编译安装 pgsql
学习 PostgreSQL 从编译安装开始,从官网下载指定版本的[源码包]
编译前准备
下面是 Debian 12.x 发行版编译 PostgreSQL 16.1 需要的依赖项。
必要说明
PostgreSql 官方推荐使用 GCC 最新版编译器来构建,但为了支持 JIT 这里用的是 llvm+clang 编译器套件;
GCC 编译器不支持 JIT 即时编译功能;
也就是说如果要增加 --with-llvm 编译选项,就需要使用 llvm+clang 编译器组合。
C 语言编译器主要有四种: MSVC/GCC/MinGW/Clang+LLVM
bash
apt install -y clang liblz4-dev libzstd-dev bison flex libreadline-dev \
zlib1g-dev libpam0g-dev libxslt1-dev uuid-dev libsystemd-dev libicu-devdebian12 纯净版所需完整依赖
bash
apt install -y bzip2
apt install -y make clang liblz4-dev libzstd-dev bison flex libreadline-dev \
zlib1g-dev libpam0g-dev libxslt1-dev uuid-dev libsystemd-dev pkg-config \
libssl-dev libxml2-dev xsltproc fop dbtoepub libicu-dev依赖包说明
| package | note |
|---|---|
| clang | c/c++ 编译器,llvm+clang 是套组合 |
| liblz4-dev | 用于 LZ4 压缩算法的开发库 |
| libzstd-dev | 用于 Zstandard 压缩算法的开发库 |
| bison | 一个广泛使用的语法分析器生成器,主要用于 Unix 和类 Unix 系统 |
| flex | 一个词法分析器生成工具,通常与 Bison 结合使用,以创建完整的编译器前端 |
| libreadline-dev | 提供命令行编辑功能的开发库 |
| zlib1g-dev | 用于 zlib 压缩和解压缩数据的开发库 |
| libpam0g-dev | 用于 PAM 支持的开发库 |
| libxslt1-dev | 包含用于开发 XSLT 应用程序的库和头文件 |
| uuid-dev | 包含了用于生成和处理 UUID 的库和头文件 |
| libsystemd-dev | 用于开发与 systemd 相关的应用程序的包,它提供了一组头文件和库文件 |
| libicu-dev | icu 开发库包,支持国际化(i18n)和本地化(l10n)功能 |
编译选项说明
| commom | note |
|---|---|
| --prefix=PREFIX | 指定安装路径 |
| --datadir=DIR | 指定数据目录路径 |
| --enable-debug | 启用调试模式 |
| --enable-cassert | 启用断言检查 |
| CC=CMD | 指定 C 编译器( gcc/clang 注意是区分大小写的) |
| CXX=CMD | 指定 C++ 编译器( c++/clang++ 注意是区分大小写的) |
| --with-llvm | 启用基于 LLVM 的 JIT 支持,优化适合 OLTP/OLAP |
| LLVM_CONFIG=PATH | 用于定位 LLVM 安装的程序 |
| --with-pgport=PortNum | 指定 pgsql 服务器监听的端口号 |
| --with-pam | 允许 pgsql 使用系统的 PAM 认证机制进行用户身份验证 |
| --with-systemd | 确保 PostgreSQL 与 systemd 服务和日志系统集成 |
| --with-uuid=e2fs | 构建 uuid-ossp 使用 e2fsprogs 库,用于生成唯一标识符 |
| --with-libxml | 支持 XML 数据类型 |
| --with-libxslt | 支持 XSLT 转换,扩展 XML 处理能力 |
| --with-lz4 | 启用 LZ4 压缩算法的支持 |
| --with-zstd | 启用 Zstandard 压缩算法的支持 |
| --with-openssl | 启用 OpenSSL 支持,用于加密通信 |
--enable-debug:启用后,可以在调试器中运行程序来分析问题,这会大大增加已安装的可执行文件的大小,并且在非 GCC 编译器上它通常也会禁用编译器优化,生产环境中只建议在选择 GCC 编译器时添加此选项。- 编译器:
llvm+clang跟gcc是两个编译器,是互斥的,如果要启用--with-llvm就要使用clang - 安装部分依赖包时,可能会自动安装
gcc编译器包 --with-ossp: uuid 支持 3 种方式ossp-uuid(维护不积极)bsd(跨平台支持)e2fs(兼容linux,性能高)
编译
bash
# 修改操作系统打开最大文件句柄数
# /etc/security/limits.conf 结尾添加下面两行
# 进行这一步操作的目的是防止linux操作系统内打开文件句柄数量的限制,避免不必要的故障
echo "postgres soft nofile 65535
postgres hard nofile 65535" > /etc/security/limits.d/postgres.confbash
su - postgres -s /bin/zsh
wget https://ftp.postgresql.org/pub/source/v17./postgresql-17.6.tar.bz2
tar -xjf postgresql-17.6.tar.bz2
mkdir ~/postgresql-17.6/build_postgres
cd ~/postgresql-17.6/build_postgresbash
# 使用postgres账户编译
# 关于生产环境要不要添加 --enable-debug 选项问题:使用gcc编译器时可以启用debug
# 使用 llvm+clang 编译器套件时不应该启用debug,因为llvm可以优化pgsql性能,而使用 --enable-debug 选项,通常会禁用编译器的性能优化
# LLVM_CONFIG 的路径在不同发行版不同,如,debian12路径为:/usr/lib/llvm-14/bin/llvm-config
../configure --prefix=/server/postgres \
--enable-debug \
--enable-cassert \
CC=clang \
CXX=clang++ \
--with-llvm \
LLVM_CONFIG=/usr/lib/llvm-19/bin/llvm-config \
--with-pam \
--with-systemd \
--with-uuid=e2fs \
--with-lz4 \
--with-zstd \
--with-openssl \
--with-libxml \
--with-libxslt > stdout.logbash
# 使用postgres账户安装
make -j4 > make.log
make check > make.log
make install
# 编译安装完后记得移除源码包,节省空间
rm -rf ~/postgresql-17.6 ~/postgresql-17.6.tar.bz2bash
su - postgres -s /bin/zsh
# 初始化 pgsql 数据库,-D 参数指定数据目录路径,
# 执行命令后将在指定目录下创建必要的文件和目录结构
/server/postgres/bin/initdb -D /server/pgData -E UTF8 --locale=zh_CN.utf8 -U postgresbash
# 这些指令通常不需要使用
# 启动 pgsql 数据库服务器,-D 参数指定数据目录路径,-l 参数指定了日志文件的路径,
# 执行命令后数据库服务器将开始运行,并记录日志到指定的文件中。
/server/postgres/bin/pg_ctl -D /server/pgData -l logFile start
# 这个命令用于创建一个名为 "test" 的新数据库。
# 执行该命令后,将在数据库中创建一个名为 "test" 的新数据库。
/server/postgres/bin/createdb test
# 这个命令用于启动 PostgreSQL 命令行客户端,并连接到名为 "test" 的数据库。
# 执行该命令后,你将进入一个交互式的 PostgreSQL 命令行界面,可以执行 SQL 查询和操作。
/server/postgres/bin/psql testpsql
bash
# 最简单登录指令
psql
# 修改 sock 文件路径后,需要指定 sock 文件所在目录才能正常登录
psql -h /run/postgresmd
```bash
# 注意:如果没有跟用户同名的数据库就必须使用 -d 指定数据库名
psql -h 127.0.0.1 -U admin -d postgres -W
psql -h 192.168.66.254 -U admin -d postgres -W
```
> 这是一个用于连接到 PostgreSQL 数据库的命令。其中:
- psql 是 PostgreSQL 的命令行工具。
- -h /run/postgres 指定了要连接的数据库服务器的主机名、 IP 地址或 socket 文件,这里是/run/postgres。
- -U admin 指定了要使用的用户名,这里是 admin。
- -d postgres 指定了要连接的数据库名称,这里是 postgres。
- -W 表示在连接时需要输入密码。systemd 单元
bash
echo "[Unit]
Description=PostgreSQL database server
Documentation=man:postgres(1)
After=network-online.target
Wants=network-online.target
[Service]
Type=notify
User=postgres
Group=postgres
RuntimeDirectory=postgres
RuntimeDirectoryMode=0750
ExecStart=/server/postgres/bin/postgres -D /server/pgData
ExecReload=/bin/kill -HUP \$MAINPID
KillMode=mixed
KillSignal=SIGINT
TimeoutSec=infinity
[Install]
WantedBy=multi-user.target
" > /lib/systemd/system/postgres.servicebash
systemctl enable postgres
systemctl daemon-reload注意
使用 Type=notify 需要在编译构建阶段 configure 时,使用 --with-systemd 选项
配置文件
PostgreSQL 主要有以下几个配置文件:
postgresql.conf:这是主要的配置文件,用于设置数据库的各种参数和选项。它包含了许多可配置的参数,例如内存分配、连接数限制、日志记录等。通过编辑该文件,可以自定义数据库的行为。postgresql.auto.conf: 该文件自动生成的,每当 postgresql.conf 被读取时,这个文件会被自动读取。 postgresql.auto.conf 中的设置会覆盖 postgresql.conf 中的设置。pg_hba.conf:这个文件用于配置数据库的身份验证方式。它定义了不同类型连接(如本地连接、TCP/IP 连接)的认证方法。你可以根据需要设置不同的认证方式,例如信任所有用户、使用密码加密等。pg_ident.conf:这个文件用于配置数据库的用户映射。它允许将外部系统(如操作系统用户)映射到数据库用户。通过配置该文件,可以实现对外部系统的用户进行身份验证和授权。
配置案例
ini
# -----------------------------
# PostgreSQL configuration file
# -----------------------------
#
# This file consists of lines of the form:
#
# name = value
#
# (The "=" is optional.) Whitespace may be used. Comments are introduced with
# "#" anywhere on a line. The complete list of parameter names and allowed
# values can be found in the PostgreSQL documentation.
#
# The commented-out settings shown in this file represent the default values.
# Re-commenting a setting is NOT sufficient to revert it to the default value;
# you need to reload the server.
#
# This file is read on server startup and when the server receives a SIGHUP
# signal. If you edit the file on a running system, you have to SIGHUP the
# server for the changes to take effect, run "pg_ctl reload", or execute
# "SELECT pg_reload_conf()". Some parameters, which are marked below,
# require a server shutdown and restart to take effect.
#
# Any parameter can also be given as a command-line option to the server, e.g.,
# "postgres -c log_connections=on". Some parameters can be changed at run time
# with the "SET" SQL command.
#
# Memory units: B = bytes Time units: us = microseconds
# kB = kilobytes ms = milliseconds
# MB = megabytes s = seconds
# GB = gigabytes min = minutes
# TB = terabytes h = hours
# d = days
#------------------------------------------------------------------------------
# FILE LOCATIONS
#------------------------------------------------------------------------------
# The default values of these variables are driven from the -D command-line
# option or PGDATA environment variable, represented here as ConfigDir.
#data_directory = 'ConfigDir' # use data in another directory
# (change requires restart)
#hba_file = 'ConfigDir/pg_hba.conf' # host-based authentication file
# (change requires restart)
#ident_file = 'ConfigDir/pg_ident.conf' # ident configuration file
# (change requires restart)
# If external_pid_file is not explicitly set, no extra PID file is written.
#external_pid_file = '' # write an extra PID file
# (change requires restart)
#------------------------------------------------------------------------------
# CONNECTIONS AND AUTHENTICATION
#------------------------------------------------------------------------------
# - Connection Settings -
#listen_addresses = 'localhost' # what IP address(es) to listen on;
# comma-separated list of addresses;
# defaults to 'localhost'; use '*' for all
# (change requires restart)
#port = 5432 # (change requires restart)
max_connections = 100 # (change requires restart)
#reserved_connections = 0 # (change requires restart)
#superuser_reserved_connections = 3 # (change requires restart)
#unix_socket_directories = '/tmp' # comma-separated list of directories
# (change requires restart)
#unix_socket_group = '' # (change requires restart)
#unix_socket_permissions = 0777 # begin with 0 to use octal notation
# (change requires restart)
#bonjour = off # advertise server via Bonjour
# (change requires restart)
#bonjour_name = '' # defaults to the computer name
# (change requires restart)
# - TCP settings -
# see "man tcp" for details
#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds;
# 0 selects the system default
#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds;
# 0 selects the system default
#tcp_keepalives_count = 0 # TCP_KEEPCNT;
# 0 selects the system default
#tcp_user_timeout = 0 # TCP_USER_TIMEOUT, in milliseconds;
# 0 selects the system default
#client_connection_check_interval = 0 # time between checks for client
# disconnection while running queries;
# 0 for never
# - Authentication -
#authentication_timeout = 1min # 1s-600s
#password_encryption = scram-sha-256 # scram-sha-256 or md5
#scram_iterations = 4096
#db_user_namespace = off
# GSSAPI using Kerberos
#krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab'
#krb_caseins_users = off
#gss_accept_delegation = off
# - SSL -
#ssl = off
#ssl_ca_file = ''
#ssl_cert_file = 'server.crt'
#ssl_crl_file = ''
#ssl_crl_dir = ''
#ssl_key_file = 'server.key'
#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
#ssl_prefer_server_ciphers = on
#ssl_ecdh_curve = 'prime256v1'
#ssl_min_protocol_version = 'TLSv1.2'
#ssl_max_protocol_version = ''
#ssl_dh_params_file = ''
#ssl_passphrase_command = ''
#ssl_passphrase_command_supports_reload = off
#------------------------------------------------------------------------------
# RESOURCE USAGE (except WAL)
#------------------------------------------------------------------------------
# - Memory -
shared_buffers = 128MB # min 128kB
# (change requires restart)
#huge_pages = try # on, off, or try
# (change requires restart)
#huge_page_size = 0 # zero for system default
# (change requires restart)
#temp_buffers = 8MB # min 800kB
#max_prepared_transactions = 0 # zero disables the feature
# (change requires restart)
# Caution: it is not advisable to set max_prepared_transactions nonzero unless
# you actively intend to use prepared transactions.
#work_mem = 4MB # min 64kB
#hash_mem_multiplier = 2.0 # 1-1000.0 multiplier on hash table work_mem
#maintenance_work_mem = 64MB # min 1MB
#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem
#logical_decoding_work_mem = 64MB # min 64kB
#max_stack_depth = 2MB # min 100kB
#shared_memory_type = mmap # the default is the first option
# supported by the operating system:
# mmap
# sysv
# windows
# (change requires restart)
dynamic_shared_memory_type = posix # the default is usually the first option
# supported by the operating system:
# posix
# sysv
# windows
# mmap
# (change requires restart)
#min_dynamic_shared_memory = 0MB # (change requires restart)
#vacuum_buffer_usage_limit = 256kB # size of vacuum and analyze buffer access strategy ring;
# 0 to disable vacuum buffer access strategy;
# range 128kB to 16GB
# - Disk -
#temp_file_limit = -1 # limits per-process temp file space
# in kilobytes, or -1 for no limit
# - Kernel Resources -
#max_files_per_process = 1000 # min 64
# (change requires restart)
# - Cost-Based Vacuum Delay -
#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables)
#vacuum_cost_page_hit = 1 # 0-10000 credits
#vacuum_cost_page_miss = 2 # 0-10000 credits
#vacuum_cost_page_dirty = 20 # 0-10000 credits
#vacuum_cost_limit = 200 # 1-10000 credits
# - Background Writer -
#bgwriter_delay = 200ms # 10-10000ms between rounds
#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables
#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round
#bgwriter_flush_after = 512kB # measured in pages, 0 disables
# - Asynchronous Behavior -
#backend_flush_after = 0 # measured in pages, 0 disables
#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching
#maintenance_io_concurrency = 10 # 1-1000; 0 disables prefetching
#max_worker_processes = 8 # (change requires restart)
#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers
#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers
#max_parallel_workers = 8 # maximum number of max_worker_processes that
# can be used in parallel operations
#parallel_leader_participation = on
#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate
# (change requires restart)
#------------------------------------------------------------------------------
# WRITE-AHEAD LOG
#------------------------------------------------------------------------------
# - Settings -
#wal_level = replica # minimal, replica, or logical
# (change requires restart)
#fsync = on # flush data to disk for crash safety
# (turning this off can cause
# unrecoverable data corruption)
#synchronous_commit = on # synchronization level;
# off, local, remote_write, remote_apply, or on
#wal_sync_method = fsync # the default is the first option
# supported by the operating system:
# open_datasync
# fdatasync (default on Linux and FreeBSD)
# fsync
# fsync_writethrough
# open_sync
#full_page_writes = on # recover from partial page writes
#wal_log_hints = off # also do full page writes of non-critical updates
# (change requires restart)
#wal_compression = off # enables compression of full-page writes;
# off, pglz, lz4, zstd, or on
#wal_init_zero = on # zero-fill new WAL files
#wal_recycle = on # recycle WAL files
#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers
# (change requires restart)
#wal_writer_delay = 200ms # 1-10000 milliseconds
#wal_writer_flush_after = 1MB # measured in pages, 0 disables
#wal_skip_threshold = 2MB
#commit_delay = 0 # range 0-100000, in microseconds
#commit_siblings = 5 # range 1-1000
# - Checkpoints -
#checkpoint_timeout = 5min # range 30s-1d
#checkpoint_completion_target = 0.9 # checkpoint target duration, 0.0 - 1.0
#checkpoint_flush_after = 256kB # measured in pages, 0 disables
#checkpoint_warning = 30s # 0 disables
max_wal_size = 1GB
min_wal_size = 80MB
# - Prefetching during recovery -
#recovery_prefetch = try # prefetch pages referenced in the WAL?
#wal_decode_buffer_size = 512kB # lookahead window used for prefetching
# (change requires restart)
# - Archiving -
#archive_mode = off # enables archiving; off, on, or always
# (change requires restart)
#archive_library = '' # library to use to archive a WAL file
# (empty string indicates archive_command should
# be used)
#archive_command = '' # command to use to archive a WAL file
# placeholders: %p = path of file to archive
# %f = file name only
# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
#archive_timeout = 0 # force a WAL file switch after this
# number of seconds; 0 disables
# - Archive Recovery -
# These are only used in recovery mode.
#restore_command = '' # command to use to restore an archived WAL file
# placeholders: %p = path of file to restore
# %f = file name only
# e.g. 'cp /mnt/server/archivedir/%f %p'
#archive_cleanup_command = '' # command to execute at every restartpoint
#recovery_end_command = '' # command to execute at completion of recovery
# - Recovery Target -
# Set these only when performing a targeted recovery.
#recovery_target = '' # 'immediate' to end recovery as soon as a
# consistent state is reached
# (change requires restart)
#recovery_target_name = '' # the named restore point to which recovery will proceed
# (change requires restart)
#recovery_target_time = '' # the time stamp up to which recovery will proceed
# (change requires restart)
#recovery_target_xid = '' # the transaction ID up to which recovery will proceed
# (change requires restart)
#recovery_target_lsn = '' # the WAL LSN up to which recovery will proceed
# (change requires restart)
#recovery_target_inclusive = on # Specifies whether to stop:
# just after the specified recovery target (on)
# just before the recovery target (off)
# (change requires restart)
#recovery_target_timeline = 'latest' # 'current', 'latest', or timeline ID
# (change requires restart)
#recovery_target_action = 'pause' # 'pause', 'promote', 'shutdown'
# (change requires restart)
#------------------------------------------------------------------------------
# REPLICATION
#------------------------------------------------------------------------------
# - Sending Servers -
# Set these on the primary and on any standby that will send replication data.
#max_wal_senders = 10 # max number of walsender processes
# (change requires restart)
#max_replication_slots = 10 # max number of replication slots
# (change requires restart)
#wal_keep_size = 0 # in megabytes; 0 disables
#max_slot_wal_keep_size = -1 # in megabytes; -1 disables
#wal_sender_timeout = 60s # in milliseconds; 0 disables
#track_commit_timestamp = off # collect timestamp of transaction commit
# (change requires restart)
# - Primary Server -
# These settings are ignored on a standby server.
#synchronous_standby_names = '' # standby servers that provide sync rep
# method to choose sync standbys, number of sync standbys,
# and comma-separated list of application_name
# from standby(s); '*' = all
# - Standby Servers -
# These settings are ignored on a primary server.
#primary_conninfo = '' # connection string to sending server
#primary_slot_name = '' # replication slot on sending server
#hot_standby = on # "off" disallows queries during recovery
# (change requires restart)
#max_standby_archive_delay = 30s # max delay before canceling queries
# when reading WAL from archive;
# -1 allows indefinite delay
#max_standby_streaming_delay = 30s # max delay before canceling queries
# when reading streaming WAL;
# -1 allows indefinite delay
#wal_receiver_create_temp_slot = off # create temp slot if primary_slot_name
# is not set
#wal_receiver_status_interval = 10s # send replies at least this often
# 0 disables
#hot_standby_feedback = off # send info from standby to prevent
# query conflicts
#wal_receiver_timeout = 60s # time that receiver waits for
# communication from primary
# in milliseconds; 0 disables
#wal_retrieve_retry_interval = 5s # time to wait before retrying to
# retrieve WAL after a failed attempt
#recovery_min_apply_delay = 0 # minimum delay for applying changes during recovery
# - Subscribers -
# These settings are ignored on a publisher.
#max_logical_replication_workers = 4 # taken from max_worker_processes
# (change requires restart)
#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers
#max_parallel_apply_workers_per_subscription = 2 # taken from max_logical_replication_workers
#------------------------------------------------------------------------------
# QUERY TUNING
#------------------------------------------------------------------------------
# - Planner Method Configuration -
#enable_async_append = on
#enable_bitmapscan = on
#enable_gathermerge = on
#enable_hashagg = on
#enable_hashjoin = on
#enable_incremental_sort = on
#enable_indexscan = on
#enable_indexonlyscan = on
#enable_material = on
#enable_memoize = on
#enable_mergejoin = on
#enable_nestloop = on
#enable_parallel_append = on
#enable_parallel_hash = on
#enable_partition_pruning = on
#enable_partitionwise_join = off
#enable_partitionwise_aggregate = off
#enable_presorted_aggregate = on
#enable_seqscan = on
#enable_sort = on
#enable_tidscan = on
# - Planner Cost Constants -
#seq_page_cost = 1.0 # measured on an arbitrary scale
#random_page_cost = 4.0 # same scale as above
#cpu_tuple_cost = 0.01 # same scale as above
#cpu_index_tuple_cost = 0.005 # same scale as above
#cpu_operator_cost = 0.0025 # same scale as above
#parallel_setup_cost = 1000.0 # same scale as above
#parallel_tuple_cost = 0.1 # same scale as above
#min_parallel_table_scan_size = 8MB
#min_parallel_index_scan_size = 512kB
#effective_cache_size = 4GB
#jit_above_cost = 100000 # perform JIT compilation if available
# and query more expensive than this;
# -1 disables
#jit_inline_above_cost = 500000 # inline small functions if query is
# more expensive than this; -1 disables
#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if
# query is more expensive than this;
# -1 disables
# - Genetic Query Optimizer -
#geqo = on
#geqo_threshold = 12
#geqo_effort = 5 # range 1-10
#geqo_pool_size = 0 # selects default based on effort
#geqo_generations = 0 # selects default based on effort
#geqo_selection_bias = 2.0 # range 1.5-2.0
#geqo_seed = 0.0 # range 0.0-1.0
# - Other Planner Options -
#default_statistics_target = 100 # range 1-10000
#constraint_exclusion = partition # on, off, or partition
#cursor_tuple_fraction = 0.1 # range 0.0-1.0
#from_collapse_limit = 8
#jit = on # allow JIT compilation
#join_collapse_limit = 8 # 1 disables collapsing of explicit
# JOIN clauses
#plan_cache_mode = auto # auto, force_generic_plan or
# force_custom_plan
#recursive_worktable_factor = 10.0 # range 0.001-1000000
#------------------------------------------------------------------------------
# REPORTING AND LOGGING
#------------------------------------------------------------------------------
# - Where to Log -
#log_destination = 'stderr' # Valid values are combinations of
# stderr, csvlog, jsonlog, syslog, and
# eventlog, depending on platform.
# csvlog and jsonlog require
# logging_collector to be on.
# This is used when logging to stderr:
#logging_collector = off # Enable capturing of stderr, jsonlog,
# and csvlog into log files. Required
# to be on for csvlogs and jsonlogs.
# (change requires restart)
# These are only used if logging_collector is on:
#log_directory = 'log' # directory where log files are written,
# can be absolute or relative to PGDATA
#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern,
# can include strftime() escapes
#log_file_mode = 0600 # creation mode for log files,
# begin with 0 to use octal notation
#log_rotation_age = 1d # Automatic rotation of logfiles will
# happen after that time. 0 disables.
#log_rotation_size = 10MB # Automatic rotation of logfiles will
# happen after that much log output.
# 0 disables.
#log_truncate_on_rotation = off # If on, an existing log file with the
# same name as the new log file will be
# truncated rather than appended to.
# But such truncation only occurs on
# time-driven rotation, not on restarts
# or size-driven rotation. Default is
# off, meaning append to existing files
# in all cases.
# These are relevant when logging to syslog:
#syslog_facility = 'LOCAL0'
#syslog_ident = 'postgres'
#syslog_sequence_numbers = on
#syslog_split_messages = on
# This is only relevant when logging to eventlog (Windows):
# (change requires restart)
#event_source = 'PostgreSQL'
# - When to Log -
#log_min_messages = warning # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic
#log_min_error_statement = error # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# info
# notice
# warning
# error
# log
# fatal
# panic (effectively off)
#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements
# and their durations, > 0 logs only
# statements running at least this number
# of milliseconds
#log_min_duration_sample = -1 # -1 is disabled, 0 logs a sample of statements
# and their durations, > 0 logs only a sample of
# statements running at least this number
# of milliseconds;
# sample fraction is determined by log_statement_sample_rate
#log_statement_sample_rate = 1.0 # fraction of logged statements exceeding
# log_min_duration_sample to be logged;
# 1.0 logs all such statements, 0.0 never logs
#log_transaction_sample_rate = 0.0 # fraction of transactions whose statements
# are logged regardless of their duration; 1.0 logs all
# statements from all transactions, 0.0 never logs
#log_startup_progress_interval = 10s # Time between progress updates for
# long-running startup operations.
# 0 disables the feature, > 0 indicates
# the interval in milliseconds.
# - What to Log -
#debug_print_parse = off
#debug_print_rewritten = off
#debug_print_plan = off
#debug_pretty_print = on
#log_autovacuum_min_duration = 10min # log autovacuum activity;
# -1 disables, 0 logs all actions and
# their durations, > 0 logs only
# actions running at least this number
# of milliseconds.
#log_checkpoints = on
#log_connections = off
#log_disconnections = off
#log_duration = off
#log_error_verbosity = default # terse, default, or verbose messages
#log_hostname = off
#log_line_prefix = '%m [%p] ' # special values:
# %a = application name
# %u = user name
# %d = database name
# %r = remote host and port
# %h = remote host
# %b = backend type
# %p = process ID
# %P = process ID of parallel group leader
# %t = timestamp without milliseconds
# %m = timestamp with milliseconds
# %n = timestamp with milliseconds (as a Unix epoch)
# %Q = query ID (0 if none or not computed)
# %i = command tag
# %e = SQL state
# %c = session ID
# %l = session line number
# %s = session start timestamp
# %v = virtual transaction ID
# %x = transaction ID (0 if none)
# %q = stop here in non-session
# processes
# %% = '%'
# e.g. '<%u%%%d> '
#log_lock_waits = off # log lock waits >= deadlock_timeout
#log_recovery_conflict_waits = off # log standby recovery conflict waits
# >= deadlock_timeout
#log_parameter_max_length = -1 # when logging statements, limit logged
# bind-parameter values to N bytes;
# -1 means print in full, 0 disables
#log_parameter_max_length_on_error = 0 # when logging an error, limit logged
# bind-parameter values to N bytes;
# -1 means print in full, 0 disables
#log_statement = 'none' # none, ddl, mod, all
#log_replication_commands = off
#log_temp_files = -1 # log temporary files equal or larger
# than the specified size in kilobytes;
# -1 disables, 0 logs all temp files
log_timezone = 'Asia/Shanghai'
# - Process Title -
#cluster_name = '' # added to process titles if nonempty
# (change requires restart)
#update_process_title = on
#------------------------------------------------------------------------------
# STATISTICS
#------------------------------------------------------------------------------
# - Cumulative Query and Index Statistics -
#track_activities = on
#track_activity_query_size = 1024 # (change requires restart)
#track_counts = on
#track_io_timing = off
#track_wal_io_timing = off
#track_functions = none # none, pl, all
#stats_fetch_consistency = cache # cache, none, snapshot
# - Monitoring -
#compute_query_id = auto
#log_statement_stats = off
#log_parser_stats = off
#log_planner_stats = off
#log_executor_stats = off
#------------------------------------------------------------------------------
# AUTOVACUUM
#------------------------------------------------------------------------------
#autovacuum = on # Enable autovacuum subprocess? 'on'
