当前位置: 首页 > news >正文

PostgreSQL在openEuler部署后,别忘了做这几步安全与性能调优(附配置模板)

news 2026/6/6 7:48:48

PostgreSQL在openEuler部署后的安全与性能调优实战指南

当你完成PostgreSQL在openEuler系统上的基础安装后,真正的挑战才刚刚开始。本文将带你深入探索那些容易被忽视却至关重要的配置细节,从安全加固到性能优化,让你的数据库在生产环境中既安全又高效。

1. 生产环境防火墙精细配置

许多教程会建议直接关闭防火墙,但这在生产环境中无异于敞开大门迎接风险。正确的做法是精细控制访问权限,只开放必要的端口和服务。

首先确认firewalld服务状态:

systemctl status firewalld

如果处于关闭状态,需要先启用:

systemctl start firewalld systemctl enable firewalld

为PostgreSQL添加专用防火墙规则(假设使用默认端口5432):

firewall-cmd --permanent --add-port=5432/tcp firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="5432" protocol="tcp" accept' firewall-cmd --reload

关键安全策略

  • 仅允许特定IP段访问数据库端口
  • 限制管理接口访问(如pgAdmin)
  • 定期审计防火墙规则

提示:生产环境中建议结合网络ACL和安全组实现多层防护

2. PostgreSQL核心参数调优

针对4核8G的服务器配置,以下参数调整可以显著提升性能:

2.1 内存相关配置

编辑postgresql.conf文件,找到以下参数进行调整:

shared_buffers = 2GB # 通常设置为总内存的25% work_mem = 16MB # 每个查询操作的内存,复杂查询可适当增加 maintenance_work_mem = 512MB # 维护操作(如VACUUM)使用的内存 effective_cache_size = 6GB # 操作系统和PostgreSQL可用的缓存估计

2.2 并行查询配置

max_worker_processes = 4 # 等于CPU核心数 max_parallel_workers_per_gather = 2 # 每个查询的并行工作进程 max_parallel_workers = 4 # 系统总并行工作进程

2.3 其他关键参数

random_page_cost = 1.1 # SSD存储建议1.0-1.1 effective_io_concurrency = 200 # SSD建议100-200 wal_level = replica # 复制环境需要replica或更高 synchronous_commit = remote_write # 平衡性能与数据安全

参数调整后需要重启服务生效:

pg_ctl restart -D $PGDATA

3. 数据库安全加固措施

3.1 创建专用监控账户

避免使用超级用户进行日常监控,创建专用只读账户:

CREATE ROLE monitor WITH LOGIN PASSWORD 'StrongPassword123!'; GRANT pg_monitor TO monitor;

3.2 密码策略强化

修改pg_hba.conf启用SCRAM-SHA-256加密:

host all all 0.0.0.0/0 scram-sha-256

设置密码有效期(在postgresql.conf中):

password_encryption = scram-sha-256

3.3 日志审计配置

log_destination = 'csvlog' logging_collector = on log_directory = 'pg_log' log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' log_rotation_age = 1d log_rotation_size = 100MB log_statement = 'mod' log_connections = on log_disconnections = on

4. 日常维护与监控方案

4.1 自动化维护任务

设置定期VACUUM和ANALYZE(在postgresql.conf中):

autovacuum = on autovacuum_max_workers = 2 autovacuum_vacuum_cost_limit = 1000

创建维护脚本/usr/local/bin/pg_maintenance.sh

#!/bin/bash su - postgres -c "vacuumdb --all --analyze" su - postgres -c "reindexdb --all"

设置cron任务每周执行:

0 3 * * 0 /usr/local/bin/pg_maintenance.sh > /var/log/pg_maintenance.log 2>&1

4.2 性能监控关键指标

建立基础监控查询:

