/tpaexec setup
 ```
 
+`tpaexec setup` will automatically use a suitable version of the
+requirements.txt file to install the correct modules for your system.
+
 You must run this as root because it writes to `/opt/EDB/TPA`,
 but the process will not affect any system-wide Python modules you may
 have installed (including Ansible).
@@ -138,10 +141,10 @@ If your internet-connected machine uses the same operating system as the
 target, we recommend using `yumdownloader` (RHEL-like) or `apt download`
 (Debian-like) to download the packages.
 
-Alternatively, you can download packages for any platform from your 
+Alternatively, you can download packages for any platform from your
 browser by visiting [EDB Repos](https://www.enterprisedb.com/repos) and
-selecting either 'Enterprise', 'Standard' or 'Community 360' under the 
-heading 'Download EDB software packages from your browser'. 
+selecting either 'Enterprise', 'Standard' or 'Community 360' under the
+heading 'Download EDB software packages from your browser'.
 To install TPA you need these packages:
 
 -   tpaexec

product_docs/docs/tpa/23/ansible-and-sudo.mdx

@@ -118,6 +118,116 @@ the sudo options only if there is a specific need to do so. The defaults
 were chosen for good reasons. For example, removing `-S -n` will cause
 tasks to timeout if password-less sudo is incorrectly configured.
 
+## Managing privilege escalation configuration
+
+### Default sudo configuration
+
+By default, TPA automatically manages sudo-related configuration on target
+instances, including installing the sudo package if not present and
+configuring sudoers files for various components.
+
+The default value of `privilege_escalation_command` is `"sudo"`, which enables
+TPA to manage sudo installation and configuration.
+
+### Using an alternative privilege escalation command
+
+If your environment uses a different privilege escalation command, you can
+configure TPA to use an alternative by setting `privilege_escalation_command`
+in `cluster_vars`:
+
+```yaml
+cluster_vars:
+  privilege_escalation_command: other_tool  # replaces sudo; may include arguments
+```
+
+The value is used as a direct in-place replacement for `sudo` in each
+privilege escalation command TPA generates for managed applications. It may
+include additional arguments if needed (e.g., `other_tool --flag`).
+
+You can set it to any privilege escalation command supported by Ansible's
+become mechanism. Refer to the
+[Ansible privilege escalation documentation](https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_privilege_escalation.html)
+for the complete list of supported methods.
+
+**Important:** `sudo` is the only privilege escalation command officially
+supported by EDB. When using alternative commands, you are responsible for
+ensuring compatibility and proper configuration. EDB Support may have limited
+ability to assist with issues related to alternative privilege escalation
+mechanisms.
+
+#### Ansible's become method vs. `privilege_escalation_command`
+
+There are two separate privilege escalation settings to be aware of:
+
+-   **`ansible_become_method`** controls how Ansible itself escalates privileges
+    when running deployment tasks on target instances. This is an Ansible variable
+    set in your inventory or `ansible.cfg`.
+-   **`privilege_escalation_command`** controls the command that the managed
+    applications (EFM, repmgr, HARP) invoke at runtime to escalate privileges
+    for service management operations, independently of Ansible.
+
+Because they serve different purposes, both must be configured consistently.
+If your environment uses an alternative tool instead of sudo, you must set
+`privilege_escalation_command` in `cluster_vars` *and* configure
+`ansible_become_method` in your Ansible inventory or `ansible.cfg` to match.
+
+#### Recommended approach: Using hooks
+
+If you need to use an alternative privilege escalation command, we recommend
+using [TPA hooks](tpaexec-hooks/) to configure your privilege escalation
+mechanism. Hooks allow you to run custom tasks at specific points during
+deployment, giving you full control over how privilege escalation is configured
+whilst keeping your customisations separate from TPA's core deployment logic.
+
+For example, you can use a `post-repo` hook to install and configure your
+privilege escalation command after repositories are configured, or a `pre-deploy`
+hook to set up the necessary permissions before the main deployment begins.
+This approach provides better maintainability and makes it easier to manage
+environment-specific requirements.
+
+#### Manual configuration requirements
+
+When using an alternative privilege escalation command (anything other than
+`"sudo"`), TPA will skip sudo package installation and sudoers configuration.
+You must install and configure the chosen privilege escalation command
+on all target systems, either manually or with hooks, before running
+`tpaexec deploy`.
+
+**1. Service management permissions for the postgres user**
+
+Your privilege escalation mechanism must allow the postgres system user to
+execute systemctl commands for starting, stopping, restarting, and reloading
+PostgreSQL and related services. This is required for failover managers
+(repmgr, HARP, EFM) to function correctly during automatic failover operations.
+
+For example, with sudo, TPA would configure the following permissions:
+
+```
+postgres ALL=(ALL) NOPASSWD: /bin/systemctl start postgresql
+postgres ALL=(ALL) NOPASSWD: /bin/systemctl stop postgresql
+postgres ALL=(ALL) NOPASSWD: /bin/systemctl restart postgresql
+postgres ALL=(ALL) NOPASSWD: /bin/systemctl reload postgresql
+```
+
+You must configure equivalent permissions in your chosen privilege escalation
+system.
+
+**2. EFM database function permissions (EFM clusters only)**
+
+If your cluster uses EFM as the failover manager, your privilege escalation
+mechanism must allow the EFM system user to execute the `efm_db_functions`
+script as the postgres user. This is required for EFM to perform health checks
+and failover operations.
+
+For example, with sudo, TPA would configure:
+
+```
+efm ALL=(postgres) NOPASSWD: /usr/edb/efm-X.Y/bin/efm_db_functions
+```
+
+Configure equivalent permissions in your privilege escalation system to allow
+the efm user to run this script as the postgres user.
+
 ## Logging
 
 For playbook executions, the sudo logs will show mostly invocations of

product_docs/docs/tpa/23/architecture-PGD-S.mdx

@@ -45,10 +45,10 @@ More detail on the options is provided in the following section.
 
 #### Mandatory Options
 
-| Options                                               | Description                                                                               |
-| ----------------------------------------------------- | ----------------------------------------------------------------------------------------- |
-| `--architecture` (`-a`)                               | Must be set to `PGD-S`                                                                    |
-| Postgres flavour and version (e.g. `--postgresql 15`) | A valid [flavour and version specifier](tpaexec-configure/#postgres-flavour-and-version). |
