diff options
| author | Silvino Silva <silvino@bk.ru> | 2020-04-20 01:03:12 +0100 |
|---|---|---|
| committer | Silvino Silva <silvino@bk.ru> | 2020-04-20 01:03:12 +0100 |
| commit | 6ca80c0a296cb44bc2b335211df86e8a95383cdf (patch) | |
| tree | 809ca0fc2eee0353d7040539310605d0e113b3d7 /tools/postgresql.html | |
| parent | fd186246f96768b8398f0ffe32ef136cb895fa21 (diff) | |
| parent | 5eec098c537ed98f76af59c37a54cb45645cc2a6 (diff) | |
| download | doc-6ca80c0a296cb44bc2b335211df86e8a95383cdf.tar.gz | |
Merge branch 'master' into develop
Diffstat (limited to 'tools/postgresql.html')
| -rw-r--r-- | tools/postgresql.html | 257 |
1 files changed, 150 insertions, 107 deletions
diff --git a/tools/postgresql.html b/tools/postgresql.html index 285e7c3..f27b7d4 100644 --- a/tools/postgresql.html +++ b/tools/postgresql.html @@ -26,32 +26,38 @@ # sudo -u postgres initdb -D /srv/pgsql/data </pre> - <h2 id="config">2. Configure Server</h2> + <h3 id="syslog-ng">1.1. Configure syslog-ng</h3> - <h3>2.1. Init script</h3> - - <p>Change <a href="conf/etc/rc.d/postgresql">/etc/rc.d/postgresql</a>;</p> + <p><a href="syslog-ng.html">Configure syslog-ng</a> first, configuration example contains rules for postgresql as is configured in this document.</p> <pre> - # - # /etc/rc.d/postgresql: start, stop or restart PostgreSQL server postmaster - # + destination d_postgres { file("/var/log/pgsql"); }; + filter f_postgres { facility(local0) and program("postgresql)"; }; + log { source(s_src); filter(f_postgres); destination(d_postgres);}; - PG_DATA=/srv/pgsql/data + filter f_messages { level(info,notice,warn) + and not facility(auth,authpriv,cron,daemon,mail,news,local0); }; - case "$1" in - start|stop|status|restart|reload) - sudo -u postgres pg_ctl -D "$PG_DATA" -l /var/log/postgresql "$1" - ;; - *) - echo "usage: $0 start|stop|restart|reload|status" - ;; - esac + filter f_daemon { facility(daemon, local0) + and not filter(f_debug) + and not program("vh_tribu") + and not program("vh_tribu_error");}; + </pre> - # End of file + <p>Create /etc/logrotate.d/postgres;</p> + + <pre> + /var/log/pgsql { + weekly + compress + delaycompress + rotate 10 + notifempty + create 660 postgres postgres + } </pre> - <h3>2.2. Certificates</h3> + <h3 id="gencert">1.2. Certificates</h3> <pre> $ sudo openssl genrsa -des3 -out /etc/ssl/keys/pg.key 2048 @@ -115,36 +121,70 @@ $ sudo chmod 644 /etc/ssl/certs/pg.cert </pre> - <h3>2.3. Super user password</h3> + <h2 id="server">2. Configure Server</h2> - <p>Create password for super user;</p> + <h3 id="init">2.1. Init script</h3> + + <p>Change <a href="conf/etc/rc.d/postgresql">/etc/rc.d/postgresql</a>;</p> <pre> - # su postgres - $ psql -U postgres + # + # /etc/rc.d/postgresql: start, stop or restart PostgreSQL server postmaster + # + + PG_DATA=/srv/pgsql/data + + case "$1" in + start|stop|status|restart|reload) + sudo -u postgres pg_ctl -D "$PG_DATA" -l /var/log/postgresql "$1" + ;; + *) + echo "usage: $0 start|stop|restart|reload|status" + ;; + esac + + # End of file </pre> - <h3>2.4. Configure postgresql.conf</h3> + <h3 id="config">2.2. Configure postgresql.conf</h3> <p>Edit <a href="conf/srv/pgsql/data/postgresql.conf">/srv/pgsql/data/postgresql.conf</a>;</p> <pre> - # - Security and Authentication - - - #authentication_timeout = 1min # 1s-600s ssl = on # (change requires restart) - #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers - # (change requires restart) - #ssl_prefer_server_ciphers = on # (change requires restart) - #ssl_ecdh_curve = 'prime256v1' # (change requires restart) ssl_cert_file = '/etc/ssl/certs/pg.crt' # (change requires restart) ssl_key_file = '/etc/ssl/keys/pg.key' # (change requires restart) - #ssl_ca_file = '' # (change requires restart) - #ssl_crl_file = '' # (change requires restart) password_encryption = scram-sha-256 + jit = off + log_destination = 'syslog' + syslog_facility = 'LOCAL0' + log_connections = on + log_disconnections = on + log_duration = on + log_hostname = on + log_line_prefix = 'd=$d u=% %m [%p] ' # special values: </pre> - <h3>2.5. Configure pg_hba.conf</h3> + <h3 id="pass">2.3. Super user password</h3> + + <p>Create password for the super user postgres, login to postgresql;</p> + + <pre> + $ sudo -u postgres psql -U postgres + </pre> + + <p>Create password for postgres user;</p> + + <pre> + postgres=# \password + Enter new password: + Enter it again: + postgres=# + </pre> + + <p>Configure pg_hba.conf in the next step to enforce authentication.</p> + + <h3 id="pg_hba">2.4. Configure pg_hba.conf</h3> <p>Edit <a href="conf/srv/pgsql/data/pg_hba.conf">/srv/pgsql/data/pg_hba.conf</a>; @@ -152,164 +192,167 @@ <pre> # TYPE DATABASE USER ADDRESS METHOD - local postgres all trust - host postgres all 127.0.0.1/32 trust - host all all 127.0.0.1/32 scram-sha-256 - host all all 0.0.0.0/0 reject + + # "local" is for Unix domain socket connections only + local all postgres scram-sha-256 + #local all postgres trust + # IPv4 local connections: + host all postgres 127.0.0.1/32 scram-sha-256 + # IPv6 local connections: + host all postgres ::1/128 scram-sha-256 + # Allow replication connections from localhost, by a user with the + # replication privilege. + local replication postgres scram-sha-256 + host replication postgres 127.0.0.1/32 scram-sha-256 + host replication postgres ::1/128 scram-sha-256 </pre> - <p>Start server and alter postgres password</p> + <p>Restart server to enforce authentication from now on;</p> <pre> # /etc/rc.d/postgresql start </pre> + <h2 id="users">3. Manage users</h2> + + <h3 id="createuser">3.1. Create user - create role</h3> + + <p>Create a new user with createuser command;</p> + <pre> - postgres=# alter user postgres with password 'new_password'; + $ sudo -u postgres createuser --pwprompt --encrypted \ + --no-createrole --no-createdb user_name + Enter password for new user: + Enter it again: </pre> - <h3 id="syslog">2.6. Configure syslog-ng</h3> + <h3 id="dropuser">3.2. Remove user - drop role</h3> - <p><a href="syslog-ng.html">Configure Syslog-ng</a>, check <a href="http://michael.otacoo.com/postgresql-2/postgres-settings-simple-syslog-configuration-with-syslog-ng/">Michael at otacoo</a> article. Example;</p> - - <p>Edit /pgsql/data/<a href="../conf/srv/pgsql/data/postgresql.conf">postgresql.conf</a>;</p> + <p>Deleting user with dropuser command;</p> <pre> - log_destination = 'syslog' # Can specify multiple destinations - syslog_facility='LOCAL0' - syslog_ident='postgres' - log_connections = on - log_disconnections = on - log_duration = on + sudo -u postgres dropuser user_name </pre> - <p>Create /etc/logrotate.d/postgres;</p> + <h3 id="userpass">3.3. Change password</h3> + + <p>Update password of a user;</p> <pre> - /var/log/pgsql { - weekly - compress - delaycompress - rotate 10 - notifempty - create 660 postgres postgres - } + $ sudo -u postgres psql </pre> - <pre> - destination postgres { file("/var/log/pgsql"); }; - filter f_postgres { facility(local0); }; - log { source(s_log); filter(f_postgres); destination(postgres); }; + postgres=#\password user_name; </pre> + <p>This will set password using hash / encryption method selected on postgresql.conf</p> - <h2 id="createuser">3. Create User</h2> + <h3 id="listuser">3.4. List users - roles</h3> - <p>Create a new user with createuser