# requires track_counts to also be on.
#autovacuum_max_workers = 3 # max number of autovacuum subprocesses
# (change requires restart)
#autovacuum_naptime = 1min # time between autovacuum runs
#autovacuum_vacuum_threshold = 50 # min number of row updates before
# vacuum
#autovacuum_vacuum_insert_threshold = 1000 # min number of row inserts
# before vacuum; -1 disables insert
# vacuums
#autovacuum_analyze_threshold = 50 # min number of row updates before
# analyze
#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum
#autovacuum_vacuum_insert_scale_factor = 0.2 # fraction of inserts over table
# size before insert vacuum
#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze
#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum
# (change requires restart)
#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age
# before forced vacuum
# (change requires restart)
#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for
# autovacuum, in milliseconds;
# -1 means use vacuum_cost_delay
#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for
# autovacuum, -1 means use
# vacuum_cost_limit
#------------------------------------------------------------------------------
# CLIENT CONNECTION DEFAULTS
#------------------------------------------------------------------------------
# - Statement Behavior -
#client_min_messages = notice # values in order of decreasing detail:
# debug5
# debug4
# debug3
# debug2
# debug1
# log
# notice
# warning
# error
#search_path = '"$user", public' # schema names
#row_security = on
#default_table_access_method = 'heap'
#default_tablespace = '' # a tablespace name, '' uses the default
#default_toast_compression = 'pglz' # 'pglz' or 'lz4'
#temp_tablespaces = '' # a list of tablespace names, '' uses
# only default tablespace
#check_function_bodies = on
#default_transaction_isolation = 'read committed'
#default_transaction_read_only = off
#default_transaction_deferrable = off
#session_replication_role = 'origin'
#statement_timeout = 0 # in milliseconds, 0 is disabled
#lock_timeout = 0 # in milliseconds, 0 is disabled
#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled
#idle_session_timeout = 0 # in milliseconds, 0 is disabled
#vacuum_freeze_table_age = 150000000
#vacuum_freeze_min_age = 50000000
#vacuum_failsafe_age = 1600000000
#vacuum_multixact_freeze_table_age = 150000000
#vacuum_multixact_freeze_min_age = 5000000
#vacuum_multixact_failsafe_age = 1600000000
#bytea_output = 'hex' # hex, escape
#xmlbinary = 'base64'
#xmloption = 'content'
#gin_pending_list_limit = 4MB
#createrole_self_grant = '' # set and/or inherit
# - Locale and Formatting -
datestyle = 'iso, ymd'
#intervalstyle = 'postgres'
timezone = 'Asia/Shanghai'
#timezone_abbreviations = 'Default' # Select the set of available time zone
# abbreviations. Currently, there are
# Default
# Australia (historical usage)
# India
# You can create your own file in
# share/timezonesets/.
#extra_float_digits = 1 # min -15, max 3; any value >0 actually
# selects precise output mode
#client_encoding = sql_ascii # actually, defaults to database
# encoding
# These settings are initialized by initdb, but they can be changed.
lc_messages = 'zh_CN.utf8' # locale for system error message
# strings
lc_monetary = 'zh_CN.utf8' # locale for monetary formatting
lc_numeric = 'zh_CN.utf8' # locale for number formatting
lc_time = 'zh_CN.utf8' # locale for time formatting
#icu_validation_level = warning # report ICU locale validation
# errors at the given level
# default configuration for text search
default_text_search_config = 'pg_catalog.simple'
# - Shared Library Preloading -
#local_preload_libraries = ''
#session_preload_libraries = ''
#shared_preload_libraries = '' # (change requires restart)
#jit_provider = 'llvmjit' # JIT library to use
# - Other Defaults -
#dynamic_library_path = '$libdir'
#gin_fuzzy_search_limit = 0
#------------------------------------------------------------------------------
# LOCK MANAGEMENT
#------------------------------------------------------------------------------
#deadlock_timeout = 1s
#max_locks_per_transaction = 64 # min 10
# (change requires restart)
#max_pred_locks_per_transaction = 64 # min 10
# (change requires restart)
#max_pred_locks_per_relation = -2 # negative values mean
# (max_pred_locks_per_transaction
# / -max_pred_locks_per_relation) - 1
#max_pred_locks_per_page = 2 # min 0
#------------------------------------------------------------------------------
# VERSION AND PLATFORM COMPATIBILITY
#------------------------------------------------------------------------------
# - Previous PostgreSQL Versions -
#array_nulls = on
#backslash_quote = safe_encoding # on, off, or safe_encoding
#escape_string_warning = on
#lo_compat_privileges = off
#quote_all_identifiers = off
#standard_conforming_strings = on
#synchronize_seqscans = on
# - Other Platforms and Clients -
#transform_null_equals = off
#------------------------------------------------------------------------------
# ERROR HANDLING
#------------------------------------------------------------------------------
#exit_on_error = off # terminate session on any error?
#restart_after_crash = on # reinitialize after backend crash?
#data_sync_retry = off # retry or panic on failure to fsync
# data?
# (change requires restart)
#recovery_init_sync_method = fsync # fsync, syncfs (Linux 5.8+)
#------------------------------------------------------------------------------
# CONFIG FILE INCLUDES
#------------------------------------------------------------------------------
# These options allow settings to be loaded from files other than the
# default postgresql.conf. Note that these are directives, not variable
# assignments, so they can usefully be given more than once.
#include_dir = '...' # include files ending in '.conf' from
# a directory, e.g., 'conf.d'
#include_if_exists = '...' # include file only if it exists
#include = '...' # include file
#------------------------------------------------------------------------------
# CUSTOMIZED OPTIONS
#------------------------------------------------------------------------------
# Add settings for extensions here
# - basic
listen_addresses = '127.0.0.1,192.168.66.254'
#port = 5432
external_pid_file = '/run/postgres/process.pid'
unix_socket_directories = '/run/postgres'
# - TLS
ssl = on
ssl_ca_file = '/server/etc/postgres/tls/root.crt'
ssl_cert_file = '/server/etc/postgres/tls/server.crt'
#ssl_crl_file = ''
#ssl_crl_dir = ''
ssl_key_file = '/server/etc/postgres/tls/server.key'
#openssl>=3.0以后,安全性得到提升,通常不配置此项
# 如果需要更高的安全性或特定的兼容性要求,并且服务器资源允许,那么可以配置此项
#ssl_dh_params_file = '/server/etc/postgres/tls/pgsql.dh'
# - WAL
# 启用复制至少是 replica
wal_level = replica
archive_mode = on
# 把 WAL 片段拷贝到目录 /server/logs/postgres/wal_archive/
archive_command = 'test ! -f /server/logs/postgres/wal_archive/%f && cp %p /server/logs/postgres/wal_archive/%f'
# - LOG
log_destination = 'jsonlog'
logging_collector = on
log_directory = '/server/logs/postgres'
log_file_mode = 0600
log_truncate_on_rotation = on
log_filename = 'postgres-%d.log'