+| Options                                               | Description                                                                                                        |
+| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
+| `--architecture` (`-a`)                               | Must be set to `PGD-S`                                                                                             |
+| Postgres flavour and version (e.g. `--postgresql 15`) | A valid [flavour and version specifier](tpaexec-configure/#postgres-flavour-and-version). Supports Postgres 14-18. |
 
 <br/><br/>
 

product_docs/docs/tpa/23/architecture-PGD-X.mdx

@@ -49,27 +49,27 @@ More detail on the options is provided in the following section.
 
 #### Mandatory Options
 
-| Options                                               | Description                                                                               |
-| ----------------------------------------------------- | ----------------------------------------------------------------------------------------- |
-| `--architecture` (`-a`)                               | Must be set to `PGD-X`                                                                    |
-| Postgres flavour and version (e.g. `--postgresql 15`) | A valid [flavour and version specifier](tpaexec-configure/#postgres-flavour-and-version). |
-| `--pgd-routing`                                       | Must be either `global` or `local`.                                                       |
+| Options                                               | Description                                                                                                        |
+| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
+| `--architecture` (`-a`)                               | Must be set to `PGD-X`                                                                                             |
+| Postgres flavour and version (e.g. `--postgresql 15`) | A valid [flavour and version specifier](tpaexec-configure/#postgres-flavour-and-version). Supports Postgres 14-18. |
+| `--pgd-routing`                                       | Must be either `global` or `local`.                                                                                |
 
 <br/><br/>
 
 #### Additional Options
 
-| Options                     | Description                                                                                                 | Behaviour if omitted                                        |
-| --------------------------- | ----------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------- |
-| `--platform`                | One of `aws`, `docker`, `bare`.                                                                             | Defaults to `aws`.                                          |
-| `--location-names`          | A space-separated list of location names. The number of locations is equal to the number of names supplied. | TPA will configure a single location with three data nodes. |
-| `--witness-only-location`   | A location name, must be a member of `location-names`.                                                      | No witness-only location is added.                          |
-| `--data-nodes-per-location` | The number of data nodes in each location, must be at least 2.                                              | Defaults to 3.                                              |
-| `--enable-camo`             | Sets two data nodes in each location as CAMO partners.                                                      | CAMO will not be enabled.                                   |
-| `--bdr-database`            | The name of the database to be used for replication.                                                        | Defaults to `bdrdb`.                                        |
-| `--enable-pgd-probes`       | Enable http(s) api endpoints for pgd-proxy such as `health/is-ready` to allow probing proxy's health.       | Disabled by default.                                        |
-| `--proxy-listen-port`       | The port on which proxy nodes will route traffic to the write leader.                                       | Defaults to 6432                                            |
-| `--proxy-read-only-port`    | The port on which proxy nodes will route read-only traffic to shadow nodes.                                 | Defaults to 6433                                            |
+| Options                     | Description                                                                                                 | Behaviour if omitted                                                   |
+| --------------------------- | ----------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------- |
+| `--platform`                | One of `aws`, `docker`, `bare`.                                                                             | Defaults to `aws`.                                                     |
+| `--location-names`          | A space-separated list of location names. The number of locations is equal to the number of names supplied. | TPA will configure a single location with three data nodes.            |
+| `--witness-only-location`   | A location name, must be a member of `location-names`.                                                      | No witness-only location is added.                                     |
+| `--data-nodes-per-location` | The number of data nodes in each location, must be at least 2.                                              | Defaults to 3.                                                         |
+| `--enable-camo`             | Sets two data nodes in each location as CAMO partners.                                                      | CAMO will not be enabled.                                              |
+| `--bdr-database`            | The name of the database to be used for replication.                                                        | Defaults to `bdrdb`.                                                   |
+| `--enable-pgd-probes`       | Enable http(s) api endpoints for pgd-proxy such as `health/is-ready` to allow probing proxy's health.       | Disabled by default.                                                   |
+| `--read-write-port`         | The port for Connection Manager to listen on for read-write connections.                                    | Left empty in config.yml, allowing default of the postgres port + 1000 |
+| `--read-only-port`          | The port for Connection Manager to listen on for read-only connections.                                     | Left empty in config.yml, allowing default of the read-write port + 1  |
 
 <br/><br/>
 

product_docs/docs/tpa/23/configure-cluster.mdx

@@ -132,6 +132,7 @@ postgres_version: '14' # Defined at top-level
 cluster_vars:
   postgres_version: "{{ postgres version }}" # Templated with top-level variable 
   postgres_data_dir: "/data/{{ cluster_name }}/edb{{ postgres_version }}/data" # Templated with top-level variable
+  privilege_escalation_command: sudo
 ```
 
