pg12.7
一,安装数据库
--前期配置
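--关闭防火墙等(仅适用于隔离的测试环境;生产环境建议保留 firewalld,只放行数据库端口,例如 firewall-cmd --permanent --add-port=15433/tcp && firewall-cmd --reload)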
systemctl status firewalld.service
systemctl stop firewalld.service
systemctl disable firewalld.service
systemctl status firewalld.service
--修改 /etc/selinux/config 中的 SELINUX 行(重启后生效)
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
cat /etc/selinux/config
--ssh快速登录
vim /etc/ssh/sshd_config
UseDNS no
GSSAPIAuthentication no
service sshd restart
/bin/systemctl restart sshd.service
--修改主机名
vim /etc/hostname
db01
vim /etc/hosts
192.168.18.101 db01
--配置yum源
mount -o loop Kylin-Server-V10-SP3-General-Release-2303-X86_64.iso /media
[root@localhost yum.repos.d]# vim kylin.repo
[ks10-local-iso]
name = Kylin Linux Advanced Server 10 - local
baseurl = file:///media
gpgcheck = 1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-kylin
enabled = 1
--yum补充安装包(注意:gcc*、c* 这类通配符会匹配仓库中所有同前缀的包,未加引号时还可能先被 shell 按当前目录下的文件名展开,安装范围远超编译所需,建议改为明确的包名)
vim 1.sh
yum install -y gcc* c*
yum install -y zlib-devel* lrzsz*
yum install -y sysbench* openssh*
yum install -y initscripts* net-tools*
yum install -y ncurses* libtermcap-devel*
yum install -y cmake* make*
yum install -y zlib* readline*
yum install -y tcl* openssl*
yum install -y openldap* gcc-c++*
yum install -y openssl-devel* pam*
yum install -y perl
yum install -y python36
yum -y install e2fsprogs-devel uuid uuid-devel libuuid-devel
yum -y install readline readline-devel zlib zlib-devel gettext gettext-devel openssl openssl-devel pam pam-devel libxml2 libxml2-devel libxslt libxslt-devel perl perl-devel tcl-devel uuid-devel gcc gcc-c++ make flex bison perl-ExtUtils*
-- 创建用户
groupadd -g 60001 pg12
useradd -u 60001 -g pg12 pg12
--此处口令仅为示例:明文口令会留在 shell 历史和文档中,实际部署请换成强口令,或直接执行 passwd pg12 交互输入
echo "Bdstar1234" | passwd --stdin pg12
-- 创建目录
mkdir -p /data/postgresql/pg12/{pgdata,archive,scripts,backup,pg12,soft,pgdir}
chown -R pg12:pg12 /data/postgresql/pg12
chmod -R 775 /data/postgresql
-- 编译
chown -R pg12:pg12 /data/postgresql/*
su - pg12
cd /data/soft/postgresql-12.7
tar -zxvf postgresql-12.7.tar.gz
cd postgresql-12.7
## 编译 12.7版本需要 --with-uuid=e2fs
cd /data/soft/postgresql-12.7
./configure --prefix=/data/postgresql/pg12/pg12 --without-readline --with-uuid=e2fs --with-openssl
make -j 8 && make install
cd contrib/uuid-ossp/
make && make install
tar -zxvf rlwrap-0.37.tar.gz
cd rlwrap-0.37
./configure
make
make install
================================
--迁移数据库
pg_basebackup -h 127.0.0.1 -U postgres -l bk20240722 -F p -P -R -D /data/postgresql/pg12/pgdir/bak
tar -zcvf bk20240722.tar.gz bak &
#tar -zxvf bk20240722.tar.gz
=============================================
新库配置
-- 配置环境变量(注意:PATH 末尾的 "." 会把当前目录加入命令搜索路径,数据库运行账户可能因此误执行当前目录下的同名程序,建议去掉)
cat >> ~/.bash_profile <<"EOF"
export LANG=en_US.UTF-8
export PS1="[\u@\h \W]\$ "
export PGPORT=15433
export PGDATA=/data/postgresql/pg12/pgdata
export PGHOME=/data/postgresql/pg12/pg12
export LD_LIBRARY_PATH=$PGHOME/lib:/lib64:/usr/lib64:/usr/local/lib64:/lib:/usr/lib:/usr/local/lib:$LD_LIBRARY_PATH
export PATH=$PGHOME/bin:$PATH:.
export DATE=`date +"%Y%m%d%H%M"`
export MANPATH=$PGHOME/share/man:$MANPATH
export PGHOST=$PGDATA
export PGUSER=postgres
export PGDATABASE=postgres
alias psql='rlwrap psql'
EOF
source ~/.bash_profile
-- 初始化
su - pg12
initdb -D /data/postgresql/pg12/pgdata -E UTF8 --locale=en_US.utf8 -U postgres
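-- 修改参数(注意:postgresql-%a.log 配合 log_truncate_on_rotation 只会保留最近一周的日志;如需审计或事后排查,需另行归档日志,并可开启 log_connections / log_disconnections)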
cat >> /data/postgresql/pg12/pgdata/postgresql.conf <<"EOF"
listen_addresses = '*'
port=15433
unix_socket_directories='/data/postgresql/pg12/pgdata'
logging_collector = on
log_directory = 'pg_log'
log_filename = 'postgresql-%a.log'
log_truncate_on_rotation = on
EOF
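-- 注意:local 和 127.0.0.1 的 trust 表示本机任何系统用户都可以免密码以任意数据库用户(包括 postgres 超级用户)登录;0.0.0.0/0 配合 listen_addresses = '*' 且防火墙已关闭,等于向所有网段开放口令登录。生产环境建议把 trust 改为口令认证(md5 或 scram-sha-256),并把 0.0.0.0/0 收窄到实际的业务网段。
cat > /data/postgresql/pg12/pgdata/pg_hba.conf << EOF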
# TYPE DATABASE USER ADDRESS METHOD
local all all trust
host all all 127.0.0.1/32 trust
host all all 0.0.0.0/0 md5
host replication all 0.0.0.0/0 md5
EOF
-- 启动
su - pg12
pg_ctl start
pg_ctl status
pg_ctl stop
-- 关闭库,删除库的数据文件,
pg_ctl stop
rm -rf /data/postgresql/pg12/pgdata/*
mv /data/postgresql/pg12/pgdir/bak/* /data/postgresql/pg12/pgdata/
chown pg12:pg12 /data/postgresql/pg12/pgdata/ -R
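--删除备份过来的相关数据(以下均为相对路径,应先 cd /data/postgresql/pg12/pgdata 再执行,避免在其他目录误删同名文件;standby.signal 是 pg_basebackup 的 -R 选项生成的,删除后新库才会作为独立主库启动)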
rm -rf postgresql.crt
rm -rf postgresql.csr
rm -rf postgresql.key
rm -rf root.crt
rm -rf root.srl
rm -rf server.crt
rm -rf server.key
rm -rf standby.signal
删除加密软件
vim postgresql.conf
#ssl=on
#ssl_ca_file='root.crt'
#ssl_key_file='server.key'
#ssl_cert_file='server.crt'
vim pg_hba.conf
#host all all all md5
#hostssl all all 0.0.0.0/0 cert
-- 修改参数
cat >> /data/postgresql/pg12/pgdata/postgresql.conf <<"EOF"
listen_addresses = '*'
port=15433
unix_socket_directories='/data/postgresql/pg12/pgdata'
logging_collector = on
log_directory = 'pg_log'
log_filename = 'postgresql-%a.log'
log_truncate_on_rotation = on
EOF
重启
pg_ctl start
===================================================================================================
#https://cloud.tencent.com/developer/article/1977976 (参考)
启用openssl(单向)
1. 查看postgresql是否使用openssl选项编译安装,没有则需重新编译:
[pg12@db01 pgdata]$ pg_config|grep CONFIGURE
CONFIGURE = '--prefix=/data/postgresql/pg12/pg12' '--without-readline' '--with-uuid=e2fs' '--with-openssl'
2. 查看ssl_library的参数值是OpenSSL
postgres=# show ssl_library ;
ssl_library
-------------
OpenSSL
(1 row)
postgres=# select version();
version
-----------------------------------------------------------------------------
PostgreSQL 12.7 on x86_64-pc-linux-gnu, compiled by gcc (GCC) 7.3.0, 64-bit
(1 row)
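3. PostgreSQL配置单向SSL认证连接
-- 注意:下面生成的是自签名证书,有效期 365 天,私钥未加密(-nodes)。客户端默认 sslmode=prefer 不校验服务器证书,只能防被动窃听;如需防中间人,客户端应使用 sslmode=verify-ca 或 verify-full 并持有该证书,verify-full 还要求证书的 CN/SAN 与连接时使用的主机名一致。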
mkdir /data/postgresql/pg12/pgdata/openssl
openssl req -new -x509 -days 365 -nodes -text -subj '/CN=postgres' -out /data/postgresql/pg12/pgdata/openssl/server.crt -keyout /data/postgresql/pg12/pgdata/openssl/server.key
chmod 600 /data/postgresql/pg12/pgdata/openssl/server.key
4. postgresql.conf配置文件添加
ssl = on
ssl_cert_file = '/data/postgresql/pg12/pgdata/openssl/server.crt'
ssl_key_file = '/data/postgresql/pg12/pgdata/openssl/server.key'
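pg_hba.conf配置文件添加
host all all all md5
hostssl all all 0.0.0.0/0 cert
-- 注意:pg_hba.conf 按顺序取第一条匹配的规则,而 host 同时匹配 SSL 和非 SSL 连接,所以上面的 host 行会先命中:非 SSL 的明文连接仍被允许,后面的 hostssl ... cert 实际不会生效。另外 cert 是客户端证书认证(双向),需要配置 ssl_ca_file 并给客户端签发证书,与本节的单向 SSL 不符。若要强制单向 SSL,可只保留 hostssl all all 0.0.0.0/0 md5,并去掉 host 行,或在其之前增加 hostnossl all all all reject。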
5. 重启,添加配置
[pg12@db01 pgdata]$ pg_ctl restart
报错
waiting for server to start....2024-07-22 08:18:41.358 UTC [1890106] FATAL: could not access file "passwordcheck": No such file or directory
passwordcheck 扩展的源码已经包含在 pgsql 源码的 contrib 目录中,但默认不会编译安装,所以需要进入 pgsql 源码目录手动安装(报错说明迁移过来的配置引用了 passwordcheck,推测是在 shared_preload_libraries 中)
解决方法:
[pg12@db01 pgdata]$ cd /data/soft/postgresql-12.7/contrib/passwordcheck
[pg12@db01 passwordcheck]$make
[pg12@db01 passwordcheck]$make install
重启成功
[pg12@db01 passwordcheck]$ pg_ctl restart
[pg12@db01 pgdata]$ psql -h localhost -d postgres -U postgres -p 15433
Password for user postgres:
psql (12.7)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.
postgres=# select ssl_is_used();
报错
ERROR: function ssl_is_used() does not exist
LINE 1: select ssl_is_used();
^
HINT: No function matches the given name and argument types. You might need to add explicit type casts.
这个扩展已经包含在pgsql源码中,需要再次进入pgsql源码目录
[pg12@db01 pgdata]$ cd /data/soft/postgresql-12.7/contrib/sslinfo
[pg12@db01 sslinfo]$ make
[pg12@db01 sslinfo]$ make install
--创建sslinfo
postgres=# create extension sslinfo;
CREATE EXTENSION
postgres=# select ssl_is_used();
ssl_is_used
-------------
t
-- 连接的时候需要加上-h参数,否则走的是 Unix 域套接字连接,不是以ssl连接的
[pg12@db01 sslinfo]$ psql -h localhost -d postgres -U postgres -p 15433
Password for user postgres:
psql (12.7)
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, bits: 256, compression: off)
Type "help" for help.
postgres=# select ssl_is_used();
ssl_is_used
-------------
t
(1 row)
postgres=# select ssl_version();
ssl_version
-------------
TLSv1.3
(1 row)