目录
环境
系统平台:Linux x86-64 Red Hat Enterprise Linux 7,中标麒麟(CPU申威)7,中标麒麟(CPU海光)7,中标麒麟(CPU龙芯)7,中标麒麟(CPU飞腾)7
版本:4.3.4
本文适用于指导Highgo Database安全版数据库配置。
详细信息
Highgo Database安全版中,将数据库超级管理员的权限进行了重新分配,拆分成了三部分,由三个管理员代替超级管理员,三个管理员分别是系统管理员(sysdba)、系统安全员(syssso)、系统审计员(syssao)。三个管理员相互制约,系统管理员负责数据库的日常维护和管理,系统安全员负责授权和密码管理,系统审计员负责对所有人员的操作进行审计。
1、调整swap
内存及对应swap建议值参照表
| MemTotal |
SwapTotal |
| 8G |
2~4G |
| 8~16G |
4~8G |
| 16~64G |
8~32G |
| >=64G |
32G |
2、添加端口到系统防火墙
| --添加数据库端口到防火墙 [root@k8s1 ~]# firewall-cmd --add-port=5866/tcp --permanent success |
3、关闭并禁用NetworkManager
| [root@hgdb ~]# systemctl stop NetworkManager.service [root@hgdb ~]# systemctl disable NetworkManager.service |
4、关闭并禁用selinux
| [root@hgdb ~]# sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config [root@hgdb ~]# setenforce 0 [root@hgdb ~]# cat /etc/selinux/config | grep SELINUX=disabled [root@hgdb ~]# getenforce |
5、安装软件包
| [root@hgdb ~]# yum install vim wget readline readline-devel zlib zlib-devel openssl openssl-devel pam-devel libxml2-devel libxslt-devel python-devel tcl-devel gcc gcc-c++ rsync -y |
6、配置用户limits
| --修改limits.conf添加以下内容 [root@hgdb ~]# vi /etc/security/limits.conf #for highgo db 4.3.4 highgo soft core unlimited highgo hard nproc unlimited highgo soft nproc unlimited highgo hard memlock unlimited highgo hard nofile 1024000 highgo soft memlock unlimited highgo soft nofile 1024000 highgo hard stack 65536 highgo soft stack 65536 |
7、修改数据库参数
| #使用sysdba登录psql设置参数 psql -U sysdba -d highgo --设置*表示所有ip都可以访问数据库 highgo # alter system set listen_addresses = '*'; --修改数据库的最大连接数 highgo # alter system set max_connections = 2000; --修改shared_buffers,建议设置为物理内存的25%,最大不超过40% highgo # alter system set shared_buffers = '10240MB'; highgo # alter system set checkpoint_timeout='30min'; highgo # alter system set checkpoint_completion_target = 0.8; --设置hgdb生成的日志格式 highgo # alter system set log_destination = 'csvlog'; --开启日志 highgo # alter system set logging_collector = on; --修改日志存放路径 highgo # alter system set log_directory = 'hgdb_log'; --修改日志文件名称格式 highgo # alter system set log_filename = 'highgodb_%d.log'; --设置每天生成一个新的日志文件 highgo # alter system set log_rotation_age = '1d'; --不限制单个日志文件大小 highgo # alter system set log_rotation_size = 0; --覆盖同名文件 highgo # alter system set log_truncate_on_rotation = on; --设置记录ddl语句 highgo # alter system set log_statement = 'ddl'; --开启归档 highgo # alter system set wal_level = replica; highgo # alter system set archive_mode = on; --红色字体部分为归档存放路径 highgo # alter system set archive_command = 'test ! -f /hgdbbak/archive/%f && cp %p /hgdbbak/archive/%f' --设置用户连接与断开数据库的信息 highgo # alter system set log_connections=on; highgo # alter system set log_disconnections=on; highgo # alter system set maintenance_work_mem=’1GB’; |
注:log_filename定义了日志名称为highgodb_%d,%d表示当月几号生成的,例如10月20号,生成的日志为highgodb_20.log。log_rotation_age设定每天生成一个日志文件。log_rotation_size不限定日志大小。log_truncate_on_rotation设定如果存在相同文件名的日志会进行覆盖。以上四个参数共同设定了日志只能保存一个月。
8、修改用户密码有效期
Highgo Database安全版默认的密码有效期是7天,密码有效期可以修改的时间范围为1~365天,使用syssso用户登录数据库进行修改。修改方式如下:
| [root@k8s3 ~]# psql -U syssso highgo Password for user syssso: NOTICE: ------------------------------------------- Login User: syssso Login time: 2019-08-22 10:53:58.631077+08 Login Address: [local] Last Login Status: SUCCESS Login Failures: 0 Valied Until: 2019-08-29 10:43:57+08 ------------------------------------------- psql (4.3.4.6) Type "help" for help. highgo=>select set_secure_param('hg_PwdValidUntil','365'); --修改密码有效期为365天 highgo=>\q [root@k8s3 ~]# pg_ctl restart -D /opt/HighGoDB-4.3.4.6/data --重启数据库生效 waiting for server to shut down.... done server stopped waiting for server to start....2019-08-22 11:44:47.998 CST [9016] LOG: data encryption performed by pgcrypto 2019-08-22 11:44:48.000 CST [9016] LOG: listening on IPv6 address "::1", port 5866 2019-08-22 11:44:48.001 CST [9016] LOG: listening on IPv4 address "127.0.0.1", port 5866 2019-08-22 11:44:48.008 CST [9016] LOG: listening on Unix socket "/tmp/.s.PGSQL.5866" 2019-08-22 11:44:48.039 CST [9016] LOG: This is a trial edition, validate until 2019-09-21 10:43:56, database will not be able to start up after that time,please apply an official license by that time. 2019-08-22 11:44:48.040 CST [9016] LOG: redirecting log output to logging collector process 2019-08-22 11:44:48.040 CST [9016] HINT: Future log output will appear in directory "log". done server started --再次查看 [root@k8s3 ~]# psql -U syssso highgo Password for user syssso: NOTICE: ------------------------------------------- Login User: syssso Login time: 2019-08-22 11:45:28.739054+08 Login Address: [local] Last Login Status: SUCCESS Login Failures: 0 Valied Until: 2019-08-29 10:43:57+08 ------------------------------------------- psql (4.3.4.6) Type "help" for help. highgo=> select show_secure_param(); show_secure_param ----------------------------- Secure level = table, + hg_SepOfPowers = on, + hg_MAControl = on, + hg_RowSecure = off, + hg_PwdValidUntil = 365, + hg_PwdErrorLock = 5, + hg_ShowLoginInfo = on, + hg_ClientNoInput = 30 min, + hg_PwdRule = on, + (1 row) |
9、修改用户密码
Highgo Database安全版用户默认密码为“highgo@123”,有效期为7天,修改密码有效期后,密码到期或修改密码有效期后,需重新修改密码,密码有效期才会顺延。
| [root@k8s3 ~]# psql -U syssso highgo Password for user syssso: NOTICE: ------------------------------------------- Login User: syssso Login time: 2019-08-22 13:26:39.091443+08 Login Address: [local] Last Login Status: SUCCESS Login Failures: 0 Valied Until: 2019-08-29 10:43:57+08 --此处为密码到期时间 ------------------------------------------- psql (4.3.4.6) Type "help" for help. highgo=> alter user syssso with password 'highgo123'; --修改密码为“highgo123” ALTER ROLE |
10、审计功能配置
Highgo Database安全版带有审计功能,但在某些情况下,审计日志会占用大量的资源或空间,此时调整配置审计功能参数,减少日志的产生量。
| --如果数据库所在磁盘空间较小,可以减小审计日志保留时间,默认审计日志不会删除,审计日志没有定时清理功能,但可以使用循环覆盖,保证日志只保留一定时间,推荐审计保留一周,如下面设置 --使用syssao用户登录 [root@k8s3 audit_log]# psql -U sysdba highgo Password for user sysdba: NOTICE: ------------------------------------------- Login User: sysdba Login time: 2019-08-22 14:27:51.443573+08 Login Address: [local] Last Login Status: SUCCESS Login Failures: 0 Valied Until: 2019-08-29 10:43:57+08 ------------------------------------------- psql (4.3.4.6) Type "help" for help. --设置审计日志保留名称为%a_%H,%a表示当天为周几,%H表示小时 highgo=> select set_audit_param('hg_audit_filename','%a_%H'); set_audit_param --------------------------------- set configuration successfully. --开启审计日志自动覆盖功能 highgo=> select set_audit_param('hg_audit_truncate_on_rotation','on'); set_audit_param --------------------------------- set configuration successfully. (1 row) --设置审计日志覆盖时间间隔为7天 highgo=> select set_audit_param('hg_audit_RotationAge','10080'); set_audit_param --------------------------------- set configuration successfully. (1 row) --设置完成后,重启数据库 [root@k8s3 audit_log]# pg_ctl restart -D /opt/HighGoDB-4.3.4.6/data |
注:如需设置审计日志保留一个月,需要将参数“hg_audit_filename”的%a_%H修改为%d_%H,同时将参数“hg_audit_RotationAge”修改为43200。
更多详细信息请登录【瀚高技术支持平台】查看https://support.highgo.com/#/index/docContent/ba1ac6ce05d82604