log_rotation_age = 1d
log_rotation_size = 0ini
# PostgreSQL Client Authentication Configuration File
# ===================================================
#
# Refer to the "Client Authentication" section in the PostgreSQL
# documentation for a complete description of this file. A short
# synopsis follows.
#
# ----------------------
# Authentication Records
# ----------------------
#
# This file controls: which hosts are allowed to connect, how clients
# are authenticated, which PostgreSQL user names they can use, which
# databases they can access. Records take one of these forms:
#
# local DATABASE USER METHOD [OPTIONS]
# host DATABASE USER ADDRESS METHOD [OPTIONS]
# hostssl DATABASE USER ADDRESS METHOD [OPTIONS]
# hostnossl DATABASE USER ADDRESS METHOD [OPTIONS]
# hostgssenc DATABASE USER ADDRESS METHOD [OPTIONS]
# hostnogssenc DATABASE USER ADDRESS METHOD [OPTIONS]
#
# (The uppercase items must be replaced by actual values.)
#
# The first field is the connection type:
# - "local" is a Unix-domain socket
# - "host" is a TCP/IP socket (encrypted or not)
# - "hostssl" is a TCP/IP socket that is SSL-encrypted
# - "hostnossl" is a TCP/IP socket that is not SSL-encrypted
# - "hostgssenc" is a TCP/IP socket that is GSSAPI-encrypted
# - "hostnogssenc" is a TCP/IP socket that is not GSSAPI-encrypted
#
# DATABASE can be "all", "sameuser", "samerole", "replication", a
# database name, a regular expression (if it starts with a slash (/))
# or a comma-separated list thereof. The "all" keyword does not match
# "replication". Access to replication must be enabled in a separate
# record (see example below).
#
# USER can be "all", a user name, a group name prefixed with "+", a
# regular expression (if it starts with a slash (/)) or a comma-separated
# list thereof. In both the DATABASE and USER fields you can also write
# a file name prefixed with "@" to include names from a separate file.
#
# ADDRESS specifies the set of hosts the record matches. It can be a
# host name, or it is made up of an IP address and a CIDR mask that is
# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
# specifies the number of significant bits in the mask. A host name
# that starts with a dot (.) matches a suffix of the actual host name.
# Alternatively, you can write an IP address and netmask in separate
# columns to specify the set of hosts. Instead of a CIDR-address, you
# can write "samehost" to match any of the server's own IP addresses,
# or "samenet" to match any address in any subnet that the server is
# directly connected to.
#
# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
# Note that "password" sends passwords in clear text; "md5" or
# "scram-sha-256" are preferred since they send encrypted passwords.
#
# OPTIONS are a set of options for the authentication in the format
# NAME=VALUE. The available options depend on the different
# authentication methods -- refer to the "Client Authentication"
# section in the documentation for a list of which options are
# available for which authentication methods.
#
# Database and user names containing spaces, commas, quotes and other
# special characters must be quoted. Quoting one of the keywords
# "all", "sameuser", "samerole" or "replication" makes the name lose
# its special character, and just match a database or username with
# that name.
#
# ---------------
# Include Records
# ---------------
#
# This file allows the inclusion of external files or directories holding
# more records, using the following keywords:
#
# include FILE
# include_if_exists FILE
# include_dir DIRECTORY
#
# FILE is the file name to include, and DIR is the directory name containing
# the file(s) to include. Any file in a directory will be loaded if suffixed
# with ".conf". The files of a directory are ordered by name.
# include_if_exists ignores missing files. FILE and DIRECTORY can be
# specified as a relative or an absolute path, and can be double-quoted if
# they contain spaces.
#
# -------------
# Miscellaneous
# -------------
#
# This file is read on server startup and when the server receives a
# SIGHUP signal. If you edit the file on a running system, you have to
# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
# or execute "SELECT pg_reload_conf()".
#
# ----------------------------------
# Put your actual configuration here
# ----------------------------------
#
# If you want to allow non-local connections, you need to add more
# "host" records. In that case you will also need to make PostgreSQL
# listen on a non-local interface via the listen_addresses
# configuration parameter, or via the -i or -h command line switches.
# CAUTION: Configuring the system for local "trust" authentication
# allows any local user to connect as any PostgreSQL user, including
# the database superuser. If you do not trust all your local users,
# use another authentication method.
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all trust
# IPv4 local connections:
# host all all 127.0.0.1/32 trust
# IPv6 local connections:
# host all all ::1/128 trust
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all trust
# host replication all 127.0.0.1/32 trust
# host replication all ::1/128 trust
# custom
# 局域网和外网需要使用 ssl认证+密码认证 建立连接
hostssl all admin 192.168.0.0/16 scram-sha-256 clientcert=verify-full
# 本地仅需要通过 密码认证 建立连接
hostnossl all admin 127.0.0.1/32 scram-sha-2561. 基本配置
bash
# /server/pgData/postgresql.conf
listen_addresses = '127.0.0.1,192.168.66.254'
#port = 5432
external_pid_file = '/run/postgres/process.pid'
unix_socket_directories = '/run/postgres'2. 启用 TLS
PostgreSQL 本身支持使用 ssl 连接来加密客户端/服务器通信,以提高安全性。这需要在客户端和服务器系统上都安装 OpenSSL,并且在 PostgreSQL 构建时启用 ssl 支持
SSL 登录验证通常分为 单向验证 和 双向验证 两种方式:
1. 单向验证(One-way SSL)
单向验证也被称为服务器端验证,指的是服务器要求客户端提供身份验证证书,以证明客户端的身份。
在单向验证中,服务器会向客户端发送自己的证书,但不会要求客户端提供证书。
这种方式可以确保客户端与正确的服务器进行通信,但无法验证客户端的身份。
单向验证需要证书: 服务器私钥+服务器自签名证书
bash
su postgres -s /bin/zsh
mkdir /server/postgres/tls
cd /server/postgres/tls/
# 要为服务器创建一个简单的自签名证书,有效期为365天,
# - 请使用以下OpenSSL命令,将 [debian12-lnpp] 替换为服务器的主机名:
openssl req -new -x509 -days 365 -nodes -text -out server.crt \
-keyout server.key -subj "/CN=debian12-lnpp"
# 注意:确保私钥仅属主用户有权限,否则服务器会拒绝
chmod 600 server.keybash
# /server/pgData/postgresql.conf
ssl = on
ssl_cert_file = '/server/postgres/tls/server.crt'
ssl_key_file = '/server/postgres/tls/server.key'2. 双向验证(Two-way SSL)
双向验证也被称为相互验证,指的是服务器和客户端都需要提供身份验证证书。
在双向验证中,服务器会向客户端发送自己的证书,并要求客户端提供证书。
客户端收到服务器的证书后,会对其进行验证,确认服务器的身份。
然后,客户端会向服务器提供自己的证书,服务器也会对其进行验证,确认客户端的身份。
这种方式可以确保客户端与正确的服务器进行通信,并且可以验证客户端的身份。
双向验证需要证书: ca根证书/服务器私钥+服务器部署证书/客户端私钥+客户端部署证书
bash
su postgres -s /bin/zsh
mkdir /server/postgres/tls
cd /server/postgres/tls/
# 1. 首先创建 [颁发机构CA根证书]
# - 1.1 创建证书签名请求(CSR)和证书私钥文件:
openssl req -new -nodes -text -out root.csr \
-keyout root.key -subj "/CN=Certificate Authority/O=PostgreSQL"
chmod 600 root.key # 注意:确保私钥仅属主用户有权限,否则服务器会拒绝
# - 1.2 使用 [证书签名请求+证书私钥+openssl配置] 创建 [颁发机构CA根证书]
# - 使用 openssl version -d 指令可以获取 openssl.cnf 路径
openssl x509 -req -in root.csr -text -days 3650 \
-extfile /etc/ssl/openssl.cnf -extensions v3_ca \
-signkey root.key -out root.crt
chmod 600 root.* # 安全起见,全部设为仅属主可见bash
# 2. 创建 [服务器部署证书]
# - 2.1 创建服务器签名请求(CSR)和服务器私钥文件
# - 如果客户端使用了 【verify-full】 SSL模式,则CN对应的值必须是客户端连接数据库时的[服务器主机ip]
# 如,服务器IP或服务器回环地址: 127.0.0.1 或 192.168.66.254 或 localhost 等
openssl req -new -nodes -text -out server.csr \
-keyout server.key -subj "/CN=192.168.66.254/O=PostgreSQL"
chmod 600 server.key # 注意:确保私钥仅属主用户有权限,否则服务器会拒绝
# - 2.2 使用 [CA根证书+证书私钥+服务器私钥] 创建 [服务器部署证书]
openssl x509 -req -in server.csr -text -days 365 \
-CA root.crt -CAkey root.key -CAcreateserial \
-out server.crt
chmod 600 server.* # 安全起见,全部设为仅属主可见bash
# 3. 创建 [客户端证书]
# - 3.1 创建客户端签名请求(CSR)和客户端私钥文件
# - 如果对应的hostssl行没有设置认证选项,则客户端只需要开启SSL,客户端是否认证由客户端自己控制
# - 如果对应的hostssl行加入了认证选项【clientcert={verify-ca|verify-full}】,则客户端需要开启SSL,并使用正确的客户端验证
# - 如果对应的hostssl行加入了 【clientcert=verify-full】 认证选项,则CN对应的值必须是数据库登录用户名
openssl req -new -nodes -text -out client-emad.csr \
-keyout client-emad.key -subj "/CN=emad/O=PostgreSQL"
# - 3.2 使用 [CA根证书+证书私钥+客户端私钥] 创建 [客户端证书]
openssl x509 -req -in client-emad.csr -text -days 365 \
-CA root.crt -CAkey root.key -CAcreateserial \
-out client-emad.crt
# - admin 用户 私钥+签名请求
openssl req -new -nodes -text -out client-admin.csr \
-keyout client-admin.key -subj "/CN=admin/O=PostgreSQL"
# - admin 用户 部署证书
openssl x509 -req -in client-admin.csr -text -days 365 \
-CA root.crt -CAkey root.key -CAcreateserial \
-out client-admin.crt
chmod 600 client-* # 客户端证书是提供给特定客户的,安全起见,全部设为仅属主可见sh
#!/bin/bash
# 这些文件是用于生成测试证书的,部署环境应从正规的数字证书的签发机构获取相关证书
#
# tls/root.{crt,key} CA证书用于签署其他证书,以建立信任链
# tls/pgsql.{crt,key} 这个证书可用于SSL/TLS连接中的任何用途
# tls/server.{crt,key} 只能用于SSL/TLS连接中的服务器身份验证
# tls/client.{crt,key} 只能用于SSL/TLS连接中的客户端身份验证
# tls/client-emad.{crt,key} 允许用户emad使用verify-full验证类型
# tls/client-admin.{crt,key} 允许用户admin使用verify-full验证类型
# tls/pgsql.dh 在SSL/TLS握手过程中协商临时密钥,以确保通信的安全性
generate_cert() {
local name=$1
local cn="$2"
local opts="$3"
local keyfile=tls/${name}.key
local certfile=tls/${name}.crt
[ -f $keyfile ] || openssl genrsa -out $keyfile 2048
openssl req \
-new -sha256 \
-subj "/O=PostgreSQL Test/CN=$cn" \
-key $keyfile | \
openssl x509 \
-req -sha256 \
-CA tls/root.crt \
-CAkey tls/root.key \
-CAserial tls/root.txt \
-CAcreateserial \
-days 365 \
$opts \
-out $certfile
}
mkdir tls
[ -f tls/root.key ] || openssl genrsa -out tls/root.key 4096
openssl req \
-x509 -new -nodes -sha256 \
-key tls/root.key \
-days 3650 \
-subj '/O=PostgreSQL Test/CN=Certificate Authority' \
-out tls/root.crt
cat > tls/openssl.cnf <<_END_
[ server_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = server
[ client_cert ]
keyUsage = digitalSignature, keyEncipherment
nsCertType = client
_END_
generate_cert server "Server-only" "-extfile tls/openssl.cnf -extensions server_cert"
generate_cert client "Client-only" "-extfile tls/openssl.cnf -extensions client_cert"
generate_cert client-admin "admin" "-extfile tls/openssl.cnf -extensions client_cert"
generate_cert client-emad "emad" "-extfile tls/openssl.cnf -extensions client_cert"
generate_cert pgsql "Generic-cert"
[ -f tls/pgsql.dh ] || openssl dhparam -out tls/pgsql.dh 2048bash
# 证书吊销比较复杂,放到后面再处理bash
# /server/pgData/postgresql.conf
ssl = on
ssl_ca_file = '/server/postgres/tls/root.crt'
ssl_cert_file = '/server/postgres/tls/server.crt'
#ssl_crl_file = ''
#ssl_crl_dir = ''
ssl_key_file = '/server/postgres/tls/server.key'
#openssl>=3.0以后,安全性得到提升,通常不配置此项
# 如果需要更高的安全性或特定的兼容性要求,并且服务器资源允许,那么可以配置此项
#ssl_dh_params_file = '/server/postgres/tls/pgsql.dh'bash
# /server/pgData/pg_hba.conf
# hostssl 指 tcp/ip 一定是 ssl 传输的,这个跟客户端是否勾选 [使用ssl] 没有关系
# 仅支持ssl/all全部数据库/emad用户/允许连接的客户端IP段/密码使用scram-sha-256加密方式/服务器不验证客户端
# - 客户端不需要勾选 [使用ssl]
hostssl all emad 192.168.0.0/16 scram-sha-256
# 仅支持ssl/all全部数据库/emad用户/允许连接的客户端IP段/密码使用scram-sha-256加密方式/服务器验证客户端
# - 这是双向验证,客户端必须勾选 [使用ssl],表示客户端也是ssl传输
# - 认证选项verify-ca:服务器将验证客户端的证书是否由一个受信任的证书颁发机构签署
hostssl all emad 192.168.0.0/16 scram-sha-256 clientcert=verify-ca