 In this case, `tpaexec provision` will write three variables (a

product_docs/docs/tpa/23/firstclusterdeployment.mdx

@@ -44,12 +44,6 @@ newgrp docker
     lets them trivially gain root on the Docker host. Only trusted users
     should have access to the Docker daemon.
 
-!!! Note on RHEL 7 instances
-
-    To use RHEL 7 instances your host must be configured to run cgroups v1. 
-    Refer to documentation for your system to verify and alter cgroups configuration, 
-    or choose another operating system for your containers to follow this tutorial.
-
 ### Creating a configuration with TPA
 
 The next step in this process is to create a configuration. TPA does most of the work for you through its `configure` command. All you have to do is supply command line flags and options to select, in broad terms, what you want to deploy. Here's our `tpaexec configure` command:

product_docs/docs/tpa/23/images/m1.dot

@@ -1,4 +1,4 @@
-# © Copyright EnterpriseDB UK Limited 2015-2025 - All rights reserved.
+# © Copyright EnterpriseDB UK Limited 2015-2026 - All rights reserved.
 
 digraph M1 {
     backup [shape=box];

product_docs/docs/tpa/23/index.mdx

@@ -44,11 +44,11 @@ title: Trusted Postgres Architect
 originalFilePath: index.md
 pdf: true
 directoryDefaults:
-  version: 23.41.0
+  version: 23.42.0
 
 ---
 
-© Copyright EnterpriseDB UK Limited 2015-2025 - All rights reserved.
+© Copyright EnterpriseDB UK Limited 2015-2026 - All rights reserved.
 
 ## Introduction
 

product_docs/docs/tpa/23/platform-docker.mdx

@@ -53,11 +53,19 @@ and launch Docker from the application menu.
 
 ### Cgroups
 
-TPA supports Docker containers on hosts running cgroups version 1 or 2.
-On a host running cgroups2, instances running RHEL 7 are not supported.
+All [currently-supported operating systems](reference/distributions/) provide support cgroups
+version 2. You should always use cgroups version 2 on the host machine
+when deploying to Docker unless you are using a legacy operating system.
 
-If you need to use RHEL 7 instances but your host is running cgroups
-version 2, you can switch to cgroups version 1 as follows.
+!!!Important
+
+Instructions for using legacy systems are provided purely for
+testing or to support migrating away from those platforms.
+!!!
+
+For some legacy platforms, in particular RHEL 7, you will need to
+configure your host to use version 1. You can switch to cgroups version
+1 as follows.
 
 On Debian-family Linux distributions: