Secure PostgreSQL : Patroni, Etcd, Pgbackrest Included

-

Step by step guide for securing your PostgreSQL Database Environment

I’ve moved my blog from https://insanedba.blogspot.com to https://dincosman.com Please update your bookmarks and follow/subscribe at the new address for all the latest updates and content. More up-to-date content of this post may be available there.

In today's world, keeping data secure is absolutely crucial. As companies depend more and more on databases to handle all sorts of sensitive information, making sure those databases are locked down tight is a top priority.

Ensuring the overall security of PostgreSQL is a multifaceted task that involves implementing various measures to protect the database from potential threats. Many measures may be taken in every layer of the database environment. I will explain some in detail and summarize others in one sentence.
Lets start with the database itself.

Step by step guide for securing your Postgresql Database Environment

Secure PostgreSQL Database:

1. Authentication and Authorization : Use RBAC (role based access control), different schemas for apps, use advanced authentication methods like LDAP, Kerberos, and client certificate authentication.

2. Encryption : Utilize encryption for both data in transit and data at rest. There are some encryption options in PostgreSQL but not at file level. Securing data at rest is generally achieved through Transparent Data Encryption (TDE). TDE is available on EDB Postgres, as of May 2024, but not yet available on the community edition. Percona is also developing an open-source extension, pg_tde, for this purpose, but it still has a long way to go.

    Securing data at transit is accomplished with using SSL certificates, I will provide a quick implementation. Since my organization has its own certification authority, I do not use self-signed certificates. Please prepare your request according to your server's DNS names and also the DNS name used for the load-balancing solution (such as HAProxy, F5 etc.) that clients are using to connect your patroni cluster.

[postgres@posvt01 ~]# vi csr_details.txt
[ req ]
default_bits = 2048
default_md = sha256
req_extensions = v3_req
distinguished_name = dn
prompt = no
[ dn ]
C = TR
ST = Ankara
L = Cankaya
OU = BJKIT
O = BJK
CN = pgcluster.localdomain
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = pgcluster.localdomain
DNS.2 = posvt01.localdomain
DNS.3 = posvt02.localdomain
IP.1 = 192.168.60.101
IP.2 = 192.168.60.102
[postgres@posvt01 ~]$ openssl req -newkey rsa:2048 -sha256 -nodes -keyout keys/server.key -config csr_details.txt -out certs/server.csr
Generating a 2048 bit RSA private key
................................................................................................................++
................................................................................................................++
writing new private key to 'keys/server.key'
-----
#-- We delivered our request server.csr to Certification Authority.
#-- After certification authority signed it, put it in under /etc/ssl/postgres directory with root certificate.
#-- If you have also intermediate certificates between your server and root certificates. Make a bundle certificate for root containing intermediate.
[root@posvt01 ~]# cat intermediate.cer > /etc/ssl/postgres/root.crt
[root@posvt01 ~]# cat root.cer >> /etc/ssl/postgres/root.crt
[postgres@posvt01 ~]$ cd certs
[postgres@posvt01 certs]$ mv server.crt /etc/ssl/postgres/server.crt
[postgres@posvt01 ~]$ cd ../keys
[postgres@posvt01 keys]$ mv server.key /etc/ssl/postgres/server.key
[root@posvt01 postgres]# cd /etc/ssl/postgres
[root@posvt01 postgres]# ls -ls
total 16
8 -rw-r--r-- 1 postgres postgres 4542 May 12 10:24 root.crt
4 -rw-r--r-- 1 postgres postgres 2384 May 12 10:24 server.crt
4 -rw------- 1 postgres postgres 1704 May 12 10:24 server.key
[postgres@posvt01 ~]$ chmod 0600 /etc/ssl/postgres/server.key
[postgres@posvt01 postgres]$ scp /etc/ssl/postgres/* postgres@posvt02:/etc/ssl/postgres/
#-- Configure ssl related parameters
[postgres@s001posvt01 keys]$ patronictl -c /etc/patroni.yml edit-config
...
ssl: on
ssl_cert_file: /etc/ssl/postgres/server.crt
ssl_key_file: /etc/ssl/postgres/server.key
...
#-- Configure your pg_hba.conf to force ssl_certificate for clients, edit all your current application access rules to use hostssl
[postgres@s001posvt01 ~]$ vi $PGDATA/pg_hba.conf
...
local all postgres peer
local replication replicator trust
hostnossl all all 0.0.0.0/0 reject
hostssl replication replicator 127.0.0.1/32 scram-sha-256
hostssl replication replicator 192.168.60.0/24 scram-sha-256
hostssl all all 127.0.0.1/32 scram-sha-256
hostssl all all 192.168.60.0/24 scram-sha-256
hostssl all all 192.168.64.0/24 scram-sha-256
...
#-- Reload config on only production server
postgres=# SELECT pg_reload_conf();
#-- Reload config on all cluster nodes
[postgres@posvt01 keys]$ patronictl -c /etc/patroni.yml reload pgcluster
#-- Check ssl used or not
SQL> SELECT datname,usename, ssl, client_addr
FROM pg_stat_ssl
JOIN pg_stat_activity
ON pg_stat_ssl.pid = pg_stat_activity.pid;
view raw configure_ssl_for_postgresql.txt hosted with ❤ by GitHub
3. Auditing and Logging: Enable auditing (pgaudit)  and logging features in PostgreSQL to monitor database activity and detect potential security breaches. This includes logging database events, such as login attempts, queries, and modifications, as well as setting up audit trails to track changes to sensitive data.