# 仅支持ssl/all全部数据库/emad用户/允许连接的客户端IP段/密码使用scram-sha-256加密方式/服务器验证客户端
# - 这是双向验证,客户端必须勾选 [使用ssl],表示客户端也是ssl传输
# - 认证选项verify-full:服务器不仅验证证书链,还将检查用户名或其映射是否与所提供的证书的 cn(通用名称)相匹配
hostssl all emad 192.168.0.0/16 scram-sha-256 clientcert=verify-fullTLS 备注说明
在 PostgreSQL 中
SSL指的就是TLS签名创建证书的指南来源于
Postgres 官方文档一键脚本参考了 Redis 提供的生成工具,与2中的手工创建略有不同虽然自签名证书可用,但在实际生产中建议使用由证书颁发机构(CA)(通常是企业范围的根 CA)签名的证书。而双向验证也必须要
CA根证书
3. 预写式日志
预写式日志(WAL) 即 Write-Ahead Logging,是一种实现事务日志的标准方法。
bash
# /server/pgData/postgresql.conf
# 启用复制至少是 replica
wal_level = replica
archive_mode = on
# 把 WAL 片段拷贝到目录 /server/logs/postgres/wal_archive/
archive_command = 'test ! -f /server/logs/postgres/wal_archive/%f && cp %p /server/logs/postgres/wal_archive/%f'注意:wal_archive 目录需要预先创建并授予 postgres 用户权限
bash
mkdir /server/logs/postgres/wal_archive
chown postgres /server/logs/postgres/wal_archive/4. 复制
复制(REPLICATION),这里只介绍基于 WAL 通信的流复制
5. 查询调优
后面实现
6. 日志配置
bash
# /server/pgData/postgresql.conf
# 包括错误日志,访问日志等各种日志
log_destination = 'jsonlog'
logging_collector = on
log_directory = '/server/logs/postgres'
log_file_mode = 0640bash
# /server/pgData/postgresql.conf
# 方案一:日志保留指定天数(推荐)
log_truncate_on_rotation = on # on 轮换日志文件时,如文件存在,则覆盖内容
log_filename = 'postgres-%d.log' # %a保留一周、%d保留[01,31]
log_rotation_age = 1d # 每天轮换日志文件
log_rotation_size = 0 # 日志文件大小不限制bash
# /server/pgData/postgresql.conf
# 方案二:日志按天来
log_truncate_on_rotation = off # off 轮换日志文件时,如文件存在,则追加内容
log_filename = 'postgres-%Y-%m-%d_%H%M%S.log'
log_rotation_age = 1d
log_rotation_size = 0bash
# /server/pgData/postgresql.conf
# 方案二:日志按大小来
log_truncate_on_rotation = off
log_filename = 'postgres-%Y-%m-%d_%H%M%S.log'
log_rotation_age = 0
log_rotation_size = 10M数据库角色
PostgreSQL 使用角色的概念管理数据库访问权限。一个角色可以被看成是一个数据库用户或者是一个数据库用户组,这取决于角色被怎样设置。
角色可以拥有数据库对象(例如,表和函数)并且能够把那些对象上的权限赋予给其他角色来控制谁能访问哪些对象。此外,还可以把一个角色中的成员资格授予给另一个角色,这样允许成员角色使用被赋予给另一个角色的权限。
角色的概念把 用户 和 组 的概念都包括在内。在 PostgreSQL 版本 8.1 之前,用户和组是完全不同的两种实体,但是现在只有角色。任意角色都可以扮演用户、组或者两者。
sql
-- 查看角色列表 (psql可以使用 \du 列出现有角色)
SELECT rolname FROM pg_roles;
-- 创建角色(不允许登录),角色不能批量创建
CREATE ROLE name;
-- 移除角色,2种方式等效,移除多个角色用逗号分隔
DROP ROLE name1,name2;
DROP USER name1,name2;sql
-- CREATE 和 ALTER 指令的 [WITH] 是可选的,你也可以省略
-- 登录特权属性,创建允许登录的角色,2种方式等效
CREATE ROLE user_a WITH LOGIN;
CREATE USER user_b;
-- 设置 password 属性,仅pg_hba.conf对应行需要口令验证时才有意义
CREATE ROLE user_c WITH LOGIN PASSWORD '1'
-- 超级用户特权属性,绕开除登录特权外的所有权限检查
CREATE ROLE role_a WITH SUPERUSER;
-- 创建数据库特权属性
CREATE ROLE role_b WITH CREATEDB;
-- 授予角色特权属性
CREATE ROLE role_c WITH CREATEROLE;
-- 同时赋予多个属性
CREATE ROLE role_admin WITH CREATEDB CREATEROLE;
-- user_A修改密码
ALTER USER user_a WITH PASSWORD '1';
-- 授予user_A超级用户特权属性
ALTER USER user_a WITH SUPERUSER;sql
-- 组角色增加成员,多个成员以逗号,隔开
GRANT role_admin TO user_a,user_b,user_c;
-- 组角色移除成员,多个成员以逗号,隔开
REVOKE role_admin FROM user_a,user_b;
-- 成员角色默认继承除特殊权限属性{LOGIN|SUPERUSER|CREATEDB|CREATEROLE}外普通权限
-- 如果成员角色带有 NOINHERIT 属性,则不会继承组角色的任何权限
-- 使用 set role group_name 后临时获取组角色全部权限,但成员角色自身权限不存在
-- 案例,user_c 继承 role_c; role_c 继承 role_b
GRANT role_b TO role_c;
GRANT role_c TO user_c;
-- 登录 role_c,由于 role_b/role_c 只有特权属性,所以 user_c 暂时没有任何权限
-- 下面这步骤后,该回话权限将变成 role_c 的权限,user_c 自身权限已经无关
SET ROLE role_c;
-- 下面这步骤后,该回话权限将变成 role_b 的权限
SET ROLE role_b;
-- 下面这步骤后,权限不变,因为 user_c 并没有 role_a 的继承权
SET ROLE role_a;
-- 下面这步骤后,权限变成 user_c 的权限
SET ROLE user_c;sql
-- 创建超级管理员 admin
CREATE USER admin WITH SUPERUSER PASSWORD '1';客户端权限
bash
# pg_hba.conf
# 除了 local 外,其它类型的【无条件地允许客户端连接(trust)】都应该禁用
# "local" is for Unix domain socket connections only
local all all trust
# 通过TCP/IP连接的本地客户端,无条件建立连接【需要禁用】
# host all all 127.0.0.1/32 trust
# host all all ::1/128 trust
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all
# 对于replication权限的用户,通过TCP/IP无条件建立连接 【需要禁用】
# host replication all 127.0.0.1/32 trust
# host replication all ::1/128 trust
# 自定义
# 局域网和外网需要使用 ssl认证+密码认证 建立连接
hostssl all admin,qyphp 192.168.0.0/16 scram-sha-256 clientcert=verify-full
# 本地仅需要通过 密码认证 建立连接
hostnossl all admin,qyphp 127.0.0.1/32 scram-sha-256bash
# pg_hba.conf
hostssl all admin 192.168.0.0/16 scram-sha-256 clientcert=verify-full
hostssl all user_c 192.168.0.0/16 scram-sha-256 clientcert=verify-ca
hostnossl all user_a 192.168.0.0/16 scram-sha-256
# psql 登录 emad
psql "dbname=postgres user=admin host=192.168.66.254 sslmode=verify-full sslrootcert=/server/postgres/tls/root.crt sslcert=/server/postgres/tls/client-admin.crt sslkey=/server/postgres/tls/client-admin.key"
# psql 登录 user_c
psql "dbname=postgres user=user_c host=192.168.66.254 sslmode=verify-ca sslrootcert=/server/postgres/tls/root.crt sslcert=/server/postgres/tls/client-emad.crt sslkey=/server/postgres/tls/client-emad.key"
# psql 登录 user_a
psql "dbname=postgres user=user_a host=192.168.66.254"升级
升级和安装是一样的,在执行 make install 前,请在空闲时段关闭 postgres 单元服务,这样尽可能保证数据不会出错:
bash
systemctl stop postgres.service
make install
systemctl start postgres.service升级警告
如果当前版本没有发现漏洞,线上环境不要对数据库进行升级,如果确实需要升级,就一定要做好快照备份
权限
bash
chown postgres:postgres -R /server/postgres /server/pgData /server/logs/postgres /server/etc/postgres
find /server/postgres /server/pgData /server/logs/postgres /server/etc/postgres -type f -exec chmod 640 {} \;
find /server/postgres /server/pgData /server/logs/postgres /server/etc/postgres -type d -exec chmod 750 {} \;
# bin目录二进制文件需执行权限
chmod 750 -R /server/postgres/bin
# postgres 要求证书最高权限是 600
find /server/etc/postgres/tls -type f -exec chmod 600 {} \;
find /server/etc/postgres/tls -type d -exec chmod 700 {} \;bash
# 权限同部署环境
# 开发用户 emad 加入 lnpp包用户组
usermod -a -G sqlite,redis,postgres,mysql,php-fpm,nginx emad