-- 连接数监控 SELECT count(*) as total_connections, count(*) filter (where state = 'active') as active_connections, count(*) filter (where state = 'idle') as idle_connections FROM pg_stat_activity; -- 锁等待监控 SELECT blocked_locks.pid AS blocked_pid, blocking_locks.pid AS blocking_pid, blocked_activity.usename AS blocked_user, blocking_activity.usename AS blocking_user FROM pg_catalog.pg_locks blocked_locks JOIN pg_catalog.pg_stat_activity blocked_activity ON blocked_activity.pid = blocked_locks.pid JOIN pg_catalog.pg_locks blocking_locks ON blocking_locks.locktype = blocked_locks.locktype AND blocking_locks.DATABASE IS NOT DISTINCT FROM blocked_locks.DATABASE AND blocking_locks.relation IS NOT DISTINCT FROM blocked_locks.relation AND blocking_locks.page IS NOT DISTINCT FROM blocked_locks.page AND blocking_locks.tuple IS NOT DISTINCT FROM blocked_locks.tuple AND blocking_locks.virtualxid IS NOT DISTINCT FROM blocked_locks.virtualxid AND blocking_locks.transactionid IS NOT DISTINCT FROM blocked_locks.transactionid AND blocking_locks.classid IS NOT DISTINCT FROM blocked_locks.classid AND blocking_locks.objid IS NOT DISTINCT FROM blocked_locks.objid AND blocking_locks.objsubid IS NOT DISTINCT FROM blocked_locks.objsubid AND blocking_locks.pid != blocked_locks.pid JOIN pg_catalog.pg_stat_activity blocking_activity ON blocking_activity.pid = blocking_locks.pid WHERE NOT blocked_locks.GRANTED;

4.3 备份策略实施

配置基础备份脚本/usr/local/bin/pg_backup.sh

#!/bin/bash DATE=$(date +%Y%m%d) BACKUP_DIR="/backup/postgresql/$DATE" mkdir -p $BACKUP_DIR su - postgres -c "pg_dumpall | gzip > $BACKUP_DIR/pg_dumpall_$DATE.sql.gz" find /backup/postgresql -type d -mtime +30 -exec rm -rf {} \;

设置每日备份任务:

0 2 * * * /usr/local/bin/pg_backup.sh > /var/log/pg_backup.log 2>&1

对于关键业务数据库,建议配置WAL归档和PITR(时间点恢复):

wal_level = replica archive_mode = on archive_command = 'test ! -f /backup/wal/%f && cp %p /backup/wal/%f'
http://www.jsqmd.com/news/561488/

相关文章:

  • 误删Anaconda?3招紧急恢复指南
  • 3步解锁抖音无水印下载神器:让内容备份效率提升10倍的完整指南
  • 2026最新养老护理服务推荐!北京/广州住家/白班/钟点工服务权威榜单 - 十大品牌榜
  • ReBarUEFI:突破硬件性能瓶颈的可调整大小BAR技术实现方案
  • vite项目安装tailwind 链接 教程
  • 告别移植烦恼:手把手教你将SquareLine Studio 1.5.0的UI设计一键跑在LVGL Windows模拟器上
  • 保姆级教程:在VMware ESXi 8.0上一步步部署vCenter Server 8.0(含网络配置与存储避坑)
  • E-Hentai漫画下载器:从繁琐到高效的漫画保存解决方案
  • 微信小程序Canvas滚动难题拆解:从“淘宝详情页”到“股票K线图”的通用解决思路
  • 突破Cursor限制的终极指南:5个步骤解锁AI编程全功能
  • 数据结构:单调栈
  • 3大突破!开源RGB控制终极指南:从多软件混战到统一灯光管理
  • C++17 filesystem实战:5分钟搞定跨平台文件操作(Windows/Linux示例)
  • 天鹅到家,月嫂/保姆/家政服务/母婴护理/养老护理,布局北京广州 - 十大品牌榜
  • Adobe Illustrator脚本终极指南:释放设计自动化的无限潜能
  • 人类的主观与事物发展的客观:一场注定的矛盾
  • SmolVLA多轮对话效果展示:复杂任务规划与上下文一致性测评
  • 终极Windows安装自由:MediaCreationTool.bat完整指南
  • 如何通过Claude HUD实时监控工具提升AI开发效率
  • 手把手教你恢复误删的xfce4面板(附备份还原完整流程)
  • Windows性能优化:任务管理器深度使用指南
  • 【技术笔记】Cheat Engine 内存搜索方法论:从入门到进阶
  • 从Fast Scan到Hierarchical:5种DFT测试架构选择指南(含SOC案例)
  • 2026最新月嫂推荐!北京/广州住家/白班等场景优质服务机构榜单 - 十大品牌榜
  • 2026最新北京/广州保姆推荐!住家/白班/钟点工/照顾老人/照顾孩子服务平台权威榜单 - 十大品牌榜
  • 云手机 流畅稳定 操作简单
  • 告别官方镜像!手把手教你将自编译Android系统刷入AVD(基于Android Studio 4.2+)
  • OpenClaw+GLM-4.7-Flash双剑合璧:3步实现科研论文自动化综述
  • 从“第一性原理”到“第二曲线”:如何用底层思维驱动业务创新
  • 安卓应用锁开发实战:如何用Activity拦截实现密码验证(附完整代码)