4. Parameter Hardening: PostgreSQL provides a wide range of configuration parameters that can be adjusted to enhance security. Administrators should review and adjust these parameters according to best practices and security requirements. This includes settings related to authentication, encryption, resource usage and connection settings. For example, use scram-sha-256 for password_enryption method , use a non standard port for connections different than 5432.

5. Patch Management: Keep PostgreSQL up to date with the latest security patches and updates and regularly monitor for new releases and apply patches in a timely manner to ensure the database remains secure.

6. Network Security: Secure the network infrastructure surrounding PostgreSQL database. This includes implementing firewalls, intrusion detection/prevention systems, and network segmentation to limit access to the database server and prevent unauthorized connections.

7. Backup and Disaster Recovery: Implement robust backup strategies and disaster recovery procedures to ensure data availability and integrity in the event of a security incident or system failure. I strongly advise to use pgbackrest as a backup solution.

By addressing these key aspects of PostgreSQL security, organizations can create a strong defense against potential threats and safeguard their valuable data assets. It's important to approach security as an ongoing process, regularly reviewing and updating security measures to adapt to evolving threats and vulnerabilities.

Secure Patroni:

Running a single instance of PostgreSQL may not suffice for high availability and fault tolerance requirements. Hence, organizations often opt for a clustered approach, where multiple instances of PostgreSQL are synchronized to ensure data redundancy and availability. Here comes the Patroni, a powerful tool designed to automate PostgreSQL high availability and failover management. Patroni simplifies the deployment and management of PostgreSQL clusters by orchestrating tasks such as leader election, replication, and automatic failover. 

There are also some important steps should be taken to secure patroni REST APIs. Such as using non-default ports, using SSL and password authentication for unsafe RESTAPI endpoint calls, limiting access to Patroni REST APIs . Here is a short implementation provided below.