command;</p> + <pre> + $ sudo -u postgres psql + </pre> <pre> - $ sudo -u postgres createuser --pwprompt --encrypted \ - --no-createrole --no-createdb flyspray - Enter password for new user: - Enter it again: + postgres=# \dg </pre> - <h2 id="createdb">4. Create Database</h2> + <h2 id="databases">4. Manage databases</h2> + + <h3 id="createdb">4.1. Create database</h3> - <p>Create a new database for new user with createdb command;</p> + <p>Create a new database named db_name for user_name with createdb command;</p> <pre> $ sudo -u postgres createdb --template=template0 --encoding=UTF8 \ - --owner=flyspray db_flyspray + --owner=user_name db_name </pre> - <h2 id="dropdb">5. Drop Database</h2> + <h3 id="dropdb">4.2. Drop database</h3> <p>Deleting database with dropdb command;</p> <pre> - sudo -u postgres dropdb db_flyspray + sudo -u postgres dropdb -U postgres db_name </pre> - <h2 id="dropuser">6. Drop User</h2> + <h3 id="listdb">4.3. List databases</h3> - <p>Deleting user with dropuser command;</p> + <p>List roles then list databases;</p> <pre> - sudo -u postgres dropuser flyspray + postgres=# \l </pre> - <h2 id="psql">7. Psql</h2> + <h3 id="backup">4.4. Dump and restore</h3> - <p>Lets check with psql, login with user postgres;</p> + <p>Dump all databases</p> <pre> - $ sudo -u postgres psql + $ pg_dumpall -U postgres | gzip > cluster_dump.gz </pre> - <p>First show help;</p> + <p>Restore dumpfile of all databases;</p> <pre> - postgres=# \? + $ gzip -c cluster_dump.gz | psql -U postgres </pre> - <h3 id="listdb">7.1. List Databases and Roles</h3> - - <p>List roles then list databases;</p> + <p>Restore a database;</p> <pre> - postgres=# \dg - postgres=# \l + $ psql -U user_name -d db_name -f db_name_dump </pre> - <h3 id="psqldb">7.2. Create Database</h3> + <h2 id="psql">5. Psql</h2> + + <p>Lets check with psql, login with user postgres;</p> <pre> - postgres=# create database db_flyspray_ext owner flyspray encoding 'UTF-8' template template0; + $ sudo -u postgres psql </pre> - <h3 id="droptables">7.3. Drop Tables</h3> - - <p>This example assumes that all tables, - are in public schema. First connect to database and - list tables;</p> + <p>First show help;</p> <pre> - postgres=# revoke SELECT on db_flyspray from flyspray; + postgres=# \? </pre> + <p>Connect to a db_name as user_name;</p> + <pre> - postgres=# \c db_flyspray - postgres=# \dt + postgres=# \c db_name user_name </pre> - <p>Drop all tables on public schema and recreate public schema;</p> + <h3 id="psqldb">5.2. Create Database</h3> <pre> - db_flyspray=# drop schema public cascade; - db_flyspray=# create schema public; + postgres=# create database db_name owner user_name encoding 'UTF-8' template template0; </pre> - <h2 id="backup">8. Backup and restore</h3> + <h3 id="droptables">5.3. Drop All Tables</h3> - <h3>8.1. Dump databases</h3> + <p>This example assumes that all tables, + are in public schema. First revoke previously granted privileges from one or more roles;</p> <pre> - $ pg_dumpall -U postgres | gzip > cluster_dump.gz + postgres=# revoke ALL PRIVILEGES on db_name from user_name; </pre> - <h3>8.2. Restore</h3> + <p>Drop all tables on public schema and recreate public schema;</p> <pre> - $ gzip -c cluster_dump.gz | psql -U postgres + postgres=# \c db_name + db_name=# drop schema public cascade; + db_name=# create schema public; </pre> <a href="index.html">Tools Index</a> <p> - This is part of the Hive System Documentation. - Copyright (C) 2019 - Hive Team. + This is part of the Tribu System Documentation. + Copyright (C) 2020 + Tribu Team. See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a> for copying conditions.</p> </body> |