#-- Some security related parameters -- set on all postgresql servers
[postgres@posvt01 ~]$ vi /etc/patroni.yml
...
restapi:
listen: posvt01.localdomain:3308
connect_address: posvt01.localdomain:3308
certfile: /etc/ssl/postgres/server.crt
keyfile: /etc/ssl/postgres/server.key
cafile: /etc/ssl/postgres/root.crt
authentication:
username: patroni_admin
password: patroni
allowlist: ['192.168.60.0/24']
allowlist_include_members: true
verify_client: required
...
ctl:
insecure: false
certfile: /etc/ssl/postgres/server.crt
cacert: /etc/ssl/postgres/root.crt
keyfile: /etc/ssl/postgres/server.key
...
# -- Example of GET rest api call
[postgres@posvt01 pgdata]$ curl -sv https://posvt01.localdomain:3308/master --cacert /etc/ssl/postgres/root.crt --cert /etc/ssl/postgres/server.crt --key /etc/ssl/postgres/server.key
# -- Add the root certificate to the trusted authorities
[root@posvt01 anchors]# cp /etc/ssl/postgres/root.crt /etc/pki/ca-trust/source/anchors/
[root@posvt01 anchors]# update-ca-trust
# -- Example of POST rest api call -- requires password authentication also, otherwise HTTP/1.0 401 Unauthorized
[root@posvt02 ~]# curl -sv https://patroni_admin:patroni@posvt02.localdomain:3308/reload -XPOST --cacert /etc/ssl/postgres/root.crt --cert /etc/ssl/postgres/server.crt --key /etc/ssl/postgres/server.key
view raw configure_patroni_ssl.txt hosted with ❤ by GitHub
Once you've configured Patroni REST APIs to utilize SSL, it's essential to also set up your load balancing solution (such as HAProxy or F5) to communicate with Patroni REST APIs securely over SSL. Below, I've included a sample configuration for your reference. To ensure proper functionality, you'll need to add the 'verify none' and 'check-ssl' attributes to your existing configuration. Note that for the 'check-ssl' attribute to work, HAProxy must be compiled with the OpenSSL library during installation. You can achieve this by executing the following command during installation: 'make TARGET=linux-glibc USE_PCRE=1 USE_OPENSSL=1 USE_ZLIB=1 USE_CRYPT_H=1 USE_LIBCRYPT=1'. If your current installation does not include OpenSSL, you'll need to reinstall HAProxy after compiling it with the 'use_openssl=1' option.

[root@etcd02 ~]# cat /etc/ssl/etcd/server.crt /etc/ssl/etcd/server.key >> /etc/ssl/etcd/haproxy_combined.crt
[root@etcd02 ~]# vi /etc/haproxy/haproxy.cfg
global
maxconn 4096
defaults
log global
mode tcp
timeout client 30m
timeout connect 4s
timeout server 30m
timeout check 5s
listen stats
mode http
bind *:7000
stats enable
stats uri /
listen primary
bind 192.168.60.120:3500
option httpchk OPTIONS/master
http-check expect status 200
default-server inter 3s fall 3 rise 2 on-marked-down shutdown-sessions
server postgresql_192.168.60.101_3531 posvt01.localdomain:3531 verify none maxconn 100 check check-ssl port 8008 crt /etc/ssl/etcd/haproxy_combined.crt ca-file /etc/ssl/etcd/root.crt
server postgresql_192.168.60.102_3531 posvt02.localdomain:3531 verify none maxconn 100 check check-ssl port 8008 crt /etc/ssl/etcd/haproxy_combined.crt ca-file /etc/ssl/etcd/root.crt
listen standby
bind 192.168.60.120:3501
option httpchk OPTIONS/replica
http-check expect status 200
default-server inter 3s fall 3 rise 2 on-marked-down shutdown-sessions
server postgresql_192.168.60.101_3531 posvt01.localdomain:3531 verify none maxconn 100 check check-ssl port 8008 crt /etc/ssl/etcd/haproxy_combined.crt ca-file /etc/ssl/etcd/root.crt
server postgresql_192.168.60.102_3531 posvt02.localdomain:3531 verify none maxconn 100 check check-ssl port 8008 crt /etc/ssl/etcd/haproxy_combined.crt ca-file /etc/ssl/etcd/root.crt
view raw haproxy.cfg hosted with ❤ by GitHub
Additionally, there is a notorious Authenticated Remote Code Execution (RCE) vulnerability, which allows remote attackers to execute arbitrary code by modifying the PostgreSQL configuration file through the Patroni HTTP REST API. Caution is required in dealing with this vulnerability. Considering that the local configuration section of the patroni.yml file always takes precedence over global configuration, it's important to note that OS-related parameters (restore_command, archive_command) provided below should be set in the local configuration section of the Patroni configuration against this vulnerability.

[postgres@posvt01 ~]$ vi /etc/patroni.yml
...
postgresql
...
connect_address: posvt01.localdomain:3535
...
parameters:
unix_socket_directories: '/var/run/postgresql'
archive_command: "pgbackrest --stanza=pg-cluster1 archive-push %p"
restore_command: "pgbackrest --stanza=pg-cluster1 archive-get %f %p"
...
view raw patroni_local_parameters_for_RCE.txt hosted with ❤ by GitHub

Secure Etcd:

To further enhance the reliability and security of the PostgreSQL cluster, etcd is employed as a distributed key-value store. Etcd serves as the centralized configuration store for Patroni, storing critical information such as cluster state, configuration parameters, and leader election metadata. By utilizing etcd, Patroni ensures consistency and coordination across the PostgreSQL cluster, enabling seamless failover and recovery procedures.

Etcd's endpoints also should be configured with SSL and non-default ports should be used. You may configure it as follows:

[root@etcd01 ~]# cd /etc/ssl/
[root@etcd01 ~]# mkdir etcd
[root@etcd01 ~]# cd etcd
[root@etcd01 ~]# cat csr_details.txt
[ req ]
default_bits = 2048
default_md = sha256
req_extensions = v3_req
distinguished_name = dn
prompt = no
[ dn ]
C = TR
ST = Ankara
L = Cankaya
OU = BJKIT
O = BJK
CN = etcd01.localdomain
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = etcd01.localdomain
DNS.2 = etcd02.localdomain
DNS.3 = etcd03.localdomain
IP.1 = 192.168.60.111
IP.2 = 192.168.60.112
IP.3 = 192.168.60.113
[root@etcd01 ~]# openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/etcd/server.key -config csr_details.txt -out /etc/ssl/etcd/server.csr
Generating a 2048 bit RSA private key
................................................+++
...........+++
writing new private key to 'server.key'
-----
#-- We delivered our request server.csr to Certifcation Authority.
#-- Certificate is signed by Certification Authority and returned to us as server.crt
# -- Root.crt is the bundle of the intermediate and root certificates
[root@etcd01 etcd]# mv /etc/ssl/other/intermediate.cer /etc/ssl/etcd/root.crt
[root@etcd01 etcd]# cat /etc/ssl/other/parentroot.crt >> /etc/ssl/etcd/root.crt
[root@etcd01 etcd]# ls
root.crt server.crt server.key
root@s001etcd01 etcd]# cd ..
[root@etcd01 ssl]# chown -R etcd:etcd etcd
[root@etcd01 ssl]# cd etcd
[root@etcd01 etcd]# ls -ls
total 12
4 -rw-r----- 1 etcd etcd 1781 May 2 22:17 root.crt
4 -rw-r--r-- 1 etcd etcd 1663 May 2 22:17 server.crt
4 -rw-r--r-- 1 etcd etcd 1704 May 2 22:17 server.key
-- Configure all 3 nodes (etcd01,etcd02 and etcd03) according to the below config -- change ip and dns addresses.
[root@etcd01 etcd]# vi /etc/etcd.env
ETCD_NAME=etcd1
ETCD_DATA_DIR=/mnt/etcd_data
ETCD_INITIAL_ADVERTISE_PEER_URLS=https://etcd01.localdomain:3380
ETCD_LISTEN_PEER_URLS=https://192.168.60.101:3380
ETCD_LISTEN_CLIENT_URLS=https://192.168.60.101:3379
ETCD_ADVERTISE_CLIENT_URLS=https://etcd01.localdomain:3379
ETCD_INITIAL_CLUSTER_TOKEN="etcd-cluster-1"
ETCD_INITIAL_CLUSTER=etcd1=https://etcd01.localdomain:3380,etcd2=https://etcd02.localdomain:3380,etcd3=https://etcd03.localdomain:3380
ETCD_INITIAL_CLUSTER_STATE=new
#SSL Configuration
ETCD_CLIENT_CERT_AUTH=true
ETCD_TRUSTED_CA_FILE=/etc/ssl/etcd/root.crt
ETCD_CERT_FILE=/etc/ssl/etcd/server.crt
ETCD_KEY_FILE=/etc/ssl/etcd/server.key
ETCD_PEER_CLIENT_CERT_AUTH=true
ETCD_PEER_TRUSTED_CA_FILE=/etc/ssl/etcd/root.crt
ETCD_PEER_CERT_FILE=/etc/ssl/etcd/server.crt
ETCD_PEER_KEY_FILE=/etc/ssl/etcd/server.key
ETCD_QUOTA_BACKEND_BYTES=8589934592
ETCD_AUTO_COMPACTION_MODE=periodic
ETCD_AUTO_COMPACTION_RETENTION="72"
ETCD_HEARTBEAT_INTERVAL=1000
ETCD_ELECTION_TIMEOUT=5000
[root@etcd01 etc]# vi /etc/systemd/system/etcd.service
[Unit]
Description=etcd service
After=network.target
[Service]
User=etcd
Type=notify
EnvironmentFile=/etc/etcd.env
ExecStart=/usr/local/bin/etcd
Restart=always
RestartSec=10s
LimitNOFILE=40000
[Install]
WantedBy=multi-user.target
~
view raw etcd_config_with_ssl.txt hosted with ❤ by GitHub

Secure Pgbackrest:

PGBackrest is a top-notch backup and restore tool for PostgreSQL databases. It's known for its speed, efficiency, and versatility, offering features like parallel processing and incremental backups. PGBackrest operates independently, making it easy to manage backups in diverse environments. It's a must-have for PostgreSQL database administrators looking for reliable data protection.

Securing PGBackrest endpoints with TLS is crucial for protecting sensitive data during backup processes. TLS encryption ensures that communications between PGBackrest and clients are secure, preventing unauthorized access and tampering. By implementing TLS, you safeguard your data integrity, maintain confidentiality, enhance overall security, and comply with regulations. Additionally, enabling TLS can increase the speed of backups. It's worth noting that TLS 3.0 is supported starting from pgBackrest version 2.37 and later.

I utilize a separate dedicated server for the pgBackrest repository. Below are the steps you can follow to enable TLS on pgBackrest.

[root@posbckp01 ~]# cd /etc/ssl/
[root@posbckp01 ssl]# mkdir pgbackrest
[root@posbckp01 ssl]# cd pgbackrest/
[root@posbckp01 ~]# cat csr_details.txt
[ req ]
default_bits = 2048
default_md = sha256
req_extensions = v3_req
distinguished_name = dn
prompt = no
[ dn ]
C = TR
ST = Ankara
L = Cankaya
OU = BJKIT
O = BJK
CN = posbckp01.localdomain
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = posbckp01.localdomain
IP.1 = 192.168.60.180
[root@posbckp01 pgbackrest]# openssl req -newkey rsa:2048 -sha256 -nodes -keyout /etc/ssl/pgbackrest/server.key -config csr_details.txt -out /etc/ssl/pgbackrest/server.csr
Generating a 2048 bit RSA private key
...............+++
............................................................+++
writing new private key to '/etc/ssl/pgbackrest/server.key'
-----
[root@posbckp01 pgbackrest]# ls
csr_details.txt server.csr server.key
#-- We delivered our request server.csr to Certifcation Authority.
#-- Certificate is signed by Certification Authority and returned to us as serverbckp.cer
[root@posbckp01 pgbackrest]# ls
root.cer serverbckp.cer serverbckp.key
[root@posbckp01 pgbackrest]# mv serverbckp.cer serverbckp.crt
[root@posbckp01 pgbackrest]# mv root.cer root.crt
[root@posbckp01 ssl]# chown -R pgbackrest:pgbackrest pgbackrest/
[root@posbckp01 ssl]# cd pgbackrest/
[root@posbckp01 pgbackrest]# ls
root.crt serverbckp.crt serverbckp.key
[root@posbckp01 pgbackrest]# chmod 600 ./*
[root@posbckp01 pgbackrest]# ls
root.crt serverbckp.crt serverbckp.key
[root@posbckp01 pgbackrest]# ls -ls
total 16
8 -rw------- 1 pgbackrest pgbackrest 4542 May 10 14:00 root.crt
4 -rw------- 1 pgbackrest pgbackrest 2266 May 5 15:38 serverbckp.crt
4 -rw------- 1 pgbackrest pgbackrest 1704 May 5 13:58 serverbckp.key
#-- Below is the sample backup configuration on pgbackrest repository server
[root@posbckp01 pgbackrest]# vi /etc/pgbackrest/pgbackrest.conf
[pgcluster]
pg1-host=posvt01.localdomain
pg1-path=/mnt/postgres/pgdata
pg1-port=3531
pg1-socket-path=/var/run/postgresql
pg2-host=posvt02.localdomain
pg2-path=/mnt/postgres/pgdata
pg2-port=3531
pg2-socket-path=/var/run/postgresql
#tls client options
pg1-host-type=tls
pg1-host-user=postgres
pg1-host-cert-file=/etc/ssl/pgbackrest/serverbckp.crt
pg1-host-key-file=/etc/ssl/pgbackrest/serverbckp.key
pg1-host-ca-file=/etc/ssl/pgbackrest/root.crt
pg2-host-type=tls
pg2-host-user=postgres
pg2-host-cert-file=/etc/ssl/pgbackrest/serverbckp.crt
pg2-host-key-file=/etc/ssl/pgbackrest/serverbckp.key
pg2-host-ca-file=/etc/ssl/pgbackrest/root.crt
[global]
#backup-standby=y
process-max=4
repo1-path=/mnt/pgbackrest
repo1-retention-full-type=time
repo1-retention-full=28
repo1-retention-diff=3
log-level-file=detail
log-level-console=info
start-fast=y
delta=y
# tls server options
tls-server-address=posbckp01.localdomain
tls-server-cert-file=/etc/ssl/pgbackrest/serverbckp.crt
tls-server-key-file=/etc/ssl/pgbackrest/serverbckp.key
tls-server-ca-file=/etc/ssl/pgbackrest/root.crt
tls-server-auth=posvt01.localdomain=pgcluster
tls-server-auth=posvt02.localdomain=pgcluster
tls-server-auth=pgcluster.localdomain=pgcluster
#-- Below is the sample backup configuration on postgresql database servers. Do it in both nodes
[root@posvt01 pgbackrest]# vi /etc/pgbackrest/pgbackrest.conf
[pgcluster]
pg1-path=/mnt/postgres/pgdata
pg1-port=3531
pg1-socket-path=/var/run/postgresql
[global]
archive-async=y
archive-push-queue-max=48GB
log-level-file=detail
log-level-console=info
spool-path=/var/spool/pgbackrest
repo1-host=posbckp01.localdomain
repo1-path=/mnt/pgbackrest
process-max=4
delta=y
repo1-host-type=tls
repo1-host-cert-file=/etc/ssl/postgres/server.crt
repo1-host-key-file=/etc/ssl/postgres/server.key
repo1-host-ca-file=/etc/ssl/postgres/root.crt
# tls server options
tls-server-address=posvt01.localdomain
tls-server-cert-file=/etc/ssl/postgres/server.crt
tls-server-key-file=/etc/ssl/postgres/server.key
tls-server-ca-file=/etc/ssl/postgres/root.crt
tls-server-auth=posbckp01.localdomain=pgcluster
#-- Turning pgbackrest to a service and enable it on across reboots
[root@posbckp01 pgbackrest]# vi /etc/systemd/system/pgbackrest.service
[Unit]
Description=pgBackRest Server
After=network.target
StartLimitIntervalSec=0
[Service]
Type=simple
User=pgbackrest
Restart=always
RestartSec=1
ExecStart=/usr/bin/pgbackrest server
ExecReload=kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target
#-- Turning pgbackrest to a service and enable it on across reboots on postgresql database servers. -- Do it on both nodes
[root@posvt01 pgbackrest]# vi /etc/systemd/system/pgbackrest.service
[Unit]
Description=pgBackRest Server
After=network.target
StartLimitIntervalSec=0
[Service]
Type=simple
User=postgres
Restart=always
RestartSec=1
ExecStart=/usr/bin/pgbackrest server
ExecReload=kill -HUP $MAINPID
[Install]
WantedBy=multi-user.target
[root@posvt01 pgbackrest]# systemctl daemon-reload
[root@posvt01 pgbackrest]# systemctl enable pgbackrest
[root@posvt01 pgbackrest]# systemctl start pgbackrest
[root@posvt01 pgbackrest]# pgbackrest server-ping
[root@posbckp01 pgbackrest]# systemctl daemon-reload
[root@posbckp01 pgbackrest]# systemctl enable pgbackrest
[root@posbckp01 pgbackrest]# systemctl start pgbackrest
#-- Test connection
[root@posbckp01 pgbackrest]# pgbackrest server-ping
#-- Check stanza
[postgres@posvt01 ~]$ pgbackrest --stanza=pgcluster check
view raw enable_tls_on_pgbackrest hosted with ❤ by GitHub
Having ensured the comprehensive security of the entire PostgreSQL database environment, the DBA can now enjoy a well-deserved peace of mind.

comprehensive security of the entire PostgreSQL database

Hope it helps.

Comments

Post a Comment

Popular posts from this blog

How to Upgrade PostgreSQL, PostGIS and Patroni in Air-Gapped Environments

-
Image
Upgrade Your PostgreSQL Database: Major Steps and Minor Touches I’ve moved my blog from https://insanedba.blogspot.com to https://dincosman.com Please update your bookmarks and follow/subscribe at the new address for all the latest updates and content. More up-to-date content of this post may be available there. In this blog post, I will show how a complete PostgreSQL environment major update can be done. Minor upgrades are not a tough task; they are no different from a standard Linux package upgrade. As my production environment serves in an airgapped-environment, I will complete all the major upgrades with no internet connection. I've downloaded all the required whl and .rpm packages before the upgrade. Before starting, a short description of major and minor PostgreSQL upgrades is provided below: Major Upgrade: Upgrading PostgreSQL to a new major version, such as moving from 10 to 11 or 12 to 13. Major upgrades bring significa...
Read more

Oracle Grid Release Update by using Ansible Playbooks

-
Image
Ansible is a friend in need and a friend indeed for DBAs. I’ve moved my blog from https://insanedba.blogspot.com to https://dincosman.com Please update your bookmarks and follow/subscribe at the new address for all the latest updates and content. More up-to-date content of this post may be available there. In this blog post, I will mention about Redhat Ansible and show how you can patch your grid infrastructure by using it. Ansible is an open source, command-line IT automation software application written in Python. It can configure systems, deploy software, and orchestrate advanced workflows to support application deployment, system updates, and more. Ansible's main strengths are simplicity and ease of use. It is a little bit similar to dcli commands in Exadata environments, but much more powerful as you may run playbooks which consist of different tasks. Ansible stands out from other configuration management tools because it doesn't need agents installed on target host...
Read more